Knowing Your Risk
As the business world continues to evolve into a more technologically-dependent society, cybercrimes and privacy breaches are becoming unavoidable. Cyberterrorists and hackers are using the data obtained from these breaches to commit costly crimes against companies and individuals. Enterprise resource planning (ERP) applications, like the PeopleSoft system, tend to house confidential data and valuable trade secrets. Due to this, they are a common target for fraud, cyber espionage, and corporate sabotage.
Recent research indicates that this upward trend will not be subsiding anytime soon, as digitized information becomes increasingly available. Companies, especially those using PeopleSoft systems to manage their critical business processes, tend to be at a higher risk, as ERP systems house the applications and products. However, their IT landscapes have made the integration of sophisticated security measures almost impractical, despite their evolution throughout the years.
The Lasting Effects of Security Breaches
The PeopleSoft system has a complex and multi-layer security structure, making it difficult for organizations to manage. Statistically, most breaches occur within an organization, due to a lack of security controls. Maintaining visibility and keeping PeopleSoft systems updated helps to reduce the risk and avoid the costly effects of a breach.
Sentinel Software provides you with tools to easily identify and remove unauthorized access.
Outlined below are some of the many ways fraudsters have managed to find security loopholes within an organization.
Higher Education Breaches
PeopleSoft is a popular ERP solution for many universities and colleges. Its Campus Solutions suite of products allows students, faculty, and alumni to connect seamlessly using real-time data while offering a virtual global campus environment. Higher education institutions are extremely lucrative targets since they house and process personally identifiable information (including SSNs), applicants’ medical data, and payment instructions for students, alumni, and faculty. Cyber intruders were able to perpetrate the following data breaches:
- Florida A&M University – In 2004, a student at the university used keylogger software to gain access to the school’s Registrar’s system and alter over 90 students’ grades and important information. He made 650 changes and used personally identifiable information (PII) data that he obtained to commit identity theft and fraud.
- Harvard University – The IT system that serves eight Harvard schools and administrative organizations was breached in 2015. While they believed that no personally identifiable information was exposed, there were concerns that individuals’ Harvard login credentials, containing computer and email passwords, were breached. A second incident occurred in 2016, when 1,000 students, faculty, and staff received a phishing email requesting that they use the attached link to update their account information on a fake login screen. The hackers were intending to access the victims’ W-2 forms, which contained sensitive personal data.
- Miami University in Ohio – In the fall of 2012, two students hacked into the school’s management system and improved their grades for 17 classes as well as the grades of 50 additional students. They were trying to assist their friends as well as conceal their trail. They accomplished this by installing a keylogger device between the keyboard and computer, which recorded the keystrokes of teachers as they entered their passwords to log into the grading system.
- Ohio State University – The university detected that their server, housing around 760,000 records of PII for staff, students, applicants, as well as previous and current faculty, was fraudulently accessed. It was determined that no sensitive data was taken and that the incident therefore posed no risk of identity theft to the individuals involved. However, the university did incur $4 million in expenses for the management and remediation of the impact of the breach.
- Salem State University – The university’s breach emanated from a virus that infiltrated their Human Resources database, exposing the sensitive information of 25,000 staff and students.
- University of Nebraska in Lincoln – An undergraduate student at the University of Nebraska hacked into the university’s PeopleSoft system, exposing 654,000 students’ and employees’ confidential information. This included the exposure of 21,000 bank accounts.
- University of Wisconsin-Madison – A cybercriminal hacked into the Law School’s server and obtained the names, social security numbers, and applicant data of 1,213 individuals. The university responded by installing additional weakness detection software, inventorying their existing applications, and retiring the unnecessary ones, as well as implementing stricter database access controls.
- Anthem – The largest profit-driven health care company in the United States had their PeopleSoft system compromised in 2015 by hackers, exposing over 79 million patients’ PII and costing the company $115M in credit monitoring fees. It is believed that the hacker acted on behalf of a foreign government, and stole the unencrypted data over a period of a couple of weeks. The data was then sold on the black market.
- Broome County – Multiple employees responded to a phishing email at the end of 2018, resulting in the hacker gaining access to 7,048 of the employees’ human resource profiles, containing their personal health information. Some employees had their payroll bank account details fraudulently changed. Broome County added multi-factor verification and focused on staff training.
- Community Health Systems Inc. – The company operates 206 hospitals in 29 states, so when its ERP system was compromised in 2014, over 4.5 million individuals’ biodata and health records were exposed. The hackers originated from China and used advanced malware that was able to bypass the organization’s security system. Those patients who experienced fraud or identity theft as a result of the breach were compensated $5K.
- University of California Los Angeles (UCLA) – UCLA’s failure to adequately protect patient data cost them $7.5M as a result of a system compromise in 2014. The cyberattack exposed over 4.5 million patients’ data, including names, dates of birth, Social Security numbers, Medicaid or health plan identification numbers, and some medical data. Victims claimed that the institution failed to take additional measures to protect their PII at a time when other major health providers were also being hacked.
- University of Pennsylvania Medical Center (UPMC) – The hacker responsible for the 2014 PeopleSoft human resources database breach at UPMC was arrested and charged. He had sold the confidential data of the impacted employees on the darknet, where it was utilized to fraudulently claim $1.7M in tax refunds. Over $885,000 in products were purchased using Amazon gift cards, which were funded using the refund money. Most of the products were shipped to Venezuela, intended to be sold online.
- University of Utah Health – This organization has been the target of multiple breaches in 2020 alone, including the following:
  - Malware was discovered on an employee’s workstation in February, providing access to the confidential data of 3,670 patients.
  - In a phishing attempt between April and May, the cybercriminal gained access to an employee’s email account, resulting in the compromise of 2,700 patients’ PII.
  - On July 20th, the organization reported an email hack that impacted 10,000 patients’ information. At this point, they are still investigating the breadth of the data compromised.
- Marriott – The Marriott hotel chain experienced a significant data breach in 2018 that jeopardized the personal information of 500 million individuals. It was determined that the hotel chain’s reservation database was fraudulently accessed using the compromised credentials of a user who had admin privileges, and the encrypted confidential data was duplicated. Marriott experienced a second major breach in February 2020, this time impacting 5.2 million guests. The fraudsters accessed the system using the credentials of two franchise property employees.
- Morrisons – A disgruntled IT auditor at Morrisons abused his privileged access by downloading the confidential personal information of 99,998 employees onto a USB and posting this data to a file-sharing site and news agencies. The breach was identified by the organization in March 2014. The employees’ attempt to hold Morrisons liable was rejected by the court as it was determined the company had “adequate and appropriate controls” in safeguarding their data.
Costly Cyber Attacks
It is imperative that companies stay well versed on the latest cyber threats if they are looking to mitigate their losses from digital breaches. Cybercriminals tend to be unrelenting and innovative in their schemes to outmaneuver organizations’ latest security defense strategies.
Attacks are becoming more sophisticated, focused, and multi-phased, and are specifically engineered to circumvent perimeter security. ERP customers tend to be under the misperception that their ERP applications and PeopleSoft systems are impervious to attacks behind their firewall. This is untrue: an analysis of ERP breaches indicates that the use of valid credentials has been the primary source of these compromises. Perimeter security would therefore not have been effective in thwarting these violations. Just one compromised user is all it takes for your business-critical functions and data to be jeopardized.
Attacks can stem from any of the following methods:
- Distributed Denial of Service (DDoS) Attacks – This type of cyber attack aims to overwhelm the company’s server or network with a high volume of traffic to render the system inoperable. By diverting the focus of the organization, the attackers are able to steal data or install malware in the system.
- Social Engineering – Utilizes psychological manipulation to deceive your employees into disclosing confidential information which is then used to perpetrate some form of cybercrime. Attacks can be in the form of baiting, phishing, email hacking/spoofing, malware, or pretexting.
- Ransomware – Is malicious software that locks or restricts the use of your system until the ransom is paid. Victims range from large companies to individual consumers and can be quite profitable if thousands of people are impacted.
- Delayed Security Patch Updates – Security patches are periodic software updates that are released to address detected vulnerabilities in your ERP application. ERP architecture can be extremely complicated with layer-upon-layer of customized functionality, making deployment of the latest security patches challenging. Delays in applying these updates will leave your ERP ecosystem susceptible to malicious threats, and should, therefore, be kept up-to-date.
Since cyber attacks have evolved into multi-phased attacks, penetrating the security perimeter of internet-based ERP applications, consisting of firewalls and Intrusion Prevention Systems (IPS), is just the beginning. Organizations tend to primarily focus their security initiatives on perimeter breaches and not as much on critical business applications and data houses, which tend to be the definitive target of these attacks. Such a breach could result in delays in projects, unforeseen operational downtime, enhanced compliance requirements, and tainted brand credibility.
The following are examples of the invaluable information stored in data centers, which if compromised, can be costly:
- Personally Identifiable Information (PII) – Can be in the form of customer addresses, social security numbers, birthdates, phone numbers, email addresses, IP addresses, or login credentials, or basically any information that can be used to distinguish or impersonate an individual. Attackers can then utilize this data to perpetrate crimes in the victim’s name, like applying for credit cards, loans, or passports, or fraudulently filing income tax returns. This information can be sold on the Dark Web for up to $2000, or can also be peddled to companies for marketing or spamming campaigns. The cost of stolen PII to an individual doesn’t just have financial implications; it can also result in incalculable reputational damage as well as the loss of time as the victim works to reverse these losses.
- Personal Healthcare Information (PHI) – Is the medical data relating to an individual in the form of medical insurance, hospital records, and personal information, which can be used to purchase prescription drugs. According to the Center for Internet Security (CIS), $355 is the average cost to a healthcare agency for a patient’s compromised record, while it costs $158 for a non-healthcare related agency. Extensive medical records can sell for up to $1000 each on the Dark Web.
- Theft Of Intellectual Property And Confidential Business Information – Sophisticated hackers look for more than just individuals’ personal information to profit from. They know that stealing and selling trade secrets, copyrights, trademarks, or patent information from an organization can be a highly lucrative business. This is why your PeopleSoft system is an appealing target, since it’s a vault of such precious information. Theft of information like a product design or concept can occasionally be fatal to small and medium-sized businesses.
Companies can incur substantial remediation fees emanating from the breach as well as possible fines for non-compliance with regulatory statutes like HIPAA or Sarbanes-Oxley. According to a recent report, the average cost of a breach to a U.S. organization is $8.19 million with an average breach size of 32,434 records.
ERP applications and PeopleSoft systems were configured with elaborate business requirements to empower organizations to meet the needs of enhanced productivity, decreased cost of ownership, and increased business performance.
Since the underlying business rules and architecture are so complex, it has resulted in the following challenges and vulnerabilities in managing the PeopleSoft system:
- Internet Exposure – Since they are connected to the internet, PeopleSoft systems tend to be lucrative targets for hackers. System customizations make the application of critical patches (specifically formulated to remedy identified weaknesses) difficult without custom functionality. Even the lack of appropriate skills can hinder the application of essential security patches. Cybercriminals exploit these system vulnerabilities, taking advantage of the organization’s inability to maintain an up-to-date security environment.
- Reliance On Perimeter Security – The most significant threats to your PeopleSoft system are usually sinister intrusions, inadvertent privacy breaches, and unnecessary access permissions, which cannot be mitigated by perimeter security. These threats lie within your organization and cannot be neutralized by solutions focused primarily on your network perimeter. The new breed of firewalls focuses on preventing employees from accessing harmful applications outside of the organization but falls short of protecting internal data centers and applications.
- Inappropriate Access Rights – Organizations granting users inappropriate access rights is frequently one of the principal risks threatening the integrity of an ERP environment. Permissions should be provisioned according to the requirements of the user’s role, rather than carrying over permissions from another role. The onus lies with the organization to ensure appropriate access entitlements, thereby ensuring a more secure system through Segregation of Duties (SoD).
While it seems like the challenges of providing a secure PeopleSoft system are daunting, by maintaining proactive and dynamic security measures, companies can minimize such threats.
It is apparent from the numerous breaches detailed above, that organizations face a myriad of digital threats, for which a singular security solution would not be adequate. Companies that utilize ERP and PeopleSoft systems are primarily targeted due to the wealth of confidential and critical data that they house. It is therefore imperative that they employ a robust and comprehensive multi-layer approach to security, that includes proactive and reactive security measures.
There is a growing trend in organizations migrating their IT environments to a cloud platform. Previous apprehensions about inadequate security on the cloud are dissipating as companies realize that the benefits of cloud adoption far outweigh those of maintaining their ecosystem on-premises.
The Oracle Cloud is a computing service that offers applications, storage, network, and services that are managed by a network of Oracle data centers. It is designed to support mission-critical applications through a robust and powerful network and infrastructure within a cloud platform.
The Oracle Cloud Infrastructure provides the following benefits:
- Unlimited Storage
- High-Level Performance
- Low Operating Cost
- Advanced Data Protection.
By running your Oracle applications within the cloud platform, you gain the control to minimize overhead costs without disrupting the level of security of your data. Oracle Cloud Infrastructure allows enterprise customers to have full transparency and control over their PeopleSoft systems with confidence.
The cloud also offers the following enhanced security solutions for your cloud-hosted environment:
- Data Encryption
- Redaction Of Sensitive Application Layer Data
- Restriction Of Privileged-User Capabilities
- Subsetting Or Masking Of Data In Non-Production Environments
- Monitoring Of User Activities.
The default security settings on the Oracle Cloud ensure that your PeopleSoft system will only be accessible by your internal users and teams. You are therefore responsible for managing your PeopleSoft environment on the cloud unless you have a service provider like the Oracle Managed Cloud Services team.
There is no all-encompassing security system that would make your organization impervious to attacks. However, migrating your IT system to the cloud offers a more robust and dynamic security environment, that ultimately allows you to mitigate cyberattacks and minimize losses.