Just Another Day and Another Breach… This Time on Dish Network
Blog Article by Jeff Hare
ERP Risk Advisors comments on the Dish TV breach: Another day… another breach
“Satellite TV giant, Dish Network, confirmed a recent outage was the result of a cyberattack and admitted data was stolen.”
While we do not know the details of what caused the breach, it reminded us of the significant cyber risks organizations face when using Oracle E-Business Suite's internet-facing applications. Oracle has built several applications for external parties to maintain data, such as iProcurement, iSupplier, and Employee Self-Service.
There are several known vulnerabilities that would allow a threat actor to gain full DML/DDL privileges, equivalent to those of the APPS database user. One common vulnerability is the use of encrypted (reversible) passwords rather than hashed passwords. We have covered this risk many times with our partner, Integrigy. See our recorded webinar on this topic here:
Oracle's Support Note 457166.1 has a more in-depth discussion of the risk of continuing to use encrypted passwords. Unfortunately, most organizations have not recognized the need to migrate from encrypted passwords to hashed passwords. This migration process is not included in normal database or application patches, and as a result about 90% of our clients have not run it.
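The difference the article is pointing at, shown as an added example that is not part of the original post and not Oracle's, Integrigy's or ERP Risk Advisors' code: a reversibly encrypted password store can be read back in bulk by anyone who obtains the application's key (which an attacker with APPS-level database access effectively has), whereas a salted hash can only be verified, never recovered. The reversible scheme below (HMAC-SHA256 in counter mode as a toy stream cipher) is a simplified stand-in, not the E-Business Suite algorithm; the user names, passwords and key are constructed, and PBKDF2 is used as the illustrative one-way scheme. The `migrate_to_hashed` function mirrors the idea of a one-time migration, not the actual Oracle utility.

```python
import hashlib
import hmac
import os

# Constructed example: a single key held by the application tier so that it
# can decrypt stored passwords. Simplified stand-in for a reversible scheme,
# NOT Oracle EBS's real algorithm.
APP_KEY = b"constructed-application-tier-key"
NONCE_LEN = 16
PBKDF2_ITERATIONS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream with HMAC-SHA256 in counter mode (toy stream cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_password(password: str, key: bytes = APP_KEY) -> bytes:
    """Reversible storage: nonce || (password XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    plain = password.encode("utf-8")
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher


def decrypt_password(blob: bytes, key: bytes = APP_KEY) -> str:
    """Whoever holds the key recovers the cleartext directly; no guessing is needed."""
    nonce, cipher = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return plain.decode("utf-8")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """One-way storage: salted PBKDF2-HMAC-SHA256, encoded as algo$iter$salt$digest."""
    salt = os.urandom(NONCE_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table (names and passwords are made up), stored reversibly.
SAMPLE_CLEARTEXT = {"SYSADMIN": "Welcome1", "JSMITH": "Spring2023!", "APPROVER": "Oracle123"}
SAMPLE_USERS = {user: encrypt_password(pw) for user, pw in SAMPLE_CLEARTEXT.items()}


def recover_all(users: dict, key: bytes = APP_KEY) -> dict:
    """What a holder of the key gets from a reversible store: every password at once."""
    return {user: decrypt_password(blob, key) for user, blob in users.items()}


def migrate_to_hashed(users: dict, key: bytes = APP_KEY) -> dict:
    """One-time migration: decrypt each stored password and store a salted hash instead.
    Afterwards the key alone yields no cleartext, and only verification remains possible."""
    return {user: hash_password(decrypt_password(blob, key)) for user, blob in users.items()}


if __name__ == "__main__":
    print("recoverable with the key:", recover_all(SAMPLE_USERS))
    hashed = migrate_to_hashed(SAMPLE_USERS)
    print("after migration:", {u: h[:40] + "..." for u, h in hashed.items()})
    print("SYSADMIN still logs in:", verify_password("Welcome1", hashed["SYSADMIN"]))
```

The point for an audit is the shape of the stored value, not the strength of the cipher: as long as the store is reversible, the key is a single secret whose compromise exposes every account, which is why the migration to hashed passwords belongs in the ITGC scope alongside patching.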
Additionally, organizations frequently fail to secure or monitor risks related to SQL injection at the application tier. Even when E-Business Suite is not internet facing the risk of SQL injection is a significant risk organizations should address for insider threats. Oddly enough, most external auditors don’t audit either of these risks. Both should be included in their ITGC audit. We have stressed in our training to the PCAOB that these risks should be addressed as part of the audit from a fraud and cyber security perspective.
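An added example, not from the original post and not E-Business Suite code, of the application-tier SQL injection pattern the paragraph refers to: the same supplier lookup written with string splicing and with a bound parameter, plus a small trace hook that records the SQL text actually executed, which is the kind of evidence an audit or monitoring control would review. The in-memory SQLite table, supplier names and bank account values are constructed.

```python
import sqlite3

# Constructed in-memory table standing in for an external-facing lookup
# (for example a supplier search). All rows are made up.
SUPPLIER_ROWS = [
    (1001, "Acme Widgets", "GB00-1111"),
    (1002, "Globex Supply", "GB00-2222"),
    (1003, "Initech Parts", "GB00-3333"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT, bank_account TEXT)")
    conn.executemany("INSERT INTO suppliers VALUES (?, ?, ?)", SUPPLIER_ROWS)
    return conn


def find_supplier_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so the input can
    change the structure of the query rather than just the value compared."""
    sql = f"SELECT id, name FROM suppliers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_supplier_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound as a parameter and is only ever a value."""
    return conn.execute("SELECT id, name FROM suppliers WHERE name = ?", (name,)).fetchall()


def executed_statements(conn: sqlite3.Connection, lookup, name: str) -> list:
    """Monitoring hook: capture the statement text the database actually ran,
    the same sort of record a database audit trail would keep for review."""
    seen = []
    conn.set_trace_callback(seen.append)
    try:
        lookup(conn, name)
    finally:
        conn.set_trace_callback(None)
    return seen


if __name__ == "__main__":
    db = build_db()
    # Textbook tautology probe, used here only to show the two functions diverge.
    probe = "x' OR '1'='1"
    print("vulnerable, normal input:", find_supplier_vulnerable(db, "Acme Widgets"))
    print("vulnerable, probe input: ", find_supplier_vulnerable(db, probe))
    print("safe, probe input:       ", find_supplier_safe(db, probe))
    for stmt in executed_statements(db, find_supplier_vulnerable, probe):
        print("executed:", stmt)
```

In the vulnerable version the probe returns every supplier row, including accounts the caller has no business reading; the parameterized version returns nothing because the whole string is compared as a name. The trace output is where monitoring earns its keep: a reviewer who sees an `OR '1'='1'` predicate in an executed statement has direct evidence that input reached the SQL text unparameterized, whether the caller was outside the firewall or an insider.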
We wrote an article on this topic recently:
We won't rehash the details here, but we would be happy to discuss its implications for cyber security risks via a call or virtual meeting.
To schedule a meeting to continue the conversation, please contact us here: https://www.erpra.net/contact-us/