Protecting Against Vulnerabilities in
SharePoint Add-ons
Webinar
Carrie McDaniel – File Security Product Team

1

© 2013 Imperva, Inc. All rights reserved.

Confidential
Agenda
1.  SharePoint Background
2.  Understanding SharePoint Add-ons
3.  Add-On Vulnerabilities
4.  How Hackers Attack SharePoint Add-ons
5.  How to Protect Against Add-on Vulnerabilities

Carrie McDaniel – File Security Team
• Product Marketing Manager for File Security; focus on SharePoint security
• Previously held product marketing position at Moody’s Analytics in San Francisco
• Past experience in finance and tech industries at Wells Fargo and NetApp
• Holds degrees in Marketing and French from Santa Clara University

Top SharePoint Uses
• Internal collaboration
• Content management
• Project management
• Records management
• Corporate intranet
• File share replacement
Source: AIIM
Sensitive Data Lives in SharePoint
Regulated

Financial information
Personally Identifiable Information (PII)
Personal Health Information (PHI)

Sensitive

Legal documents
Intellectual property
Business or Product plans
Deal data

Implementation is Progressive…

Intranet
- Internal file sharing
- Collaboration

Extranet
- Board of Directors site
- External portal for employees, partners, alumni, etc.

Public-facing Website
- Corporate website
- E-commerce site
- Microsite
More than half of organizations use or are
“…planning to use third-party add-on
products in order to enhance functionality.
Only a third thinks they will stick with the
vanilla product.”
AIIM (Association for Information and Image Management)
2012 Industry Watch Survey

Add-ons Defined…

Web Part: A stand-alone application that is embedded into SharePoint that pulls in useful information from other Websites.
Example: Twitter feed

Plug-in: A software component that adds additional functionality to the larger SharePoint system.
Example: SharePoint Outlook Integration

Optimus.com
Convenience
Ease-of-use
Collaboration
Productivity

Most Popular SharePoint Plug-ins and Web Parts

Source: PortalFront

Business Justification
• Custom coding is expensive and takes time; stakeholders seek rapid results

3rd Party
According to Veracode:
•  “Up to 70% of internally developed code originates outside of the
development team”
•  28% of assessed applications are identified as created by a 3rd
party

IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
What’s the risk?
You can’t fix code you don’t own. Organizations won’t be protected until that third party addresses the vulnerabilities.

3rd Party Code Driven Incidents
Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.

HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
OWASP Top 10 – 2013 Update

New, A9 - Using Known Vulnerable Components

Who’s Doing It and Why

Governments
Stealing Intellectual Property (IP) and raw data, and spying
• Motivated by: Policy, politics, and nationalism
• Preferred Methods: Targeted attacks

Organized Crime
Stealing IP and data
• Motivated by: Profit
• Preferred Methods: Targeted attacks, fraud

Hacktivists
Exposing IP and data, and compromising the infrastructure
• Motivated by: Political causes, ideology, personal agendas
• Preferred Methods: Targeted attacks, Denial of Service attacks
Classic Web Site Hacking
Single Site Attack

Hacking
1.  Identify Target
2.  Find Vulnerability
3.  Exploit

Classic Web Site Hacking
Multiple Site Attacks

(The same three-step sequence, shown repeated once per target site)
1. Identify Target
2. Find Vulnerability
3. Exploit
SharePoint Application Hacking

Hacking
1.  Identify add-on
2.  Find Vulnerability
3.  Exploit

Security Risks

SharePoint Building Blocks:
- Visual C#, Visual Basic
- ASP.NET
- Document Object Model
- Microsoft .NET
- Silverlight
- HTML, CSS
- Microsoft SQL Server
- Internet Explorer
- Active Directory integration

Risks:
• Cross-site scripting
• SQL injection
• Directory (or path) traversal
• Remote file inclusion (RFI)

Microsoft has reported over 300 vulnerabilities in SharePoint Server and related products since its release.
CMS Mass Hacking
Step 1: Find a vulnerability in a CMS platform

Source: www.exploit-db.com

Even public vulnerability databases contain thousands of CMS-related vulnerabilities.

Data Extraction Techniques by Hackers: 2005-2011
(pie chart)
SQL Injection: 83%
Other: 17%
Total = 315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse

Main Automated Attack Tools

SQLmap
Havij
The Attacker’s Focus

Server Takeover

Direct Data Theft

Rebalance Your Security Portfolio

Gartner’s Take:
NG Firewall vs. Web Application Firewall

“NGFW vendors… are mostly about controlling external applications, such as Facebook and peer-to-peer (P2P) file sharing.”
“WAFs are different: [they]… are concerned with custom internal Web applications.”
Magic Quadrant for Enterprise Network Firewalls
Gartner, Inc., February 7, 2013

Technical Recommendations
IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
• Pen test before deployment to identify these issues
• Deploy the application behind a WAF to
  - Virtually patch pen test findings
  - Mitigate new risks (unknown at the time of the pen test)
  - Mitigate issues the pen tester missed
  - Use a cloud WAF for remotely hosted applications

• Virtually patch newly discovered CVEs
  - Requires a robust security update service

Web Application Firewall
• Virtually patch vulnerabilities until a fix is issued
• Detect and block attacks
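As an added example (not Imperva's code and not SecureSphere logic), the following Python models the virtual patch the Technical Recommendations and Web Application Firewall slides describe: a rule scoped to one hypothetical third-party web part endpoint that blocks the four input classes listed on the Security Risks slide (path traversal, RFI, SQL injection, XSS) until the vendor ships a fix, with a dry-run mode for validating the rule against log lines before it is switched to blocking. The endpoint path, parameter names, allowlisted feed host and sample requests are all constructed for the example.

```python
"""Virtual patch for a hypothetical third-party SharePoint web part.

Added example; not Imperva code and not SecureSphere logic. A scoped rule
in front of one add-on endpoint blocks the input classes the deck lists
(path traversal, remote file inclusion, SQL injection, XSS) until the
vendor fixes the add-on. The endpoint, parameters and allowlist below are
constructed for the example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical add-on endpoint flagged in a pre-deployment pen test.
PATCHED_PATH = "/_layouts/15/contosofeed/feed.aspx"
# Hosts the feed web part is legitimately allowed to pull from (constructed).
ALLOWED_FEED_HOSTS = {"feeds.example.com"}

# Signatures for the remaining classes; deliberately narrow, since a virtual
# patch protects one known-weak endpoint and does not replace input validation.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SQLI = re.compile(r"(?i)'\s*(or|and|union)\b|\bunion\s+select\b|--|;\s*(drop|exec)\b")
XSS = re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*=")


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def _normalise(value: str) -> str:
    # parse_qs decoded once already; decode again to catch double-encoded
    # payloads such as %252e%252e%252f, which a single-decode filter misses.
    return unquote(value)


def _remote_include(value: str) -> bool:
    # Absolute URLs and scheme-relative (//host/...) values both count as
    # remote; any host not on the allowlist is treated as an RFI attempt.
    u = urlsplit(value)
    if not (u.scheme or u.netloc):
        return False
    return u.hostname not in ALLOWED_FEED_HOSTS


def inspect_request(url: str) -> Decision:
    """Allow or block one request; the rule applies only to the patched path."""
    parts = urlsplit(url)
    if parts.path.lower() != PATCHED_PATH:
        return Decision(True)
    reasons = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            v = _normalise(raw)
            if name == "file" and TRAVERSAL.search(v):
                reasons.append(f"traversal in {name}")
            if name == "src" and _remote_include(v):
                reasons.append(f"remote include in {name}")
            if SQLI.search(v):
                reasons.append(f"sqli in {name}")
            if XSS.search(v):
                reasons.append(f"xss in {name}")
    return Decision(not reasons, reasons)


# Constructed request URLs standing in for access-log lines.
SAMPLE_REQUESTS = [
    "/_layouts/15/contosofeed/feed.aspx?src=https://feeds.example.com/news.rss&count=5",
    "/_layouts/15/contosofeed/feed.aspx?src=http://203.0.113.9/x.txt",
    "/_layouts/15/contosofeed/feed.aspx?file=..%2F..%2Fweb.config",
    "/_layouts/15/contosofeed/feed.aspx?file=%252e%252e%252fweb.config",
    "/_layouts/15/contosofeed/feed.aspx?count=5%27%20OR%201%3D1--",
    "/_layouts/15/contosofeed/feed.aspx?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/sites/finance/Forms/AllItems.aspx?file=..%2Fx",  # out of scope, untouched
]


def dry_run(urls=SAMPLE_REQUESTS):
    """Evaluate the rule in monitoring mode and return (url, decision) pairs,
    the step to take before switching a virtual patch from alert to block."""
    return [(u, inspect_request(u)) for u in urls]


if __name__ == "__main__":
    for u, d in dry_run():
        print("ALLOW" if d.allowed else "BLOCK", u, d.reasons)
```

Running the dry run first surfaces false positives on legitimate feed traffic (the first sample) before the rule is enforced; the out-of-scope path shows the patch does not interfere with the rest of the farm.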

SecureSphere for SharePoint

Protection Tailored to SharePoint

SecureSphere for SharePoint

Web Application Firewall
• Protection against Web-based attacks
• Tuned for Microsoft SharePoint traffic
• Fraud prevention and reputation controls available

File Activity Monitoring
• Monitor and audit file activity
• Comprehensive user rights management
• Enforce file access control policies

Database Firewall
• Protect against changes to SQL server that would render it unsupportable by Microsoft
• Enforce separation of duties
• Prevent unauthorized access and fraudulent activity

Layers of SharePoint Protection
(architecture diagram)
Tiers shown: The Internet, Enterprise Users, Administrators, IIS Web Servers, Application Servers, MS SQL Databases
Threats shown: XSS, SQL Injection, Unauthorized Access, Excessive Rights, Unauthorized Changes
Controls shown: Web-Application Firewall; Activity Monitoring & User Rights Management; DB Activity Monitoring & Access Control; Audit
Additional Resource

Download White Paper
www.imperva.com

So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 

Kürzlich hochgeladen (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 

Protecting Against Vulnerabilities in SharePoint Add-ons

  • 1. Protecting Against Vulnerabilities in SharePoint Add-ons
    Webinar
    Carrie McDaniel – File Security Product Team
    © 2013 Imperva, Inc. All rights reserved. Confidential
  • 2. Agenda
    1.  SharePoint Background
    2.  Understanding SharePoint Add-ons
    3.  Add-On Vulnerabilities
    4.  How Hackers Attack SharePoint Add-ons
    5.  How to Protect Against Add-on Vulnerabilities
  • 3. Carrie McDaniel – File Security Team
    §  Product Marketing Manager for File Security; focus on SharePoint security
    §  Previously held product marketing position at Moody’s Analytics in San Francisco
    §  Past experience in finance and tech industries at Wells Fargo and NetApp
    §  Holds degrees in Marketing and French from Santa Clara University
  • 4. Top SharePoint Uses
    §  Internal collaboration
    §  Content management
    §  Project management
    §  Records management
    §  Corporate intranet
    §  File share replacement
    Source: AIIM
  • 5. Sensitive Data Lives in SharePoint
    Regulated: Financial information; Personally Identifiable Information (PII); Personal Health Information (PHI)
    Sensitive: Legal documents; Intellectual property; Business or Product plans; Deal data
  • 6. Implementation is Progressive…
    Intranet: Internal file sharing; Collaboration
    Extranet: Board of Directors site; External portal for employees, partners, alumni, etc.
    Public-facing Website: Corporate website; E-commerce site; Microsite
  • 7. More than half of organizations use or are “…planning to use third-party add-on products in order to enhance functionality. Only a third thinks they will stick with the vanilla product.”
    AIIM (Association for Information and Image Management) 2012 Industry Watch Survey
  • 8. Add-ons Defined…
    Web Part: A stand-alone application that is embedded into SharePoint and pulls in useful information from other Websites. Example: Twitter feed
    Plug-in: A software component that adds additional functionality to the larger SharePoint system. Example: SharePoint Outlook Integration
    Optimus.com
  • 10. Most Popular SharePoint Plug-ins and Web Parts
    Source: PortalFront
  • 11. Business Justification
    §  Custom coding is expensive and takes time; stakeholders seek rapid results
  • 12. 3rd Party
    According to Veracode:
    •  “Up to 70% of internally developed code originates outside of the development team”
    •  28% of assessed applications are identified as created by a 3rd party
  • 13. IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
    What’s the risk? You can’t fix code you don’t own. Organizations won’t be protected until that third party addresses the vulnerabilities.
  • 14. 3rd Party Code Driven Incidents
    Yahoo’s 3rd party hack as detailed in Imperva’s January HII report.
    HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
  • 15. OWASP Top 10 – 2013 Update
    New, A9 - Using Known Vulnerable Components
  • 16. Who’s Doing It and Why
    Governments: Stealing Intellectual Property (IP) and raw data, and spying
    §  Motivated by: Policy, politics, and nationalism
    §  Preferred Methods: Targeted attacks
    Organized Crime: Stealing IP and data
    §  Motivated by: Profit
    §  Preferred Methods: Targeted attacks, fraud
    Hacktivists: Exposing IP and data, and compromising the infrastructure
    §  Motivated by: Political causes, ideology, personal agendas
    §  Preferred Methods: Targeted attacks, Denial of Service attacks
  • 17. Classic Web Site Hacking: Single Site Attack
    Hacking: 1.  Identify Target 2.  Find Vulnerability 3.  Exploit
  • 18. Classic Web Site Hacking: Multiple Site Attacks
    The same three steps (1.  Identify Target 2.  Find Vulnerability 3.  Exploit) are repeated for each site; the slide shows five sites attacked in this way.
  • 19. SharePoint Application Hacking
    Hacking: 1.  Identify add-on 2.  Find Vulnerability 3.  Exploit
  • 20. Security Risks
    SharePoint Building Blocks: Visual C#, Visual Basic; ASP.NET; Document Object Model; Microsoft .NET; Silverlight; HTML, CSS; Microsoft SQL Server; Internet Explorer; Active Directory integration
    Security Risks:
    §  Cross-site scripting
    §  SQL injection
    §  Directory (or path) traversal
    §  Remote file inclusion (RFI)
    Microsoft has reported over 300 vulnerabilities in SharePoint Server and related products since its release.
  • 21. CMS Mass Hacking
    Step 1: Find a vulnerability in a CMS platform
    Source: www.exploit-db.com
    Even public vulnerability databases contain thousands of CMS-related vulnerabilities.
  • 22. Data Extraction Techniques by Hackers: 2005-2011
    SQL Injection 83%; Other 17%
    Total = 315,424,147 records (856 breaches)
    Source: Privacy Rights Clearinghouse
  • 23. Main Automated Attack Tools
    SQLmap, Havij
  • 24. The Attacker’s Focus
    Server Takeover; Direct Data Theft
  • 25. Rebalance Your Security Portfolio
  • 26. Gartner’s Take: NG Firewall vs. Web Application Firewall
    “NGFW vendors… are mostly about controlling external applications, such as Facebook and peer-to-peer (P2P) file sharing.”
    “WAFs are different: [they]…are concerned with custom internal Web applications.”
    Magic Quadrant for Enterprise Network Firewalls, Gartner, Inc., February 7, 2013
  • 27. Technical Recommendations
    IT and security teams should always assume that third-party code present in SharePoint applications contains significant vulnerabilities.
    §  Pen test before deployment to identify these issues
    §  Deploy the application behind a WAF to
      •  Virtually patch pen test findings
      •  Mitigate new risks (unknown at pen test time)
      •  Mitigate issues the pen tester missed
      •  Use cloud WAF for remotely hosted applications
    §  Virtually patch newly discovered CVEs
      •  Requires a robust security update service
  • 28. Web Application Firewall
    §  Virtually patch vulnerabilities until a fix is issued
    §  Detect and block attacks
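The two WAF roles named on slides 27 and 28, virtually patching a pen-test finding in an add-on until the vendor fixes it and detecting the four attack classes from slide 20, as an added Python example that is not Imperva's or SharePoint's code. The web part path, the "feed" parameter and the sample request URLs are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Virtual patch for a hypothetical pen-test finding: the "feed" parameter of
# an assumed Twitter-feed web part page reaches a back-end query unsanitised.
# Until the vendor ships a fix, only values matching the parameter's
# legitimate format (a Twitter handle) are let through on that exact path.
VIRTUAL_PATCHES = {
    # placeholder path -> {parameter: allow-list pattern}
    "/_layouts/twitterfeed/feed.aspx": {"feed": re.compile(r"^@?[A-Za-z0-9_]{1,15}$")},
}

# Negative-security signatures for the four add-on risk classes the deck lists.
SIGNATURES = {
    "sql_injection": re.compile(r"""(?i)(['"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$)"""),
    "xss": re.compile(r"(?i)(<\s*script|javascript:|on\w+\s*=)"),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
    "remote_file_inclusion": re.compile(r"(?i)^(https?|ftp)://"),
}


def inspect_request(url):
    """Return ('block', reason) or ('allow', reason) for one request URL."""
    parts = urlsplit(url)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once

    # 1. Positive-security virtual patch: applies only to the patched path.
    for name, pattern in VIRTUAL_PATCHES.get(path, {}).items():
        for value in params.get(name, []):
            if not pattern.match(unquote(value)):
                return "block", f"virtual patch: {name} failed allow-list"

    # 2. Generic signatures over every parameter value; decode a second
    #    time so double-URL-encoded payloads are inspected in clear form.
    for name, values in params.items():
        for value in values:
            decoded = unquote(value)
            for label, signature in SIGNATURES.items():
                if signature.search(decoded):
                    return "block", f"{label} in parameter {name}"
    return "allow", "no rule matched"


# Constructed sample traffic, not captured from any real system.
SAMPLE_REQUESTS = [
    "/_layouts/twitterfeed/feed.aspx?feed=imperva",
    "/_layouts/twitterfeed/feed.aspx?feed=%27%20OR%201%3D1--",
    "/sites/hr/Lists/Docs/view.aspx?file=..%2F..%2Fweb.config",
    "/sites/hr/Lists/Docs/view.aspx?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "/_layouts/plugin/include.aspx?tpl=http://example.invalid/x.txt",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, "->", inspect_request(request))
```

The allow-list rule only fires on the patched path, so legitimate handles pass while the generic signatures still cover every other add-on page.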
  • 29. SecureSphere for SharePoint
  • 30. Protection Tailored to SharePoint: SecureSphere for SharePoint
    Web Application Firewall
    §  Protection against Web-based attacks
    §  Tuned for Microsoft SharePoint traffic
    §  Fraud prevention and reputation controls available
    File Activity Monitoring
    §  Monitor and audit file activity
    §  Comprehensive user rights management
    §  Enforce file access control policies
    Database Firewall
    §  Protect against changes to SQL server that would render it unsupportable by Microsoft
    §  Enforce separation of duties
    §  Prevent unauthorized access and fraudulent activity
  • 31. Layers of SharePoint Protection
    [Diagram; labels shown: Administrators, Unauthorized Changes, DB Activity Monitoring & Access Control, Web-Application Firewall, Activity Monitoring & User Rights Management, Excessive Rights, XSS, Audit, The Internet, SQL Injection, Enterprise Users, IIS Web Servers, Unauthorized Access, Application Servers, MS SQL Databases]
  • 32. Additional Resource
    Download White Paper
  • 33. www.imperva.com