OTM Security in an Evolving Threat Landscape
Anoop Jangamakote, Ryan Haney

Introduction
Table of Contents
1. What is Information Security? Why is it important?
2. Introduction to OTM Security
3. OTM Threat Modeling
4. Secure Infrastructure
5. Functional Security
6. OTM Security Resources
7. Open Discussion / Q&A
What is Information Security?
Protection of information against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Information Security is a combination of security requirements and goals, business processes, technical controls, policies, and procedures.
Shorter and easier: Information security is about making sure information is available when it's needed, to only the right people, and being able to verify the availability of and access to information.
Why is Security Important?
- Neiman Marcus
- White Lodging
- Sally Beauty
- Michaels
- 11 different casinos
- State of New York
- PF Changs
- Albertsons and Super Valu
- Community Health Systems
- UPS
- Dairy Queen
- Goodwill
- Home Depot
- Jimmy John's
- JP Morgan Chase
- Sourcebooks
- Kmart
- Staples
- Bebe
- Sony
Why is Security Important?
These are only the Forbes Top 20 information security breaches of 2014.
McAfee estimates the total global cost of cyber and information security breaches to be between $375 and $575 billion to date through 2014.
Security breaches not only cost money directly; they can also reduce innovation, damage brand reputation, and threaten future business prospects.
OTM Security
What in OTM is valuable to an attacker?
- OTM typically does not contain the data that represents the highest risk or highest value to most attackers, such as PII and credit card data.
- OTM may contain significant confidential and/or proprietary information that is valuable to an attacker for corporate espionage or for revenge/embarrassment.
- Access to OTM may give an attacker an attack vector into another system with higher-value data: OTM integrates with JDE/PeopleSoft, SAP, and other business software packages that do contain high volumes of PII or other valuable data.
- Understanding and evaluating the threats to OTM is an important step in securing OTM.
OTM Threat Model
1. Identify Assets: corporate data, financial data, PII, operational intelligence, business processes.
2. Architecture Overview: diagram and document OTM's physical and logical architecture in your environment.
3. Deconstruct the Application: break the architecture areas from step 2 down into security zones such as public/DMZ, internal only, and secure/protected.
4. Identify the Threats: identify the possible threats to each security zone by analyzing the goals of the potential attacker, the attacker's potential knowledge of your system, and potential vulnerabilities.
5. Document the Threats: create a threat assessment document for the threats identified; it should include the threat methodology, the threat risk (based on likelihood and impact), and corrective actions.
6. Rate the Threats: classify each threat according to your corporate information security policy, typically high, medium, and low, with a corresponding level of priority given to each level of threat.
OTM Threat Model, step 1: Identify Assets
- Privileged information: rate information
Identify the Asset: Rate Information
- Confidential/proprietary data
- Integral to OTM functionality
- May represent valuable data for corporate espionage
- Compromise of rate data can have a broad impact on business operations, not just for the OTM system owner but also for its vendors (carriers)
OTM Threat Model, step 2: Architecture Overview
- Web tier, application tier, database tier
Architecture Overview (diagram)
OTM Threat Model, step 3: Deconstruct the Application
- Web tier is public/DMZ, application tier is internal, and database tier is secure
Architecture Overview (diagram): security zones Public / DMZ, Internal, Secure / Protected
OTM Threat Model, step 4: Identify the Threats
- Create a list or matrix of threats to each tier
Identify the Threats
Public / DMZ
- Brute force access to OTM front-end
- Social engineering attack on OTM users to obtain login information or rate data directly
- Common web vulnerabilities (SQL injection, XSS)
- Compromised integration points / external systems
- Unknown threats
Internal
- App layer web service exposure
- Server level access
- Log files
- OTM java / python tools
- Unknown threats
Protected
- Social engineering attacks on DBAs and other high-privileged administrators
- OAQ
- Compromise of HPA computers
- Unknown threats
OTM Threat Model, step 5: Document the Threats
- Create a threat document that addresses the risk of each threat, where risk is a value assigned based on the likelihood and the consequences of a breach.
- This document should also include mitigation steps where any exist, whether technical or process-based.
Document the Threats
Risk = Probability x Impact

Probability  | Business Impact: Low | Medium   | High
Certain      | High                 | Extreme  | Extreme
Possible     | Moderate             | High     | Extreme
Unlikely     | Low                  | Moderate | High
Document the Threats: Brute force access to OTM front-end
Risk Analysis:
- Probability is Possible
- Impact is Medium
- Overall risk is High
Mitigation:
- Implement strong OTM password policies (low cost, easy to implement)
- Monitor OTM logs for brute force attempts (low cost, easy to implement)
- Use SSO for strong access control at a business level (moderate cost, more difficult to implement)
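The second mitigation above, monitoring logs for brute force attempts, is the kind of check that is cheap to automate. The following is an added example, not an OTM tool or code from the deck: OTM's real log format is not shown, so the sample lines use a constructed "timestamp LOGIN result user src" layout, and the five-failures-in-five-minutes threshold is an assumption to be tuned for your environment.

```python
"""Sliding-window brute-force detection over authentication log lines.

Added example for the "monitor OTM logs for brute force attempts" mitigation.
The log layout below is constructed for illustration (OTM's own format is not
shown in the deck); threshold and window are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<timestamp> LOGIN <SUCCESS|FAILURE> user=<user> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source that produces `threshold` login failures inside `window`.

    Failures are tracked per source (not per user) so that an attacker cycling
    through several account names is still caught.  Returns one alert per source:
    (src, failures_in_window, distinct_users_tried, first_failure_ts).
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAILURE":
            continue                      # ignore unparseable lines and successes
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                   # drop failures that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerts:
            users = {user for _, user in q}
            alerts[ev["src"]] = (ev["src"], len(q), len(users), q[0][0])
    return list(alerts.values())


# Constructed sample log: one source hammers the front-end with several
# account names, one legitimate user mistypes once, one line is malformed.
SAMPLE_LOG = """\
2014-10-01 12:00:01 LOGIN FAILURE user=RATE.ADMIN src=203.0.113.5
2014-10-01 12:00:05 LOGIN FAILURE user=RATE.ADMIN src=203.0.113.5
2014-10-01 12:00:09 LOGIN SUCCESS user=JSMITH src=198.51.100.7
2014-10-01 12:00:12 LOGIN FAILURE user=RATE.ADMIN src=203.0.113.5
this line is malformed and must be skipped
2014-10-01 12:00:20 LOGIN FAILURE user=SYSTEM src=203.0.113.5
2014-10-01 12:00:31 LOGIN FAILURE user=JSMITH src=198.51.100.7
2014-10-01 12:00:40 LOGIN FAILURE user=SYSTEM src=203.0.113.5
2014-10-01 12:00:58 LOGIN FAILURE user=GUEST src=203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for src, failures, users, first in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT src={src} failures={failures} distinct_users={users} since={first}")
```

Keying the window on the source address rather than on the user is deliberate: a lockout policy (the first mitigation) already handles repeated failures against one account, while this check surfaces the attacker who rotates account names. Sources behind a shared NAT will need a higher threshold.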
Rate the Threats
- Compare each threat to the others faced by the root asset, and to the others faced by the asset and threat tier
- Rank the threats according to risk, and then evaluate mitigation strategies according to cost and benefit
- Threat modeling as a part of project planning is particularly valuable, as mitigation strategies can be baked into the solution as it is developed
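Steps 5 and 6 (document and rate) can be kept as a small threat register rather than a spreadsheet. Below is an added example, not a tool from the deck or from Oracle: the Probability x Impact matrix, the risk levels, the brute-force example and its three mitigations come from the slides; the data structures, the tie-break on zone exposure, the mitigation cost scale, and the probability/impact values for the two extra sample threats are this example's own assumptions.

```python
"""Threat register: rate with the deck's matrix, rank, and order mitigations by cost.

Added example.  Matrix, levels and the brute-force sample are from the slides;
everything else (structures, tie-breaks, the other two sample threats) is assumed.
"""
from dataclasses import dataclass, field

# Risk = Probability x Impact, exactly as in the deck's matrix.
RISK_MATRIX = {
    "Certain":  {"Low": "High",     "Medium": "Extreme",  "High": "Extreme"},
    "Possible": {"Low": "Moderate", "Medium": "High",     "High": "Extreme"},
    "Unlikely": {"Low": "Low",      "Medium": "Moderate", "High": "High"},
}
RISK_ORDER = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}
COST_ORDER = {"Low": 0, "Moderate": 1, "High": 2}          # assumed mitigation cost scale
ZONE_EXPOSURE = {"Public/DMZ": 0, "Internal": 1, "Secure/Protected": 2}  # assumed tie-break


@dataclass
class Mitigation:
    description: str
    cost: str           # "Low" | "Moderate" | "High"
    technical: bool     # True = technical control, False = process-based control


@dataclass
class Threat:
    name: str
    zone: str           # one of ZONE_EXPOSURE keys
    asset: str
    probability: str    # "Certain" | "Possible" | "Unlikely"
    impact: str         # "Low" | "Medium" | "High"
    mitigations: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        return rate_risk(self.probability, self.impact)


def rate_risk(probability: str, impact: str) -> str:
    """Step 5: look up the deck's matrix; values off the scale are rejected, not guessed."""
    try:
        return RISK_MATRIX[probability][impact]
    except KeyError as exc:
        raise ValueError(f"unknown probability/impact: {probability}/{impact}") from exc


def rank_threats(threats):
    """Step 6: highest risk first; ties go to the more exposed zone, then to name."""
    return sorted(threats, key=lambda t: (-RISK_ORDER[t.risk], ZONE_EXPOSURE.get(t.zone, 9), t.name))


def cheapest_mitigations(threat):
    """Order a threat's mitigations so low-cost, easy wins are applied first."""
    return sorted(threat.mitigations, key=lambda m: COST_ORDER[m.cost])


def build_register(threats):
    """Render the threat document as text rows: risk, zone, threat, first mitigation."""
    rows = []
    for t in rank_threats(threats):
        first = cheapest_mitigations(t)[0].description if t.mitigations else "none identified"
        rows.append(f"{t.risk:<8} {t.zone:<17} {t.name}: {first}")
    return rows


# Constructed sample register: the deck's brute-force example plus two threats from
# its per-zone list, whose probability/impact values are assumed here.
SAMPLE_THREATS = [
    Threat("Brute force access to OTM front-end", "Public/DMZ", "rate information",
           "Possible", "Medium", [
               Mitigation("Implement strong OTM password policies", "Low", True),
               Mitigation("Monitor OTM logs for brute force attempts", "Low", True),
               Mitigation("Use SSO for strong access control", "Moderate", True),
           ]),
    Threat("SQL injection / XSS in web tier", "Public/DMZ", "rate information",
           "Possible", "High",
           [Mitigation("Apply Oracle security patches; restrict SQL servlet by ACL", "Low", True)]),
    Threat("Social engineering of DBAs", "Secure/Protected", "rate information",
           "Unlikely", "High",
           [Mitigation("Security awareness training for DBAs", "Low", False)]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(row)
```

Rejecting unknown probability or impact values (rather than defaulting to "Low") keeps a typo in the register from silently burying a threat.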
Security Infrastructure: Encryption
Data in flight
- HTTPS/TLS is supported and recommended between end-users and the OTM web tier
- The HTTPS certificate may be implemented directly on Oracle HTTP Server (OHS), or offloaded to a load balancer
- In-flight data between OHS and Tomcat is unencrypted, but typically only transits via localhost
- In-flight data between Tomcat and WebLogic is unencrypted by default using the T3 protocol, but encrypted T3 may be implemented
- In-flight JDBC data is also unencrypted by default, but may be encrypted using the Oracle standard JDBC driver
Data at rest
- Oracle Transparent Data Encryption (TDE) may be used on the database for encryption
- Windows and Linux both offer disk encryption methods
- Both Oracle TDE and Windows/Linux disk encryption have extremely low overhead on modern CPUs with the AES-NI instruction set
- Most modern SAN storage systems offer transparent encryption at the block or file level
Security Infrastructure: Access
- Many different access points and levels to consider: OTM web access, server level access, database access, and access to different levels of data, different OTM servlets, and logs
- OTM web access can use the default OTM authentication or SSO; OTM SSO supports LDAP and Oracle Access Manager
- Either authentication method still requires users to be assigned to domains
- Important! Remember that each new domain is created with a default user of <DOMAIN>.ADMIN with the password CHANGEME
- There are many default OTM users on an initial installation; some can be removed, others cannot
- System and guest accounts are required for operation, and should be created with unique and secure passwords when installing OTM. Older OTM versions used CHANGEME as the default, so installations running 6.2 and older should double check and change these values immediately!
- Server level access can also be tied in to SSO via Active Directory accounts, or LDAP on Unix systems
- OTM log data may contain important or sensitive information, such as the system password in the WebLogic console log; carefully consider the permissions on the OTM log directories
Security Infrastructure: Access
- Database access is one of the most important considerations for system security
- Consider limiting and locking down access to the OTM out-of-box schemas (GLOGOWNER, REPORTOWNER, etc.) and instead creating custom schemas with least-necessary privileges. This not only increases security, but decreases the likelihood of system instability and problems during upgrades
- The number of users and administrators with database access should generally decrease the closer one gets to production
- Database auditing may be used to audit successful and/or unsuccessful statement executions (either once per user session or each time), activities of all users, activities of a specific user, actions involving a specific database object, actions involving a specific type of SQL statement, actions involving the invocation of a specific privilege, and fine-grained auditing where the granularity is extremely customizable
- Database auditing can have a significant performance impact, so it is important to implement a strategy that captures the needed information without burdening the system. Capturing the audit trail to an operating system file instead of the database audit trail table can improve audit performance
Security Infrastructure: Access
- OTM servlets can be extremely powerful and represent a significant risk to the stability of the system
- Access can be limited by ACL, or by removing the servlet at the OTM web tier by modifying the OTM web.xml and commenting out the servlet
- The SQL, Event Diagnostics, and Process servlets are examples that OTM administrators may want to remove or restrict from external-facing web servers
Enabling Security - Functionally (diagram): Access Control List, VPD, Account Policy, Manage User Access, Role Grants, User Role, User, User Grants, Level Grants
Account Policies
An Account Policy controls user login and password security attributes such as:
- User password expiration period
- Warning period to alert a user that their password is about to expire
- History of used passwords that cannot be re-used until recycled
- Number of invalid login attempts to be allowed, as well as a lockout duration when a user exceeds the maximum number of login attempts
- Number of days to allow a login to be dormant before expiring the user account
- Login history to keep track of when a user logs in or attempts to log in to Oracle Transportation Management
- Rules that define the content of a password (for example, the minimum number of characters, alpha/numeric/mixed characters, etc.)
Some examples of Account Policy password rules:
- [a-za-z0-9]$ : last character of the password should NOT be a special character
- ^.{7,10}$ : password must be at least 7 characters long and at most 10 characters
- [:digit:] : password must contain at least one number
- [^a-za-z0-9] : password must contain at least one special character
- [:alpha:] : password must contain at least one alphabetic character
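To make the password rules above and the history/lockout attributes concrete, here is an added example; it is not OTM's account policy implementation. The rule descriptions come from the deck, but Python's re module has no [:digit:] or [:alpha:] classes, so each rule is rewritten with an equivalent Python pattern (an assumption, written case-sensitively with [A-Za-z]); the history size of 5, the 3-attempt limit and the 30-minute lockout are assumed values.

```python
"""Account-policy style password checks: content rules, reuse history, lockout.

Added example, not OTM code.  Rule texts are the deck's; the patterns are Python
equivalents of its POSIX-style rules (assumed).  Policy thresholds are assumed.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

# (rule text from the deck, Python equivalent of the deck's pattern)
CONTENT_RULES = [
    ("last character must not be a special character",  re.compile(r"[A-Za-z0-9]$")),
    ("length must be 7 to 10 characters",                re.compile(r"^.{7,10}$")),
    ("must contain at least one number",                 re.compile(r"[0-9]")),
    ("must contain at least one special character",      re.compile(r"[^A-Za-z0-9]")),
    ("must contain at least one alphabetic character",   re.compile(r"[A-Za-z]")),
]


def check_password_content(password: str):
    """Return the rule texts the password violates; an empty list means accepted."""
    return [text for text, pattern in CONTENT_RULES if pattern.search(password) is None]


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither the current password nor the history is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountPolicy:
    history_size: int = 5         # previous passwords that may not be re-used (assumed)
    max_failed_logins: int = 3    # invalid attempts allowed before lockout (assumed)
    lockout_minutes: int = 30     # lockout duration (assumed)


@dataclass
class Account:
    user: str
    salt: bytes
    password_hash: bytes
    history: list = field(default_factory=list)  # previous hashes, most recent first
    failed_logins: int = 0
    locked_until: float = 0.0     # epoch seconds; 0.0 means not locked

    @classmethod
    def create(cls, user: str, password: str, policy: "AccountPolicy"):
        problems = check_password_content(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        return cls(user, salt, _hash(password, salt))

    def change_password(self, new_password: str, policy: AccountPolicy):
        """Enforce content rules and the re-use history; raise ValueError with all reasons."""
        problems = check_password_content(new_password)
        candidate = _hash(new_password, self.salt)
        if candidate == self.password_hash or candidate in self.history[:policy.history_size]:
            problems.append("password was used recently and cannot be re-used")
        if problems:
            raise ValueError("; ".join(problems))
        self.history.insert(0, self.password_hash)
        self.history = self.history[:policy.history_size]
        self.password_hash = candidate

    def login(self, attempt: str, policy: AccountPolicy, now: float) -> bool:
        """Verify a login, counting invalid attempts and applying a timed lockout."""
        if now < self.locked_until:
            return False                  # still locked: do not even evaluate the password
        if _hash(attempt, self.salt) == self.password_hash:
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        if self.failed_logins >= policy.max_failed_logins:
            self.locked_until = now + policy.lockout_minutes * 60
            self.failed_logins = 0
        return False
```

Reporting every violated rule at once (instead of stopping at the first) is what lets the user fix a rejected password in one attempt; refusing to evaluate the password at all while locked is what keeps the lockout from leaking whether the guess was right.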
User/User Role Security
- User Roles control:
  - Data security (ability to view, edit, and delete)
  - Functional security (ability to execute actions)
(diagram): Access Control List, VPD, Role Grants, User Grants, User Role, User Preferences
Access Control List
- Collection of servlets
- Provides the ability for a user or user role to view/edit any page in OTM
- Restricts access points
- Ex: SqlServlet, which allows select/update/delete
Virtual Private Database
- Used when you need to filter based on a User or User Role
- Provides an additional layer of security on specific tables and/or columns
- For example: the business has multiple 3PL service providers. They need to use the same role but must have access to only their own data
User Role/User/Level Grants
- Enabling role(s) to have access to multiple other roles
- Enabling users to have access to multiple roles
- Defining a clear plan and process to design the proper access to roles for user roles or users will ensure data is not compromised
Manage Access Effectively (diagram): Functional Access, Page Access, Menu Access
Think out of the box to secure
Using other OTM functions to enable a more secure environment:
- Define and refine the User Menu based on User/Role
- Define and refine User Actions based on User/Role
- Control actions on data using Action Checks
- Provide only the required data to view, leveraging Manager Layouts and Screen Sets
- Be a step ahead: use Field Screen Sets whenever necessary
(diagram): User Menu, User Actions, Action Checks, Manager Layouts, Screen Set, Field Screen Sets
OTM Security Resources
- The OTM Security Guide is an excellent resource for OTM-specific recommendations
- Oracle security alerts are available at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
- Enter your email when installing OTM and associated Oracle products to receive security alerts
- U.S. Computer Emergency Readiness Team mailing lists will send vulnerability alerts and digests: https://www.us-cert.gov/mailing-lists-andfeeds
- The National Vulnerability Database provides tools to search for vulnerable versions of OTM and related software at https://nvd.nist.gov/

Open Discussion / Q&A