There’s a Lack of Native MFA in ERP/HCM Cloud.

Oracle released this article in March highlighting the top cybersecurity threats and how to prevent them. In the article, they highlight the number one risk as “Business Email Compromise (BEC).”

The article states “BEC is a type of phishing attack. Other phishing scams try to trick recipients into revealing passwords, providing credit card numbers, or clicking on malware links.”

The irony of the article is that Oracle’s ERP Cloud application does not support Multi-Factor Authentication (MFA) for “local accounts”. These are accounts not leveraging an organization’s SSO provider. Local accounts are very vulnerable to these types of phishing attacks.

The Cost of Ignoring the Issue

The article goes on to say “Between 2013 and 2022, BEC attacks cost organizations worldwide $51 billion, according to the US Federal Bureau of Investigation. Abnormal Security, an email security company, reports that in the first half of 2023, BEC attacks increased by 55% over the first half of 2022.”

This lack of MFA is a significant vulnerability where threat actors have learned to use phishing attacks to commit fraud. One organization we talked to at a recent conference was a victim of this scheme. In their case, users with Accounts not requiring MFA (local accounts) gave up their credentials. The result? Threat actors used those credentials to commit fraud.

The risks associated with phishing attacks vary based on the role(s) assigned to the user. In some cases, the risk is inherent to the activities related to that user. In other cases, additional risks are caused by poorly designed controls. For ERP/HCM Cloud, overprovisioning occurs in nearly 100% of all seeded roles. We, and others, have been requesting Oracle remove high risk unnecessary privileges from seeded roles. Some changes have been implemented. One critical example of a recent change relates to the seeded Employee role. This role once contained a powerful API, the ability to upload files for processing via interfaces, and several powerful interface privileges which could easily lead to fraud.

Why is There a Critical Need for Fully Customized Roles?

Unfortunately, for the most part, system integrators (SI) are ill-equipped to identify and address these issues as part of the implementation. Why? Because the custom roles they use often have roles built on the principle of least privilege after going live. The only exception we’ve seen is when an SI has a very mature Center of Excellence dedicated to this issue. This is extremely rare. In fact, we have yet to evaluate an instance after go-live which doesn’t need significant remediation of roles – even where a large SI with a Center of Excellence has deployed their roles.

Even, if at the point of ‘going live’, the roles have had permissions removed, another risk still exists. Unless roles are fully customized through and through, the roles can be updated by the quarterly patch. This introduces new high-risk privileges over time. Most organizations cannot fully identify the new privileges each of these quarterly patches brings.

All Software as a Service Systems Are at Risk!

While this article focuses on Oracle’s cybersecurity article, these same risks exist for all SaaS applications including NetSuite, Workday, and Salesforce. The ‘bias’ in the System Integrator industry is towards using as many seeded roles as possible. Using fewer seeded roles reduces the complexity of the project and introduces new functionality from the software vendor. Simply put, the bias of most System Integrators is leading organizations to greater risks over time. Which is due in part by the use of seeded roles and partially customized roles versus using fully customized roles.

So, What Now?

ERP Risk Advisors helps organizations address these risks during the implementation through our extensive library of pre-built fully customized roles. Our roles for ERP/HCM Cloud are risk-reduced and licensed-optimized. We offer management the option to have us integrate with the project. This causes minimal impact and disruption to the SI’s efforts in getting you live on-time and on-budget. We also offer partnerships with SI’s who understand the insanity behind doing something repeatedly and expecting different results. By helping SI’s and their clients have a Secure and Compliant implementation, through the deployment of our custom roles and other services, we are able to reduce risks related to cyber security, compliance, data security, fraud, and operations.

If you want more information about how we can help address the risks addressed by Oracle in this article, contact us here.