CISO's Guide to Securing SharePoint
Rob Rachwald Director of Security Strategy, Imperva
Agenda
+ SharePoint in the Enterprise
+ The Security Implications
+ Mitigation Checklist
Today's Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva
Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
Security experience
+ Fortify Software and Coverity
+ Helped secure Intel's supply chain software
+ Extensive international experience in Japan, China, France, and Australia
Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
SharePoint in a Nutshell
Store Share Find Leverage
Source: sharepoint.microsoft.com
Major SharePoint Deployment Types
Internal Portal (company intranet)
• Uses include SharePoint as a file repository
• Only accessible by internal users
External Portal (client access)
• Uses include SharePoint as a file repository
• Accessible from the Internet, for customers, partners or the public
Internet Website (public website)
• SharePoint as the Web site infrastructure
• Not used as a file repository
Why is File Security Important?
[Chart: roughly 80% of business data is unstructured (file data), 20% is structured (DB, apps)]
Businesses have a large amount of file data
[Chart: file data volume over time; file data grows 60% annually]
Some files hold sensitive business data: financial information, business plans, medical images, etc.
Unsecured Files are a Serious Security Problem
Reducing Insider Threats
Files are susceptible to insider threat by their very nature
+ Intentionally accessible for collaboration, communication, etc.
Required protections include:
+ Monitor sensitive data usage by all users
+ Enforce separation of duties and eliminate excessive rights
+ Discover sensitive data
SharePoint Admins Gone Wild
Most popular documents eyeballed were those containing the details of their fellow employees, 34 per cent, followed by salary, 23 per cent, and 30 per cent said "other."
Have You Shared Privileged Info via SharePoint?
Yes 48%
No 43%
No answer 9%
Source: NetworkWorld, May 2, 2011
Type of Content Shared
HR 21%
Customer Data 30%
Financial 22%
Other Proprietary 33%
Source: NetworkWorld, May 2, 2011
Impact of SharePoint Insecurity
“[Investigators] discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same.” —Wired, Dec 2011
Source: http://www.wired.com/threatlevel/2011/12/cables-scripts-manning/
Employee Attitudes Towards Data
70% of employees plan to take something with them when they leave the job
+ Intellectual Property: 27% + Customer data: 17%
Over 50% feel they own it
Source: November 2010 London Street Survey of 1026 people, Imperva
Insiders
Human Nature at Work?
70% of Chinese admit to accessing information they shouldn’t
62% took data when they left
56% admit internal hacking
36% feel they own it
Source: February 2011 Shanghai and Beijing Street Survey of 1012 people, Imperva
But SharePoint Takes the Problem Beyond Files
Web
+ E-commerce: Businesses leverage SharePoint to create Web sites that provide consumer content and, more importantly, the ability to buy products. Credit cards are a common form of payment.
Database
+ Healthcare: Hospitals use SharePoint to house patient data.
  – In the past, this information has been very attractive since it helps hackers steal identities.
  – Patient records often contain a very rich list of data including Social Security numbers, address details, and even credit cards for co-pays.
+ Education: Schools and universities store student information in SharePoint.
Microsoft SharePoint: Taming Unstructured Data
$1.3B licensing in 2009
SharePoint provides…
• Content repository
• Web browser-based access
• Easy portal construction
• Easy application construction
• Search
• Business intelligence services
• Social media capabilities
67% of SharePoint breaches are by insiders. 96% of breaches were avoidable through simple or intermediate controls
Data value within SharePoint + 46% > $10M + 30% > $50M + 9% > $500M + Toxic data accumulation
Security and rights management is #2 add-on, with 63% using or planning to use
5X # of SP 2010 deployments in the last 6 months
+ 50% deployed enterprise-wide + 75% used for portal/web-content
What Version of SharePoint is Deployed?
Source: SharePoint: Strategies and Experiences, September 2011
SharePoint Security Capabilities: 2007 vs 2010
2007
+ Encryption: "You can unplug all the servers."
2010
+ Some policy management
+ Authentication
+ Permissions
+ Metadata tagging
+ Versioning
+ Workflow
+ Information rights management
SharePoint 2010 is Still Missing
Functionality
+ Proper auditing
+ Web-based protection
+ Security-centric reporting
+ Security-centric policies
Bottom line
+ SharePoint is built for collaboration first, security second, third or tenth.
+ Features may provide security, but aren't inherent security tools
+ Did you know?
  – SSL is NOT turned on by default for downloading.
  – Remote binary large object (BLOB) storage does not coordinate underlying storage permissions with its own access control lists, so whoever can reach the BLOB store directly is not constrained by SharePoint's ACLs.
What are the Key Security SharePoint Challenges?
Challenge #1: Built for Collaboration
They didn't call it "HogPoint." SharePoint:
+ Was first designed to share content with partners and other external parties, with MS SQL Server as the store.
+ Then, you built a website on top of it.
Security was an afterthought
+ Trend #5: "Security and authentication will become more important."*
+ Poor security features
  – Poor user management capabilities
  – Poor authentication
* Source: http://www.sptechweb.com/content/article.aspx?ArticleID=36160&print=true
Do you use SharePoint for Collaboration with any of the Following?
Source: SharePoint: Strategies and Experiences, September 2011
Key Issues with SharePoint
Source: SharePoint: Strategies and Experiences, September 2011
Native SharePoint Security Capabilities
“In general, SharePoint involves a complex set of interactions that makes it difficult for security teams to know if all their concerns are covered.” —Burton Group, 2010
Challenge #2: Sidesteps IT
“Much of SharePoint's appeal is that it enables users to bypass the explicit and organizational and process barriers of the organization.” —Gartner, 2009
Third-Party Additions
Source: SharePoint: Strategies and Experiences, September 2011
Challenge #3: It Has Holes
Example: April 2010, Microsoft reveals a SharePoint issue
The vulnerability could allow escalation of privilege (EoP) within the SharePoint site. If an attacker successfully exploits the vulnerability, the person could run commands against the SharePoint server with the privileges of the compromised user.
Source: http://www.eweek.com/c/a/Security/Microsoft-Confirms-SharePoint-Security-Vulnerability-187410/
Challenge #3: It Has Holes
Oops, I did it again.
Key SharePoint Security Issues
Security Issue #1: Understanding Entitlements
Problem:
+ It's difficult to effectively track and manage all of the permissions.
+ Access rights are in a constant state of flux as the organization grows.
Details:
+ SharePoint's access control lists (ACLs) are similar to Windows: administrators define users and groups, and provide permissions.
+ Business unit employees who don't understand the technology often have responsibility for entitlement. It is tough to get employees to put in place confidentiality workflows, tagging, and classification of sensitive data.
+ A common issue once SharePoint instances have proliferated within an organization is to see and understand who has what permissions to what kind of data.
Example:
+ If a hospital uses SharePoint for patient data and the system is managed by hospital staff, then who keeps track of which doctors, nurses, or administrators can see patient data? Further, who maintains and updates these permissions over time? How are they able to do what they do? How do you identify excessive or dormant rights?
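The hospital example above, worked as an entitlement review in code. This is an added example, not Imperva's tooling or anything shipped with SharePoint: it assumes the farm's role assignments have already been exported (the SharePoint PowerShell cmdlets or the REST API both give you this) into the flat records shown, and the sites, libraries, accounts and activity dates are constructed for illustration.

```python
"""Entitlement review over an exported SharePoint permission listing.

Added example. Assumes role assignments have been exported into flat
records of the shape below; all sites, libraries and accounts are made up.
"""
from collections import defaultdict
from datetime import date, timedelta

# Principals that make a library open to the whole directory.
BROAD_PRINCIPALS = {"Everyone", "NT AUTHORITY\\Authenticated Users"}
# Built-in permission levels that allow changing or deleting content.
WRITE_LEVELS = {"Contribute", "Edit", "Design", "Full Control"}
# A user with no activity for this long is treated as dormant (assumption).
DORMANT_AFTER = timedelta(days=90)
REVIEW_DATE = date(2011, 12, 15)

HR = "https://portal.example/sites/hr"          # constructed
CLINIC = "https://portal.example/sites/clinic"  # constructed

# Constructed export: one record per role assignment. `sensitive` comes from
# the data owner's classification, `last_activity` from a usage audit.
ASSIGNMENTS = [
    {"site": HR, "library": "Salary Reviews", "sensitive": True,
     "principal": "Everyone", "kind": "group", "level": "Contribute",
     "last_activity": None},
    {"site": CLINIC, "library": "Patient Records", "sensitive": True,
     "principal": "CONTOSO\\jdoe", "kind": "user", "level": "Full Control",
     "last_activity": date(2011, 10, 3)},
    {"site": CLINIC, "library": "Patient Records", "sensitive": True,
     "principal": "CONTOSO\\nurses", "kind": "group", "level": "Read",
     "last_activity": date(2011, 11, 30)},
    {"site": HR, "library": "Cafeteria Menu", "sensitive": False,
     "principal": "Everyone", "kind": "group", "level": "Read",
     "last_activity": date(2011, 12, 1)},
    {"site": CLINIC, "library": "Patient Records", "sensitive": True,
     "principal": "CONTOSO\\former.contractor", "kind": "user", "level": "Read",
     "last_activity": date(2011, 5, 1)},
]


def review_entitlements(assignments, today):
    """Return the findings a rights review should put in front of the data owner."""
    findings = []
    for a in assignments:
        where = f"{a['site']} / {a['library']}"
        # 1. Everyone / all authenticated users on a sensitive library: nobody
        #    decided who should see it, the default did.
        if a["sensitive"] and a["principal"] in BROAD_PRINCIPALS:
            findings.append({"issue": "broad-access", "where": where,
                             "principal": a["principal"], "level": a["level"]})
        # 2. Full Control granted to an individual instead of a group is an
        #    ownership decision nobody reviews and that outlives the person.
        if a["kind"] == "user" and a["level"] == "Full Control":
            findings.append({"issue": "direct-full-control", "where": where,
                             "principal": a["principal"], "level": a["level"]})
        # 3. Dormant user rights: no activity inside the window, or none ever.
        if a["kind"] == "user":
            last = a["last_activity"]
            if last is None or today - last > DORMANT_AFTER:
                findings.append({"issue": "dormant", "where": where,
                                 "principal": a["principal"], "level": a["level"],
                                 "last_activity": last})
    return findings


def sensitive_access_matrix(assignments):
    """Who can do what on each sensitive library, for the owner's sign-off.

    Each row is (principal, level, can_write)."""
    matrix = defaultdict(list)
    for a in assignments:
        if a["sensitive"]:
            matrix[a["library"]].append(
                (a["principal"], a["level"], a["level"] in WRITE_LEVELS))
    return dict(matrix)


if __name__ == "__main__":
    for f in review_entitlements(ASSIGNMENTS, REVIEW_DATE):
        print(f)
    for library, rows in sensitive_access_matrix(ASSIGNMENTS).items():
        print(library, rows)
```

The three checks are deliberately cheap: they need only the export and an activity date, not SharePoint itself, so they can run on every site collection on a schedule. The access matrix is the artifact a data owner can actually sign, which is what "who keeps track of which doctors can see patient data" comes down to.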
Security Issue #2: Meeting Compliance Mandates and Governance
Problem:
+ SharePoint does not provide a way to demonstrate to auditors that a specific site setup is correct, nor an audit trail for potential breaches.
Details:
+ In the same way database activity monitoring (DAM) helps provide an audit trail and forensic evidence of possible wrongdoing, SharePoint features no such inherent capability.
+ If a breach occurs, either from an insider or a hacker, how can organizations learn how it happened?
Example:
+ In August 2011, Bloomberg reported on 300,000 healthcare records that appeared in an Excel file. No one knows where the file came from, indicating a lack of auditing.
Governance Policies in Place
Source: SharePoint: Strategies and Experiences, September 2011
Regulations and SharePoint
[Chart: share of respondents for whom PCI, HIPAA and SOX apply to SharePoint data; axis 0 to 40%, individual values not recoverable]
But 72 percent of companies have NOT evaluated compliance issues related to SharePoint data.
Source: NetworkWorld, May 2, 2011
Security Issue #3: Web Site Vulnerabilities
Problem:
+ All of the same issues you have with a Web site application, you have with SharePoint.
Details:
+ The typical problems should be familiar: SQL injection, brute-forced password attacks, cross-site scripting (XSS) and so forth.
+ As a platform for building applications, many of the typical flaws that developers put into code will apply to SharePoint.
+ Many apps can be developed by contractors, so fixing vulnerabilities can be especially cumbersome and time consuming.
Example:
+ According to CVE Details, XSS is the most commonly reported vulnerability in SharePoint.
Security Issue #4: Securing the Back-End Database
Problem:
+ Because SharePoint relies on SQL Server, storage protection is essentially database protection.
Details:
+ Access control should govern access. However, in SharePoint, database access based on corporate policies and stored procedures usually doesn't apply, creating viable threat vectors.
+ Awareness of database threats is high, but few know that SharePoint functions differently.
+ Current versions support column-level database encryption. For many, the word "encryption" means omnipotent protection; others know better.
+ Privileged users: Will admins have a key? Audit policies are needed to monitor malicious or compromised insiders.
Example:
+ "Database modifications may result in an unsupported database state," Microsoft support.
+ "Fully audit all SQL Server administrative activities," Gartner 2009.
+ "SharePoint is notoriously difficult to patch," Infoworld. In June of 2010, many SharePoint admins reported that installing SharePoint patches caused their Windows SharePoint Services 3.0 machines to lock up.
Security Issue #5: Exposure to Search Engines
Problem:
+ Misconfigured entry points are quickly indexed by search engines.
Example:
+ Soldiers' personal information was exposed through the external SharePoint Web site of the Missouri National Guard.
Google Diggity Project
A Checklist to Securing SharePoint
Get ahead of all SharePoint deployments
• Implement a SharePoint governance policy.
• Put in place security requirements when SharePoint instances go live.
• Don't trust native security features.
• Specify what kind of information can be put in SharePoint.
Identify sensitive data and protect it
• Use search capabilities to identify sensitive data.
• Sensitive data in databases: use database activity monitoring to identify and protect confidential data.
• Sensitive data transacted by SharePoint Web applications.
• Secure sensitive data held in files: use file activity monitoring to apply user rights management and auditing capabilities.
Deploy user rights management to identify data ownership
• Ensure legitimate access to data.
• Accelerate permissions reviews and management.
• Identify and delete dormant users. Check for dormant users on a regular basis.
• Focus on regulated data and streamline access.
• Adjust department-level access.
• Create permission reports for data owners.
• Implement ownership policies, especially for alerts around unauthorized access.
Protect Web sites
• Identify sensitive data transacted by SharePoint Web applications and use Web application firewalls to monitor and protect intranets, portals, and Web sites.
• Log all failed login attempts.
Enable auditing for compliance and forensics
• Who accessed this data?
• When and what did they access?
• Who owns this data?
• Are external users accessing admin pages?
• Have there been repeat failed login attempts?
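Two of the auditing questions above (repeat failed logins, external users on admin pages) and the search-engine exposure issue from Security Issue #5, answered from IIS W3C logs of a SharePoint web front end. This is an added example, not Imperva's or Microsoft's code: the log lines, addresses and the "internal" address ranges are constructed, and the list of administration pages is an assumption (SharePoint's site administration pages live under `/_layouts/`, Central Administration under `/_admin/`). One caveat the code carries: IIS logs a 401.2 for the anonymous first leg of every NTLM/Kerberos handshake, so only 401.1 (logon failed) counts as a failed login.

```python
"""Audit checks over IIS W3C logs from a SharePoint web front end (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed organisation-internal ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed administration pages worth watching when reached from outside.
ADMIN_PAGES = ("/_layouts/settings.aspx", "/_layouts/user.aspx",
               "/_layouts/viewlsts.aspx", "/_layouts/people.aspx", "/_admin/")
DOCUMENT_SUFFIXES = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot")

# Constructed excerpt in the default IIS W3C field layout. IIS writes user
# agents with spaces replaced by '+', so every record splits into 14 fields.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-12-01 08:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 200 0 0 120
2011-12-01 08:00:02 10.0.0.5 GET /_layouts/settings.aspx - 443 - 203.0.113.9 Mozilla/5.0 401 2 5 3
2011-12-01 08:00:03 10.0.0.5 GET /_layouts/settings.aspx - 443 - 203.0.113.9 Mozilla/5.0 401 1 2148074252 15
2011-12-01 08:00:09 10.0.0.5 GET /_layouts/settings.aspx - 443 - 203.0.113.9 Mozilla/5.0 401 1 2148074252 14
2011-12-01 08:00:15 10.0.0.5 GET /_layouts/settings.aspx - 443 - 203.0.113.9 Mozilla/5.0 401 1 2148074252 16
2011-12-01 08:00:21 10.0.0.5 GET /_layouts/settings.aspx - 443 - 203.0.113.9 Mozilla/5.0 401 1 2148074252 15
2011-12-01 08:00:27 10.0.0.5 GET /_layouts/settings.aspx - 443 - 203.0.113.9 Mozilla/5.0 401 1 2148074252 15
2011-12-01 08:00:40 10.0.0.5 GET /sites/hr/default.aspx - 443 - 10.0.1.20 Mozilla/5.0 401 1 2148074252 10
2011-12-01 08:03:10 10.0.0.5 GET /_layouts/settings.aspx - 443 CONTOSO\admin 203.0.113.9 Mozilla/5.0 200 0 0 90
2011-12-01 08:05:00 10.0.0.5 GET /sites/public/Documents/roster.xlsx - 80 - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) 200 0 0 40
2011-12-01 08:06:00 10.0.0.5 GET /_layouts/viewlsts.aspx - 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 200 0 0 30
"""


def parse_iis_log(text):
    """Parse W3C lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign the columns
        rec = dict(zip(fields, values))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def repeated_logon_failures(records, threshold=5, window=timedelta(minutes=5)):
    """Client IPs with `threshold` or more 401.1 responses inside `window`.

    Only substatus 1 (logon failed) is counted; the 401.2 challenge that
    precedes every NTLM/Kerberos authentication is normal traffic."""
    by_ip = defaultdict(list)
    for r in records:
        if r["sc-status"] == "401" and r["sc-substatus"] == "1":
            by_ip[r["c-ip"]].append(r["when"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def external_admin_access(records):
    """Successful requests for administration pages from non-internal addresses."""
    return [(r["c-ip"], r["cs-username"], r["cs-uri-stem"]) for r in records
            if r["sc-status"] == "200"
            and r["cs-uri-stem"].lower().startswith(ADMIN_PAGES)
            and not is_internal(r["c-ip"])]


def crawler_document_fetches(records):
    """Documents a search-engine crawler was allowed to download: already indexed."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records
            if r["sc-status"] == "200"
            and any(m in r["cs(User-Agent)"].lower() for m in CRAWLER_MARKERS)
            and r["cs-uri-stem"].lower().endswith(DOCUMENT_SUFFIXES)]


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("repeat failed logins:", repeated_logon_failures(recs))
    print("external admin access:", external_admin_access(recs))
    print("crawler document fetches:", crawler_document_fetches(recs))
```

Three things worth noting about the design. The brute-force check is a sliding window rather than a plain count, so a slow trickle of typos over a week does not trip it while a burst does. The "external" test uses the organisation's own ranges instead of a generic private-address test, because reverse proxies and documentation ranges make generic tests unreliable. And a crawler fetch that returned 200 is evidence the document is already in an index, which is the point of Security Issue #5: fixing the permission afterwards does not un-index it.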
SecureSphere for SharePoint
Usage Audit
Access Control
Rights Management
Attack Protection
Reputation Controls
Virtual Patching
Imperva Data Security in 60 Seconds
Audit
SharePoint & SecureSphere for SharePoint
[Architecture diagram. Actors: Enterprise Users, Partners, Employees from other sites, Administrators, and The Internet. Tiers: IIS Web Servers, Application Servers, MS SQL Databases. Controls: Web-Application Firewall (SQL Injection, XSS, External Access to Admin pages and Failed Login Attempts); Activity Monitoring & User Rights Management (Excessive Rights, Unauthorized Access, Audit, Data Across Borders & Ethical Walls, Migrations: Permissions, Data ownership, Data cleanup); DB Activity Monitoring & Access Control (Unauthorized Changes, Audit).]
SecureSphere for SharePoint
User rights management
+ Aggregate and visualize rights
+ Identify excessive and dormant rights
+ Streamline rights reviews
+ Identify data owners
Activity monitoring
+ Monitor file & list access in real-time
+ Find unused data
Policy based threat protection
+ Defend against file, Web and database threats
+ Alert and block in real-time
Webinar Materials
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link Webinar Slides
Get LinkedIn to Imperva Data Security Direct for…
www.imperva.com