Protecting Against Vulnerabilities in SharePoint Add-ons

Microsoft SharePoint is a widely adopted data-sharing and collaboration platform which is often extended using third-party software. When the data in SharePoint is sensitive and regulated, the security of the platform - as well as the software extensions - must be a top concern for organizations. This white paper will discuss the threats introduced when using third-party SharePoint plug-ins and Web Parts, evaluate the effectiveness of traditional security solutions in respect to these threats, and provide recommendations for hardening SharePoint systems.


WHITE PAPER

Microsoft SharePoint is a widely adopted data-sharing and collaboration platform that is often extended using third-party software. When the data in SharePoint is sensitive and regulated, the security of the platform—as well as the software extensions—must be a top concern for organizations.

Seventy percent of organizations are facilitating cross-functional collaboration and increasing productivity by using Microsoft SharePoint as an intranet, as an extranet, and to host public websites[1]. This means business-critical data, including regulated or sensitive information, is stored in most SharePoint environments. In parallel, companies are leveraging third-party add-ons within the SharePoint platform to get their deployment off the ground, encourage adoption, and increase employee interaction.

This paper will discuss the threats introduced when using third-party SharePoint plug-ins and Web Parts, evaluate the effectiveness of traditional security solutions with respect to these threats, and provide recommendations for hardening SharePoint systems.

What Organizations Store in SharePoint

In an Industry Watch survey conducted by the independent research firm Association for Information and Image Management (AIIM), the results showed that SharePoint is highly integrated into companies, especially when compared to most other enterprise IT systems. The report stated that “…over half of respondents are deploying a single SharePoint system across the full enterprise”, indicating that SharePoint is becoming an enterprise-wide, “highly integrated” system[2], and not just a tool used in pockets of the organization.

Notes
1. David Jones. “The SharePoint Puzzle—adding the missing pieces.” AIIM.
2. David Jones. “The SharePoint Puzzle—adding the missing pieces.” AIIM.
The principal reasons organizations implement SharePoint are internal collaboration, content management, project management, records management, corporate intranet, and as a replacement for file shares[3]. These uses are core to running a business and imply that groups and individuals store a multitude of files with sensitive or regulated data in SharePoint. For example, consider whether the information below is stored in your company’s SharePoint deployment:

• Regulated data. Personally identifiable information (PII), credit card information, personal health information (PHI), and financial records. Organizations operating in highly regulated industries, such as the Healthcare, Financial Services, and Federal sectors, commonly leverage SharePoint as a file repository and extranet portal. HIPAA, FINRA, PCI DSS, ITAR and SOX regulations are some of the primary motivators for organizations to ensure that data of this nature is not breached.

• Sensitive data. Intellectual property, deal data, competitive information, business plans, and legal information. The data that an organization considers to be the most sensitive is not always evident, especially if IT teams, rather than data owners, are determining how information is to be classified. As an example, take an international retailer with store operations plans and strategies stored in SharePoint. While one business unit might assume this data is the most critical to the organization’s success, management and the Board of Directors may consider the data pertaining to its international expansion strategy to be top of mind.

SharePoint Starts Small

Companies typically implement SharePoint in a progressive manner, starting with an intranet for file sharing and content management, and eventually expanding to externally-facing deployments. Extranets are often used as a portal for customers, partners, employees, or alumni, and commonly for a Board of Directors site.

The later versions of SharePoint, such as SharePoint 2013, offer new functionality for simple and low-cost website creation, leading a number of Fortune 500 companies to create corporate websites, microsites, and e-commerce sites with SharePoint. As more applications are created in SharePoint, and new data is made available to those accessing SharePoint, the risk of exposure increases. The introduction of third-party widgets exacerbates the situation. According to AIIM, more than half of organizations implementing SharePoint use or are “…planning to use third-party add-on products in order to enhance functionality. Only a third thinks they will stick with the vanilla product.”[4]

In addition to individual components, many organizations outsource SharePoint application development entirely. With almost thirty percent of all applications being produced by third parties[5], organizations need to evaluate the security of SharePoint applications given the amount of regulated and sensitive information dispersed across the platform.

Notes
3. David Jones. “The SharePoint Puzzle—adding the missing pieces.” AIIM.
4. David Jones. “The SharePoint Puzzle—adding the missing pieces.” AIIM.
5. Veracode State of Software Security Report, Volume 4.
Why Organizations Use SharePoint Plug-ins and Web Parts

“Many would argue that the sheer volume of third-party add-ons highlights that SharePoint is nothing more than a Swiss army knife: a platform that requires users to plug in “industry-strength” tools from external suppliers in order to achieve the performance, functionality and robustness required.”[6]

Microsoft SharePoint without plug-ins or Web Parts can be compared to an iPhone without apps[7]. While consumers use apps for convenience, ease of use, collaboration, and productivity, it is for these same reasons that IT teams look to third-party SharePoint widgets to directly modify the content, appearance, and behavior of SharePoint site pages[8]. Some of the most popular categories[9] of SharePoint plug-ins and Web Parts include:

• Forms. These widgets enhance the feature set of SharePoint forms, allowing admins to customize and create forms more quickly.

• Document Management. As one of the most common use cases for SharePoint, organizations leverage this category of add-ons for better distribution of documents throughout teams or groups; improved organization of documents; template customization; enhanced SharePoint search capabilities; and more.

• Productivity. Productivity plug-ins make tasks easier for employees, enabling them to be completed more quickly.

Additionally, there is business justification for IT teams to put third-party tools in place; this can also be referred to as a “no-code” strategy for SharePoint. First, there is significant cost and time associated with custom coding projects within the platform. Stakeholders and end-users are interested in getting SharePoint deployments off the ground and seeing employee adoption. Third-party tools enable exactly that, e.g., the ability to deliver in-depth workflows within a matter of days rather than weeks.

While administrators can experience quick wins with external products, incorporating third-party code alongside regulated and confidential data presents a serious and wide-reaching security risk to SharePoint intranets, extranets, websites, and their end-users[10].

PLUG-IN AND WEB PART DEFINED
Plug-in (a.k.a. extension): A software component that adds functionality to the larger SharePoint system. Example: SharePoint Outlook Integration.
Web Part (a.k.a. web widget): A stand-alone application that is embedded into SharePoint and pulls in useful information from other websites. Example: Twitter feed.

Notes
6. David Jones. “The SharePoint Puzzle—adding the missing pieces.” AIIM.
7. Francis Brown. “SharePoint Security: Advanced SharePoint Security Tips and Tools.” Stach & Liu, LLC.
8. “Creating Web Parts for SharePoint.” Microsoft.
9. “Top 50 SharePoint Plug-Ins and Web Parts for 2013.” Portal Front.
10. “The ‘No Code’ SharePoint Strategy.” PointBeyond Ltd.
Risks Associated with SharePoint Plug-ins and Web Parts

Practically every SharePoint web application includes components that were not developed by in-house application programmers. Even if an application were to be completely homegrown, the web server and operating system were almost certainly coded elsewhere. According to Veracode, about seventy percent of internally developed code originates outside of the development team[11]. In many cases, developers aren’t aware of all the application components they are using, not to mention their versions.

From a business standpoint, SharePoint administrators and security teams should always assume that third-party code—coming from partners, vendors, mergers, and acquisitions—contains significant vulnerabilities. Moreover, organizations have no control over fixing weaknesses in code they do not own. Not only are organizations blind to vulnerabilities when implementing third-party Web Parts and plug-ins, but they will not be protected until that third party addresses those vulnerabilities.

These security gaps transform add-ons from useful SharePoint tools into vehicles for delivering malware and technical attacks. If a vulnerable component is exploited, such attacks can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities can undermine application defenses and introduce a range of possible attacks and business impacts.

The Latest Addition to the OWASP Top 10

Concerns around third-party components are serious enough that the Open Web Application Security Project (OWASP), an industry group focused on web application security best practices, added this threat to its most recent Top 10 report. The Top 10 report represents the most critical web application security risks as identified by a broad consensus of application security experts around the world. This addition is the main difference between the previous OWASP Top 10 and the 2013 Top 10.

This new OWASP Top 10 threat not only reinforces the popularity of third-party components in application development, but also underscores the risks introduced by these components. Because thousands of SharePoint instances may include the same vulnerable code, attackers are highly motivated to locate and exploit vulnerabilities in these application components. This is likely why many of today’s high-profile breaches are caused by vulnerable third-party components.

Notes
11. Veracode State of Software Security Report, Volume 4.
Hacking and the Rise of CMS Hacking

Cyber attacks have a number of motivations—whether they are performed by profit-driven industrialized hacker groups; by hacktivists targeting organizations based on ideology or personal agendas; or by government entities seeking economic or political gain. Depending on the motivation, hackers might focus on exploiting one particular organization, as demonstrated in the December 2012 attack on Yahoo! in which a hacker exploited a third-party astrology web application and gained full access to the company’s Microsoft SQL database. Other motivations might inspire “mass hacking”, in which malicious groups or individuals identify vulnerabilities in content management systems (CMS), and the same principles apply.

SharePoint, one of the leading CMS systems, is built mainly using Visual C#, Visual Basic, the Microsoft .NET Framework, ASP.NET, HTML/CSS, the Document Object Model, and Silverlight; it integrates with Active Directory, and is designed for use with Microsoft SQL Server and Internet Explorer[12]. As a result, the system contains its share of potential security challenges. Microsoft has reported nearly 300 vulnerabilities in SharePoint Server and related products since its release in 2001, which have rendered the underlying software subject to attacks such as cross-site scripting (XSS), SQL injection (SQLi), directory (or path) traversal, and remote file inclusion (RFI)[13].

While classic website hacking consists of a single-site attack in which cybercriminals identify the target, find a vulnerability, and set out to exploit it, CMS hacking, where one CMS vulnerability has the ability to compromise thousands of organizations, is on the rise.

“Microsoft addressed a zero-day flaw and nine other vulnerabilities in SharePoint that could allow remote code execution… In addition, the server has two cross-site scripting vulnerabilities that can be used by an attacker to carry out attacks and run malicious scripts while masquerading as the logged-in user.”[14]
– Robert Westervelt on critical security updates in Microsoft SharePoint, September 2013

Intricacies of a Third-Party Code Exploit

This section explores how an exploit takes place via SQL injection (SQLi), a very common data extraction technique whose objective is to retrieve sensitive data, steal site admin credentials, or infect an end-user with malware. Even after a decade of web application development and awareness around web application security, this attack method is still very relevant and continues to play a major role in application hacking. This is demonstrated by the fact that SQLi has become highly automated and can be performed by unsophisticated hackers with the assistance of hacking tools like SQLmap and Havij.

ON-DEMAND WEBINAR: CMS HACKING 101
Content Management Systems (CMS), like SharePoint, expose organizations to a new set of vulnerabilities. This presentation shows how malicious hackers exploit vulnerabilities found in CMS to systematically identify and attack unsuspecting organizations and provides recommendations for attack protection.

Notes
12. Gustavo Garcia. “SharePoint: In Defense of Cross-Site Scripting.”
13. Gustavo Garcia. “SharePoint: In Defense of Cross-Site Scripting.”
14. Robert Westervelt. “Patch Tuesday: Microsoft Fixes Critical Outlook Error, Critical SharePoint Flaws.” CRN.
Anatomy of a SQL Injection Attack

Hackers begin by taking advantage of non-validated input vulnerabilities, in which unchecked user input is transformed into database queries. Cyber criminals use a variety of approaches to identify application weaknesses. First, they may search public vulnerability databases, which contain thousands of web application and CMS-related vulnerabilities. Another option is to perform Google searches for weak or exposed applications. Additionally, hackers are known to leverage vulnerability scanners from vendors in the same way that organizations do to enhance their security posture.

The next step is to inject SQL commands through the web application, which are then executed by a backend database. Because programmers often concatenate SQL commands with user-provided parameters, hackers have the ability to embed SQL commands inside these parameters. As a result, the attacker can execute SQL commands on the backend database server via the web application. While there are multiple approaches to carrying out this category of attack, the targets are particular database tables that contain valuable information.

No matter which methods or motivations are behind the exploitation of add-ons and CMS systems, hackers are after regulated or sensitive data. On one hand, using third-party add-ons leaves the enterprise with full responsibility for securing the application, and on the other hand, very limited capacity to actually control the code. Because third-party add-on code cannot be fixed in-house, it is important that IT and Information Security teams have the appropriate technology in place to shield the application from attacks, given the potential vulnerabilities.
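The concatenation defect described above, as an added illustration that is not part of the paper and not code from any real add-on: a hypothetical document-lookup function of the kind a SharePoint add-on might expose, written in Python against an in-memory SQLite table with constructed rows (the paper’s add-ons would be .NET code against SQL Server, but the pattern and the fix are the same), next to its parameterized form.

```python
"""Constructed demonstration of the SQL injection pattern the paper describes:
a hypothetical 'document lookup' that builds its query by string
concatenation, next to the parameterized version. Added example; not code
from the paper or from any real add-on. All rows below are constructed."""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a document index with an owner and a classification."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, owner TEXT, title TEXT, classification TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (owner, title, classification) VALUES (?, ?, ?)",
        [
            ("alice", "Q3 store operations plan", "internal"),
            ("alice", "Team offsite agenda", "internal"),
            ("board", "International expansion strategy", "restricted"),
            ("finance", "Payroll export 2013", "restricted"),
        ],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, owner: str, term: str) -> list:
    """Vulnerable: user-controlled values are spliced into the SQL text, so a
    quote character in `term` ends the string literal and whatever follows is
    parsed as SQL. This is the defect the paper describes."""
    sql = (
        "SELECT title, classification FROM documents "
        f"WHERE owner = '{owner}' AND title LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, owner: str, term: str) -> list:
    """Hardened: placeholders keep the query structure fixed; the driver passes
    `owner` and the pattern as data, never as SQL. A quote in the input can
    only ever match a quote inside a title."""
    sql = (
        "SELECT title, classification FROM documents "
        "WHERE owner = ? AND title LIKE ?"
    )
    return conn.execute(sql, (owner, f"%{term}%")).fetchall()


def demo() -> dict:
    """Run both variants with a benign search string and with a string that
    contains a quote; return the row counts so the difference is measurable."""
    conn = build_sample_db()
    benign = "operations"
    # Constructed input containing a quote: in the unsafe query it closes the
    # LIKE literal and appends an always-true comparison, so the owner filter
    # no longer constrains the result set.
    hostile = "%' OR '%'='"
    return {
        "unsafe_benign": len(search_unsafe(conn, "alice", benign)),
        "unsafe_hostile": len(search_unsafe(conn, "alice", hostile)),
        "safe_benign": len(search_safe(conn, "alice", benign)),
        "safe_hostile": len(search_safe(conn, "alice", hostile)),
    }


if __name__ == "__main__":
    print(demo())  # unsafe_hostile returns all 4 rows, safe_hostile returns 0
```

The unsafe variant returns every row in the table, including the restricted documents that belong to other owners, while the parameterized variant returns nothing for the same input.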
Protecting Your SharePoint System

Complementing Traditional Defenses with Dedicated Protection

IT and Security teams continue to spend the vast majority of their cyber security budget on traditional defenses, with the assumption that next-generation firewalls (NGFW) or intrusion prevention systems (IPS) will mitigate attacks against third-party plug-ins or Web Parts. While these defenses are an important part of a security strategy, they are ill-equipped to stop attacks of this nature. Even if they were 100% effective, additional layers would be needed to ensure that critical business data is protected. These solutions are designed to protect networks and users, and although next-generation firewalls are “application aware,” meaning that they can prevent users from visiting phishing sites or tunneling applications in HTTP, they are not designed to protect web applications from external attacks. Hackers looking to steal sensitive data, such as intellectual property, deal data or PII, know exactly where to find it: in SharePoint’s unique application, file, and database elements. The reality is that cyber-attacks have become increasingly sophisticated, leveraging new hacking methods with the explicit purpose of circumventing conventional barriers.

TREND REPORT: LESSONS LEARNED FROM THE YAHOO! HACK
In 2012, a hacker claimed to have breached Yahoo!’s security systems and acquired full access to certain Yahoo! databases, leading to full access on the server for that domain. Imperva found that the hacker was able to determine the allegedly vulnerable Yahoo! application and the exact attack method, SQL injection. This attack underscores the security problem posed by hosting third-party code, as is often done with cloud-based services.
Technical Recommendations

As an enterprise builds out its security model, it is common that vulnerable components outside the purview of the organization are not taken into account. It is important that IT and security teams always assume that third-party code present in SharePoint applications contains significant vulnerabilities.

Protect SharePoint Instances Leveraging Third-Party Code Against Web Attacks

To protect CMS systems, it is vital that organizations incorporate security into the software development life cycle; perform penetration tests and vulnerability assessments on applications; and deploy SharePoint applications behind a web application firewall (WAF) in order to detect and block attacks. When third-party code is present, protecting applications with a web application firewall is essential. Without the ability to fix the code, a WAF is the only relevant protection option. As Gartner states in “Security No-Brainer #9,” it is fundamental that application vulnerability scanners interface with application firewalls. Analyst Neil MacDonald states that once an application security testing tool identifies a vulnerability, the natural next step is to fix the problem. However, this presents challenges if the development team is backlogged, or IT teams don’t have access to the source code[15].

Furthermore, PCI DSS requirement 6.6 provides two options for protecting web applications[16]. The first option is to conduct a vulnerability assessment and incorporate these assessments into the software development life cycle. The other option is to deploy a web application firewall in front of the web application.

Harden the SharePoint System

When an add-on is promoted from development to production, the system configuration must be hardened to disable any irrelevant parts that may help the attacker. In the hardening process, detailed error messages should be disabled; excessive file and directory permissions should be restricted; leftover source code should be deleted; and so on.

Three Layers of SharePoint Security

While this paper focuses on the security implications of third-party web applications, Web Parts and plug-ins, the SharePoint system can be compromised on many levels. In addition to web-based attacks, both malicious insiders and users whose accounts or machines have been compromised by malware pose significant risk. Moreover, Microsoft SharePoint does not have sufficient built-in security capabilities to protect your organization from the wide range of internal and external SharePoint threats. Imperva SecureSphere™ for SharePoint offers a unique three-layer approach for protecting all of SharePoint’s web, file, and database resources.

WHITE PAPER: WHAT NEXT GENERATION FIREWALLS MISS
Web application attacks threaten nearly every organization with an online presence. While some security vendors contend that their next generation firewalls can stop Web attacks, these products lack essential Web security features, leaving customers exposed to attack.

Notes
15. Neil MacDonald. “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls.” Gartner, Inc.
16. “Information Supplement: Application Reviews and Web Application Firewalls Clarified.” PCI Security Standards Council.
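The “disable detailed error messages” item in the hardening step of the Technical Recommendations above, as an added example that is not from the paper or from Imperva: a Python audit of the web.config settings of a SharePoint web application that developers commonly loosen while building an add-on (ASP.NET customErrors, compilation debug and trace, and SharePoint’s SafeMode CallStack and AllowPageLevelTrace). The two web.config fragments are constructed and trimmed to the elements the audit inspects.

```python
"""Audit the error-disclosure settings in a SharePoint web.config before an
add-on is promoted to production. Added example, not from the paper. The two
config fragments below are constructed and trimmed to the elements checked."""
import xml.etree.ElementTree as ET

# Each check: (path under <configuration>, attribute, acceptable values, why it matters).
# Elements and attributes are standard ASP.NET / SharePoint web.config settings.
CHECKS = [
    ("system.web/customErrors", "mode", {"on", "remoteonly"},
     "detailed ASP.NET error pages are returned to remote users"),
    ("system.web/compilation", "debug", {"false"},
     "debug compilation emits stack traces and source context into error output"),
    ("system.web/trace", "enabled", {"false"},
     "request tracing exposes request and server details"),
    ("SharePoint/SafeMode", "CallStack", {"false"},
     "SharePoint renders full call stacks on its error pages"),
    ("SharePoint/SafeMode", "AllowPageLevelTrace", {"false"},
     "page-level tracing can be switched on per page"),
]


def audit_web_config(xml_text: str) -> list:
    """Return one finding string per setting that is not production-safe.
    An absent element or attribute is treated as the ASP.NET default, which is
    safe for every setting in CHECKS, so only explicit weak values are reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, acceptable, reason in CHECKS:
        node = root.find(path)
        if node is None:
            continue
        value = node.get(attr)
        if value is None:
            continue
        # .NET parses these booleans and enums case-insensitively, so compare lowercase.
        if value.lower() not in acceptable:
            findings.append(f"{path}@{attr}={value!r}: {reason}")
    return findings


# Constructed fragment as it might look at the end of development: everything verbose.
DEV_WEB_CONFIG = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" AllowPageLevelTrace="true" />
  </SharePoint>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>"""

# Constructed hardened fragment: the same elements set to production values.
PROD_WEB_CONFIG = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="false" AllowPageLevelTrace="false" />
  </SharePoint>
  <system.web>
    <customErrors mode="On" />
    <compilation debug="false" />
    <trace enabled="false" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for name, cfg in (("dev", DEV_WEB_CONFIG), ("prod", PROD_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```

Running the audit against the web.config of each SharePoint web application (and again after every add-on deployment) catches the debugging settings that leak stack traces and configuration details to remote users.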
Layer #1: Deploy a Web Application Firewall Tailored to SharePoint

Traditional technologies leave holes in application defenses that are only addressed by dedicated web application firewalls. SecureSphere for SharePoint uses market-leading web application firewall technology to protect SharePoint web applications with vulnerable components. Through defenses such as patented Dynamic Profiling technology, SQL injection and XSS correlation engines, and detection of Microsoft SharePoint HTTP protocol violations, SecureSphere identifies zero-day attempts to exploit vulnerable components. In addition, once a new vulnerability is published, the Imperva Application Defense Center (ADC) quickly develops a signature or a set of policies to virtually patch the vulnerability. Through automatic security updates, all SecureSphere appliances receive the latest security content and are protected against newly published vulnerabilities.

Many organizations do not know what third-party components are used in their web applications, nor do they track vulnerability announcements for these components. As a result, applications built with vulnerable components are often exposed to attack for long periods of time. The SecureSphere Web Application Firewall solution has multiple layers of defense to protect applications with third-party components.

Layer #2: Safeguard Files, Folders, and Lists with User Rights Management and Activity Monitoring

SharePoint administrators often face challenges managing user permissions; maintaining a comprehensive audit trail of file access activity; and producing reports for compliance and forensic purposes. SecureSphere for SharePoint offers a user rights management framework which aggregates and consolidates user rights across SharePoint sites, providing visibility into effective SharePoint permissions. This allows organizations to efficiently conduct rights reviews, eliminate excess rights, and identify dormant users, all of which help ensure that access is based on business need-to-know.

Additionally, Imperva’s SharePoint solution provides continuous monitoring and a detailed audit trail of all data access activity, showing the “Who, What, When, Where, and How” of each data access. This enables security, compliance, and SharePoint administrative staff to understand exactly who accessed, moved, changed, or deleted data. Furthermore, SecureSphere offers a flexible security policy framework, which allows businesses to respond immediately when data access activity deviates from corporate policy.

Natively, SharePoint offers rudimentary reporting capabilities that are insufficient for compliance reporting and investigating security incidents. SecureSphere for SharePoint features interactive, on-screen audit analytics to quickly visualize file data access activity and user rights. Security and compliance teams can use these analytics to identify trends, patterns, and problems with file activity and user rights. SecureSphere’s analytics and reporting help measure risk and document compliance with regulations such as SOX, PCI, and data privacy laws.

EBOOK: SHAREPOINT SECURITY PLAYBOOK
The increasing use of Microsoft SharePoint to store sensitive business data and extend access and collaboration to partners, customers, and suppliers has outpaced native SharePoint security capabilities. By implementing the five lines of defense outlined in this eBook, organizations will be able to overcome operational challenges and protect SharePoint deployments against both internal and external threats.
Layer #3: Protect SharePoint’s Microsoft SQL Database from Tampering

The Microsoft SQL database is at the core of the SharePoint platform—storing all files, lists, and application data. Internal security requirements and compliance mandates call for privileged-user monitoring and preventing unauthorized database access. This also applies to the database component of the SharePoint platform. SecureSphere for SharePoint monitors all database access and ensures unauthorized access is prevented.

Conclusion

Microsoft SharePoint is one of the most widely deployed and used content management and collaboration platforms in the world. For the vast majority of organizations, that means that SharePoint holds and provides application-level access to business-critical data. As businesses seek a rapid return on their SharePoint investments, it is common for them to turn to third-party SharePoint add-ons to expand the power and utility of SharePoint. From a security and compliance perspective, adding these extensions to an already complex business system means that additional, tailored measures need to be put in place to safeguard business data and applications. These include web application firewall technology, rights management capabilities, and activity monitoring for all data access. SecureSphere for SharePoint addresses all of these requirements in a single, integrated package.
© Copyright 2013, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. WP-VulSPAddOns-0913.1

Imperva, pioneering the third pillar of enterprise security, fills the gaps in traditional security by directly protecting the high-value applications and data assets in physical and virtual data centers. Over 2600 customers in more than 75 countries rely on our SecureSphere® platform to safeguard their business.