6 Most Surprising SharePoint Security Risks

© 2014 Imperva, Inc. All rights reserved.

The 6 Most Surprising SharePoint Security Risks Webinar

Confidential 1

Carrie McDaniel - Product Marketing Manager, SharePoint Security


Agenda

Confidential 2

§ Discuss 6 of the most surprising SharePoint risks •  An example of each risk •  Ways to mitigate these threats

§ Newly released, supporting research


Carrie McDaniel – SharePoint Security Team

3

§ Product Marketing Manager for File Security; focus on SharePoint security

§ Previously held product marketing position at Moody’s Analytics in San Francisco

§ Past experience in finance and tech industries at Wells Fargo and NetApp

§ Holds degrees in Marketing and French from Santa Clara University

© 2014 Imperva, Inc. All rights reserved. Confidential 4

Web applications remain the proverbial punching bag of the internet. They’re beaten in one of two ways: by exploiting a weakness in the application or by using stolen credentials to impersonate a valid user. Many of the attacks in our 2013 dataset targeted off the shelf content management systems…

2014 Verizon Data Breach Investigations Report


SharePoint Architecture

Confidential 5

Web Servers

Application Servers

MS SQL Databases


SharePoint Components Hit Hard in 2013

Confidential 6

35% of data breaches resulted

from web application attacks.

88% of all incidents reported were due to

privilege abuse.

Out of all corporate assets, 25% of data

was stolen from databases.



Reasons Why This is Happening

Confidential 7

Only 42% audit external SharePoint

access.

76% grant non-employee

SharePoint access.

Only 7% run SharePoint access

logs.

Dimensional Research. SharePoint and Security Survey. December 2013.


SharePoint Security Risk 1

Confidential 8

Insider Threats


Critical Data is Stored in SharePoint

Confidential 9

Regulated

Sensitive



The Insider Threat is Multifaceted

Confidential 10

1.  Insiders steal data by abusing excessive privileges 2.  Users are compromised, and privileges are escalated

“…taking advantage of the system access privileges granted by an employer and using them to commit

nefarious acts – tops the list.” 2014 Verizon Data Breach Investigations Report

Administrators hold the keys to the kingdom.


SharePoint is Complex; Permissions are Challenging

Confidential 11

HR Site

Finance Site

Engineering Site

IT Contractor

HR Employee Engineer


Conclusions on Insider Threats

Confidential 12

1.  Organizations must have a centralized view of file and folder permissions across the SharePoint platform.

2.  Preventing data access based solely on an ACL-based security model is ineffective.

•  Insiders are getting around these controls

3.  Monitor, monitor, monitor.



Confidential 13

Ineffective Log Management


Companies Not Monitoring SharePoint File Access

Confidential 14

However: •  29% of organizations do

not use SharePoint access logs

•  64% run them monthly

Dimensional Research. SharePoint and Security Survey. December 2013.

Facts:

•  76% of organizations allow non-employees access to SharePoint

•  The majority are worried about unauthorized access from the general public and partners


SharePoint’s Access Logs Have Challenges

Confidential 15

1.  Not typically turned on. 2.  Audit logs accumulate volumes of

unnecessary data. 3.  Logs are cyclic, and rollover quickly. 4.  No separation of duties. 5.  Not auditor-ready.


Conclusions on SharePoint Log Management

Confidential 16

1.  Organizations need to record all access across the web, content and database layers of SharePoint.

2.  Monitoring must occur in real-time to ensure data security.

3.  Auditors need to ensure that appropriate data controls are in place, no matter where it’s stored.



Confidential 17

Vulnerabilities in Third-party Code


More than half of organizations use or are “…planning to use third-party add-on

products in order to enhance functionality.

Only a third thinks they will stick with the vanilla product.”

AIIM 2012 Industry Watch Survey

Nowhere is this exploited on a larger scale than in Content Management Systems (CMS)…and even then, more in the added plugins than the core CMS code itself.

2012

2013



Add-ons Defined

Confidential 19

Plug-in

A software component that adds additional functionality to the larger SharePoint system.

Example: SharePoint Outlook Integration

Web Part

A stand-alone application that is embedded into SharePoint that pulls in useful information from other Websites.

Example: Twitter feed

Optimus.com


Convenience

Collaboration

Productivity

Ease-of-use

© 2014 Imperva, Inc. All rights reserved. 21

3rd Party

According to Veracode: •  “Up to 70% of internally developed code originates outside of the

development team” •  28% of assessed applications are identified as created by a 3rd

party

Confidential


IT and security teams should always assume that third-party code present in SharePoint applications contain significant vulnerabilities.

You can’t fix code you don’t own.

Organizations won’t be protected until that third-party addresses the

vulnerabilities.

What’s the risk?

© 2014 Imperva, Inc. All rights reserved. 23

OWASP Top 10 – 2013 Update

New, A9 - Using Known Vulnerable Components

Confidential


Classic Web Site Hacking

Confidential 24

Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit

Single Site Attack


Classic Web Site Hacking

Confidential 25

Hacking

1.  Identify Target 2.  Find Vulnerability 3.  Exploit

Hacking


Hacking


Hacking


Hacking


Multiple Site Attacks


SharePoint Application Hacking

Confidential 26

Hacking

1.  Identify add-on 2.  Find Vulnerability 3.  Exploit


Imperva’s Take: Vulnerabilities in Third-party Code are Inevitable

Confidential 27

Photo Credit: cnet.com



Confidential 28

Data Leakage


Global Site

Sensitive Data Leakage Often Occurs Accidently

Confidential 29

§  Simple SharePoint misconfigurations can expose corporate data

Head of Finance

Finance Site

HR Site

Sales Site


Global Site

Sophisticated Search Tools Can Uncover Sensitive Data

Confidential 30

§  Google capabilities like Indexed FTP, Search by Image, and Table Search offer new ways to discover and extract data

Web User

Finance Site

HR Site

Sales Site


Conclusions on SharePoint Data Leakage

Confidential 31

1.  Organizations need tight controls over the content being served by SharePoint.

2.  Implementing security policies that check for outgoing data can help prevent leakage.

3.  As part of your security strategy, put a process in place to validate the content accessible via your SharePoint web servers.



Confidential 32

Targeted Attacks / Phishing


Attackers Pull Data From Websites for Use in Targeted Attacks

Confidential 33

§  Site scraping – not just for undercutting competitor’s prices and republishing Website listings

80% of the Fortune 500 are using SharePoint

Source: www.topsharepoint.com


Conclusions on Phishing and Targeted Attacks

Confidential 34

1.  Companies can protect their brand by protecting against site scrapers.

2.  It’s difficult to distinguish site scrapers from legitimate users; proactive detection must be in place.

3.  Organizations can rely on malicious source IP address feeds to protect against site scraping.



Confidential 35

Unauthorized Access to the Microsoft SQL Database


An Overlooked SharePoint Security Risk

Confidential 36

Databases and file servers, both repositories of so much valuable information, are targeted regularly…

Admins unknowingly make unsupported database changes.

Malware-compromised insiders access the

database. Malicious insiders target

the database.



Conclusions on Unauthorized Database Access

Confidential 37

1.  The SharePoint SQL database holds the crown jewels, and must be protected from abuse.

2.  Even unintentional changes can have a broad security impact on the SharePoint system.

3.  Monitor, monitor, monitor.


Reduce Risk, Protect Your Data, Save Time

Confidential 38

SecureSphere for SharePoint


Imperva Secures the SharePoint Platform, From End-to-end

Confidential 39

1.  Insider Threats

2.  Ineffective Log Management

3.  Vulnerabilities in Third Party Code

4.  Data Leakage

5.  Targeted Attacks

6.  Unauthorized Access to the SQL Database

Web Application Security

File Security

Database Security


Audit

Enterprise Users

The Internet

SQL Injection

XSS

Web Servers

Application Servers

MS SQL Databases

Web-Application Firewall

Activity Monitoring, Permissions Management &

Access Control

Excessive Rights

Administrators

DB Activity Monitoring & Access Control

Unauthorized Changes

Audit

Unauthorized Access

Layers of SharePoint Protection

Confidential 40


Gartner’s Take: WAFs Are Worth the Investment

Confidential 41

Firewalls and Intrusion prevention systems don’t provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications. WAFs are different from NGFWs and IPSs. WAFs protect, at a granular level, the enterprise's custom Web applications against Web attacks.

Web Application Firewalls Are Worth the Investment for Enterprises Jeremy D’Hoinne & Adam Hils; Feb 28, 2014

Gartner, Inc.


Webinar Materials

42

Post-Webinar Discussions

Answers to Attendee

Questions

Webinar Recording Link Join Group

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

https://www.linkedin.com/groups?home=&gid=3849609


www.imperva.com

43

Technology

6 Most Surprising SharePoint Security Risks