CISO's Guide to Securing SharePoint Rob Rachwald Director of Security Strategy, Imperva

DESCRIPTION

SharePoint’s rapid adoption is undeniable, but it raises one important question: What security capabilities did Microsoft implement to ensure that SharePoint, and the data it houses, remains secure? SharePoint’s functionality was built for business users to share information. However, business users don’t typically recognize critical security considerations. This leaves security teams with the task of layering security onto SharePoint well after deployments, or worse, after a data breach. These presentation slides highlight SharePoint use cases and potential security issues, offer best practices for SharePoint security planning and management, and provide key mitigation steps that enterprises implement to minimize the odds of a data breach.

Page 1: CISO's Guide to Securing SharePoint

CISO's Guide to Securing SharePoint

Rob Rachwald Director of Security Strategy, Imperva

Page 2: CISO's Guide to Securing SharePoint

Agenda

SharePoint in the Enterprise The Security Implications Mitigation Checklist

Page 3: CISO's Guide to Securing SharePoint

Today’s Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva

Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center

Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia

Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley

Page 4: CISO's Guide to Securing SharePoint

SharePoint in a Nutshell

Store Share Find Leverage

Source: sharepoint.microsoft.com

Page 5: CISO's Guide to Securing SharePoint

Major SharePoint Deployment Types

Internal Portal (Company Intranet)
• Uses include SharePoint as a file repository
• Only accessible by internal users

External Portal (Client access)
• Uses include SharePoint as a file repository
• Accessible from the Internet
• For customers, partners or the public

Internet Website (Public website)
• SharePoint as the Web site infrastructure
• Not used as a file repository

Page 6: CISO's Guide to Securing SharePoint

Why is File Security Important?

Businesses have a large amount of file data
+ Unstructured (file data): 80%
+ Structured (DB, Apps): 20%

File data grows 60% annually
[Chart: volume over time]

Some files hold sensitive business data…
+ Financial information
+ Business plans
+ Medical images
+ Etc.

Page 7: CISO's Guide to Securing SharePoint

Unsecured Files are a Serious Security Problem

Reducing Insider Threats

Files are susceptible to insider threat by their very nature

+ Intentionally accessible for collaboration, communication, etc.

Required protections include:

+ Monitor sensitive data usage by all users

+ Enforce separation of duties and eliminate excessive rights

+ Discover sensitive data

Page 8: CISO's Guide to Securing SharePoint

SharePoint Admins Gone Wild

Most popular documents eyeballed were those containing the details of their fellow employees, 34 per cent, followed by salary – 23 per cent – and 30 per cent said "other."

Page 9: CISO's Guide to Securing SharePoint

Have You Shared Privileged Info via SharePoint?

+ Yes: 48%
+ No: 43%
+ No answer: 9%

Source: NetworkWorld, May 2, 2011

Page 10: CISO's Guide to Securing SharePoint

Type of Content Shared

+ HR: 21%
+ Customer Data: 30%
+ Financial: 22%
+ Other Proprietary: 33%

Source: NetworkWorld, May 2, 2011

Page 11: CISO's Guide to Securing SharePoint

Impact of SharePoint Insecurity

“[Investigators] discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same.” —Wired, Dec 2011

Source: http://www.wired.com/threatlevel/2011/12/cables-scripts-manning/

Page 13: CISO's Guide to Securing SharePoint

Employee Attitudes Towards Data

70% of employees plan to take something with them when they leave the job

+ Intellectual Property: 27%
+ Customer data: 17%

Over 50% feel they own it

Source: November 2010 London Street Survey of 1026 people, Imperva

Insiders

Page 14: CISO's Guide to Securing SharePoint

Human Nature at Work?

70% of Chinese admit to accessing information they shouldn’t

62% took data when they left

56% admit internal hacking

36% feel they own it

Source: February 2011 Shanghai and Beijing Street Survey of 1012 people, Imperva

Page 15: CISO's Guide to Securing SharePoint

But SharePoint Takes the Problem Beyond Files

Web
+ E-commerce: Businesses leverage SharePoint to create Web sites that provide consumer content and, more importantly, the ability to buy products. Credit cards are a common form of payment.

Database
+ Healthcare: Hospitals use SharePoint to house patient data.
  – In the past, this information has been very attractive since it helps hackers steal identities.
  – Patient records often contain a very rich list of data including Social Security numbers, address details, and even credit cards for co-pays.
+ Education: Schools and universities store student information in SharePoint.

Page 16: CISO's Guide to Securing SharePoint

Microsoft SharePoint: Taming Unstructured Data

$1.3B licensing in 2009

SharePoint provides…
• Content repository
• Web browser-based access
• Easy portal construction
• Easy application construction
• Search
• Business intelligence services
• Social media capabilities

67% of SharePoint breaches are by insiders.
96% of breaches were avoidable through simple or intermediate controls.

Data value within SharePoint
+ 46% > $10M
+ 30% > $50M
+ 9% > $500M
+ Toxic data accumulation

Security and rights management is #2 add-on, with 63% using or planning to use

5X # of SP 2010 deployments in the last 6 months
+ 50% deployed enterprise-wide
+ 75% used for portal/web-content

Page 17: CISO's Guide to Securing SharePoint

What Version of SharePoint is Deployed?

Source: SharePoint: Strategies and Experiences, September 2011

Page 18: CISO's Guide to Securing SharePoint

SharePoint Security Capabilities: 2007 vs 2010

2007
+ Encryption
+ You can unplug all the servers.

2010
+ Some policy management
+ Authentication
+ Permissions
+ Metadata tagging
+ Versioning
+ Workflow
+ Info rights management

Page 19: CISO's Guide to Securing SharePoint

SharePoint 2010 is Still Missing

Functionality
+ Proper auditing
+ Web-based protection
+ Security-centric reporting
+ Security-centric policies

Bottom line
+ SharePoint is built for collaboration first, security second, third or tenth.
+ Features may provide security, but aren’t inherent security tools
+ Did you know?
  – SSL is NOT turned on by default for downloading.
  – Remote binary large object (BLOB) storage does not coordinate underlying storage permissions with its own access control lists.

Page 20: CISO's Guide to Securing SharePoint

What are the Key Security SharePoint Challenges?

Page 21: CISO's Guide to Securing SharePoint

Challenge #1: Built for Collaboration

They didn’t call it “HogPoint.”

SharePoint:
+ Was first designed to share content with partners and other external parties using MS SQL.
+ Then, you built a website on top of it.

Security was an afterthought
+ Trends #5: “Security and authentication will become more important.”*
+ Poor security features
  – Poor user management capabilities
  – Poor authentication

Source: http://www.sptechweb.com/content/article.aspx?ArticleID=36160&print=true

Page 22: CISO's Guide to Securing SharePoint

Do you use SharePoint for Collaboration with any of the Following?

Source: SharePoint: Strategies and Experiences, September 2011

Page 23: CISO's Guide to Securing SharePoint

Key Issues with SharePoint

Source: SharePoint: Strategies and Experiences, September 2011

Page 24: CISO's Guide to Securing SharePoint

Native SharePoint Security Capabilities

“In general, SharePoint involves a complex set of interactions that makes it difficult for security teams to know if all their concerns are covered.” —Burton Group, 2010

Page 25: CISO's Guide to Securing SharePoint

Challenge #2: Sidesteps IT

“Much of SharePoint's appeal is that it enables users to bypass the explicit and organizational and process barriers of the organization.” —Gartner, 2009

Page 26: CISO's Guide to Securing SharePoint

Third-Party Additions

Source: SharePoint: Strategies and Experiences, September 2011

Page 28: CISO's Guide to Securing SharePoint

Challenge #3: It Has Holes

Ooops, I did it again.

Page 29: CISO's Guide to Securing SharePoint

Key SharePoint Security Issues

Page 30: CISO's Guide to Securing SharePoint

Security Issue #1: Understanding Entitlements

Problem:
+ It’s difficult to effectively track and manage all of the permissions.
+ Access rights are in a constant state of flux as the organization grows.

Details:
+ SharePoint’s access control lists (ACL) are similar to Windows: administrators define users and groups, and provide permissions.
+ Business unit employees who don’t understand the technology often have responsibility for entitlement. It is tough to get employees to put in place confidentiality workflows, tagging, and classification of sensitive data.
+ A common issue once SharePoint instances have proliferated within an organization is to see and understand who has what permissions to what kind of data.

Example:
+ If a hospital uses SharePoint for patient data and the system is managed by hospital staff, then who keeps track of which doctors, nurses, or administrators can see patient data? Further, who maintains and updates these permissions over time? How are they able to do what they do? How do you identify excessive or dormant rights?

Page 31: CISO's Guide to Securing SharePoint

Security Issue #2: Meeting Compliance Mandates and Governance

Problem:
+ SharePoint does not provide a way to demonstrate to auditors that a specific site’s setup is correct, or to provide an audit trail for potential breaches.

Details:
+ In the same way database activity monitoring (DAM) helps provide an audit trail and forensic evidence of possible wrongdoing, SharePoint features no such inherent capability.
+ If a breach occurs—either from an insider or a hacker—how can organizations learn how it happened?

Example:
+ In August 2011, Bloomberg reported on 300,000 healthcare records that appeared in an Excel file. No one knows where the file came from, indicating a lack of auditing.

Page 32: CISO's Guide to Securing SharePoint

Governance Policies in Place

Source: SharePoint: Strategies and Experiences, September 2011

Page 34: CISO's Guide to Securing SharePoint

Regulations and SharePoint

[Bar chart: percentage (axis 0% to 40%) for PCI, HIPAA, SOX]

But 72 percent of companies have NOT evaluated compliance issues related to SharePoint data.

Source: NetworkWorld, May 2, 2011

Page 35: CISO's Guide to Securing SharePoint

Security Issue #3: Web Site Vulnerabilities

Problem:
+ All of the same issues you have with a Web site application, you have with SharePoint.

Details:
+ The typical problems should be familiar: SQL injections, brute-force password attacks, cross-site scripting (XSS) and so forth.
+ As a platform for building applications, many of the typical flaws that developers put into code will apply to SharePoint.
+ Many apps can be developed by contractors, so fixing vulnerabilities can be especially cumbersome and time consuming.

Example:
+ According to CVE details, XSS is the most commonly reported vulnerability in SharePoint.

Page 36: CISO's Guide to Securing SharePoint

Security Issue #4: Securing the Back-End Database

Problem:
+ Because SharePoint relies on SQL Server, storage protection is essentially database protection.

Details:
+ Access control should govern access. However, in SharePoint, database access based on corporate policies and stored procedures usually doesn’t apply—creating viable threat vectors.
+ Awareness of database threats is high, but few know that SharePoint functions differently.
+ Current versions support columnar database encryption. For many, the word encryption means omnipotent protection; others know better.
+ Privileged users: Will admins have a key? Audit policies are needed to monitor malicious/compromised insiders.

Example:
+ “Database modifications may result in an unsupported database state,” Microsoft support.
+ “Fully audit all SQL Server administrative activities,” Gartner 2009.
+ “SharePoint is notoriously difficult to patch,” Infoworld. In June of 2010, many SharePoint admins reported that installing SharePoint patches caused their Windows SharePoint Server 3.0 machines to lock up.

Page 37: CISO's Guide to Securing SharePoint

Security Issue #5: Exposure to Search Engines

Problem:
+ Misconfigured entry points are quickly indexed by search engines.

Example:
+ Soldiers’ personal information was exposed through the external SharePoint Web site of Missouri’s National Guard.

Page 38: CISO's Guide to Securing SharePoint

Google Diggity Project

Page 39: CISO's Guide to Securing SharePoint

A Checklist to Securing SharePoint

Get ahead of all SharePoint deployments
• Implement a SharePoint governance policy.
• Put in place security requirements when SharePoint instances go live.
• Don’t trust native security features.
• Specify what kind of information can be put in SharePoint.

Identify sensitive data and protect it
• Use search capabilities to identify sensitive data.
• Sensitive data in databases: use database activity monitoring to identify and protect confidential data.
• Sensitive data transacted by SharePoint Web applications
• Secure sensitive data held in files: use file activity monitoring to apply user rights management and auditing capabilities.

Page 40: CISO's Guide to Securing SharePoint

A Checklist to Securing SharePoint

Deploy user rights management to identify data ownership
• Ensure legitimate access to data.
• Accelerate permissions reviews and management.
• Identify and delete dormant users. Check for dormant users on a regular basis.
• Focus on regulated data and streamline access.
• Adjust department-level access.
• Create permission reports for data owners.
• Implement ownership policies – especially for alerts around unauthorized access.

Protect Web sites
• Identify sensitive data transacted by SharePoint Web applications and use Web application firewalls to monitor and protect intranets, portals, and Web sites.
• Log all failed login attempts.

Page 41: CISO's Guide to Securing SharePoint

A Checklist to Securing SharePoint

Enable auditing for compliance and forensics
• Who accessed this data?
• When and what did they access?
• Who owns this data?
• Are external users accessing admin pages?
• Have there been repeat failed login attempts?
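One way to answer the last two audit questions from the IIS logs in front of a SharePoint farm, as an added example that is not part of the presentation or any Imperva product. It assumes W3C extended logging with the sc-win32-status field enabled; the admin page list, internal address ranges, threshold and sample log lines are illustrative assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the slides): which pages count as "admin pages",
# which networks are internal, and the alert threshold.
ADMIN_PAGES = ("/_layouts/settings.aspx", "/_layouts/user.aspx")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILED_LOGIN_THRESHOLD = 3
# Win32 SEC_E_LOGON_DENIED (0x8009030C). Counting every 401 would also count
# the challenge round-trips of normal Windows-authenticated requests.
LOGON_DENIED = "2148074252"

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2012-01-10 09:00:01 GET /sites/hr/Forms/AllItems.aspx alice 10.1.4.20 200 0 0
2012-01-10 09:02:11 GET /sites/hr/_layouts/settings.aspx - 203.0.113.7 401 2 5
2012-01-10 09:02:12 GET /sites/hr/_layouts/settings.aspx - 203.0.113.7 401 1 2148074252
2012-01-10 09:02:14 GET /sites/hr/_layouts/settings.aspx - 203.0.113.7 401 1 2148074252
2012-01-10 09:02:15 GET /sites/hr/_layouts/settings.aspx - 203.0.113.7 401 1 2148074252
2012-01-10 09:05:00 GET /sites/hr/_layouts/user.aspx bob 10.1.4.31 200 0 0
2012-01-10 09:06:00 GET /default.aspx - 10.1.4.40 401 1 2148074254
2012-01-10 09:07:30 GET /_layouts/settings.aspx carol 198.51.100.9 200 0 0
"""

def parse(log_text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit(log_text):
    """Return (external requests to admin pages, IPs with repeat failed logins)."""
    external_admin, denied = [], Counter()
    for r in parse(log_text):
        if r["cs-uri-stem"].lower().endswith(ADMIN_PAGES) and is_external(r["c-ip"]):
            external_admin.append((r["c-ip"], r["cs-uri-stem"], r["sc-status"]))
        if r["sc-status"] == "401" and r["sc-win32-status"] == LOGON_DENIED:
            denied[r["c-ip"]] += 1
    repeat = {ip: n for ip, n in denied.items() if n >= FAILED_LOGIN_THRESHOLD}
    return external_admin, repeat

if __name__ == "__main__":
    hits, repeat = audit(SAMPLE_LOG)
    for ip, page, status in hits:
        print(f"external admin-page request: {ip} {page} -> {status}")
    for ip, n in repeat.items():
        print(f"repeat failed logins: {ip} ({n} denied logons)")
```

The internal ranges are listed explicitly because Python's `is_private` also covers documentation and other reserved ranges, which would hide the constructed external addresses used here.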

Page 42: CISO's Guide to Securing SharePoint

SecureSphere for SharePoint

Page 43: CISO's Guide to Securing SharePoint

Usage Audit

Access Control

Rights Management

Attack Protection

Reputation Controls

Virtual Patching

Imperva Data Security in 60 Seconds

Page 44: CISO's Guide to Securing SharePoint

SharePoint & SecureSphere for SharePoint

[Architecture diagram. Labels recovered from the slide:]
+ Users: Enterprise Users, Administrators, Partners, Employees from other sites, The Internet
+ SharePoint tiers: IIS Web Servers, Application Servers, MS SQL Databases
+ Controls: Web-Application Firewall; Activity Monitoring & User Rights Management; DB Activity Monitoring & Access Control; Audit
+ Risks: SQL Injection, XSS, Excessive Rights, Unauthorized Changes, Unauthorized Access, External Access to Admin pages and Failed Login Attempts, Data Across Borders & Ethical Walls
+ Migrations: Permissions, Data ownership, Data cleanup

Page 45: CISO's Guide to Securing SharePoint

SecureSphere for SharePoint

User rights management
+ Aggregate and visualize rights
+ Identify excessive and dormant rights
+ Streamline rights reviews
+ Identify data owners

Activity monitoring
+ Monitor file & list access in real-time
+ Find unused data

Policy based threat protection
+ Defend against file, Web and database threats
+ Alert and block in real-time

Page 46: CISO's Guide to Securing SharePoint

Webinar Materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link Webinar Slides

Get LinkedIn to Imperva Data Security Direct for…

Page 47: CISO's Guide to Securing SharePoint

www.imperva.com