Posts

Online Security Tips While Working Remotely During Quarantine

While many businesses across the nation are closing office doors, many people are going to be experiencing working remotely for the next several weeks. As you get your work-at-home stations set up, be mindful of the following things to keep your personal and company information secure.

  • Know your cybersecurity basics – Make sure your software is up to date, a security or anti-virus program is installed (Malwarebytes is a popular free option), and every device and app is protected by a password.
  • Secure your home network – Turn on encryption (WPA2 or WPA3) on your home router. Encryption scrambles the information sent over your network so outsiders can’t read it. As a reminder, make sure your router software is up to date.
  • Keep an eye on your laptop – This matters even when you work from home, live with roommates, or use a shared workspace. Never leave your laptop unattended and unlocked. Pets, kids, family members, roommates – anyone can accidentally mess up your programs if you leave your laptop lying around.
  • Securely store sensitive files – Not everything you bring from work is stored on a laptop. If you have printed sensitive documents, make sure to properly and securely store these documents in locked drawers. Remember, this is sensitive material and although your kids probably don’t understand your work, you must treat your “home office” the same way as your actual office and make sure sensitive company information is secure.
  • Dispose of sensitive data securely – You may have someone who properly disposes of sensitive documents at your office, but not at home. Make sure to shred anything you throw away that contains work-related information.
  • Follow your employer’s security practices – Employers who sent their workers home most likely gave a set of guidelines for the remote work for the next few weeks. Your home is now an extension of your office. So, follow the protocols that your employer has implemented.

To learn more ways to stay on top of cybersecurity, visit the FTC website here


Lawson Security – The Theory of Greatest Privilege Access Explained

When Lawson left LAUA security, it redesigned its hierarchical security as follows:

  • Roles
    • Classes
      • Tokens (or rules)

All of these have followed the theory of greatest privilege access since v9.


What does this mean?

In its simplest form, it means that if an ALL_ACCESS rule and a DENY_ACCESS rule both apply within the same class or role, ALL_ACCESS wins and access is granted.


Real world example:

Problem: Say you wanted to grant a user access to view an AP form but noticed that the form itself shows a vendor’s number under the TAX ID field.


If a vendor does not have a vendor number, their social security number is typically used instead, and it is entered in the TAX ID field, which is a field on the APVENMAST table.


If we set DENY_ACCESS on the TAX ID field within APVENMAST as shown below:

When the user loads the AP form up again, that field will appear blank or greyed out.


Let’s say this user eventually takes on newer tasks and gets a new role assigned to them to submit requisition orders and this newly assigned access inadvertently grants ALL_ACCESS to the APVENMAST table.

This new access overrides the DENY_ACCESS set on the TAX ID field, so the user can once again see the TAX ID field, revealing sensitive information such as a vendor’s social security number.
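The precedence described above, modelled as an added example (not Lawson or Infor code): a small evaluator of roles, classes and rules in which ALL_ACCESS always wins, plus an audit that lists every field-level DENY_ACCESS cancelled out by an ALL_ACCESS elsewhere in the user's roles. The role, class and field names (AP_VIEWER, REQ_SUBMIT, VENDOR_VNAME, TAX_ID) are constructed, and treating "no rule at all" as no access is an assumption.

```python
from dataclasses import dataclass, field as dc_field
from typing import Dict, List, Optional

ALL_ACCESS, DENY_ACCESS, NO_RULE = "ALL_ACCESS", "DENY_ACCESS", "NO_RULE"

@dataclass(frozen=True)
class Rule:
    """A token: the access a class grants on a table, or on one field of it."""
    table: str
    access: str
    column: Optional[str] = None  # None = the rule covers the whole table

@dataclass
class Role:
    name: str
    classes: Dict[str, List[Rule]] = dc_field(default_factory=dict)

def _covering_rules(roles, table, column):
    return [(role.name, cls, r) for role in roles for cls, rules in role.classes.items()
            for r in rules if r.table == table and r.column in (None, column)]

def effective_access(roles, table, column):
    """Greatest privilege wins: one ALL_ACCESS covering the field, directly or via
    the whole table, beats every DENY_ACCESS no matter which role or class holds it."""
    decisions = {r.access for _, _, r in _covering_rules(roles, table, column)}
    if ALL_ACCESS in decisions:
        return ALL_ACCESS
    return DENY_ACCESS if DENY_ACCESS in decisions else NO_RULE  # assumed: no rule, no access

def overridden_denies(roles):
    """Audit: every field-level DENY_ACCESS that some ALL_ACCESS in the same set of
    roles cancels, with the role/class pairs doing the cancelling."""
    findings = []
    for role in roles:
        for cls, rules in role.classes.items():
            for r in rules:
                if r.access == DENY_ACCESS and r.column is not None:
                    winners = [(n, c) for n, c, x in _covering_rules(roles, r.table, r.column)
                               if x.access == ALL_ACCESS]
                    if winners:
                        findings.append((role.name, cls, r.table, r.column, winners))
    return findings

# Constructed scenario from the post (role, class and field names are illustrative).
AP_VIEWER = Role("AP_VIEWER", {"AP_FORMS": [
    Rule("APVENMAST", ALL_ACCESS, "VENDOR"), Rule("APVENMAST", ALL_ACCESS, "VENDOR_VNAME"),
    Rule("APVENMAST", DENY_ACCESS, "TAX_ID")]})
REQ_SUBMIT = Role("REQ_SUBMIT", {"REQUISITIONS": [Rule("APVENMAST", ALL_ACCESS)]})
```

With only AP_VIEWER, effective_access on TAX_ID returns DENY_ACCESS; adding REQ_SUBMIT flips it to ALL_ACCESS, and overridden_denies names REQ_SUBMIT/REQUISITIONS as the rule that cancelled the deny.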


I hope this helps when designing your security for employees.

Landmark Security Access

To maintain Landmark Security (classes and roles), open the Gen environment in Rich Client and go to Start > Configure > Security. If you don’t see Security or Configure in the menu, ask your Security Administrator to give you access. The Infor-delivered role for this is “ConfigConsoleSecurityadmin_ST”. Have that role added to your account and wait about 30 minutes for the sync to complete.

Configure LBI for ADFS

When you configure LSF for ADFS, you will also need to change your LBI configuration so that users can access LBI with their userPrincipalName (username@company.com).

First, ensure that you have a user in Lawson Security where RMID = SSOP = UPN (userPrincipalName). The RM user that LBI uses to search LSF for users must have an account where RMID and SSOP match. It is recommended that you create a new AD user for this purpose (such as lbirmadmin).

Add the new user to Lawson, ensuring that the ID and SSOP values both use the UPN (lbirmadmin@company.com). Also make sure the new user is in the appropriate LBI groups for LBI access.

The next change is in the sysconfig.xml file located in <LBI install directory>/FrameworkServices/conf. The ssoRMUserid should be the UPN of the LBI user created above. After you make these changes, restart the application server, clear the IOS cache in Lawson, and try logging into LBI.

5 ways to properly secure new technology

Database errors and security breaches have increased significantly in recent years. With data migration, vulnerability to error and hacking is a great risk. “We have seen a large number of breaches and failures due to human error,” says Robert Reeves, Co-founder and CTO of Datical. Oftentimes people underestimate the risk and lean so heavily on “technology” that they believe it leaves no room for error, yet mistakes still happen. Reeves emphasizes the need to automate security and system standards to eliminate (or significantly decrease) human error. Below are five recommendations on how to ensure that new technologies and systems are properly automated and secured:

How to Reduce ERP Security Risks

Because of the massive amounts of valuable data stored in them, enterprise resource planning (ERP) systems are a huge target for attackers. Thanks to technology, most ERP systems are prepared for these attacks, but there are a few things you can do to help keep hackers out as well. Sean Michael Kerner, senior editor at eWEEK, and Onapsis CTO JP Perez-Etchegoyen share what is behind ERP breaches and provide additional insight. When looking at ERP breaches, there are two things to consider: how the attacker got in and what they do once they have access. According to Perez-Etchegoyen, most people will not notice an ERP breach after an attacker has already gained access. Below are a number of things that organizations can and should do to limit the risk of attacks and improve ERP security:

  • Basic hygiene – find and fix vulnerabilities through patching or configuration changes
  • Define secure configurations
  • Repeatable processes – automate best practices for ERP updates
  • Manage and monitor the environment

These basic maintenance steps for your ERP systems can reduce the risk of becoming a target, securing your data and giving you more peace of mind.


What is ADFS?

There has been a lot of confusion in the Infor client community lately over what ADFS is and what the impact of implementing it will be on the organization as a whole.
Active Directory Federation Services (ADFS) is a Microsoft solution created to facilitate single sign-on (SSO). It gives users authenticated access to applications like Lawson without their password ever being provided to the application.
ADFS handles user authentication through a service that sits between Active Directory and the target application. It grants access to application users by means of a federated trust. Users then authenticate through single sign-on without having to do so on the application itself. The authentication process is usually as follows:
1) The user navigates to the Lawson URL
2) The unauthenticated user is redirected to the ADFS service
3) The user signs into ADFS
4) ADFS service authenticates the user via the Active Directory
5) The user is then given an authentication claim (in the form of a cookie) by the ADFS
6) The user is forwarded to the Lawson application with the claim which either grants or denies access based on the federated trust service
Note: The Lawson server never sees the password, which in the case of external applications (such as a cloud implementation) is a lot more secure.

What are some drawbacks of implementing ADFS?

Although ADFS is a new requirement, it comes with a few small drawbacks that you should consider:
– The additional server license and maintenance – You will need an additional server (likely one per environment) to host ADFS
– ADFS is actually somewhat complex and this new skill set can create a new challenge for smaller clients who aren’t already using ADFS for other applications
– A standard ADFS installation is not all that secure and several steps should be taken to ensure good security. Microsoft provides these best practices recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
There is also a great free e-book published by Microsoft about claims-based identity and access control: https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff423674(v=pandp.10)
To find out more about ADFS and how it can impact your organization, join our webinars or contact us.

BlackBerry becomes a HIMSS Analytics certified consultant on infrastructure

The once widely popular smart business phone maker is still around, and will become a valuable asset to hospital infrastructures. BlackBerry has signed on as a HIMSS Analytics Certified Consultant and will help guide healthcare organizations through the HIMSS Infrastructure Adoption Model (INFRAM). INFRAM is an eight-stage model (0 – 7) that allows healthcare IT leaders to map the technology infrastructure capabilities needed to reach their organization’s clinical and operational goals, while also meeting benchmarks and industry standards. Sara Jost, global healthcare industry lead at BlackBerry, says that “BlackBerry will assess vulnerabilities in a hospital’s infrastructure, devices, and configurations, using a wide range of penetration testing, social engineering techniques, and physical security assessments.” Even though BlackBerry has become less relevant in the mobile phone market, the company’s cybersecurity business is still very strong and in demand. HIMSS Analytics Executive Vice President Blain Newton says, “With BlackBerry’s deep cybersecurity expertise and footprint in highly regulated industries we’re confident that having BlackBerry at the table will ensure the INFRAM is the gold standard for running a scalable and secure organization.”


Infor Achieves FedRAMP Authorization

After rigorous review, Infor Public Sector has officially received the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) status. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. With this authorization, Infor can now offer Infor Government SaaS (IGS) cloud-based solutions, including Infor Enterprise Asset Management (EAM) applications, to U.S. federal agencies. Wayne Bobby, vice president, Infor Federal, states, “This is a milestone Infor is proud to reach, but as a company we are still committed to innovating and developing cloud technology that can evolve to address simple migration paths, elevated user experiences, continuous process improvements on a resilient platform, and a SaaS solution architected for the Internet.”



Certificate chaining error

During an LSF outage, we checked the latest logs and saw that security_authen.log had been updated. It showed a number of errors saying that a certificate was not trusted. We checked the trusted certificates and saw that the certificate and its related certificates were all trusted. So why was the error returned?

Scroll further down the log list to ladb.log. You may see a “GEN failed” message there. Verify that the GEN database really is available by connecting to it directly with a database utility such as SQL Studio. Then verify that the GEN database connection info in LAWDIR\gen\MICROSOFT is correct. If you are using SERVICENAME to look up the password, try commenting out the service name, putting the id/password in the file instead, and securing the file. Restart the server and test the portal.


SECURITY_AUTHEN.LOG

Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=PKIROOT-01-CA is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
    at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:278)
    at com.ibm.jsse2.util.f.a(f.java:14)
    … 68 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
    … 71 more


LADB.LOG
DBDataAreaFactory_1 Create of kind “GEN” failed.
java.lang.UnsatisfiedLinkError: com/lawson/rdtech/db/api/DBJni.jniTsDBConnect(I)Ljava/lang/Integer;


MICROSOFT
#LAWGATENAME=msfdb2000
DBSERVER=lawdbserver
DBNAME=LAWGEN
#SERVICENAME=DBGEN
LOGINNAME=lawson
PASSWORD=lkaj7fde#%&hdsw
SCHEMA=dbo
FILEGROUPS=FALSE
#DEBUG=TRUE
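The triage in this post, as an added example that is not part of the original: a parser for the LAWDIR\gen\MICROSOFT key/value file (a “#” is only a comment at the start of a line, so a password containing “#” survives intact), a check of which credential path is active, and a log triage that ranks the GEN failure in ladb.log ahead of the certificate error. The log and config samples are constructed from the excerpts above with a made-up password; the function names are my own.

```python
import re

def parse_lawson_db_config(text):
    """Parse a LAWDIR\\gen\\MICROSOFT-style KEY=VALUE file. Only a '#' at the
    start of a line is a comment; a '#' inside a value (common in passwords) is data."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        keys[k.strip()] = v.strip()
    return keys

def credential_path(cfg):
    """Which of the two credential paths the post mentions is active."""
    if "SERVICENAME" in cfg:
        return "servicename:" + cfg["SERVICENAME"]
    if "LOGINNAME" in cfg and "PASSWORD" in cfg:
        return "inline:" + cfg["LOGINNAME"]  # plaintext password: lock the file down
    return "none"

def innermost_cause(log_text):
    """The last 'Caused by:' line of a Java stack trace is the real exception."""
    causes = re.findall(r"Caused by: (.+)", log_text)
    return causes[-1].strip() if causes else None

def triage(authen_log, ladb_log):
    """Order findings as the post does: a GEN data-area failure in ladb.log is
    checked before the certificate error, which turned out to be a symptom."""
    findings = []
    if re.search(r"Create of kind .GEN. failed", ladb_log):
        findings.append("ladb: GEN failed - verify DB and LAWDIR\\gen\\MICROSOFT")
    if "Certificate chaining error" in authen_log:
        findings.append("authen: certificate chaining error (may follow the GEN failure)")
    return findings

# Constructed samples modelled on the log and config excerpts in the post.
AUTHEN_SAMPLE = """Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=PKIROOT-01-CA is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
"""
LADB_SAMPLE = 'DBDataAreaFactory_1 Create of kind "GEN" failed.\n'
MICROSOFT_SAMPLE = """#LAWGATENAME=msfdb2000
DBNAME=LAWGEN
#SERVICENAME=DBGEN
LOGINNAME=lawson
PASSWORD=s3cret#%&value
"""
```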


PORTAL