PeopleSoft Campus Solutions Business Risks
What kind of malicious actions can cybercriminals perform if they get access to PeopleSoft via one or another vulnerability? The CIA well-known triad (Confidentiality, Integrity, and Availability) is used to manage cybersecurity. As for ERP Systems, these terms transform into Espionage, Sabotage, and Fraud, which are considered as the main risks.
PeopleSoft Campus Solutions is a comprehensive suite for Universities. The application consists of a number of functional modules:
- Academic Advisement
- Campus Community
- Recruiting and Admissions
- Contributor Relations
- Financial Aid
- Recruiting and Admissions
- Student Financials
- Student Records
Each module can be advantageous to attackers.
A perpetrator can exploit one of the vulnerabilities, e.g. PeopleSoft Jolt Vulnerability in Oracle Tuxedo, and get full access to PeopleSoft system. What can be done next? We will consider PeopleSoft Campus Solutions in the light of Espionage, Sabotage, and Fraud to find it out.
Let’s look at potential attack vectors and some examples.
What exactly can a malefactor obtain?
- Financial information (e.g. Financial reports, Financial Aid, Student Financial details, student budgets)
- Contributor Relations data (e.g. strategic and cultivation activity plans, Contributor Relations Reports)
- Student data (e.g. contacts, personal records, credit cards, and other sensitive info)
- Information about recruiters (e.g. their role, the types of students they work with, the regions they serve)
Examples of espionage
Let’s look at some examples of what a malicious person can get in PeopleSoft Campus Solutions:
- Student Budget Summary page (STDNT_BUDGET_SUMM Definition Name, navigation – Financial Aid, Budgets, View Student Budget Summary, Student Budget Summary):
- Award Activity page (STDNT_AWRD_ACTV Definition Name, navigation – Financial Aid, Awards, View Award Activity, Award Activity):
- Student’s originated loans for a selected aid year in Origination Student Summary page (LOAN_ORIG_SUMM Definition Name, navigation – Financial Aid, Loans, View Originated Loans, Origination Student Summary):
There are several categories of attacks depending on their focus and aim:
- Academic requirements (e.g. increase or decrease the requirements)
- Process (e.g. significant reduction of service and deliverability)
- Students (e.g. mass admission of students or delayed awards disbursed)
- Finances (e.g. tampering with financial reports, manipulation of credit and financial aid limits)
- Reputation (e.g. official websites, technical support service, students compliance violations)
- Data (e.g. destruction or encryption of critical data about students, applicants, education strategy etc.)
Examples of sabotage
An attacker can change academic requirements using Pages to Set Up Academic Requirements in Define Academic Requirements component (ACADEMIC_REQUIREMENTS Definition Name). In this case, none of the students would be able to meet them in order to graduate or, on the contrary, all of them would.
- Financial aid fraud (e.g. falsification of financial aid data to spend more money when it’s not required)
- Grade fraud (e.g. change student grades)
- Recruiting and Admissions fraud (e.g. admit an applicant as a student)
- Student financial fraud (e.g. reduction of tuition fees)
- Financial Reports embezzlement (e.g. tampering with costs of tuition)
Examples of fraud
Let’s look at specific examples in more details.
Suppose, a student wants to save money and is looking forward to receive a grant to pay for tuition. In this case, they can use Financial Aid. For example, a perpetrator gets creds with administration roles, logs in and disburse financial aid manually for themselves. Here, Disburse Aid (STDNT_DISB_PROCESS Definition Name) or Disburse Aid with Override (STDNT_DISB_PROC_WO Definition Name) pages can be used:
You can’t defend your business if you don’t know what threats are coming your way. I hope, this article helped to shed light on the various risks associated with Espionage, Sabotage, and Fraud attacks on PeopleSoft Campus Solutions. We recommend you to apply the latest patches for Peoplesoft or at least one that closes JoltandBleed vulnerability. Also, consider checking the latest patches for Oracle Applications quarterly. Subscribe to our newsletter and follow us on Twitter to get the latest information about each CPU update published by Oracle.