SharePoint
A Hacker's Dream
Ian Naumenko, CISSP
Spot Solutions Ltd.
SharePoint Saturday Vancouver, March 11, 2016 Spot Solutions Ltd.
Thanks to all the Sponsors !!!
Ian Naumenko, CISSP
WORK
✘ Director IT and Security Operations – Spot Solutions Ltd
BOARDS
✘ Vice President of InfoSecBC
(Vancouver Security Special Interest Group)
✘ President Western Region IAMCP Canada
(International Association of Microsoft Channel Partners)
✘ Work with POLCYB
(The Society for The Policing of cyberspace)
Education, Certifications
✘ Computer Sciences, CISSP, various Microsoft certs, ISO 90001, random others…
I’m not dissing SharePoint…
✘ SharePoint is an excellent collaboration platform, and overall Microsoft is doing a great job making the technology secure.
✘ It's not usually the technology that is at fault; it's how we use the technology that matters…
Sorry to disappoint…
We are not actually going to hack anything today…
Why is SharePoint a hacker's dream?
Over the past several years, the uptake of SharePoint has been considerable. Way back in 2009, it was estimated that SharePoint had licensed more than 85 million users to an estimated 17,000 companies. This number has grown exponentially in recent years, especially with Microsoft "Core CALs" (which include SharePoint) and the introduction of SharePoint Online and Office 365.
Why is it a hacker's dream?
“According to Association for Information and Image Management (AIIM) one in two corporations are now using SharePoint Server and in 22% of the companies, every employee uses this popular Microsoft collaboration tool.”
http://www.topsharepoint.com/fortune-500-companies-using-sharepoint
Why is it a hacker's dream?
A vast number of Fortune 500 private companies use SharePoint for their internal and external content, for example:
• UPS Store
• Procter & Gamble
• SC Johnson
• Bristol-Myers Squibb
Why is it a hacker's dream?
…usage ranges from enterprise search, enterprise content management (ECM), business process management, business intelligence, records management, archiving, intranet/extranet and file sharing to public-facing websites…
It contains lots of valuable data, making it a big, juicy target!!!
Why do we care…
2015's biggest hacks, breaches
✘Ashley Madison – 37 million “cheaters” records released
✘Vtech – 4.8 million records including info on 200,000 kids
✘70 million prisoner phone records stolen (attorney-client privilege may have been violated)
✘FBI's portal breached, thousands of arrestees' data at risk, including access to CIA director John Brennan's private email account (widest external breach of law enforcement this year)
✘Donald Trump's hotel chain hack hit thousands of hotel visitors (credit card data including security codes and card numbers)
✘Crowdfunding service Patreon hack led to 15GB data dump
✘Experian breach hit 15 million T-Mobile customers
✘Scottrade hack: Details on 4.6 million customers stolen
✘Excellus BlueCross BlueShield – 10 million records
Why do we care…
2015's biggest hacks, breaches
✘Carphone Warehouse tops UK breach list with 2.4 million affected
✘CVS, Walgreens, credit card breach, millions of CC, email, postal codes etc., records leaked
✘UCLA Health failed to encrypt 4.5 million records
✘Hacking Team exploits put hundreds of millions of Flash users at risk
✘OPM breach, which affected 22.1 million US government workers (and counting).
✘LastPass customers at risk after millions of passwords accessed
✘The IRS data breach, stolen tax returns of over 100,000 tax payers
✘Anthem (US healthcare provider) breach affected one-third of Americans
The annual cost of data breaches in the US is estimated to be $100 billion
Why do we care… Bradley Manning
Forensics discovered WGET scripts on Manning's computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents…
Edward Snowden
NSA's General Keith Alexander indicated…
“This leaker was a system administrator who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed.” He then added that the leak was “... a huge break in trust and confidence. So there are issues we have got to fix there.”
So, what do we need to do…
To start…
1. We need to understand what Information Security really is all about…
2. We need to understand external and internal threats…
1. Information Security 101
Security is not a group in SharePoint…
“To many in the SharePoint world, “SharePoint
security” is synonymous with “SharePoint
permissions” and the Snowden breach is a
great example of how permissions are a single
point of failure but do not (in and of themselves)
equate to a proper security architecture.”
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
Need to understand the CIA …
Confidentiality, Integrity and Availability
Confidentiality - Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
(Think authentication, permissions and groups in SharePoint: who gets to see what…)
Integrity - Integrity refers to the trustworthiness of information resources. It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately, whether by accident or by deliberately malign activity. It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or entity you think it did, rather than an imposter.
(Think SharePoint's "Created by" or "Last modified" each time a document is uploaded/changed)
Availability - Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.
(Think disaster recovery and high availability)
Information Classification…
Classifying data is the process of categorizing data assets based on nominal values according to
its sensitivity (e.g., impact of applicable laws and regulations).
An example of a Data Classification:
Public - Information that may or must be open to the general public.
Internal - Information that must be guarded due to proprietary, ethical, or privacy considerations.
Confidential - Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.
Regulatory Data Classification - Information that's protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents.
Understand the B's and the C's
Business
✘ Technology and security are there to support the business, not the other way around
✘ Difference between a manufacturer and a healthcare provider
✘ Government has different drivers, since its goal is to protect the public
✘ Understand the actual business need
✘ Add business value
Culture
✘ Heads down, don't rock the boat
✘ Where's my bonus?
Assets
✘ Are we spending a Loonie to save a dime?
✘ What is our risk appetite?
✘ Risk avoidance, reduction, transfer, acceptance
✘ Risk = Likelihood x Impact
[Diagram: Business, Security, Technology]
Security basics: definitions of threat, attack and risk
Definition of threat: an object, person, or other entity that represents a constant danger to
an asset
Definition of vulnerability: a weakness that makes targets susceptible to an attack.
Definition of attack: an action taken against a target with the intention of doing harm.
Definition of risk: the likelihood of being targeted by a given attack, of an attack being
successful, and general exposure to a given threat.
Source: Excerpt from CISSP Guide to Security Essentials, chapter 10
2. External and Internal Threats?
External Threats…
✘Hacktivists
✘Bragging Rights
✘Monetary Gain
✘Criminal Groups
✘Thrill Seekers
✘Terrorists
✘State Sponsored
✘Organized Crime
✘Industrial Spies
Internal Threats… “Most data security threats are internal”
“internal vulnerabilities in some form or another responsible for a total of 70 percent of breaches” – Forrester
✘Employees (The ones you always trust, but shouldn't)
✘Developers (No-one trusts these guys)
✘Administrators (All powerful)
Internal threats…
✘ Lost or stolen devices account for 31 percent of all data security breaches
✘ Accidental misuse by an employee accounted for another 27 percent of incidents
✘ 12 percent of breaches were caused by malicious insiders
✘ 22 percent of incidents involved either customer or employee data, in addition to reputational damage
✘ 19 percent of breaches involved intellectual property
http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/
Pieces of a puzzle….
Hackers don't wave a magic wand and voilà, they're in…. If organized, information is gathered over time from multiple sources and techniques, then slowly assembled like a puzzle:
• BotNets
• Hacking
• Malware
• Pharming
• Phishing
• Ransomware
• Spam
• Spoofing
• Spyware
• Trojan Horses
• Viruses
• Worms
• WiFi Eavesdropping
• Email scams
• Phishing and Smishing scams
• Contests and Scams
• Online dating scams
• Social network scams
• Fraudulent calls
• Social engineering
SharePoint can be vulnerable if we are not careful…
✘ Don't assume that just because you have some SP permissions set up that your data is "automatically" safe; this applies on premise, to hosted solutions and to Office 365
✘ We need to start treating SharePoint as a business critical repository of important, sensitive business information
✘ Security is not just a checklist, it's a strategy
✘ Threats are not just external…
✘ SharePoint security only stands a chance if there is governance
Governance is the key
✘ “Governance for SharePoint could be defined as your strategy for delivering the business solutions your end users want, within the scope of the technology and security considerations, while maintaining those business constraints.”
✘ Reducing risk – “just over 43 percent claimed they do not regularly run audits on usage, security, content or permissions, which is frightening to say the least. A governance plan that protects business IP and is aligned with the appropriate compliance regulations helps reduce potentially devastating risk and losses in the future.”
✘ “Governance actually enables business agility and protects the business from data leaks, risk and lost resources”
Great free resource; all the above quotes are from the Metalogix ebook "SharePoint Governance Best Practices" by SharePoint MVP Christian Buckley.
On-Premise vs Cloud deployments?
On-Premise Deployments…
✘ Pros
• All corporate data is kept onsite, in-house
• Data sovereignty (i.e. keeping content within the country)
• More ability for customization (farm solutions) – don't have to rely on JavaScript
• Knowing your sysadmin team and those who have the keys to your kingdom
• CIA - Confidentiality and Integrity
✘ Cons
• Less or no internal "security minded" resources available
• Limited or overstretched sysadmin resources
• More upkeep and maintenance costs for infrastructure
• Developers of farm solutions need to follow an SSDLC and need to understand the potential impacts of custom code
• CIA - Availability
Cloud Deployments…
✘ Pros
• Little or no internal infrastructure
• Vast Microsoft infrastructure and security resources
• Automated backup
• Scalability
• CIA - Availability
✘ Cons
• If the internet is down or inaccessible, so is your data
• All data is available externally
• Data is stored wherever Microsoft decides
• Data sovereignty – even if in a Canadian data center, operations are owned by a foreign country
• Adequately securing against rogue systems administrators and insiders…
• CIA – Confidentiality, Availability
Finally the good stuff…
SharePoint endpoints (a slide listing search-engine queries for SharePoint pages, grouped by category)
Three click attack…
SharePoint Hacking Diggity Project – Bishop Fox
http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/
✘ UserDispEnum
• UserDispEnum is a SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can easily be extracted from the SharePoint user profiles.
Paste this into your browser: http://www.google.com/#q=inurl:"/_layouts/userdisp.aspx
SharePoint UserDispEnum
Also many technical vulnerabilities…
✘ Microsoft Security Bulletin MS15-036 - Elevation of Privilege
• April 14, 2015: The attacker who successfully exploited these vulnerabilities could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the victim's browser.
✘ Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
• Aug 18, 2015: It is possible to evade the current security controls on Microsoft SharePoint Online 2013 Web Application by simply adding a blank iframe in the HTML through the `embed code` feature. It does not matter what policies have been implemented through the `HTML Field Security` feature. All filters / policies are easily evaded using the above mentioned filter bypass technique and this should be fixed immediately. Please note, once the filter is evaded, it is possible to inject malicious script code without any restrictions and it doesn't get stripped / filtered even after publishing. Successful exploitation of the vulnerability results in filter evasion of all SharePoint security policies for the websites and allows execution of persistent script code that can result in session hijacking, persistent phishing, stable external redirect, stable external malware loads and persistent vulnerable module context manipulation.
Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
Proof of Concept (PoC):
The persistent input validation web vulnerability can be exploited by remote attackers with low required user interaction and a (restricted) privileged SharePoint cloud application user account. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
1. Register an Office and SharePoint Online 2013 account
2. Log in to the SharePoint portal as admin
3. Go to your site and click on Edit
4. Go to Insert and include "embed code"
5. In the input box, enter the given "Payload"
6. Click Insert and then Save
7. Upon being redirected to the index page, a JavaScript box should pop up, proving the existence of this vulnerability
http://www.vulnerability-lab.com/get_content.php?id=1024
WGET Script
✘ What is WGET?
• It's a command-line tool to download webpages and their assets
✘ Why does it matter….
• Mass content download!
The following command will download all the content from SharePoint to static pages using WGET (the <…> placeholders stand for your own values). WGET even fixes all links so that most navigation still works.
wget -r --no-parent --convert-links -P "C:\temp\<my local folder>" --http-user="<domain>\<username>" --http-password="<password>" http://<path to sharepoint>
✘ What can we do to prevent its use…
• WGET respects passwords
• wget respects, by default, your robots.txt file
• webservers can be set up to deny WGET's default user agent
• All that being said, it's really hard to block
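As an added example (not from the slides, and not Bishop Fox's or GNU wget's code), the following Python script shows how a defender can spot in IIS logs the two patterns discussed above: the sequential userdisp.aspx?ID= walk that UserDispEnum performs, and the wget-style mass download. The log lines are constructed, the IIS W3C field order is assumed, and the thresholds (5 consecutive IDs, 10 documents in 60 s) are assumptions to tune for your own farm.

```python
"""Detection logic for two abuse patterns from this deck, run over constructed
IIS W3C log lines (not real traffic):
  1. user enumeration: one client walking /_layouts/userdisp.aspx?ID=1,2,3...
  2. mass content download: a wget-style user agent, or many distinct
     documents pulled by one account within a short window.
Thresholds and the log field order are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Assumed "#Fields" order of the IIS W3C log being analysed.
FIELDS = ["date", "time", "method", "stem", "query", "user", "ip", "ua", "status"]
DOC_EXTENSIONS = (".docx", ".doc", ".xlsx", ".xls", ".pptx", ".ppt", ".pdf")
BROWSER_UA = "Mozilla/5.0+(Windows+NT+6.1)"   # IIS writes spaces in the UA as '+'


def _line(ts, stem, query, user, ip, ua, status=200):
    return f"{ts:%Y-%m-%d %H:%M:%S} GET {stem} {query} {user} {ip} {ua} {status}"


def build_sample_log():
    """Constructed traffic: an enumerator, a wget mirror, a bulk puller, a normal user."""
    t0 = datetime(2016, 3, 11, 9, 0, 0)
    lines = ["#Fields: " + " ".join(FIELDS)]
    # 203.0.113.5 walks userdisp.aspx IDs 1..6 anonymously from a browser UA
    for i in range(1, 7):
        lines.append(_line(t0 + timedelta(seconds=i), "/_layouts/userdisp.aspx",
                           f"ID={i}", "-", "203.0.113.5", BROWSER_UA))
    # CORP\jdoe mirrors a library with wget's default user agent
    for i in range(3):
        lines.append(_line(t0 + timedelta(minutes=1, seconds=i),
                           f"/Shared%20Documents/report{i}.docx", "-",
                           "CORP\\jdoe", "10.0.0.7", "Wget/1.17.1+(linux-gnu)"))
    # CORP\bulk pulls 12 distinct spreadsheets in 22 seconds from a browser UA
    for i in range(12):
        lines.append(_line(t0 + timedelta(minutes=2, seconds=2 * i),
                           f"/Finance/Q{i}.xlsx", "-", "CORP\\bulk", "10.0.0.8", BROWSER_UA))
    # CORP\asmith reads two documents ten minutes apart: normal behaviour
    for i in range(2):
        lines.append(_line(t0 + timedelta(minutes=5 + 10 * i),
                           f"/HR/policy{i}.pdf", "-", "CORP\\asmith", "10.0.0.9", BROWSER_UA))
    return lines


def parse(lines):
    """Turn W3C lines into dicts; skip '#' directives and malformed rows."""
    records = []
    for raw in lines:
        parts = raw.split()
        if raw.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def detect_userdisp_enum(records, min_ids=5):
    """Return {ip: sorted IDs} for clients that successfully requested at least
    min_ids distinct, consecutive ID values on userdisp.aspx (the UserDispEnum pattern)."""
    ids_by_ip = defaultdict(set)
    for r in records:
        if r["status"] == 200 and r["stem"].lower().endswith("/_layouts/userdisp.aspx"):
            for value in parse_qs(r["query"]).get("ID", []):
                if value.isdigit():
                    ids_by_ip[r["ip"]].add(int(value))
    hits = {}
    for ip, ids in ids_by_ip.items():
        run = sorted(ids)
        if len(run) >= min_ids and run[-1] - run[0] == len(run) - 1:
            hits[ip] = run
    return hits


def detect_mass_download(records, window=timedelta(seconds=60), min_docs=10):
    """Return {client: reason}. The client is the account when authenticated, else the IP.
    Flags wget-style user agents outright, and any client that fetched at least
    min_docs distinct documents inside one sliding window."""
    reasons = {}
    fetches = defaultdict(list)
    for r in records:
        client = r["user"] if r["user"] != "-" else r["ip"]
        if r["ua"].lower().startswith("wget/"):
            reasons[client] = "wget user agent"
        if r["status"] == 200 and r["stem"].lower().endswith(DOC_EXTENSIONS):
            fetches[client].append((r["when"], r["stem"]))
    for client, events in fetches.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {stem for when, stem in events[i:] if when - start <= window}
            if len(distinct) >= min_docs:
                reasons.setdefault(client, f"{len(distinct)} distinct documents within {window.seconds}s")
                break
    return reasons


if __name__ == "__main__":
    recs = parse(build_sample_log())
    print("user enumeration:", detect_userdisp_enum(recs))
    print("mass download:", detect_mass_download(recs))
```

A wget user that changes its user agent will only be caught by the volume rule, which is why the second check keys on the account rather than the agent string.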
What can we do?
Vulnerability assessment tools and resources…
✘ Assessment tools from vendors such as:
Metalogix - Free Insider Threat Vulnerability tool
ShareGate – SharePoint Security Tool
AveDoc – Governance Automation
✘ OWASP Top 10
✘ Kali disc (pen testing)
✘ Microsoft Security Center – Security bulletins
https://technet.microsoft.com/en-us/library/security/dn631937.aspx
✘ Common Vulnerabilities and Exposures Database
http://www.cve.mitre.org/find/index.html
Points to remember…
✘ SharePoint doesn't matter, the business matters. (quoted from the Metalogix Governance Best Practices ebook)
✘ We have to approach cloud services by assuming that your data is being looked at by third parties, including cloud systems administrators, and by governmental agencies…
✘ Most IT platforms, and particularly collaboration-oriented platforms, are challenged to adequately secure against rogue systems administrators and insiders. The solution to securing SharePoint and other IT platforms against insiders will always boil down to careful application of security controls, which are not always technical…
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
Points to remember… (cont…)
✘Don't take the technology for granted.
✘Governance is most important. "It's not a checklist, it's a strategy"
✘Educate staff in simple language they can understand and relate to
✘Don't fall into "tick-box security"
✘Understand the business needs and culture
✘Be careful with custom code. Always use SSDLC techniques
✘Teach your staff about "social engineering"
✘Deploy defense-in-depth protection
Conclusion…
Mike Fleck, Co-Founder of CipherPoint Software, wrote…
”If your house gets broken into, but you like the house, keep the house and buy a security system. People love SharePoint for the collaboration efficiencies the platform brings to the enterprise. Add to SharePoint the right set of administrative and technical security controls, and you’ve got a winning combination. It is possible to use the SharePoint platform for use cases involving highly sensitive data!”
thanks!
Any questions?
You can find me at
ian@spotsolutions.com
https://www.linkedin.com/in/iannaumenko
@ignhot
Credits
Special thanks to all the people who made and released these awesome slides for free:
Presentation template by SlidesCarnival
Photographs by Unsplash

Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
Ulf Mattsson
 
Cyber speed – the unknown velocity component
Cyber speed – the unknown velocity componentCyber speed – the unknown velocity component
Cyber speed – the unknown velocity component
Jonathan Sinclair
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & Recommendations
Ulf Mattsson
 
Showreel ICSA Technology Conference
Showreel ICSA Technology ConferenceShowreel ICSA Technology Conference
Showreel ICSA Technology Conference
Institute of Chartered Secretaries and Administrators
 
What is Information Security and why you should care ...
What is Information Security and why you should care ...What is Information Security and why you should care ...
What is Information Security and why you should care ...
James Mulhern
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
NetWatcher
 
How big is your shadow?
How big is your shadow?How big is your shadow?
How big is your shadow?
digital_shadows
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Steven Schwartz
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Casey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
Sensecy cti vs cti
Sensecy cti vs cti Sensecy cti vs cti
Sensecy cti vs cti
Dori Fisher
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyHamisi Kibonde
 
A handbook of the threat intelligence tools your company needs
A handbook of the threat intelligence tools your company needsA handbook of the threat intelligence tools your company needs
A handbook of the threat intelligence tools your company needs
Securaa
 
Why do women love chasing down bad guys?
Why do women love chasing down bad guys? Why do women love chasing down bad guys?
Why do women love chasing down bad guys?
SITA
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Randall Chase
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Rishi Singh
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
Matthew Pascucci
 
Shining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebShining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark Web
SurfWatch Labs
 

Similar to Hacking_SharePoint_FINAL (20)

Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Cyber speed – the unknown velocity component
Cyber speed – the unknown velocity componentCyber speed – the unknown velocity component
Cyber speed – the unknown velocity component
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & Recommendations
 
Showreel ICSA Technology Conference
Showreel ICSA Technology ConferenceShowreel ICSA Technology Conference
Showreel ICSA Technology Conference
 
What is Information Security and why you should care ...
What is Information Security and why you should care ...What is Information Security and why you should care ...
What is Information Security and why you should care ...
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
 
How big is your shadow?
How big is your shadow?How big is your shadow?
How big is your shadow?
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal Data
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Spo2 t17
Spo2 t17Spo2 t17
Spo2 t17
 
Sensecy cti vs cti
Sensecy cti vs cti Sensecy cti vs cti
Sensecy cti vs cti
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
 
A handbook of the threat intelligence tools your company needs
A handbook of the threat intelligence tools your company needsA handbook of the threat intelligence tools your company needs
A handbook of the threat intelligence tools your company needs
 
Why do women love chasing down bad guys?
Why do women love chasing down bad guys? Why do women love chasing down bad guys?
Why do women love chasing down bad guys?
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Shining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebShining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark Web
 

Hacking_SharePoint_FINAL

  • 1. SharePoint: A Hacker's Dream. Ian Naumenko, CISSP, Spot Solutions Ltd. SharePoint Saturday Vancouver, March 11, 2016. Spot Solutions Ltd.
  • 2. Thanks to all the Sponsors!!!
  • 3. Ian Naumenko, CISSP
    WORK
    ✘ Director IT and Security Operations – Spot Solutions Ltd
    BOARDS
    ✘ Vice President of InfoSecBC (Vancouver Security Special Interest Group)
    ✘ President Western Region IAMCP Canada (International Association of Microsoft Channel Partners)
    ✘ Work with POLCYB (The Society for The Policing of Cyberspace)
    Education, Certifications
    ✘ Computer Sciences, CISSP, various Microsoft certs, ISO 9001, random others…
  • 4. I’m not dissing SharePoint…
    ✘ SharePoint is an excellent collaboration platform and overall Microsoft is doing a great job making the technology secure.
    ✘ It’s not usually the technology that is at fault, it’s how we use the technology that matters…
  • 5. Sorry to disappoint… We are not actually going to hack anything today…
  • 6. Why is SharePoint a hacker's dream? Over the past several years, the uptake of SharePoint has been considerable. Way back in 2009, it was estimated that SharePoint had licensed more than 85 million users to an estimated 17,000 companies. This number has grown exponentially in recent years, especially with Microsoft "Core CALs" (which include SharePoint), and the introduction of SharePoint Online and Office 365.
  • 7. Why is it a hacker's dream? “According to the Association for Information and Image Management (AIIM) one in two corporations are now using SharePoint Server and in 22% of the companies, every employee uses this popular Microsoft collaboration tool.” http://www.topsharepoint.com/fortune-500-companies-using-sharepoint
  • 8. Why is it a hacker's dream? A vast number of Fortune 500 private companies use SharePoint for their internal and external content: UPS Store, Procter & Gamble, SC Johnson, Bristol-Myers Squibb
  • 9. Why is it a hacker's dream? …usage includes enterprise search, enterprise content management (ECM), business process management, business intelligence, records management, archiving, intranet/extranet, file sharing to public-facing websites… Contains lots of valuable data, making it a big juicy target!!!
  • 10. Why do we care… 2015's biggest hacks, breaches
    ✘ Ashley Madison – 37 million “cheaters” records released
    ✘ VTech – 4.8 million records, including info on 200,000 kids
    ✘ 70 million prisoner phone records stolen (attorney-client privilege may have been violated)
    ✘ FBI's portal breached, thousands of arrestees' data at risk, including access to CIA director John Brennan's private email account (widest external breaches of law enforcement this year)
    ✘ Donald Trump's hotel chain hack hit thousands of hotel visitors (credit card data including security codes and card numbers)
    ✘ Crowdfunding service Patreon hack led to 15GB data dump
    ✘ Experian breach hit 15 million T-Mobile customers
    ✘ Scottrade hack: details on 4.6 million customers stolen
    ✘ Excellus BlueCross BlueShield – 10 million records
  • 11. Why do we care… 2015's biggest hacks, breaches
    ✘ Carphone Warehouse tops UK breach list with 2.4 million affected
    ✘ CVS, Walgreens credit card breach: millions of CC, email, postal code etc. records leaked
    ✘ UCLA Health failed to encrypt 4.5 million records
    ✘ Hacking Team exploits put hundreds of millions of Flash users at risk
    ✘ OPM breach, which affected 22.1 million US government workers (and counting)
    ✘ LastPass customers at risk after millions of passwords accessed
    ✘ The IRS data breach: stolen tax returns of over 100,000 tax payers
    ✘ Anthem (US healthcare provider) breach affected one-third of Americans
    The annual cost of data breaches in the US is estimated to be $100 billion
  • 12. Why do we care…
    Bradley Manning: Forensics discovered WGET scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents…
    Edward Snowden: NSA General Keith Alexander indicated… “This leaker was a system administrator who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed.” He then added that the leak was “... a huge break in trust and confidence. So there are issues we have got to fix there.”
  • 13. So, what do we need to do… To start…
    1. We need to understand what information security really is all about…
    2. We need to understand external and internal threats…
  • 14. 1. Information Security 101
  • 15. Security is not a group in SharePoint… “To many in the SharePoint world, “SharePoint security” is synonymous with “SharePoint permissions” and the Snowden breach is a great example of how permissions are a single point of failure but do not (in and of themselves) equate to a proper security architecture.” http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
  • 16. Need to understand the CIA…
  • 17. Confidentiality, Integrity and Availability
  • 18. Confidentiality, Integrity and Availability
  • 19. Confidentiality, Integrity and Availability
    Confidentiality - Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people." (Think authentication, permissions and groups in SharePoint: who gets to see what…)
    Integrity - Integrity refers to the trustworthiness of information resources. It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately, whether by accident or by deliberately malign activity. It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or entity you think it did, rather than an impostor. (Think SharePoint’s “Created by” or “Last modified” each time a document is uploaded/changed)
    Availability - Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure. (Think disaster recovery, high availability)
  • 20. Information Classification… Classifying data is the process of categorizing data assets based on nominal values according to their sensitivity (e.g., impact of applicable laws and regulations). An example of a data classification:
    Public - Information that may or must be open to the general public.
    Internal - Information that must be guarded due to proprietary, ethical, or privacy considerations.
    Confidential - Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.
    Regulatory Data Classification - Information that’s protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents.
  • 21. Understand the B’s and the C’s
    Business
    ✘ Technology and security are there to support the business, not the other way around
    ✘ Difference between a manufacturer and a healthcare provider
    ✘ Government has different drivers since its goal is to protect the public
    ✘ Understand the actual business need
    ✘ Add business value
    Culture
    ✘ Heads down, don’t rock the boat
    ✘ Where's my bonus?
    Assets
    ✘ Are we spending a Loonie to save a dime?
    ✘ What is our risk appetite?
    ✘ Risk avoidance, reduction, transfer, acceptance
    ✘ Risk = Likelihood x Impact
    (Diagram: Business, Security, Technology)
  • 22. Security basics: definitions of threat, attack and risk
    Definition of threat: an object, person, or other entity that represents a constant danger to an asset.
    Definition of vulnerability: a weakness that makes targets susceptible to an attack.
    Definition of attack: an action taken against a target with the intention of doing harm.
    Definition of risk: the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat.
    Source: Excerpt from CISSP Guide to Security Essentials, chapter 10
  • 23. 2. External and Internal Threats?
  • 24. External Threats…
    ✘ Hacktivists
    ✘ Bragging rights
    ✘ Monetary gain
    ✘ Criminal groups
    ✘ Thrill seekers
    ✘ Terrorists
    ✘ State sponsored
    ✘ Organized crime
    ✘ Industrial spies
  • 25. Internal Threats… “Most data security threats are internal”: internal vulnerabilities in some form or another are responsible for a total of 70 percent of breaches (Forrester)
    ✘ Employees (The ones you always do, but shouldn't, trust)
    ✘ Developers (No one trusts these guys)
    ✘ Administrators (All powerful)
  • 26. Internal threats…
    ✘ Lost or stolen devices account for 31 percent of all data security breaches
    ✘ Accidental misuse by an employee accounted for another 27 percent of incidents
    ✘ 12 percent of breaches were caused by malicious insiders
    ✘ 22 percent of incidents involved either customer or employee data
    ✘ In addition to reputational damage, 19 percent of breaches involved intellectual property
    http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/
  • 27. Pieces of a puzzle… Hackers don’t wave a magic wand and voila, they’re in… If organized, information is gathered over time from multiple sources and techniques, then slowly assembled like a puzzle:
    • BotNets • Hacking • Malware • Pharming • Phishing • Ransomware • Spam • Spoofing • Spyware • Trojan Horses • Viruses • Worms • WiFi Eavesdropping
    • Email scams • Phishing and Smishing scams • Contests and Scams • Online dating scams • Social network scams • Fraudulent calls • Social engineering
  • 28. for SharePoint
  • 29. SharePoint can be vulnerable if we are not careful
    ✘ Don’t assume that just because you have some SP permissions set up that your data is “automatically” safe; this applies on premise, to hosted solutions and to Office 365
    ✘ We need to start treating SharePoint as a business-critical repository of important, sensitive business information
    ✘ “Security is not just a checklist, it’s a strategy”
    ✘ Threats are not just external…
    ✘ SharePoint security only stands a chance if there is governance
  • 30. Governance is the key
    ✘ “Governance for SharePoint could be defined as your strategy for delivering the business solutions your end users want, within the scope of the technology and security considerations, while maintaining those business constraints.”
    ✘ Reducing risk – “just over 43 percent claimed they do not regularly run audits on usage, security, content or permissions, which is frightening to say the least. A governance plan that protects business IP and is aligned with the appropriate compliance regulations helps reduce potentially devastating risk and losses in the future.”
    ✘ “Governance actually enables business agility and protects the business from data leaks, risk and lost resources”
    Great free resource; all the above quotes are from the Metalogix ebook SharePoint Governance Best Practices by SharePoint MVP Christian Buckley
  • 31. On-Premise vs Cloud deployments?
  • 32. On-Premise Deployments…
    ✘ Pros
    • All corporate data is kept onsite, in-house
    • Data sovereignty (i.e. keeping content within the country)
    • More ability for customization (farm solutions) – don’t have to rely on JavaScript
    • Knowing your sysadmin team and those who have the keys to your kingdom
    • CIA - Confidentiality and Integrity
    ✘ Cons
    • Less or no internal “security minded” resources available
    • Limited or overstretched sysadmin resources
    • More upkeep and maintenance costs for infrastructure
    • Developers of farm solutions need to follow SSDLC and need to understand the potential impacts of custom code
    • CIA - Availability
  • 33. Cloud Deployments…
    ✘ Pros
    • Little or no internal infrastructure
    • Vast Microsoft infrastructure and security resources
    • Automated backup
    • Scalability
    • CIA - Availability
    ✘ Cons
    • If the internet is down or inaccessible, so is your data
    • All data is available externally
    • Data is stored wherever Microsoft decides
    • Data sovereignty – even if in a Canadian data center, operations are owned by a foreign country
    • Adequately secure against rogue systems administrators and insiders…
    • CIA – Confidentiality, Availability
  • 34. Finally the good stuff…
  • 35. SharePoint EndPoints (slide lists SharePoint URL patterns by category: Administrative, Forms, Galleries, Help Pages, Lists, Login, LookNFeel, Other, UsersGroups, WebParts, WebServices)
  • 36. Three click attack… SharePoint Hacking Diggity Project – Bishop Fox http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/
    ✘ UserDispEnum
    • UserDispEnum is a SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can easily be extracted from the SharePoint user profiles.
    Paste this into your browser: http://www.google.com/#q=inurl:"/_layouts/userdisp.aspx
  • 37. SharePoint UserDispEnum
  • 38. SharePoint UserDispEnum
  • 39. SharePoint UserDispEnum
  • 40. SharePoint UserDispEnum
  • 41. SharePoint UserDispEnum
  • 42. Also many technical vulnerabilities…
    ✘ Microsoft Security Bulletin MS15-036 - Elevation of Privilege
      • April 14, 2015: - The attacker who successfully exploited these vulnerabilities could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the victim's browser.
    ✘ Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
      • Aug 18, 2015: - It is possible to evade the current security controls on the Microsoft SharePoint Online 2013 web application by simply adding a blank iframe in the HTML through the `embed code` feature. It does not matter what policies have been implemented through the `HTML Field Security` feature. All filters / policies are easily evaded using the above mentioned filter bypass technique and this should be fixed immediately. Please note, once the filter is evaded, it is possible to inject malicious script code without any restrictions and it doesn't get stripped / filtered even after publishing. Successful exploitation of the vulnerability results in filter evasion of all SharePoint security policies for the websites and allows execution of persistent script code that can result in session hijacking, persistent phishing, stable external redirect, stable external malware loads and persistent vulnerable module context manipulation.
  • 43. Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
    Proof of Concept (PoC):
    The persistent input validation web vulnerability can be exploited by remote attackers with low required user interaction and a (restricted) privileged SharePoint cloud application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
    1. Register an Office and SharePoint Online 2013 account
    2. Login to the SharePoint portal as admin
    3. Go to your Site and click on Edit
    4. Go to Insert and include "embed code"
    5. In the input box, enter the given "Payload"
    6. Click Insert and then Save
    7. Upon being redirected to the index page, a JavaScript box should pop up proving the existence of this vulnerability
    http://www.vulnerability-lab.com/get_content.php?id=1024
  • 44. WGET Script
    ✘ What is WGET?
      • It's a command-line tool to download web pages and their assets
    ✘ Why does it matter…
      • Mass content download! The following command downloads all the content from SharePoint to static pages using wget. wget even rewrites the links so that most navigation still works.
        wget -r --no-parent --convert-links -P c:\temp\<my local folder> --http-user=<domain\username> --http-password=<password> http://<path to sharepoint>
    ✘ What can we do to prevent its use…
      • wget respects passwords: it only gets what its credentials are allowed to read
      • wget respects, by default, your robots.txt file
      • web servers can be set up to deny wget's default user agent
      • All that being said, it's really hard to block
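Slides 36 and 44 both describe request patterns a defender can look for in the web server logs: the sequential /_layouts/userdisp.aspx?ID=N walk that UserDispEnum produces, and the bulk fetch a wget mirror produces. The following Python script is an added example, not code from the talk or from Bishop Fox; it runs over constructed IIS W3C-style log lines (the field order, IP addresses, user agents and thresholds are all assumptions) and flags both patterns.

```python
import re
from collections import defaultdict
# Constructed IIS W3C-style sample lines (hypothetical, not real server logs). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
SAMPLE_LOG = """\
2016-03-11 10:00:01 203.0.113.5 GET /_layouts/userdisp.aspx ID=1 Mozilla/5.0 200
2016-03-11 10:00:02 203.0.113.5 GET /_layouts/userdisp.aspx ID=2 Mozilla/5.0 200
2016-03-11 10:00:03 203.0.113.5 GET /_layouts/userdisp.aspx ID=3 Mozilla/5.0 404
2016-03-11 10:00:04 203.0.113.5 GET /_layouts/userdisp.aspx ID=4 Mozilla/5.0 200
2016-03-11 10:00:05 203.0.113.5 GET /_layouts/userdisp.aspx ID=5 Mozilla/5.0 200
2016-03-11 10:05:00 198.51.100.7 GET /sites/hr/default.aspx - Wget/1.17 200
2016-03-11 10:05:01 198.51.100.7 GET /sites/hr/Shared%20Documents/a.docx - Wget/1.17 200
2016-03-11 10:30:00 192.0.2.9 GET /_layouts/userdisp.aspx ID=42 Mozilla/5.0 200
"""
FIELDS = ("date", "time", "ip", "method", "uri", "query", "ua", "status")

def parse_log(text):
    """One dict per line; lines with an unexpected field count are skipped."""
    rows = (line.split() for line in text.splitlines())
    return [dict(zip(FIELDS, r)) for r in rows if len(r) == len(FIELDS)]

def find_userdisp_enumeration(entries, min_run=5):
    """{ip: sorted IDs} for clients walking >= min_run consecutive userdisp.aspx?ID= values."""
    ids = defaultdict(set)
    for e in entries:
        m = re.search(r"(?:^|&)ID=(\d+)", e["query"], re.I)
        if m and e["uri"].lower().endswith("/_layouts/userdisp.aspx"):
            ids[e["ip"]].add(int(m.group(1)))
    hits = {}
    for ip, seen in ids.items():
        ordered, run, best = sorted(seen), 1, 1
        for a, b in zip(ordered, ordered[1:]):  # longest run of consecutive IDs
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[ip] = ordered
    return hits

def find_mass_download(entries, max_per_minute=60, agents=("wget", "curl")):
    """{ip: sorted reasons} for clients using a bulk-download user agent or exceeding
    max_per_minute requests in one minute; the agent string is easily changed, so both are reported."""
    per_minute, reasons = defaultdict(int), defaultdict(set)
    for e in entries:
        per_minute[(e["ip"], e["date"] + " " + e["time"][:5])] += 1
        if any(a in e["ua"].lower() for a in agents):
            reasons[e["ip"]].add("download tool user agent: " + e["ua"])
    for (ip, minute), n in per_minute.items():
        if n > max_per_minute:
            reasons[ip].add("%d requests in minute %s" % (n, minute))
    return {ip: sorted(r) for ip, r in reasons.items()}
```

On real IIS logs, feed the lines of the relevant fields in this order (or adjust FIELDS to match the #Fields: header) and tune min_run and max_per_minute to the site's normal traffic.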
  • 45. What can we do?
  • 46. Vulnerability assessment tools and resources…
    ✘ Assessment tools from vendors such as
      • Metalogix - Free Insider Threat Vulnerability tool
      • ShareGate – SharePoint Security Tool
      • AveDoc – Governance Automation
    ✘ OWASP Top 10
    ✘ Kali disc (pen testing)
    ✘ Microsoft Security Center – Security bulletins https://technet.microsoft.com/en-us/library/security/dn631937.aspx
    ✘ Common Vulnerabilities and Exposures database http://www.cve.mitre.org/find/index.html
  • 47. Points to remember…
    ✘ SharePoint doesn't matter, the business matters. (quoted from the Metalogix Governance Best Practices ebook)
    ✘ We have to approach cloud services by assuming that your data is being looked at by third parties, including cloud systems administrators, and by governmental agencies…
    ✘ Most IT platforms, and particularly collaboration-oriented platforms, are challenged to adequately secure against rogue systems administrators and insiders. The solution to securing SharePoint and other IT platforms against insiders will always boil down to careful application of security controls, which are not always technical… http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
  • 48. Points to remember… (cont…)
    ✘ Don't take the technology for granted.
    ✘ Governance is most important. "It's not a checklist, it's a strategy"
    ✘ Educate staff in simple language they can understand and relate to
    ✘ Don't fall into "tick-box security"
    ✘ Understand the business needs and culture
    ✘ Be careful with custom code. Always use SSDLC techniques
    ✘ Teach your staff about "social engineering"
    ✘ Deploy Defense-in-Depth protection
  • 49. Conclusion… Mike Fleck, Co-Founder of CipherPoint Software, wrote: "If your house gets broken into, but you like the house, keep the house and buy a security system. People love SharePoint for the collaboration efficiencies the platform brings to the enterprise. Add to SharePoint the right set of administrative and technical security controls, and you've got a winning combination. It is possible to use the SharePoint platform for use cases involving highly sensitive data!"
  • 50. Thanks! Any questions? You can find me at ian@spotsolutions.com, https://www.linkedin.com/in/iannaumenko, @ignhot
    Credits: Special thanks to all the people who made and released these awesome slides for free: presentation template by SlidesCarnival, photographs by Unsplash

Editor's Notes

  1. We, as administrators of business and of the technology that supports business, need to be concerned….
  2. Seen SP sites locked down to the point that they can't be used
  3. Story about reading clients' emails
  4. /_layouts/settings.aspx
  5. Interoperability (pronounced IHN-tuhr-AHP-uhr-uh-BIHL-ih-tee) is a property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation
  6. Some SP installations are not useable because there is too much security