SharePoint Hack-ability, How Safe Is Your Environment? Presented by: Jamie Herman Sergey Polak Kris Wagner

Post on 02-Aug-2020


TRANSCRIPT

Page 1: SharePoint Hack-ability, How Safe Is Your Environment?ilta.personifycloud.com/webfiles/...Hackability.pdfIf there is a data breach at the firm, we’ve got a problem. Three step process:

SharePoint Hack-ability, How Safe Is Your Environment?

Presented by: Jamie Herman Sergey Polak Kris Wagner

Page 2:

Jamie Herman Manager of Information Security, Ropes & Gray

Sergey Polak Manager of Enterprise Systems, Ropes & Gray

Kris Wagner Chief Architect, MS SharePoint MVP, & MS V-TSP, Project Leadership Associates

Presenters:

Page 3:

Audience Polls

1. What are you using SharePoint for?

2. What version(s) of SharePoint are you running?

3. What type of security monitoring are you doing?

Page 4:

How People Use SharePoint

SharePoint…Mr. Know It All

Page 5:

Sink your teeth into functionality…

● Intranet
● DMS
● Workflow Tool
● Database
● Public Facing Website
● Extranet
● Records Management System
● Survey Tool
● Collaboration Platform

Page 6:

…What are you placing your bets on?

Page 7:

Web App Attack

Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the applications as well as thwarting authentication mechanisms.

● Punching bag of the internet
● Defeated in two ways
  ○ Stolen credentials
  ○ Exploiting weakness in application

Page 8:

Vulnerabilities

A software vulnerability is a security flaw, glitch or weakness found in software or an operating system that can lead to security concerns.

● SharePoint
● Windows
● Web Parts and 3rd party plug-ins
● Remote access mechanism

Page 9:

SharePoint Vulnerabilities

● Insider threats
● Misconfiguration of access
● Ineffective log management
● Vulnerability in 3rd party code and web parts
● Data leakage
● Unauthorized access to SQL DBs
● Social features

Page 10:

Identify insider threats

Page 11:

Identify events that stand out
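Slides 9 through 11 name insider threats, ineffective log management and "events that stand out" without showing what such a check looks like, so here is an added example (not from the deck or its presenters) that runs two of those checks over SharePoint-style audit events: non-employee access from outside the firm's domain, and one account bulk-downloading far beyond the per-account median. The event layout, the firm domain `firm.example` and every sample event are constructed for this example.

```python
"""Flag SharePoint audit events that stand out: non-employee access and
bulk-download outliers. The event layout and all sample events are constructed
for this example; real SharePoint audit logs have a different schema."""
from collections import Counter
from statistics import median

FIRM_DOMAIN = "firm.example"  # assumed: any other domain is a non-employee account

# Constructed audit events: (timestamp, account, action, document path)
EVENTS = [
    ("2020-08-02T09:01", "alice@firm.example", "View", "/sites/clientA/brief.docx"),
    ("2020-08-02T09:05", "alice@firm.example", "Download", "/sites/clientA/brief.docx"),
    ("2020-08-02T09:06", "bob@firm.example", "Download", "/sites/clientB/contract.pdf"),
    ("2020-08-02T09:07", "carol@partnerlaw.example", "View", "/sites/clientA/brief.docx"),
    ("2020-08-02T09:08", "carol@partnerlaw.example", "Download", "/sites/clientA/brief.docx"),
] + [
    # one account pulling an entire client library in a few minutes
    ("2020-08-02T10:%02d" % i, "dave@firm.example", "Download", "/sites/clientA/doc%d.docx" % i)
    for i in range(12)
]


def external_access(events, firm_domain=FIRM_DOMAIN):
    """Events where the account is outside the firm's domain (non-employee access)."""
    suffix = "@" + firm_domain.lower()
    return [e for e in events if not e[1].lower().endswith(suffix)]


def download_outliers(events, factor=5, floor=5):
    """Accounts whose download count is at least `floor` and at least `factor`
    times the median per-account count. Median-based so that one heavy
    downloader does not drag the baseline up along with itself."""
    counts = Counter(acct for _, acct, action, _ in events if action == "Download")
    if not counts:
        return []
    cutoff = max(floor, factor * median(counts.values()))
    return sorted(acct for acct, n in counts.items() if n >= cutoff)


def audit_report(events):
    """Summary a weekly access audit could start from."""
    ext = external_access(events)
    return {
        "external_accounts": sorted({e[1] for e in ext}),
        "external_paths": sorted({e[3] for e in ext}),
        "bulk_downloaders": download_outliers(events),
    }


if __name__ == "__main__":
    for key, value in audit_report(EVENTS).items():
        print(key, value)
```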

Page 12:

Foolproof access control

Page 13:

Duct Tape won’t fix this

Where is your data going?

Page 14:

We can write something for that

Page 15:

Page 16:

Page 17:

The Cloud...

Page 18:

What others are saying...

● 97% have security concerns about non-employee SP access
● 76% granted non-employee SharePoint access
● 82% concerned about hosted SharePoint
  ○ Top concern around documents being copied outside controlled systems
● 42% audit external SharePoint access
● 7% run SharePoint access audit at least weekly

- Dimensional Research, 2013 SharePoint and Security

Page 19:

Encryption Considerations

● Encrypt in the cloud
● Encrypt before data leaves the firm
● Encrypt and require access through an appliance (e.g. Vaultive)
● Encrypt/protect at point of data creation (e.g. Ionic, Microsoft RMS)
● Key Management, Key Management, Key Management

Page 20:

When your data is in the cloud…

● Consider confidentiality and integrity of data

● Disclose to clients that data resides in the cloud

● Discuss with internal GC or relevant authority on risk for guidance

● Understand increased risk (if any identified) and implement compensating controls before you migrate, not after

● Audit and treat this hosted data no different than your own onsite data

Page 21:

Attorney Commentary

“If your data is in the cloud (e.g. Amazon, MS) and they receive a subpoena, what do you think the host’s obligation is? What is the firm’s obligation if client data is onsite versus data that’s in the cloud? What about if there was a data breach? What could/should/would your response be?”

Page 22:

Attorney Commentary, Cont’d

● If the firm (or the hosting agent) received such a subpoena, we would object and seek protection based on privilege.
● If there is a data breach at the firm, we’ve got a problem. Three step process: (1) stop the breach; (2) assess the breach; (3) call our (E&O) carrier.
● Include language in the client engagement around data and the removal of the firm’s liability (... firm would be held harmless) related to data loss, or breach.

Page 23:

Resources

● SharePoint Web Access User Management (http://connect.iltanet.org/communities/alldiscussions/viewthread/?GroupId=913&MID=483077)
● Dell SharePoint and Security Survey (http://software.dell.com/documents/sharepoint-and-security-a-survey-of-sharepoint-stakeholders-whitepaper-27128.pdf)

Page 24:

Questions