Protecting Against Vulnerabilities in SharePoint Add-ons

As the pace of Microsoft SharePoint adoption continues, most organizations are turning to third-party add-ons to support demands for functionality. For this reason, experts compare SharePoint without add-ons to an iPhone without apps. Third-party add-ons, however, arrive pre-packaged with unique security risks -- vulnerabilities that IT cannot directly fix.
This presentation will (1) identify risks associated with using SharePoint plug-ins and web parts developed by third parties, (2) describe how hackers target and exploit third-party code using attacks such as SQL injection, and (3) introduce a three-layered approach to securing SharePoint.

Published in: Technology
Transcript of "Protecting Against Vulnerabilities in SharePoint Add-ons"

  1. Protecting Against Vulnerabilities in SharePoint Add-ons
     Webinar
     Carrie McDaniel – File Security Product Team
     © 2013 Imperva, Inc. All rights reserved. Confidential
  2. Agenda
     1.  SharePoint Background
     2.  Understanding SharePoint Add-ons
     3.  Add-On Vulnerabilities
     4.  How Hackers Attack SharePoint Add-ons
     5.  How to Protect Against Add-on Vulnerabilities
  3. Carrie McDaniel – File Security Team
     §  Product Marketing Manager for File Security; focus on SharePoint security
     §  Previously held a product marketing position at Moody’s Analytics in San Francisco
     §  Past experience in the finance and tech industries at Wells Fargo and NetApp
     §  Holds degrees in Marketing and French from Santa Clara University
  4. Top SharePoint Uses
     §  Internal collaboration
     §  Content management
     §  Project management
     §  Records management
     §  Corporate intranet
     §  File share replacement
     Source: AIIM
  5. Sensitive Data Lives in SharePoint
     Regulated: Financial information; Personally Identifiable Information (PII); Personal Health Information (PHI)
     Sensitive: Legal documents; Intellectual property; Business or Product plans; Deal data
  6. Implementation is Progressive…
     Intranet: Internal file sharing; Collaboration
     Extranet: Board of Directors site; External portal for employees, partners, alumni, etc.
     Public-facing Website: Corporate website; E-commerce site; Microsite
  7. More than half of organizations use or are “…planning to use third-party add-on products in order to enhance functionality. Only a third thinks they will stick with the vanilla product.”
     AIIM (Association for Information and Image Management) 2012 Industry Watch Survey
  8. Add-ons Defined…
     Web Part: a stand-alone application that is embedded into SharePoint and pulls in useful information from other Websites. Example: Twitter feed.
     Plug-in: a software component that adds functionality to the larger SharePoint system. Example: SharePoint Outlook Integration.
     Source: Optimus.com
  9. Convenience
     Ease-of-use
     Collaboration
     Productivity
  10. Most Popular SharePoint Plug-ins and Web Parts
     Source: PortalFront
  11. Business Justification
     §  Custom coding is expensive and takes time; stakeholders seek rapid results
  12. 3rd Party
     According to Veracode:
     •  “Up to 70% of internally developed code originates outside of the development team”
     •  28% of assessed applications are identified as created by a 3rd party
  13. IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
     What’s the risk? You can’t fix code you don’t own. Organizations won’t be protected until that third party addresses the vulnerabilities.
  14. 3rd Party Code Driven Incidents
     Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.
     HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
  15. OWASP Top 10 – 2013 Update
     New: A9 - Using Known Vulnerable Components
  16. Who’s Doing It and Why
     Governments: stealing Intellectual Property (IP) and raw data, and spying
     §  Motivated by: Policy, politics, and nationalism
     §  Preferred Methods: Targeted attacks
     Organized Crime: stealing IP and data
     §  Motivated by: Profit
     §  Preferred Methods: Targeted attacks, fraud
     Hacktivists: exposing IP and data, and compromising the infrastructure
     §  Motivated by: Political causes, ideology, personal agendas
     §  Preferred Methods: Targeted attacks, Denial of Service attacks
  17. Classic Web Site Hacking: Single Site Attack
     Hacking
     1.  Identify Target
     2.  Find Vulnerability
     3.  Exploit
  18. Classic Web Site Hacking: Multiple Site Attacks
     The same three steps (Identify Target, Find Vulnerability, Exploit) repeated once per site; the slide shows five copies of the sequence.
  19. SharePoint Application Hacking
     Hacking
     1.  Identify add-on
     2.  Find Vulnerability
     3.  Exploit
  20. Security Risks
     SharePoint Building Blocks: Visual C#, Visual Basic; ASP.NET; Document Object Model; Microsoft .NET; Silverlight; HTML, CSS; Microsoft SQL Server; Internet Explorer; Active Directory integration
     §  Cross-site scripting
     §  SQL injection
     §  Directory (or path) traversal
     §  Remote file inclusion (RFI)
     Microsoft has reported over 300 vulnerabilities in SharePoint Server and related products since its release.
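Two of the risk classes listed above, SQL injection and path traversal, usually come down to a handful of lines inside the add-on. The following is an added illustration, not code from the deck or from any SharePoint add-on: a Python module in which sqlite3 stands in for SQL Server and the document table is constructed. Each helper is shown in its vulnerable form beside its hardened form, so a reviewer can see exactly what a pen test on an add-on is looking for, and what a WAF must infer from the outside when the add-on's code cannot be changed.

```python
"""Vulnerable vs. hardened helpers for two add-on risk classes (added example).

sqlite3 is a stand-in for SQL Server; the documents table is constructed data.
"""
import os
import sqlite3
from typing import List, Optional


def build_db() -> sqlite3.Connection:
    """Constructed sample: a document-library table a web part might query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?)",
        [("Q1 board deck", "finance"),
         ("M&A term sheet", "legal"),
         ("Lunch menu", "facilities")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, title: str) -> List[str]:
    """SQL injection: user text is pasted into the statement, so a quote in the
    input changes the query's structure instead of being compared as data."""
    sql = "SELECT title FROM documents WHERE title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, title: str) -> List[str]:
    """Hardened: the value travels separately from the SQL text. Whatever the
    input contains, it can only ever be compared against the title column."""
    sql = "SELECT title FROM documents WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def file_path_vulnerable(base_dir: str, requested: str) -> str:
    """Path traversal: joining a caller-supplied name lets '..' segments walk
    out of the intended directory."""
    return os.path.join(base_dir, requested)


def file_path_hardened(base_dir: str, requested: str) -> Optional[str]:
    """Hardened: resolve the candidate, then require that it still lies under
    the base directory. Returns None for anything that escapes."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"          # classic quote-breaking input
    print("vulnerable:", search_vulnerable(db, probe))      # every row leaks
    print("parameterized:", search_parameterized(db, probe))  # no such title
    print(file_path_vulnerable("/srv/share", "../../etc/passwd"))
    print(file_path_hardened("/srv/share", "../../etc/passwd"))  # None
```

The parameterized form is the fix the add-on vendor has to ship; until it does, the deck's point stands that the customer can only observe the quote-breaking input on the wire and block it there.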
  21. CMS Mass Hacking
     Step 1: Find a vulnerability in a CMS platform
     Source: www.exploit-db.com
     Even public vulnerability databases contain thousands of CMS-related vulnerabilities.
  22. Data Extraction Techniques by Hackers: 2005-2011
     SQL Injection 83%; Other 17%
     Total = 315,424,147 records (856 breaches)
     Source: Privacy Rights Clearinghouse
  23. Main Automated Attack Tools
     SQLmap
     Havij
  24. The Attacker’s Focus
     Server Takeover
     Direct Data Theft
  25. Rebalance Your Security Portfolio
  26. Gartner’s Take: NG Firewall vs. Web Application Firewall
     “NGFW vendors… are mostly about controlling external applications, such as Facebook and peer-to-peer (P2P) file sharing.” “WAFs are different: [they]…are concerned with custom internal Web applications.”
     Magic Quadrant for Enterprise Network Firewalls, Gartner, Inc., February 7, 2013
  27. Technical Recommendations
     IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
     §  Pen test before deployment to identify these issues
     §  Deploy the application behind a WAF to
        •  Virtually patch pen test findings
        •  Mitigate new risks (unknown at pen test time)
        •  Mitigate issues the pen tester missed
        •  Use a cloud WAF for remotely hosted applications
     §  Virtually patch newly discovered CVEs
        •  Requires a robust security update service
  28. Web Application Firewall
     §  Virtually patch vulnerabilities until a fix is issued
     §  Detect and block attacks
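What "detect" amounts to at its simplest, as an added example that is not part of the deck and not a description of how SecureSphere works: a Python pass over IIS W3C log lines (the format SharePoint's IIS front ends write) that flags the four attack classes named on slide 20 with plain signatures applied to the decoded query string. The field names are the standard IIS W3C ones; the log excerpt, client addresses and add-on page names are constructed. A production WAF normalizes input far more thoroughly and blocks inline, but the same logic is useful after the fact for checking WAF alerts against the web server's own logs.

```python
"""Signature sweep over constructed IIS W3C log lines (added example).

Flags the attack classes a SharePoint add-on is typically exposed to: SQL
injection, path traversal, cross-site scripting, remote file inclusion.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed IIS W3C excerpt for a SharePoint front end; not real traffic.
# 203.0.113.0/24 is a documentation range; the AddOn*.aspx pages are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2013-05-01 10:00:01 10.0.0.5 GET /sites/finance/_layouts/Search.aspx k=budget 443 CORP\\alice 10.0.1.20 200
2013-05-01 10:00:07 10.0.0.5 GET /sites/finance/_layouts/AddOnSearch.aspx q=%27+OR+%271%27%3D%271 443 - 203.0.113.9 200
2013-05-01 10:00:09 10.0.0.5 GET /sites/finance/_layouts/AddOnView.aspx file=..%2F..%2Fweb.config 443 - 203.0.113.9 404
2013-05-01 10:00:12 10.0.0.5 GET /sites/finance/_layouts/AddOnPage.aspx msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E 443 - 203.0.113.9 200
2013-05-01 10:00:15 10.0.0.5 GET /sites/finance/_layouts/AddOnInclude.aspx tpl=http%3A%2F%2Fexample.org%2Fx.txt 443 - 203.0.113.9 500
2013-05-01 10:00:20 10.0.0.5 POST /sites/finance/Lists/Tasks/AllItems.aspx - 443 CORP\\bob 10.0.1.21 200
"""

# Deliberately narrow patterns; a WAF ships thousands and tunes them per site.
# The event-handler clause (\bon\w+=) will flag a benign parameter such as
# "online=1", which is exactly the kind of false positive tuning has to remove.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "sql_injection": re.compile(r"""('|")\s*(or|and)\s+|union\s+select|;\s*drop\s""", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "remote_file_inclusion": re.compile(r"=\s*(https?|ftp)://", re.I),
}


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would count these
        records.append(dict(zip(fields, values)))
    return records


def classify_request(record: Dict[str, str]) -> List[str]:
    """Return the signature names matched by the decoded query string."""
    query = record.get("cs-uri-query", "-")
    if query == "-":
        return []
    # Decode twice so a single level of double-encoding cannot hide a payload.
    decoded = unquote_plus(unquote_plus(query))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """One finding per (request, matched signature), in log order."""
    findings = []
    for rec in parse_iis_w3c(text):
        for category in classify_request(rec):
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "user": rec["cs-username"],
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "category": category,
            })
    return findings


def summarize_by_client(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per client IP; a single source hitting several add-on
    pages with different payloads is the pattern automated tools produce."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['client']:<12} {h['category']:<22} {h['uri']} -> {h['status']}")
    print(summarize_by_client(hits))
```

Note that the traversal attempt returned 404 and the inclusion attempt returned 500: the web server's status code says nothing about whether the add-on was vulnerable, which is why the deck pairs detection with virtual patching rather than relying on the application to fail safely.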
  29. SecureSphere for SharePoint
  30. Protection Tailored to SharePoint
     SecureSphere for SharePoint
     Web Application Firewall
     §  Protection against Web-based attacks
     §  Tuned for Microsoft SharePoint traffic
     §  Fraud prevention and reputation controls available
     File Activity Monitoring
     §  Monitor and audit file activity
     §  Comprehensive user rights management
     §  Enforce file access control policies
     Database Firewall
     §  Protect against changes to SQL Server that would render it unsupportable by Microsoft
     §  Enforce separation of duties
     §  Prevent unauthorized access and fraudulent activity
  31. Layers of SharePoint Protection
     Diagram (labels only): The Internet → IIS Web Servers → Application Servers → MS SQL Databases
     Web-Application Firewall: XSS, SQL Injection; Audit
     Activity Monitoring & User Rights Management: Enterprise Users; Excessive Rights, Unauthorized Access; Audit
     DB Activity Monitoring & Access Control: Administrators; Unauthorized Changes
  32. Additional Resource
     Download White Paper
  33. www.imperva.com