This document discusses why SharePoint is considered a hacker's dream. It notes that SharePoint usage has grown exponentially in recent years, with over 85 million users across 17,000 companies in 2009. SharePoint is widely used by Fortune 500 companies and contains valuable data, making it an attractive target. The document outlines some high-profile data breaches in recent years that involved SharePoint, including those by Bradley Manning and Edward Snowden. It stresses the importance of proper information security practices for SharePoint, including understanding threats, classification, and establishing governance to reduce risks and protect sensitive data.
1. SharePoint
A Hacker's Dream
Ian Naumenko, CISSP
Spot Solutions Ltd.
SharePoint Saturday Vancouver, March 11, 2016 Spot Solutions Ltd.
2. Thanks to all the Sponsors !!!
3. Ian Naumenko, CISSP
WORK
✘ Director IT and Security Operations – Spot Solutions Ltd
BOARDS
✘ Vice President of InfoSecBC
(Vancouver Security Special Interest Group)
✘ President, Western Region, IAMCP Canada
(International Association of Microsoft Channel Partners)
✘ Work with POLCYB
(The Society for the Policing of Cyberspace)
Education, Certifications
✘ Computer Sciences, CISSP, Various Microsoft Certs, ISO 90001, random
others…
4. I’m not dissing SharePoint…
✘ SharePoint is an excellent collaboration platform and overall Microsoft is doing a great job making the technology secure.
✘ It's not usually the technology that is at fault; it's how we use the technology that matters…
6. Why is SharePoint a hacker's dream?
Over the past several years, the uptake of SharePoint has been considerable. Back in 2009, it was estimated that SharePoint had licensed more than 85 million users to an estimated 17,000 companies. This number has grown exponentially in recent years, especially with Microsoft "Core CALs" (which include SharePoint) and the introduction of SharePoint Online and Office 365.
7. Why is it a hacker's dream?
“According to the Association for Information and Image Management (AIIM), one in two corporations are now using SharePoint Server and in 22% of the companies, every employee uses this popular Microsoft collaboration tool.”
http://www.topsharepoint.com/fortune-500-companies-using-sharepoint
8. Why is it a hacker's dream?
A vast number of Fortune 500 private companies use SharePoint for their internal and external content, for example:
• UPS Store
• Procter and Gamble
• SC Johnson
• Bristol-Myers Squibb
9. Why is it a hacker's dream?
…usage includes enterprise search, enterprise content management (ECM), business process management, business intelligence, records management, archiving, intranet/extranet and file sharing, through to public-facing websites…
It contains lots of valuable data, making it a big juicy target!!!
10. Why do we care…
2015's biggest hacks, breaches
✘ Ashley Madison – 37 million “cheaters” records released
✘ Vtech – 4.8 million records including info on 200,000 kids
✘ 70 million prisoner phone records stolen (attorney-client privilege may have been violated)
✘ FBI's portal breached, thousands of arrestees' data at risk, including access to CIA director John Brennan's private email account (widest external breaches of law enforcement this year)
✘ Donald Trump's hotel chain hack hit thousands of hotel visitors (credit card data including security codes and card numbers)
✘ Crowdfunding service Patreon hack led to 15GB data dump
✘ Experian breach hit 15 million T-Mobile customers
✘ Scottrade hack: details on 4.6 million customers stolen
✘ Excellus BlueCross BlueShield – 10 million records
11. Why do we care…
2015's biggest hacks, breaches
✘Carphone Warehouse tops UK breach list with 2.4 million affected
✘CVS, Walgreens, credit card breach, millions of CC, email, postal codes etc., records leaked
✘UCLA Health failed to encrypt 4.5 million records
✘Hacking Team exploits put hundreds of millions of Flash users at risk
✘OPM breach, which affected 22.1 million US government workers (and counting).
✘LastPass customers at risk after millions of passwords accessed
✘The IRS data breach, stolen tax returns of over 100,000 taxpayers
✘Anthem (US healthcare provider) breach affected one-third of Americans
The annual cost of data breaches in the US is estimated to be $100 billion
12. Why do we care… Bradley Manning
Forensics discovered WGET scripts on Manning's computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents…
Edward Snowden
NSA General Keith Alexander indicated…
“This leaker was a system administrator who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed.” He then added that the leak was “... a huge break in trust and confidence. So there are issues we have got to fix there.”
13. So, what do we need to do…
To start…
1. We need to understand what Information Security really is all about…
2. We need to understand external and internal threats…
15. Security is not a group in SharePoint…
“To many in the SharePoint world, “SharePoint security” is synonymous with “SharePoint permissions” and the Snowden breach is a great example of how permissions are a single point of failure but do not (in and of themselves) equate to a proper security architecture.”
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
16. Need to understand the CIA …
19. Confidentiality, Integrity and Availability
Confidentiality - Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
(Think authentication, permissions and groups in SharePoint: who gets to see what…)
Integrity - Integrity refers to the trustworthiness of information resources. It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately, whether by accident or by deliberately malign activity. It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or entity you think it did, rather than an impostor.
(Think SharePoint's “Created by” or “Last modified” each time a document is uploaded/changed)
Availability - Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.
(Think disaster recovery, high availability)
20. Information classification…
Classifying data is the process of categorizing data assets, based on nominal values, according to their sensitivity (e.g., the impact of applicable laws and regulations).
An example of a data classification:
Public - Information that may or must be open to the general public.
Internal - Information that must be guarded due to proprietary, ethical, or privacy considerations.
Confidential - Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.
Regulatory Data Classification - Information that's protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents.
21. Understand the B's and the C's
Business
✘ Technology and security are there to support the business, not the other way around
✘ Difference between a manufacturer and a healthcare provider
✘ Government has different drivers since its goal is to protect the public
✘ Understand the actual business need
✘ Add business value
Culture
✘ Heads down, don't rock the boat
✘ Where's my bonus?
Assets
✘ Are we spending a loonie to save a dime?
✘ What is our risk appetite?
✘ Risk avoidance, reduction, transfer, acceptance
✘ Risk = Likelihood x Impact
(Diagram: Business, Security, Technology)
22. Security basics: definitions of threat, attack and risk
Definition of threat: an object, person, or other entity that represents a constant danger to an asset.
Definition of vulnerability: a weakness that makes targets susceptible to an attack.
Definition of attack: an action taken against a target with the intention of doing harm.
Definition of risk: the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat.
Source: Excerpt from CISSP Guide to Security Essentials, chapter 10
25. Internal threats… “Most data security threats are internal”
Internal vulnerabilities in some form or another are responsible for a total of 70 percent of breaches (Forrester).
✘ Employees (the ones you always do, but shouldn't, trust)
✘ Developers (no one trusts these guys)
✘ Administrators (all powerful)
26. Internal threats…
✘ Lost or stolen devices account for 31 percent of all data security breaches
✘ Accidental misuse by an employee accounted for another 27 percent of incidents
✘ 12 percent of breaches were caused by malicious insiders
✘ 22 percent of incidents involved either customer or employee data, in addition to reputational damage
✘ 19 percent of breaches involved intellectual property
http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/
27. Pieces of a puzzle…
Hackers don't wave a magic wand and voila, they're in… If organized, information is gathered over time from multiple sources and techniques, then slowly assembled like a puzzle:
• BotNets
• Hacking
• Malware
• Pharming
• Phishing
• Ransomware
• Spam
• Spoofing
• Spyware
• Trojan Horses
• Viruses
• Worms
• WiFi eavesdropping
• Email scams
• Phishing and smishing scams
• Contests and scams
• Online dating scams
• Social network scams
• Fraudulent calls
• Social engineering
29. …can be vulnerable if we are not careful
✘ Don't assume that just because you have some SP permissions set up that your data is “automatically” safe; this applies to on-premises, hosted solutions and Office 365
✘ We need to start treating SharePoint as a business-critical repository of important, sensitive business information
✘ “Security is not just a checklist, it's a strategy”
✘ Threats are not just external…
✘ SharePoint security only stands a chance if there is governance
30. Governance is the key
✘ “Governance for SharePoint could be defined as your strategy for delivering the business solutions your end users want, within the scope of the technology and security considerations, while maintaining those business constraints.”
✘ Reducing risk – “just over 43 percent claimed they do not regularly run audits on usage, security, content or permissions, which is frightening to say the least. A governance plan that protects business IP and is aligned with the appropriate compliance regulations helps reduce potentially devastating risk and losses in the future.”
✘ “Governance actually enables business agility and protects the business from data leaks, risk and lost resources”
Great free resource; all the quotes above are from the Metalogix ebook SharePoint Governance Best Practices by SharePoint MVP Christian Buckley
32. Deployments… On-Premises
✘ Pros
• All corporate data is kept onsite, in-house
• Data sovereignty (i.e. keeping content within the country)
• More ability for customization (farm solutions) – don't have to rely on JavaScript
• Knowing your sysadmin team and those who have the keys to your kingdom
• CIA – Confidentiality and Integrity
✘ Cons
• Less or no internal “security minded” resources available
• Limited or overstretched sysadmin resources
• More upkeep and maintenance costs for infrastructure
• Developers of farm solutions need to follow SSDLC and need to understand the potential impacts of custom code
• CIA – Availability
33. Deployments… Cloud
✘ Pros
• Little or no internal infrastructure
• Vast Microsoft infrastructure and security resources
• Automated backup
• Scalability
• CIA – Availability
✘ Cons
• If the internet is down or inaccessible, so is your data
• All data is available externally
• Data is stored wherever Microsoft decides
• Data sovereignty – even if in a Canadian data center, operations are owned by a foreign country
• Adequately secure against rogue systems administrators and insiders…
• CIA – Confidentiality, Availability
36. Three click attack…
SharePoint Hacking Diggity Project – Bishop Fox
http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/
✘ UserDispEnum
• UserDispEnum is a SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can easily be extracted from the SharePoint user profiles.
Paste this into your browser: http://www.google.com/#q=inurl:”/_layouts/userdisp.aspx
42. Also many technical vulnerabilities…
✘ Microsoft Security Bulletin MS15-036 - Elevation of Privilege
• April 14, 2015: The attacker who successfully exploited these vulnerabilities could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the victim's browser.
✘ Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
• Aug 18, 2015: It is possible to evade the current security controls on Microsoft SharePoint Online 2013 Web Application by simply adding a blank iframe in the HTML through the `embed code` feature. It does not matter what policies have been implemented through the `HTML Field Security` feature. All filters / policies are easily evaded using the above mentioned filter bypass technique and this should be fixed immediately. Please note, once the filter is evaded, it is possible to inject malicious script code without any restrictions and it doesn't get stripped / filtered even after publishing. Successful exploitation of the vulnerability results in filter evasion of all SharePoint security policies for the websites and allows execution of persistent script code that can result in session hijacking, persistent phishing, stable external redirect, stable external malware loads and persistent vulnerable module context manipulation.
43. Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low required user interaction and a (restricted) privileged SharePoint cloud application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
1. Register an Office and SharePoint Online 2013 account
2. Login to the SharePoint portal as admin
3. Go to your Site and click on Edit
4. Go to Insert and include "embed code"
5. In the input box, enter the given "Payload"
6. Click Insert and then Save
7. Upon being redirected to the index page, a JavaScript box should pop up proving the existence of this vulnerability
http://www.vulnerability-lab.com/get_content.php?id=1024
44. WGET script
✘ What is WGET?
• It's a command-line tool to download web pages and their assets
✘ Why does it matter…
• Mass content download!
The following command will download all the content from SharePoint to static pages using WGET. WGET even fixes all links so that most navigation still works (the backslashes in the paths below were lost in the slide export and have been restored):
wget -r --no-parent --convert-links -P c:\temp\<my local folder> --http-user=<domain\username> --http-passwd=<password> http://<path to sharepoint>
✘ What can we do to prevent its use…
• WGET respects passwords
• WGET respects, by default, your robots.txt file
• Web servers can be set up to deny WGET's default user agent
• All that being said, it's really hard to block
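As an added defender's example (not code from the talk, Bishop Fox or Metalogix), the script below scans IIS W3C log lines for the two behaviours described on the UserDispEnum and WGET slides: one client walking a run of integer IDs on userdisp.aspx, and one account pulling documents with a crawler user agent or in bulk. The log lines, field layout, account names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real traffic). The #Fields header gives the
# column order, as in a SharePoint web application's IIS log with these fields on.
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2016-03-11 09:00:01 10.0.0.5 CONTOSO\\alice GET /_layouts/userdisp.aspx ID=1 200 Mozilla/5.0
2016-03-11 09:00:02 10.0.0.5 CONTOSO\\alice GET /_layouts/userdisp.aspx ID=2 200 Mozilla/5.0
2016-03-11 09:00:03 10.0.0.5 CONTOSO\\alice GET /_layouts/userdisp.aspx ID=3 404 Mozilla/5.0
2016-03-11 09:00:04 10.0.0.5 CONTOSO\\alice GET /_layouts/userdisp.aspx ID=4 200 Mozilla/5.0
2016-03-11 09:00:05 10.0.0.5 CONTOSO\\alice GET /_layouts/userdisp.aspx ID=5 200 Mozilla/5.0
2016-03-11 09:05:00 10.0.0.9 CONTOSO\\bob GET /sites/finance/Shared%20Documents/q1.docx - 200 Wget/1.16
2016-03-11 09:05:01 10.0.0.9 CONTOSO\\bob GET /sites/finance/Shared%20Documents/q2.docx - 200 Wget/1.16
2016-03-11 09:10:00 10.0.0.7 CONTOSO\\carol GET /_layouts/userdisp.aspx ID=42 200 Mozilla/5.0
2016-03-11 09:10:30 10.0.0.7 CONTOSO\\carol GET /sites/hr/SitePages/Home.aspx - 200 Mozilla/5.0
"""

DOC_EXT = (".docx", ".xlsx", ".pptx", ".pdf", ".doc", ".xls")

def parse_w3c(text):
    """Turn W3C extended log text into one dict per request, keyed by #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def userdisp_enumeration(records, min_ids=5):
    """{(client ip, user): [ids]} for clients that request min_ids or more distinct
    integer IDs on /_layouts/userdisp.aspx, the footprint UserDispEnum leaves.
    Someone viewing a colleague's profile touches one ID, not a run of them."""
    seen = defaultdict(set)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if "/_layouts/" in stem and stem.endswith("/userdisp.aspx"):
            m = re.search(r"(?:^|&)id=(\d+)", r["cs-uri-query"], re.I)
            if m:
                seen[(r["c-ip"], r["cs-username"])].add(int(m.group(1)))
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) >= min_ids}

def bulk_download(records, max_docs=50):
    """{user: stats} for accounts that fetch documents with a crawler user agent
    (Wget's default agent string starts with 'Wget/') or that exceed max_docs.
    A client can send any agent string, so the volume check is the one to rely on."""
    stats = defaultdict(lambda: {"docs": 0, "agents": set()})
    for r in records:
        if r["sc-status"] == "200" and r["cs-uri-stem"].lower().endswith(DOC_EXT):
            stats[r["cs-username"]]["docs"] += 1
            stats[r["cs-username"]]["agents"].add(r["cs(User-Agent)"])
    return {u: s for u, s in stats.items()
            if s["docs"] >= max_docs or any(a.lower().startswith("wget") for a in s["agents"])}

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("userdisp enumeration:", userdisp_enumeration(recs))
    print("bulk download:", bulk_download(recs))
```

Feed it the W3C logs of the SharePoint web application (IIS replaces spaces in the user agent with '+', so whitespace splitting holds) and tune min_ids and max_docs to your own baseline.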
45. What can we do?
46. Vulnerability assessment tools and resources…
✘ Assessment tools from vendors such as:
• Metalogix – Free Insider Threat Vulnerability tool
• ShareGate – SharePoint Security Tool
• AveDoc – Governance Automation
✘ OWASP Top 10
✘ Kali Linux disc (pen testing)
✘ Microsoft Security Center – Security bulletins
https://technet.microsoft.com/en-us/library/security/dn631937.aspx
✘ Common Vulnerabilities and Exposures (CVE) database
http://www.cve.mitre.org/find/index.html
47. Points to remember…
✘ SharePoint doesn't matter, the business matters. (quoted from the Metalogix Governance Best Practices ebook)
✘ We have to approach cloud services by assuming that your data is being looked at by third parties, including cloud systems administrators, and by governmental agencies…
✘ Most IT platforms, and particularly collaboration-oriented platforms, are challenged to adequately secure against rogue systems administrators and insiders. The solution to securing SharePoint and other IT platforms against insiders will always boil down to careful application of security controls, which are not always technical…
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
48. Points to remember… (cont…)
✘ Don't take the technology for granted.
✘ Governance is most important. “It's not a checklist, it's a strategy”
✘ Educate staff in simple language they can understand and relate to
✘ Don't fall into “tick-box security”
✘ Understand the business needs and culture
✘ Be careful with custom code. Always use SSDLC techniques
✘ Teach your staff about “social engineering”
✘ Deploy defense-in-depth protection
49. Conclusion…
Mike Fleck, Co-Founder of CipherPoint Software wrote…
“If your house gets broken into, but you like the house, keep the house and buy a security system. People love SharePoint for the collaboration efficiencies the platform brings to the enterprise. Add to SharePoint the right set of administrative and technical security controls, and you've got a winning combination. It is possible to use the SharePoint platform for use cases involving highly sensitive data!”
50. thanks!
Any questions?
You can find me at
ian@spotsolutions.com
https://www.linkedin.com/in/iannaumenko
@ignhot
Credits
Special thanks to all the people who made and released these awesome slides for free:
Presentation template by SlidesCarnival
Photographs by Unsplash
Speaker notes
We as administrators of business, and of the technology that supports business need to be concerned….
Seen SP sites locked down to the point that it can’t be used
Story about reading clients emails
/_layouts/settings.aspx
Interoperability (pronounced IHN-tuhr-AHP-uhr-uh-BIHL-ih-tee) is a property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation
Some SP installations are not usable because there is too much security