Protecting Against Vulnerabilities in SharePoint Add-ons

Uploaded by: imperva
Posted on: 09-May-2015

DESCRIPTION

As the pace of Microsoft SharePoint adoption continues, most organizations are turning to third-party add-ons to meet demands for functionality. It is for this reason that experts compare SharePoint without add-ons to an iPhone without apps. Third-party add-ons, however, arrive pre-packaged with their own security risks: vulnerabilities that IT cannot directly fix. This presentation will (1) identify the risks of using SharePoint plug-ins and web parts developed by third parties, (2) describe how hackers target and exploit third-party code using attacks such as SQL injection, and (3) introduce a three-layered approach to securing SharePoint.

TRANSCRIPT

Page 1: Protecting Against Vulnerabilities in SharePoint Add-ons

© 2013 Imperva, Inc. All rights reserved. Confidential.

Protecting Against Vulnerabilities in SharePoint Add-ons Webinar

Carrie McDaniel – File Security Product Team

Page 2: Agenda

1. SharePoint Background
2. Understanding SharePoint Add-ons
3. Add-On Vulnerabilities
4. How Hackers Attack SharePoint Add-ons
5. How to Protect Against Add-on Vulnerabilities

Page 3: Carrie McDaniel – File Security Team

§ Product Marketing Manager for File Security; focus on SharePoint security
§ Previously held product marketing position at Moody’s Analytics in San Francisco
§ Past experience in finance and tech industries at Wells Fargo and NetApp
§ Holds degrees in Marketing and French from Santa Clara University

Page 4: Top SharePoint Uses

§ Internal collaboration
§ Content management
§ Project management
§ Records management
§ Corporate intranet
§ File share replacement

Source: AIIM

Page 5: Sensitive Data Lives in SharePoint

§ Financial information
§ Personal Health Information (PHI)
§ Legal documents
§ Intellectual property
§ Personally Identifiable Information (PII)
§ Business or product plans
§ Deal data

(The slide diagram groups these under two labels: Regulated and Sensitive.)

Page 6: Implementation is Progressive…

Intranet
- Internal file sharing
- Collaboration

Extranet
- Board of Directors site
- External portal for employees, partners, alumni, etc.

Public-facing Website
- Corporate website
- E-commerce site
- Microsite

Page 7

More than half of organizations use or are “…planning to use third-party add-on products in order to enhance functionality. Only a third thinks they will stick with the vanilla product.”

Source: AIIM (Association for Information and Image Management) 2012 Industry Watch Survey

Page 8: Add-ons Defined…

Plug-in: A software component that adds additional functionality to the larger SharePoint system. Example: SharePoint Outlook Integration

Web Part: A stand-alone application that is embedded into SharePoint and pulls in useful information from other Websites. Example: Twitter feed

Optimus.com

Page 9

§ Convenience
§ Collaboration
§ Productivity
§ Ease-of-use

Page 10: Most Popular SharePoint Plug-ins and Web Parts

(Chart not captured in the transcript.) Source: PortalFront

Page 11: Business Justification

§ Custom coding is expensive and takes time; stakeholders seek rapid results

Page 12: 3rd Party

According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party

Page 13: What’s the risk?

IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.

You can’t fix code you don’t own. Organizations won’t be protected until that third party addresses the vulnerabilities.

Page 14: 3rd Party Code Driven Incidents

Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.

HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf

Page 15: OWASP Top 10 – 2013 Update

New: A9 - Using Known Vulnerable Components

Page 16: Who’s Doing It and Why

Governments: Stealing Intellectual Property (IP) and raw data, and spying
§ Motivated by: Policy, politics, and nationalism
§ Preferred Methods: Targeted attacks

Organized Crime: Stealing IP and data
§ Motivated by: Profit
§ Preferred Methods: Targeted attacks, fraud

Hacktivists: Exposing IP and data, and compromising the infrastructure
§ Motivated by: Political causes, ideology, personal agendas
§ Preferred Methods: Targeted attacks, Denial of Service attacks

Page 17: Classic Web Site Hacking

Single Site Attack
1. Identify Target
2. Find Vulnerability
3. Exploit

Page 18: Classic Web Site Hacking

Multiple Site Attacks: the same three-step sequence (1. Identify Target, 2. Find Vulnerability, 3. Exploit) repeated once per targeted site (the slide shows five copies of it).

Page 19: SharePoint Application Hacking

1. Identify add-on
2. Find Vulnerability
3. Exploit

Page 20: Security Risks

Microsoft has reported over 300 vulnerabilities in SharePoint Server and related products since its release.

§ Cross-site scripting
§ SQL injection
§ Directory (or path) traversal
§ Remote file inclusion (RFI)

SharePoint Building Blocks: Document Object Model; Microsoft .NET; Visual C#, Visual Basic; Silverlight; Active Directory integration; ASP.NET; HTML, CSS; Microsoft SQL Server; Internet Explorer
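The SQL injection and cross-site scripting items above are the flaw classes a reviewer most often finds in third-party web parts built on the ASP.NET and SQL Server building blocks the slide lists. The following is an added example, not code from the Imperva deck or from any real add-on vendor: a document-lookup web part shown first with the string-concatenated query such add-ons commonly ship with, then with a parameterized query that removes the injection, plus output encoding for the XSS case. DocumentLookupPart, the Documents table, the "title" query-string key and the connection string are assumed names for illustration only.

```csharp
// Added example (not from the Imperva deck). Assumed names: DocumentLookupPart,
// the Documents table, the "title" query-string key, ConnectionString.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;

public class DocumentLookupPart : WebPart
{
    // Supplied by deployment configuration in a real web part; placeholder here.
    public string ConnectionString { get; set; }

    // VULNERABLE: the user-controlled title is spliced into the SQL text, so a value
    // containing a quote character changes the statement the database executes. This is
    // the flaw class behind the "SQL injection" item on the Security Risks slide.
    public static string BuildQueryUnsafe(string title)
    {
        return "SELECT Id, Title FROM Documents WHERE Title = '" + title + "'";
    }

    // HARDENED: the SQL text is a constant and the title travels as a typed, length-bounded
    // parameter, so SQL Server never parses user input as part of the statement.
    public static SqlCommand BuildQuerySafe(SqlConnection conn, string title)
    {
        var cmd = new SqlCommand("SELECT Id, Title FROM Documents WHERE Title = @title", conn);
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 255).Value = title;
        return cmd;
    }

    // Runs the hardened query and returns the matching titles.
    public IList<string> Lookup(string title)
    {
        var titles = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = BuildQuerySafe(conn, title))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    titles.Add(reader.GetString(1));
            }
        }
        return titles;
    }

    protected override void RenderContents(HtmlTextWriter writer)
    {
        string title = HttpContext.Current.Request.QueryString["title"] ?? string.Empty;
        foreach (string t in Lookup(title))
        {
            // Encode on output: covers the cross-site scripting item on the same slide,
            // since stored document titles are themselves user-supplied data.
            writer.WriteEncodedText(t);
            writer.WriteBreak();
        }
    }
}
```

BuildQueryUnsafe is never called; it is kept only to show what a pen test or code review of a third-party web part would flag. The fix is parameterization rather than input filtering, and the output encoding in RenderContents is a separate control for the XSS item, not a substitute for it.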

Page 21: CMS Mass Hacking

Step 1: Find a vulnerability in a CMS platform. Even public vulnerability databases contain thousands of CMS-related vulnerabilities.

Source: www.exploit-db.com

Page 22: Data Extraction Techniques by Hackers: 2005-2011

SQL Injection: 83%
Other: 17%

Total = 315,424,147 records (856 breaches)

Source: Privacy Rights Clearinghouse

Page 23: Main Automated Attack Tools

§ SQLmap
§ Havij

Page 24: The Attacker’s Focus

§ Server Takeover
§ Direct Data Theft

Page 25: Rebalance Your Security Portfolio

Page 26: Gartner’s Take: NG Firewall vs. Web Application Firewall

“NGFW vendors… are mostly about controlling external applications, such as Facebook and peer-to-peer (P2P) file sharing.” WAFs are different: [they] “…are concerned with custom internal Web applications.”

Source: Magic Quadrant for Enterprise Network Firewalls, Gartner, Inc., February 7, 2013

Page 27: Technical Recommendations

§ Pen test before deployment to identify these issues
§ Deploy the application behind a WAF to
  • Virtually patch pen test findings
  • Mitigate new risks (unknown at pen test time)
  • Mitigate issues the pen tester missed
  • Use cloud WAF for remotely hosted applications
§ Virtually patch newly discovered CVEs
  • Requires a robust security update service

IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
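A virtual patch, as the recommendations above use the term, is a rule enforced in front of the vulnerable add-on rather than a change to its code, so it can be applied the day a pen test or CVE surfaces and retired once the vendor ships a fix. The following is an added example, not code from the Imperva deck and not Imperva SecureSphere logic: an ASP.NET HTTP module that expresses one such rule in-process, so a practitioner can see exactly what a WAF rule of this kind decides. The endpoint path, the "title" parameter and the allowed-value pattern are assumptions standing in for a real finding.

```csharp
// Added example (not from the Imperva deck, not SecureSphere code). The path, parameter
// name and allowed pattern below are hypothetical stand-ins for a real pen-test finding.
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web;

public class VirtualPatchModule : IHttpModule
{
    // Hypothetical finding: this third-party page trusts its "title" parameter.
    private const string PatchedPath = "/_layouts/15/thirdparty/lookup.aspx";
    private const string PatchedParameter = "title";

    // Positive (allowlist) validation: document titles in this deployment are assumed to be
    // letters, digits, spaces and a few punctuation marks, at most 128 characters. Anything
    // outside that never reaches the code that cannot be fixed.
    private static readonly Regex AllowedTitle =
        new Regex(@"^[A-Za-z0-9 ._\-]{1,128}$", RegexOptions.Compiled | RegexOptions.CultureInvariant);

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    // Decision logic kept separate from the pipeline hook so it can be unit-tested
    // without an ASP.NET host. Returns true when the request must be refused.
    public static bool ShouldBlock(string path, string parameterValue)
    {
        if (!string.Equals(path, PatchedPath, StringComparison.OrdinalIgnoreCase))
            return false;                       // rule is scoped to the known-weak endpoint
        if (parameterValue == null)
            return false;                       // parameter absent: nothing to validate
        return !AllowedTitle.IsMatch(parameterValue);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        string value = req.QueryString[PatchedParameter] ?? req.Form[PatchedParameter];
        if (!ShouldBlock(req.Path, value))
            return;

        // Detection: leave an audit record for the SOC, then stop the request before the
        // add-on's own handler runs. The raw value is deliberately not logged.
        Trace.TraceWarning("VirtualPatch blocked request from {0} to {1} (parameter {2})",
            req.UserHostAddress, req.Path, PatchedParameter);
        app.Context.Response.StatusCode = 403;
        app.Context.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```

The module is registered in the web application's web.config under system.webServer/modules (IIS integrated pipeline). The slide's point is that a WAF performs this same decision outside the application process and is updated centrally as new CVEs appear; the in-process form shown here is useful for understanding and testing a rule, and for the logging side, since every block produces a trace entry that the detection team can correlate with the pen-test finding that motivated it.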

Page 28: Web Application Firewall

§ Virtually patch vulnerabilities until a fix is issued
§ Detect and block attacks

Page 29: SecureSphere for SharePoint

Page 30: Protection Tailored to SharePoint

SecureSphere for SharePoint

Web Application Firewall
§ Protection against Web-based attacks
§ Tuned for Microsoft SharePoint traffic
§ Fraud prevention and reputation controls available

Database Firewall
§ Protect against changes to SQL Server that would render it unsupportable by Microsoft
§ Enforce separation of duties
§ Prevent unauthorized access and fraudulent activity

File Activity Monitoring
§ Monitor and audit file activity
§ Comprehensive user rights management
§ Enforce file access control policies

Page 31: Layers of SharePoint Protection

(Architecture diagram, reconstructed as text.)

Enterprise Users / The Internet
  → Web-Application Firewall (threats shown: SQL Injection, XSS)
  → IIS Web Servers, Application Servers
  → Activity Monitoring & User Rights Management (threats shown: Excessive Rights, Unauthorized Access; Audit)
  → MS SQL Databases (with Administrators)
  → DB Activity Monitoring & Access Control (threats shown: Unauthorized Changes; Audit)

Page 32: Additional Resource

Download White Paper

Page 33

www.imperva.com