Protecting Against Vulnerabilities in SharePoint Add-ons
2. Agenda
1. SharePoint Background
2. Understanding SharePoint Add-ons
3. Add-On Vulnerabilities
4. How Hackers Attack SharePoint Add-ons
5. How to Protect Against Add-on Vulnerabilities
© 2013 Imperva, Inc. All rights reserved.
Confidential
3. Carrie McDaniel – File Security Team
§ Product Marketing Manager for File Security; focus on SharePoint security
§ Previously held product marketing position at Moody’s Analytics in San Francisco
§ Past experience in finance and tech industries at Wells Fargo and NetApp
§ Holds degrees in Marketing and French from Santa Clara University
4. Top SharePoint Uses
§ Internal collaboration
§ Content management
§ Project management
§ Records management
§ Corporate intranet
§ File share replacement
Source: AIIM
5. Sensitive Data Lives in SharePoint
Regulated
Financial information
Personally Identifiable Information (PII)
Personal Health Information (PHI)
Sensitive
Legal documents
Intellectual property
Business or Product plans
Deal data
6. Implementation is Progressive…
Intranet
-Internal file sharing
-Collaboration
Extranet
-Board of Directors site
-External portal for employees, partners, alumni, etc.
Public-facing Website
-Corporate website
-E-commerce site
-Microsite
7. More than half of organizations use or are
“…planning to use third-party add-on products in order to enhance functionality. Only a third thinks they will stick with the vanilla product.”
AIIM (Association for Information and Image Management)
2012 Industry Watch Survey
8. Add-ons Defined…
Web Part: A stand-alone application that is embedded into SharePoint that pulls in useful information from other Websites.
Example: Twitter feed
Plug-in: A software component that adds additional functionality to the larger SharePoint system.
Example: SharePoint Outlook Integration
Optimus.com
10. Most Popular SharePoint Plug-ins and Web Parts
Source: PortalFront
11. Business Justification
§ Custom coding is expensive and takes time; stakeholders seek rapid results
12. 3rd Party
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
13. IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
What’s the risk?
You can’t fix code you don’t own. Organizations won’t be protected until that third party addresses the vulnerabilities.
14. 3rd Party Code Driven Incidents
Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.
HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
15. OWASP Top 10 – 2013 Update
New, A9 - Using Known Vulnerable Components
16. Who’s Doing It and Why
Governments
Stealing Intellectual Property (IP) and raw data, and spying
§ Motivated by: Policy, politics, and nationalism
§ Preferred Methods: Targeted attacks
Organized Crime
Stealing IP and data
§ Motivated by: Profit
§ Preferred Methods: Targeted attacks, fraud
Hacktivists
Exposing IP and data, and compromising the infrastructure
§ Motivated by: Political causes, ideology, personal agendas
§ Preferred Methods: Targeted attacks, Denial of Service attacks
17. Classic Web Site Hacking
Single Site Attack
Hacking
1. Identify Target
2. Find Vulnerability
3. Exploit
18. Classic Web Site Hacking
Multiple Site Attacks
The same three steps are run against each target site in turn (the slide shows five parallel instances):
Hacking
1. Identify Target
2. Find Vulnerability
3. Exploit
20. Security Risks
SharePoint Building Blocks
- Visual C#, Visual Basic
- ASP.NET
- Document Object Model
- Microsoft .NET
- Silverlight
- HTML/CSS
- Microsoft SQL Server
- Internet Explorer
- Active Directory integration
§ Cross-site scripting
§ SQL injection
§ Directory (or path) traversal
§ Remote file inclusion (RFI)
Microsoft has reported over 300 vulnerabilities in SharePoint Server and related products since its release.
21. CMS Mass Hacking
Step 1: Find a vulnerability in a CMS platform
Source: www.exploit-db.com
Even public vulnerability databases contain thousands of CMS-related vulnerabilities.
22. Data Extraction Techniques by Hackers:
2005-2011
SQL Injection: 83%
Other: 17%
Total = 315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
26. Gartner’s Take:
NG Firewall vs. Web Application Firewall
“NGFW vendors… are mostly about controlling external applications, such as Facebook and peer-to-peer (P2P) file sharing.”
“WAFs are different: [they]…are concerned with custom internal Web applications.”
Magic Quadrant for Enterprise Network Firewalls
Gartner, Inc., February 7, 2013
27. Technical Recommendations
IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
§ Pen test before deployment to identify these issues
§ Deploy the application behind a WAF to:
• Virtually patch pen test findings
• Mitigate new risks (unknown at pen test time)
• Mitigate issues the pen tester missed
• Use a cloud WAF for remotely hosted applications
§ Virtually patch newly discovered CVEs
• Requires a robust security update service
28. Web Application Firewall
§ Virtually patch vulnerabilities until a fix is issued
§ Detect and block attacks
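As an added illustration of the four add-on risk classes on the Security Risks slide and of a WAF's detect-and-block role on this slide, the following Python scores IIS W3C log lines against simple request signatures for XSS, SQL injection, path traversal and RFI. This is example code, not Imperva's or SecureSphere's; the signatures, the /_layouts/ web part paths and the log lines are constructed for this example and are far simpler than a real WAF rule set.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Illustrative request signatures for the four classes named on the Security Risks slide.
# A production WAF uses far richer, normalised rule sets; these are constructed for
# this example only and would miss many real variants.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*or\s+\d+\s*=\s*\d+|\bunion\b.+\bselect\b|;\s*drop\b", re.I),
    "xss": re.compile(r"<script\b|javascript:|\bon(error|load)\s*=", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\|%2e%2e", re.I),   # %2e%2e catches double-encoding
    "rfi": re.compile(r"[?&]\w+=(https?|ftp)://", re.I),          # parameter pointing at a remote URL
}

def classify_request(uri_stem: str, uri_query: str) -> list[str]:
    """URL-decode the request once (as a WAF normalises it) and return every matching class."""
    target = uri_stem if uri_query == "-" else f"{uri_stem}?{uri_query}"
    decoded = unquote_plus(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def inspect_iis_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Scan IIS W3C lines (date time s-ip method uri-stem uri-query port user c-ip ua status)
    and return (client_ip, uri_stem, classes) for each request that trips a signature."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue            # skip blanks and W3C directive lines
        f = line.split()
        if len(f) < 9:
            continue            # malformed line: log it elsewhere, never crash the inspector
        classes = classify_request(f[4], f[5])
        if classes:
            findings.append((f[8], f[4], classes))
    return findings

# Constructed sample traffic against hypothetical third-party web parts under /_layouts/.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2013-03-01 10:15:02 10.0.0.5 GET /sites/finance/_layouts/TwitterFeed.aspx user=imperva 443 - 203.0.113.7 Mozilla/5.0 200
2013-03-01 10:15:09 10.0.0.5 GET /sites/finance/_layouts/TwitterFeed.aspx user=%27+OR+1%3D1-- 443 - 203.0.113.7 Mozilla/5.0 200
2013-03-01 10:15:21 10.0.0.5 GET /sites/finance/_layouts/Search.aspx q=%3Cscript%3Ealert(1)%3C/script%3E 443 - 203.0.113.7 Mozilla/5.0 200
2013-03-01 10:15:33 10.0.0.5 GET /sites/finance/_layouts/Download.aspx file=..%2F..%2Fweb.config 443 - 203.0.113.7 Mozilla/5.0 404
2013-03-01 10:15:40 10.0.0.5 GET /sites/finance/_layouts/Feed.aspx src=http://203.0.113.9/feed.txt 443 - 203.0.113.7 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    for client, uri, classes in inspect_iis_log(SAMPLE_LOG):
        print(f"{client} {uri} -> {', '.join(classes)}")
```

The benign first request produces no finding; each of the other four trips exactly one class, which is the decision a WAF would turn into a block or a virtual-patch alert.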
30. Protection Tailored to SharePoint
SecureSphere for SharePoint
Web Application Firewall
§ Protection against Web-based attacks
§ Tuned for Microsoft SharePoint traffic
§ Fraud prevention and reputation controls available
File Activity Monitoring
§ Monitor and audit file activity
§ Comprehensive user rights management
§ Enforce file access control policies
Database Firewall
§ Protect against changes to SQL Server that would render it unsupportable by Microsoft
§ Enforce separation of duties
§ Prevent unauthorized access and fraudulent activity
31. Layers of SharePoint Protection
Diagram: The Internet and Enterprise Users → Web-Application Firewall → IIS Web Servers → Application Servers → MS SQL Databases
Web-Application Firewall: XSS, SQL Injection
Activity Monitoring & User Rights Management: Excessive Rights, Unauthorized Access, Audit
DB Activity Monitoring & Access Control: Administrators, Unauthorized Changes, Audit