Tuesday, November 13, 2018

Security: The PeopleSoft Social Threat Vector

In the old Mission Impossible television series from the '60s and '70s, a team of expert agents socially engineer an incredible swindle to catch a bad guy, elicit a confession, release a hostage, etc. These deceptions often included room reconstructions, elaborate disguises, rerouted telephone calls, fake news broadcasts, etc. The con had to be so good the prey had no clue. If it weren't for the regular cut-aways to "reality," viewers wouldn't be able to tell fiction from truth. I remember one episode where the IMF (the Mission Impossible team) had to convince the "bad guy" that his plot succeeded (fake news broadcast). Another episode required making a person think his victim was still alive. Incredible social engineering. It is a lot of fun to watch this unfold when good guys are conning bad guys to preserve national security. But what about when the charade is run by a bad actor attempting to steal from our organization?

Imagine you are a manager, professor, grant owner, or someone else responsible for transactions in PeopleSoft. You receive a workflow notification e-mail requesting you to approve a PeopleSoft transaction. Since you receive these emails all the time, you don't think much of it. You click the link and see your usual login screen. You authenticate and continue processing the transaction. This is a regular, every day scenario, but let me tell you, IT SCARES THE DAYLIGHTS OUT OF ME! Why? Let's review:

  • I received an e-mail with a link.
  • I clicked the link.
  • I entered my PeopleSoft credentials into the page that appeared.

It may really have been PeopleSoft or it may have been a Mission Impossible-style bluff designed to make me think I was logging into PeopleSoft. If the latter, I just gave away the front door key to my ERP kingdom and there is no telling what a bad actor will do. Actually, I can give you a couple of ideas of what they will do:

  • Change your direct deposit to an off shore account,
  • Use query to download sensitive information and sell it,
  • Steal Accounts Payable information,
  • Setup fake employees to be paid through the regular payroll,
  • Setup fake vendors for payment, and
  • Change bank account information for vendors.

How do I know this? Because I've seen it happen! This is not a PeopleSoft security issue, it is all about social engineering. It is about bad actors targeting individuals through phishing, spear phishing, and whaling. Every day good people are tricked into giving their credentials to bad people.

The most common solution is to train employees to stop clicking links in e-mails. But what is a little awkward is that PeopleSoft comes preconfigured with workflow notifications that contain links. Doesn't it seem a little ironic that most of us have anti-phishing training and policies that tell our users not to click links and then our ERP system sends e-mails with links? To compound the situation, organizations create alerts, notifications, and scheduled processes that send e-mails with links. These links keep sensitive data out of e-mails and in controlled ERP systems. This was supposed to improve security. The problem is that bad people tempt good people into clicking fake links. So what can we do?

  1. Stop sending links or
  2. Protect PeopleSoft with multi-factor authentication.

I really don't like the first option. Removing links from all PeopleSoft notifications would be a significant modification. I know some customers that do this. It is manageable and I would rather do this than nothing at all. At least my PeopleSoft implementation would be in compliance with my standard corporate security policies.

But removing links from PeopleSoft e-mails doesn't fix the problem. Users may still receive phishing e-mails with links to pseudo-PeopleSoft signon screens and may still give away their credentials. This is where multi-factor authentication protects us, and is why I prefer option 2. Not only do we avoid customizations and improve the user experience through targeted e-mail links, we protect our Enterprise system in the event an unsuspecting user accidentally passes credentials to a bad actor. With multi-factor authentication, compromised credentials are useless. The bad actor still needs that extra factor to authenticate.

I have seen many different multi-factor authentication implementations using a variety of tools. Most of them are generic solutions retrofitted into PeopleSoft, and not built specifically for PeopleSoft. Occasionally I run into a multi-factor PeopleSoft retrofit written by someone that learned just enough about PeopleSoft to write a security "plugin" (Yikes!). If it were my system to protect, I would choose Appsian's Multi-factor Authentication. Appsian's product is deeply embedded in PeopleSoft, allowing us to protect sensitive information.

Social engineering is today's cyber crime threat vector. Strong password controls, secure networks, and education are critical to defending our systems, but can't protect against a well engineered social attack. It's time to do something about it.

Are you interested in learning more about PeopleTools and how you can protect your PeopleSoft implementation? Contact us to schedule your next PeopleTools training class.

PS: I really wanted to name this post PeopleSoft Social Security Attack Vector. You get it? PeopleSoft Social -- Security Attack Vector... oh never mind. You know what they say, "If you have to explain a joke..." ... and now you know why I titled it something different ;)


Srinivas said...

Hi Jim,
In the ongoing era of cyber threat this one is really a nice subject to discuss. MFA is a must have solution for PeopleSoft one should have now but I wonder if there comes a backdoor for attacking MFA as well. Moreover, I believe if we are already logged in using SSO or basic PeopleSoft login the link in your email will not ask for credentials again as the PS or SAML token can be utilized from Browser cache. Happy to discuss more on this !!
Dabir Srinivas Patnaik

Jim Marion said...

@Dabir, I completely agree. The latest attack on 2FA with texting is to steal phone service by convincing your wireless carrier that you, the attacker, are someone else and to port your number to a new phone (the attacker's phone). Today's solution is to avoid texting and voice for the second factor, but require a physical fob or an enrolled app.

Regarding SSO, if your users NEVER log into PeopleSoft, then this isn't an issue. The challenge is when a user isn't authenticated, so they are redirected to a login page. This gives the bad actor an opportunity for social engineering. In true desktop integrated sign-in, the user is pre-authenticated when authenticating to the desktop OS and there is no social engineering opportunity (Appsian sells this too).

With this in mind, yes, SSO with ADFS, OIM, OAuth, etc, are helpful, but anytime you have a sign-in page without another factor, users are at risk.

Waj said...


Nicely described and I totally agree with you on having an extra layer of security.