Taking the Share out of Sharepoint: SharePoint Application Security.
Why Your SharePoint Applications are a Hacker's Best Friend
Waughn Hughes
Waughn has over 14 years of consulting experience, and has worked
extensively with SharePoint for the past seven years as a developer
and solutions architect.
Solutions Architect | about.me/waughn
Justin Tibbs
Justin Tibbs developed and heads up the security solutions practice
at NET Source, Inc., in Littleton, Colorado. Prior to NET Source, Justin
held positions at Cisco Systems, Lockheed Martin, and others,
specializing in the areas of Vulnerability & Threat Research,
Exploitation Development, and Secure Architecture Design.
NET Source Security Director | about.me/justintibbs
Agenda
• Introduction
• SharePoint Tips and Tools
Why Your SharePoint Applications are a Hacker's Best Friend 4
Definitions
Security Breach
An act from outside an organization that bypasses or contravenes security policies, practices, or
procedures.
Security Violation
An act from inside an organization that bypasses or contravenes security policies, practices, or
procedures.
National Security Agency
"This leaker was a sysadmin who was trusted with moving the information to actually make
sure that the right information was on the SharePoint servers that NSA Hawaii needed."
- National Security Agency Director and the Pentagon's Cyber Command Commander
General Keith Alexander
Sources: "NSA chief leaks info on data sharing tech: It's SharePoint", by Jack Clark;
"Clear and Present Danger: Cyber-Crime; Cyber-Espionage; Cyber-Terror; and Cyber-War"
Why SharePoint?
Started as a way to simplify document sharing…
12 years and numerous releases later…
Evolved into a platform for collaboration, document and file management, intranets,
extranets, websites, enterprise search, business intelligence, business process automation,
social networks, etc…
Used by 78% of the Fortune 500 companies*
* SharePoint 2010 : The First 10 Years [http://technet.microsoft.com/en-us/magazine/gg981684.aspx]
SharePoint Security Policy
A recent study by Emedia, covered in full by InfoSecurity magazine in February 2013, found that only about one-third of organizations with 25-5000 users employing SharePoint have security policies covering the platform.
Installation & Configuration
• Windows, SQL Server and .NET Stack
• Security Patching
• Service Accounts
• Service Applications
• Authentication
• Web Applications, Site Collections and Sites
Installation & Configuration: Tips
• Review and install applicable service packs and cumulative updates
• Plan for least-privilege administration and do not use a single account to run the SharePoint
farm(s)
• Understand the features and configuration options for service applications prior to
deployment
• Define authentication methods for the various web and extended web applications
• Develop and use information architecture to define web applications, site collections and
sites
• Use metadata to identify data sensitivity
Access Control
• User Permissions
• Excessive Access
• Administrative Access
Access Control: Tips
• Train end users on the key permission features within SharePoint (e.g. security groups,
permission levels, and permissions inheritance)
• Automate the review process to keep rights aligned with business needs
• Enable auditing for sites that contain sensitive information
• Assess the need to use database encryption to protect content
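The review and auditing tips above can be automated with the SharePoint server object model. The following console utility is an added example, not code from the deck or its authors: it walks one site collection, reports every web that breaks permission inheritance together with any user (as opposed to group) who is directly granted a permission level carrying ManagePermissions or ManageWeb rights, and enables auditing on webs that have been tagged as sensitive through metadata. The property bag key `DataSensitivity` and the value `Confidential` are assumptions; the deck only says to use metadata to identify data sensitivity.

```csharp
// Added example (not from the slide deck). Runs on a farm server with the
// SharePoint server object model available; pass a site collection URL.
using System;
using Microsoft.SharePoint;

namespace AccessReview
{
    class Program
    {
        // Rights whose direct assignment to an individual user (bypassing the
        // group model users are trained on) should be reviewed first.
        static readonly SPBasePermissions Elevated =
            SPBasePermissions.ManagePermissions | SPBasePermissions.ManageWeb;

        static void Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.WriteLine("usage: AccessReview <site-collection-url>");
                return;
            }

            using (SPSite site = new SPSite(args[0]))
            {
                foreach (SPWeb web in site.AllWebs)
                {
                    // Webs from AllWebs must be disposed by the caller.
                    using (web)
                    {
                        ReviewWeb(web);
                    }
                }
            }
        }

        static void ReviewWeb(SPWeb web)
        {
            if (web.HasUniqueRoleAssignments)
            {
                Console.WriteLine("[inheritance broken] {0}", web.Url);
                foreach (SPRoleAssignment ra in web.RoleAssignments)
                {
                    SPUser user = ra.Member as SPUser;
                    if (user == null) continue;   // group assignments are the expected case
                    foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings)
                    {
                        if ((rd.BasePermissions & Elevated) != 0)
                            Console.WriteLine("  direct grant: {0} has {1}", user.LoginName, rd.Name);
                    }
                }
            }

            // Assumed convention: a web is tagged sensitive in its property bag.
            string sensitivity = web.AllProperties["DataSensitivity"] as string;
            if (string.Equals(sensitivity, "Confidential", StringComparison.OrdinalIgnoreCase))
            {
                EnableAuditing(web);
            }
        }

        static void EnableAuditing(SPWeb web)
        {
            SPAudit audit = web.Audit;
            SPAuditMaskType wanted = SPAuditMaskType.View | SPAuditMaskType.Update |
                                     SPAuditMaskType.Delete | SPAuditMaskType.SecurityChange;
            if ((audit.AuditFlags & wanted) != wanted)
            {
                audit.AuditFlags |= wanted;
                audit.Update();
                Console.WriteLine("[auditing enabled] {0}", web.Url);
            }
        }
    }
}
```

Schedule the utility from a farm account with read access to the site collections under review and feed its output into the periodic rights review; the audit flags it sets are the ones that feed SharePoint's audit log reports for view, change, delete and permission-change events.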
External Exposure: Demo
External Exposure: Tips
• Use Google or Bing to check for externally exposed information
  • Google samples:
    • inurl:"/_layouts/viewlsts.aspx"
    • "all site content" filetype:aspx
• Use a port scanner like Nmap to look for open listeners
  • Management applications
  • Misconfigured web services
  • Database listeners (SQL)
• Pretend to be a hacker… Try Shodan, a search engine that lets you find specific types of
computers using a variety of filters
Development
• Cross-Site Scripting
• Cross-Site Request Forgery
• Elevation of Privilege
• Information Disclosure
Development: Tips
• Understand Code Access Security
• Encode output properly using SPHttpUtility methods
• Do not allow contributor users to add script to the site
• Specify a charset in the Content-Type HTTP response header
• Avoid using AllowUnsafeUpdates where possible
• Check user permissions appropriately
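To show how the development tips fit together in code, here is an added example of a small server-side web part; it is not code from the deck or its authors. It sets a charset on the response, HTML-encodes user-controlled text with `SPHttpUtility` before writing it, checks the caller's permission explicitly, and only performs a write after `SPUtility.ValidateFormDigest()` succeeds, which is what lets the update run without ever setting `AllowUnsafeUpdates`. The list title `Feedback` and the form field `note` are assumptions for the example.

```csharp
// Added example (not from the slide deck). A SharePoint server object model
// web part that applies the "Development: Tips" slide.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

namespace SecureFeedback
{
    public class FeedbackWebPart : WebPart
    {
        private const string ListName = "Feedback";   // assumed list title
        private string _status = string.Empty;

        protected override void CreateChildControls()
        {
            // Tip: specify a charset so the browser cannot be led to sniff a
            // different encoding for the page.
            HttpContext.Current.Response.ContentType = "text/html; charset=utf-8";

            string note = HttpContext.Current.Request.Form["note"];
            if (!string.IsNullOrEmpty(note))
            {
                _status = SaveNote(note);
            }

            // Tip: encode everything user-controlled before it reaches HTML.
            // Writing `note` here unencoded is the cross-site scripting case.
            Controls.Add(new LiteralControl(
                "<p>" + SPHttpUtility.HtmlEncode(_status) + "</p>"));
            Controls.Add(new LiteralControl(
                "<textarea name=\"note\">" + SPHttpUtility.HtmlEncode(note ?? string.Empty) + "</textarea>"));
        }

        private static string SaveNote(string note)
        {
            SPWeb web = SPContext.Current.Web;

            // Tip: check permissions appropriately instead of assuming the caller may write.
            if (!web.DoesUserHavePermissions(SPBasePermissions.AddListItems))
            {
                return "You do not have permission to add feedback.";
            }

            // Tip: a POST without a valid form digest is the cross-site request
            // forgery case. With the digest validated, the update below proceeds
            // without web.AllowUnsafeUpdates = true.
            if (!SPUtility.ValidateFormDigest())
            {
                return "The request could not be validated; please reload and try again.";
            }

            SPList list = web.Lists.TryGetList(ListName);
            if (list == null)
            {
                return "The feedback list is not available.";
            }

            SPListItem item = list.Items.Add();
            item["Title"] = note.Length > 255 ? note.Substring(0, 255) : note;
            item.Update();
            return "Thank you, your feedback was recorded.";
        }
    }
}
```

The form digest that `ValidateFormDigest()` checks is emitted by the FormDigest control on the standard master pages, so the web part needs no extra token plumbing; if a deployment ever finds itself reaching for `AllowUnsafeUpdates = true`, that is usually a sign the write is happening on a GET or outside a digest-validated POST, which is the case to redesign rather than suppress.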
Questions?
6000 Greenwood Plaza Blvd
Suite 110
Greenwood Village, CO 80111
303.798.5458
www.aspenware.com
Aspenware
