TRANSCRIPT
SharePoint Hack-ability, How Safe Is Your Environment?
Presenters:
Jamie Herman, Manager of Information Security, Ropes & Gray
Sergey Polak, Manager of Enterprise Systems, Ropes & Gray
Kris Wagner, Chief Architect, MS SharePoint MVP & MS V-TSP, Project Leadership Associates
Audience Polls
1. What are you using SharePoint for?
2. What version(s) of SharePoint are you running?
3. What type of security monitoring are you doing?
How People Use SharePoint
SharePoint… Mr. Know-It-All
Sink your teeth into functionality…
● Intranet
● DMS
● Workflow Tool
● Database
● Public Facing Website
● Extranet
● Records Management System
● Survey Tool
● Collaboration Platform
…What are you placing your bets on?
Web App Attack
Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the applications as well as thwarting authentication mechanisms.
● Punching bag of the internet
● Defeated in two ways
○ Stolen credentials
○ Exploiting weakness in application
Vulnerabilities
A software vulnerability is a security flaw, glitch or weakness found in software or an operating system that can lead to security concerns.
● SharePoint
● Windows
● Web Parts and 3rd party plug-ins
● Remote access mechanism
SharePoint Vulnerabilities
● Insider threats
● Misconfiguration of access
● Ineffective log management
● Vulnerability in 3rd party code and web parts
● Data leakage
● Unauthorized access to SQL DBs
● Social features
Identify insider threats
Identify events that stand out
Foolproof access control
Duct Tape won’t fix this
Where is your data going?
We can write something for that
The Cloud...
What others are saying...
● 97% have security concerns about non-employee SP access
● 76% granted non-employee SharePoint access
● 82% concerned about hosted SharePoint
○ Top concern around documents being copied outside controlled systems
● 42% audit external SharePoint access
● 7% run SharePoint access audit at least weekly
- Dimensional Research 2013, SharePoint and Security
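The "Identify events that stand out" and "Ineffective log management" slides above, and the survey figure that only 7% audit SharePoint access weekly, point at a concrete practice: run the audit log through simple rules on a schedule. The following is an added example, not material from the presentation or from Ropes & Gray. It parses constructed audit records modelled on a SharePoint audit log export (timestamp, login, event type, document path; the sample data is made up) and reports two things a reviewer would want flagged: any document event by a non-employee account, and any account whose View count is far above the typical user's. The `ext_` prefix for non-employee accounts, the event names, and the thresholds are assumptions to adapt to the firm's own directory and audit configuration.

```python
"""Flag SharePoint audit events that stand out (added example, constructed data)."""
from collections import Counter
from datetime import datetime
from statistics import median

EXTERNAL_PREFIX = "ext_"   # assumption: how non-employee accounts are named in this firm
DOC_EVENTS = {"View", "Update", "Delete", "Copy", "Move"}  # audit event names of interest
VIEW_RATIO = 4.0           # flag an account at more than 4x the median user's View count
MIN_VIEWS = 5              # ...but never for fewer than this many Views in total

# Constructed sample records (not real log data). One record per line:
# timestamp,login,event,document path
SAMPLE_LOG = """\
2013-09-16T09:02:11,CORP\\jsmith,View,/sites/matters/ClientA/brief.docx
2013-09-16T09:05:40,CORP\\jsmith,Update,/sites/matters/ClientA/brief.docx
2013-09-16T09:10:02,CORP\\akhan,View,/sites/matters/ClientB/contract.pdf
2013-09-16T09:12:55,CORP\\akhan,View,/sites/matters/ClientB/appendix.pdf
2013-09-16T11:30:17,ext_vendor1,View,/sites/extranet/Shared/agenda.docx
2013-09-16T22:41:03,CORP\\tlee,View,/sites/matters/ClientA/brief.docx
2013-09-16T22:41:20,CORP\\tlee,View,/sites/matters/ClientA/exhibit1.pdf
2013-09-16T22:41:38,CORP\\tlee,View,/sites/matters/ClientA/exhibit2.pdf
2013-09-16T22:41:55,CORP\\tlee,View,/sites/matters/ClientA/exhibit3.pdf
2013-09-16T22:42:12,CORP\\tlee,View,/sites/matters/ClientB/contract.pdf
2013-09-16T22:42:30,CORP\\tlee,View,/sites/matters/ClientB/appendix.pdf
2013-09-16T22:42:47,CORP\\tlee,View,/sites/matters/ClientC/memo.docx
2013-09-16T22:43:05,CORP\\tlee,View,/sites/matters/ClientC/draft1.docx
2013-09-16T22:43:22,CORP\\tlee,View,/sites/matters/ClientC/draft2.docx
2013-09-16T22:43:40,CORP\\tlee,View,/sites/matters/ClientD/engagement.pdf
2013-09-16T22:43:58,CORP\\tlee,View,/sites/matters/ClientD/invoice.pdf
2013-09-16T22:44:15,CORP\\tlee,View,/sites/matters/ClientD/notes.docx
"""


def parse_log(text):
    """Parse comma-separated audit records into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue
        ts, user, event, doc = parts
        records.append({"when": datetime.fromisoformat(ts), "user": user,
                        "event": event, "doc": doc})
    return records


def external_access(records):
    """Rule 1: every document event by a non-employee account is reported."""
    return [r for r in records
            if r["user"].startswith(EXTERNAL_PREFIX) and r["event"] in DOC_EVENTS]


def bulk_viewers(records):
    """Rule 2: accounts whose View count is far above the median user's count."""
    views = Counter(r["user"] for r in records if r["event"] == "View")
    if not views:
        return {}
    threshold = max(MIN_VIEWS, VIEW_RATIO * median(views.values()))
    return {user: n for user, n in views.items() if n > threshold}


def findings(text):
    """Run both rules over a log export and return the flagged users and documents."""
    records = parse_log(text)
    return {
        "external": [(r["user"], r["doc"]) for r in external_access(records)],
        "bulk": bulk_viewers(records),
    }


if __name__ == "__main__":
    result = findings(SAMPLE_LOG)
    for user, doc in result["external"]:
        print(f"external account {user} touched {doc}")
    for user, n in result["bulk"].items():
        print(f"{user} viewed {n} documents, well above the median user")
```

The median-based baseline is deliberately crude: it keeps the rule readable and avoids tuning per site, but on a small tenant a single busy paralegal can exceed it, so the output is a review queue, not an alert. Running the same two rules weekly against the real export is what closes the gap the survey describes.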
Encryption Considerations
● Encrypt in the cloud
● Encrypt before data leaves firm
● Encrypt and require access through an appliance (e.g. Vaultive)
● Encrypt/protect at point of data creation (e.g. Ionic, Microsoft RMS)
● Key management, key management, key management
When your data is in the cloud…
● Consider confidentiality and integrity of data
● Disclose to clients that data resides in the cloud
● Discuss with internal GC or relevant authority on risk for guidance
● Understand increased risk (if any identified) and implement compensating controls before you migrate, not after
● Audit and treat this hosted data no different than your own onsite data
Attorney Commentary
“If your data is in the cloud (e.g. Amazon, MS) and they receive a subpoena, what do you think the host’s obligation is? What is the firm’s obligation if client data is onsite versus data that’s in the cloud? What about if there was a data breach? What could/should/would your response be?”
Attorney Commentary, Cont’d
● If the firm (or the hosting agent) received such a subpoena, we would object and seek protection based on privilege.
● If there is a data breach at the firm, we’ve got a problem. Three-step process: (1) stop the breach; (2) assess the breach; (3) call our (E&O) carrier.
● Include language in the client engagement around data and the removal of the firm’s liability (… firm would be held harmless) related to data loss or breach.
Resources
SharePoint Web Access User Management (http://connect.iltanet.org/communities/alldiscussions/viewthread/?GroupId=913&MID=483077)
Dell SharePoint and Security Survey (http://software.dell.com/documents/sharepoint-and-security-a-survey-of-sharepoint-stakeholders-whitepaper-27128.pdf)
Questions