6 Most Surprising SharePoint Security Risks

© 2014 Imperva, Inc. All rights reserved.
The 6 Most Surprising SharePoint
Security Risks
Webinar
Confidential1
Carrie McDaniel - Product Marketing Manager, SharePoint Security

Agenda
Confidential2
§  Discuss 6 of the most surprising SharePoint risks
•  An example of each risk
•  Ways to mitigate these threats
§  Newly released, supporting research

Carrie McDaniel – SharePoint Security Team
3
§  Product Marketing Manager for File
Security; focus on SharePoint security
§  Previously held product marketing
position at Moody’s Analytics in San
Francisco
§  Past experience in finance and tech
industries at Wells Fargo and NetApp
§  Holds degrees in Marketing and French
from Santa Clara University

© 2014 Imperva, Inc. All rights reserved. Confidential4
Web applications remain the proverbial
punching bag of the internet. They’re
beaten in one of two ways: by exploiting a
weakness in the application or by using
stolen credentials to impersonate a valid
user.
Many of the attacks in our 2013 dataset
targeted off the shelf content
management systems…
2014 Verizon Data Breach Investigations Report

SharePoint Architecture
Confidential5
Web Servers
Application Servers
MS SQL Databases

SharePoint Components Hit Hard in 2013
Confidential6
35% of data
breaches resulted
from web
application attacks.
88% of all incidents
reported were due to
privilege abuse.
Out of all corporate
assets, 25% of data
was stolen from
databases.

Reasons Why This is Happening
Confidential7
Only 42% audit
external SharePoint
access.
76% grant
non-employee
SharePoint access.
Only 7% run
SharePoint access
logs.
Dimensional Research. SharePoint and Security Survey. December 2013.

SharePoint Security Risk 1
Confidential8
Insider Threats

Critical Data is Stored in SharePoint
Confidential9
Regulated
Sensitive

The Insider Threat is Multifaceted
Confidential10
1.  Insiders steal data by abusing excessive privileges
2.  Users are compromised, and privileges are escalated
“…taking advantage of the system access privileges
granted by an employer and using them to commit
nefarious acts – tops the list.”
Administrators hold the
keys to the kingdom.

SharePoint is Complex; Permissions
are Challenging
Confidential11
HR
Site
Finance
Site
Engineering
Site
IT
Contractor
HR Employee Engineer

Conclusions on Insider Threats
Confidential12
1.  Organizations must have a centralized
view of file and folder permissions
across the SharePoint platform.
2.  Preventing data access based solely
on an ACL-based security model is
ineffective.
•  Insiders are getting around these controls
3.  Monitor, monitor, monitor.

Confidential13
Ineffective Log Management

Companies Not Monitoring SharePoint
File Access
Confidential14
However:
•  29% of organizations do
not use SharePoint
access logs
•  64% run them monthly
Dimensional Research. SharePoint and Security Survey. December 2013.
Facts:
•  76% of organizations
allow non-employees
access to SharePoint
•  The majority are worried
about unauthorized
access from the general
public and partners

SharePoint’s Access Logs Have Challenges
Confidential15
1.  Not typically turned on.
2.  Audit logs accumulate volumes of
unnecessary data.
3.  Logs are cyclic, and rollover quickly.
4.  No separation of duties.
5.  Not auditor-ready.

Conclusions on SharePoint Log Management
Confidential16
1.  Organizations need to record all
access across the web, content and
database layers of SharePoint.
2.  Monitoring must occur in real-time to
ensure data security.
3.  Auditors need to ensure that
appropriate data controls are in
place, no matter where it’s stored.

Confidential17
Vulnerabilities in Third-party Code

More than half of organizations use or are
“…planning to use third-party add-on
products in order to enhance functionality.
Only a third thinks they will stick with the
vanilla product.”
AIIM 2012 Industry Watch Survey
Nowhere is this exploited on a larger
scale than in Content Management
Systems (CMS)…and even then, more
in the added plugins than the core CMS
code itself.
2012
2013

Add-ons Defined
Confidential19
Plug-in
A software component that adds additional functionality
to the larger SharePoint system.
Example: SharePoint Outlook Integration
Web Part
A stand-alone application that is embedded into SharePoint
that pulls in useful information from other Websites.
Example: Twitter feed
Optimus.com

Convenience
Collaboration
Productivity
Ease-of-use

© 2014 Imperva, Inc. All rights reserved.21
3rd Party
According to Veracode:
•  “Up to 70% of internally developed code originates outside of the
development team”
•  28% of assessed applications are identified as created by a 3rd
party
Confidential

IT and security teams should always assume that third-party code
present in SharePoint applications contain significant vulnerabilities.
You can’t fix code you don’t own.
Organizations won’t be protected
until that third-party addresses the
vulnerabilities.
What’s the
risk?

© 2014 Imperva, Inc. All rights reserved.23
OWASP Top 10 – 2013 Update
New, A9 - Using Known Vulnerable Components
Confidential

Classic Web Site Hacking
Confidential24
Hacking
1.  Identify Target
2.  Find Vulnerability
3.  Exploit
Single Site Attack

Classic Web Site Hacking
Confidential25
Hacking
3.  Exploit
Hacking
3.  Exploit
Hacking
3.  Exploit
Hacking
3.  Exploit
Hacking
3.  Exploit
Multiple Site Attacks

SharePoint Application Hacking
Confidential26
Hacking
1.  Identify add-on
3.  Exploit

Imperva’s Take: Vulnerabilities in Third-party
Code are Inevitable
Confidential27
Photo Credit: cnet.com

Confidential28
Data Leakage

Global Site
Sensitive Data Leakage Often Occurs Accidently
Confidential29
§  Simple SharePoint misconfigurations can expose corporate
data
Head of Finance
Finance Site
HR Site
Sales Site

Global Site
Sophisticated Search Tools Can Uncover
Sensitive Data
Confidential30
§  Google capabilities like Indexed FTP, Search by Image, and
Table Search offer new ways to discover and extract data
Web User
Finance Site
HR Site
Sales Site

Conclusions on SharePoint Data Leakage
Confidential31
1.  Organizations need tight controls
over the content being served by
SharePoint.
2.  Implementing security policies that
check for outgoing data can help
prevent leakage.
3.  As part of your security strategy,
put a process in place to validate
the content accessible via your
SharePoint web servers.

Confidential32
Targeted Attacks / Phishing

Attackers Pull Data From Websites for Use
in Targeted Attacks
Confidential33
§  Site scraping – not just for undercutting competitor’s prices and
republishing Website listings
80% of the Fortune 500 are using SharePoint
Source: www.topsharepoint.com

Conclusions on Phishing and Targeted Attacks
Confidential34
1.  Companies can protect their brand
by protecting against site scrapers.
2.  It’s difficult to distinguish site
scrapers from legitimate users;
proactive detection must be in
place.
3.  Organizations can rely on malicious
source IP address feeds to protect
against site scraping.

Confidential35
Unauthorized Access to the Microsoft SQL Database

An Overlooked SharePoint Security Risk
Confidential36
Databases and file servers, both repositories of
so much valuable information, are targeted
regularly…
Admins unknowingly
make unsupported
database changes.
Malware-compromised
insiders access the
database.
Malicious insiders target
the database.

Conclusions on Unauthorized Database Access
Confidential37
1.  The SharePoint SQL database holds the crown jewels, and must be
protected from abuse.
2.  Even unintentional changes can have a broad security impact on the
SharePoint system.
3.  Monitor, monitor, monitor.

Reduce Risk, Protect Your Data,
Save Time
Confidential38
SecureSphere for SharePoint

Imperva Secures the SharePoint Platform,
From End-to-end
Confidential39
1.  Insider Threats
2.  Ineffective Log Management
3.  Vulnerabilities in Third Party Code
4.  Data Leakage
5.  Targeted Attacks
6.  Unauthorized Access to the SQL Database
Web Application
Security
File
Security
Database
Security

Audit
Enterprise Users
The Internet
SQL
Injection
XSS
Web
Servers
Application
Servers
MS SQL
Databases
Web-Application
Firewall
Activity Monitoring,
Permissions Management &
Access Control
Excessive
Rights
Administrators
DB Activity Monitoring
& Access Control
Unauthorized
Changes
Audit
Unauthorized
Access
Layers of SharePoint Protection
Confidential40

Gartner’s Take:
WAFs Are Worth the Investment
Confidential41
Firewalls and Intrusion prevention systems don’t
provide sufficient protections for most public-
facing websites or internal business-critical and
custom Web applications.
WAFs are different from NGFWs and IPSs.
WAFs protect, at a granular level, the
enterprise's custom Web applications against
Web attacks.
Web Application Firewalls Are Worth the Investment for Enterprises
Jeremy D’Hoinne & Adam Hils; Feb 28, 2014
Gartner, Inc.

Webinar Materials
42
Post-Webinar
Discussions
Answers to
Attendee
Questions
Webinar
Recording Link
Join Group
Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…

www.imperva.com
43

6 Most Surprising SharePoint Security Risks

More Related Content

What's hot (15)

Viewers also liked (20)

Similar to 6 Most Surprising SharePoint Security Risks (20)

More from Imperva (20)

Recently uploaded (20)

6 Most Surprising SharePoint Security Risks