Protecting Against Vulnerabilities in SharePoint Add-ons
DESCRIPTION
As the pace of Microsoft SharePoint adoption continues, most organizations are turning to third-party add-ons to support demands for functionality. It's for these reasons that experts compare SharePoint without add-ons to an iPhone without apps. Third-party add-ons, however, arrive pre-packaged with unique security risks: vulnerabilities that IT cannot directly fix. This presentation will (1) identify risks associated with using SharePoint plug-ins and web parts developed by third parties, (2) describe how hackers target and exploit third-party code using attacks such as SQL injection, and (3) introduce a three-layered approach to securing SharePoint.
TRANSCRIPT
© 2013 Imperva, Inc. All rights reserved.
Protecting Against Vulnerabilities in SharePoint Add-ons Webinar
Carrie McDaniel – File Security Product Team
Agenda
1. SharePoint Background
2. Understanding SharePoint Add-ons
3. Add-On Vulnerabilities
4. How Hackers Attack SharePoint Add-ons
5. How to Protect Against Add-on Vulnerabilities
Carrie McDaniel – File Security Team
§ Product Marketing Manager for File Security; focus on SharePoint security
§ Previously held product marketing position at Moody’s Analytics in San Francisco
§ Past experience in finance and tech industries at Wells Fargo and NetApp
§ Holds degrees in Marketing and French from Santa Clara University
Top SharePoint Uses
§ Internal collaboration
§ Content management
§ Project management
§ Records management
§ Corporate intranet
§ File share replacement
Source: AIIM
Sensitive Data Lives in SharePoint
Financial information
Personal Health Information (PHI)
Legal documents
Intellectual property
Personally Identifiable Information (PII)
Business or Product plans
Deal data
(Data categories shown on the slide: Regulated, Sensitive)
Implementation is Progressive…
Intranet: internal file sharing, collaboration
Extranet: Board of Directors site; external portal for employees, partners, alumni, etc.
Public-facing Website: corporate website, e-commerce site, microsite
More than half of organizations use or are “…planning to use third-party add-on products in order to enhance functionality. Only a third thinks they will stick with the vanilla product.”
Source: AIIM (Association for Information and Image Management) 2012 Industry Watch Survey
Add-ons Defined…
Plug-in
A software component that adds additional functionality to the larger SharePoint system.
Example: SharePoint Outlook Integration
Web Part
A stand-alone application that is embedded into SharePoint that pulls in useful information from other Websites.
Example: Twitter feed
Optimus.com
Convenience
Collaboration
Productivity
Ease-of-use
Most Popular SharePoint Plug-ins and Web Parts
Source: PortalFront
Business Justification
§ Custom coding is expensive and takes time; stakeholders seek rapid results
3rd Party
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
What’s the risk?
IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
You can’t fix code you don’t own.
Organizations won’t be protected until that third party addresses the vulnerabilities.
3rd Party Code Driven Incidents
Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.
HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
OWASP Top 10 – 2013 Update
New: A9 - Using Known Vulnerable Components
Who’s Doing It and Why
Governments: Stealing Intellectual Property (IP) and raw data, and spying
§ Motivated by: Policy, politics, and nationalism
§ Preferred Methods: Targeted attacks
Organized Crime: Stealing IP and data
§ Motivated by: Profit
§ Preferred Methods: Targeted attacks, fraud
Hacktivists: Exposing IP and data, and compromising the infrastructure
§ Motivated by: Political causes, ideology, personal agendas
§ Preferred Methods: Targeted attacks, Denial of Service attacks
Classic Web Site Hacking
Single Site Attack
Hacking: 1. Identify Target 2. Find Vulnerability 3. Exploit
Classic Web Site Hacking
Multiple Site Attacks
Hacking (the same three steps, repeated for each site): 1. Identify Target 2. Find Vulnerability 3. Exploit
SharePoint Application Hacking
Hacking: 1. Identify add-on 2. Find Vulnerability 3. Exploit
Security Risks
Microsoft has reported over 300 vulnerabilities in SharePoint Server and related products since its release.
§ Cross-site scripting
§ SQL injection
§ Directory (or path) traversal
§ Remote file inclusion (RFI)
SharePoint Building Blocks: Document Object Model, Microsoft .NET, Visual C#, Visual Basic, Silverlight, Active Directory integration, ASP.NET, HTML, CSS, Microsoft SQL Server, Internet Explorer
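The SQL injection risk listed above is worth seeing in the form it usually takes inside a third-party web part. The following is an added example written for this page, not code from the webinar or from any add-on vendor: a data-access helper that builds its query by string concatenation, next to the parameterized form that removes the injection, plus an input-shape check as a second layer. The `Customers` table, its columns and the connection are assumptions made for the example.

```csharp
// Added example (not from the webinar): the SQL injection pattern found in
// third-party SharePoint web parts, beside the parameterized form that fixes it.
// Assumes a hypothetical "Customers" table in a SQL Server database that the
// web part queries over a connection it already owns; names are illustrative.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

namespace AddOnSecurityExample
{
    public static class CustomerLookup
    {
        // VULNERABLE: the user-supplied value is pasted straight into the SQL text.
        // A value containing a quote followed by SQL keywords changes the meaning of
        // the statement, which is exactly what automated tools such as SQLmap and
        // Havij probe for. Returned as a string here so the pattern can be inspected
        // without executing it.
        public static string BuildUnsafeQuery(string customerName)
        {
            return "SELECT Id, Name, Email FROM Customers WHERE Name = '" + customerName + "'";
        }

        // HARDENED: the value travels as a typed parameter, never as SQL text, so the
        // database treats it as data regardless of the quotes or keywords it contains.
        public static SqlCommand BuildSafeCommand(SqlConnection conn, string customerName)
        {
            var cmd = new SqlCommand(
                "SELECT Id, Name, Email FROM Customers WHERE Name = @name", conn);
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
            return cmd;
        }

        // Defense in depth: the web part knows what a customer name looks like, so it
        // can reject out-of-shape input before it reaches the database. This allow-list
        // complements parameterization; it does not replace it (note that an apostrophe
        // is legitimately part of some names, so the regex permits it).
        private static readonly Regex NameShape = new Regex(@"^[\p{L}\p{M}' .-]{1,100}$");

        public static bool IsPlausibleCustomerName(string customerName)
        {
            return customerName != null && NameShape.IsMatch(customerName);
        }

        // The code path a web part should actually use: validate, then query with
        // parameters, and dispose the command and adapter when done.
        public static DataTable Lookup(SqlConnection conn, string customerName)
        {
            if (!IsPlausibleCustomerName(customerName))
                throw new ArgumentException("customer name has an unexpected shape");

            var table = new DataTable();
            using (var cmd = BuildSafeCommand(conn, customerName))
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }
}
```

When reviewing a vendor's web part, `BuildUnsafeQuery` is the shape to search for: any SQL string assembled with `+` or `string.Format` from request data. Because the add-on's source is often unavailable, the same finding is what a pen test or a WAF rule has to catch from the outside.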
CMS Mass Hacking
Step 1: Find a vulnerability in a CMS platform
Even public vulnerability databases contain thousands of CMS-related vulnerabilities.
Source: www.exploit-db.com
Data Extraction Techniques by Hackers: 2005-2011
SQL Injection: 83%
Other: 17%
Total = 315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
Main Automated Attack Tools
SQLmap
Havij
The Attacker’s Focus
Server Takeover
Direct Data Theft
Rebalance Your Security Portfolio
Gartner’s Take: NG Firewall vs. Web Application Firewall
“NGFW vendors… are mostly about controlling external applications, such as Facebook and peer-to-peer (P2P) file sharing.” WAFs are different: “[they]…are concerned with custom internal Web applications.”
Source: Magic Quadrant for Enterprise Network Firewalls, Gartner, Inc., February 7, 2013
Technical Recommendations
§ Pen test before deployment to identify these issues
§ Deploy the application behind a WAF to
• Virtually patch pen test findings
• Mitigate new risks (unknown at pen test time)
• Mitigate issues the pen tester missed
• Use cloud WAF for remotely hosted applications
§ Virtually patch newly discovered CVEs
• Requires a robust security update service
IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
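To make "virtually patch pen test findings" concrete, here is an added example of the kind of rule a WAF or an edge filter applies in front of an add-on whose code cannot be changed. It is written for this page and is not Imperva's or any vendor's code. The scenario is assumed: a pen test has found that a web part's `id` query parameter is not validated, so until the vendor ships a fix, requests whose `id` is not a plain integer are rejected before they reach the add-on. The path prefix, parameter name and finding reference are placeholders.

```csharp
// Added example (not from the webinar, not vendor code): a minimal "virtual patch"
// of the kind applied in front of a third-party add-on. The rule set, the path
// prefix under /_layouts/15/ and the finding reference are constructed for the
// example; in practice they come from the WAF policy and the pen test report.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

namespace VirtualPatchExample
{
    // One rule: for requests under a path prefix, a named parameter must match an
    // allow-list pattern. Allow-listing the expected shape is preferred over trying
    // to enumerate bad input, which is what the add-on itself failed to do.
    public sealed class VirtualPatchRule
    {
        public string PathPrefix { get; }
        public string Parameter { get; }
        public Regex AllowedShape { get; }
        public string Reference { get; }   // pen test finding or CVE id (placeholder here)

        public VirtualPatchRule(string pathPrefix, string parameter, string allowedShape, string reference)
        {
            PathPrefix = pathPrefix;
            Parameter = parameter;
            AllowedShape = new Regex(allowedShape);
            Reference = reference;
        }
    }

    public static class VirtualPatch
    {
        // Rules an operator would load from policy; constructed for the example.
        public static readonly List<VirtualPatchRule> Rules = new List<VirtualPatchRule>
        {
            new VirtualPatchRule("/_layouts/15/ThirdPartyWebPart/", "id", @"^\d{1,9}$", "PENTEST-FINDING-001"),
        };

        // Returns null when the request may pass, otherwise the reason it was blocked.
        // The reason carries the finding reference so the block is traceable in logs
        // and the rule can be retired once the vendor fix is deployed.
        public static string Evaluate(string path, IDictionary<string, string> query)
        {
            foreach (var rule in Rules)
            {
                if (!path.StartsWith(rule.PathPrefix, StringComparison.OrdinalIgnoreCase))
                    continue;
                string value;
                if (!query.TryGetValue(rule.Parameter, out value))
                    continue;   // parameter absent: the add-on's own default handling applies
                if (!rule.AllowedShape.IsMatch(value))
                    return "blocked by virtual patch " + rule.Reference +
                           ": parameter '" + rule.Parameter + "' has unexpected shape";
            }
            return null;
        }

        public static void Main()
        {
            // Constructed sample requests: a well-formed id and an out-of-shape one.
            var ok = new Dictionary<string, string> { { "id", "42" } };
            var bad = new Dictionary<string, string> { { "id", "42 abc" } };
            Console.WriteLine(Evaluate("/_layouts/15/ThirdPartyWebPart/View.aspx", ok) ?? "allowed");
            Console.WriteLine(Evaluate("/_layouts/15/ThirdPartyWebPart/View.aspx", bad));
        }
    }
}
```

The rule is deliberately narrow (one path, one parameter, one shape) so that it blocks the finding without disturbing the rest of the add-on; a broad signature would either miss variants or break legitimate traffic. The reference field is what lets the security update service mentioned above map a newly published CVE to the rule that covers it.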
Web Application Firewall
§ Virtually patch vulnerabilities until a fix is issued
§ Detect and block attacks
SecureSphere for SharePoint
Protection Tailored to SharePoint
SecureSphere for SharePoint
Web Application Firewall
§ Protection against Web-based attacks
§ Tuned for Microsoft SharePoint traffic
§ Fraud prevention and reputation controls available
Database Firewall
§ Protect against changes to SQL server that would render it unsupportable by Microsoft
§ Enforce separation of duties
§ Prevent unauthorized access and fraudulent activity
File Activity Monitoring
§ Monitor and audit file activity
§ Comprehensive user rights management
§ Enforce file access control policies
Layers of SharePoint Protection
(Diagram: traffic from Enterprise Users and The Internet reaches IIS Web Servers, Application Servers, and MS SQL Databases; each tier has its own control.)
Web-Application Firewall (IIS Web Servers): SQL Injection, XSS
Activity Monitoring & User Rights Management (Application Servers): Audit, Excessive Rights, Unauthorized Access
DB Activity Monitoring & Access Control (MS SQL Databases; Administrators): Audit, Unauthorized Changes
Additional Resource
Download White Paper
www.imperva.com