A SharePoint Administrator’s Practical Guide to Cybersecurity
1060/CN/A.1/207/—
Course 1060
Contributing Author: Aaron Kraus, Certified Information System Security Professional (CISSP), CompTIA Security+ CE
© 2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.®
About Learning Tree International
• Learning Tree International was founded in 1974
— More than 2.1 million technology professionals and managers from over
65,000 organizations trained to date
• In-depth course curriculum—more than 235 titles and growing
— Includes more than 90 management titles
• Courses are developed and taught by technology and business
professionals actively working in the field
• Public and on-site courses are available at Learning Tree and client
locations worldwide
• This course is being delivered using Learning Tree AnyWare™
— Our (patent pending) training delivery solution that connects online
participants to a live, instructor-led classroom
About Your Instructor
• Background and education
• Current position
• Experience
Session Objectives
In this presentation, we will
• Define cybersecurity and its importance to SharePoint admins
• Plan for SharePoint security by integrating security throughout the SDLC
— Explore a real-world case study involving a SharePoint data breach
• Address security requirements at various layers of a SharePoint
deployment
— Server and farm layer
— Network and perimeter defenses
— End-user layer
• This presentation will be sent to all attendees following this course
SharePoint Security Best Practices
• SharePoint is a team tool: Security may not be your responsibility, but you can advocate for proper security measures
• Establish a SharePoint steering committee to involve all stakeholders, such as IT security, network, and business users
• Start with a secure core of hardened infrastructure
• Create unique credentials for SharePoint installation account
• Create non-obvious user IDs and strong passwords for service accounts
• Change SharePoint service account passwords regularly
• Document SharePoint security/usage policies, and train your users
• Provide additional training to users with escalated privileges, such as site administrators and designers
• Audit critical items, such as remote access, device configurations, and user management
A SharePoint Administrator’s Practical Guide
to Cybersecurity
Define Cybersecurity
Plan for SharePoint Security by Integrating
Security Throughout the SDLC
Address Security Requirements at Various
Layers of a SharePoint Deployment
What Is Cybersecurity?
• The ability to protect and defend critical Information Technology (IT)
systems, preserving CIA:
— Confidentiality: to ensure that only authorized users have access
— Integrity: to ensure that only approved changes are made
— Availability: to ensure that critical resources are accessible when and where
needed
• SharePoint requires a multidisciplinary approach
to security, because
— It encompasses a broad range of technologies
— It places a great deal of power in the hands of
end users, including security decisions
“Cyber threat is one of the most serious economic and national security challenges we face.”
—President Barack Obama
Data Breaches Are Costly
• Data breaches are costly and can carry significant legal or regulatory
consequences
— The average cost of a data breach to an organization is $7.3 million per
breach ($214 per compromised record)*
— Attacks against the Sony PlayStation network were estimated to cost more
than $178 million in 2011**
– Costs for lost business, loss of goodwill,
etc., are impossible to calculate
• Cybersecurity concerns for SharePoint admins
— Control user access
— Enforce restrictions on user actions
— Secure infrastructure and access methods
• The goal of a SharePoint security program is to safeguard data!
*bit.ly/eiz9Ec
**bit.ly/LSjbpw
Standards, Laws, and Regulations
• Securing SharePoint may require adherence to or implementation of
— Standards
– ISO/IEC 27000-defined Information Security Management System
– NIST Special Publication (SP) Series / DOD DIACAP Framework
– ITIL® V3 Information Security Management (ISM)
— Laws
– Federal Information Security Management Act (FISMA)
– Health Insurance Portability and Accountability Act (HIPAA)
– Sarbanes-Oxley (SOX)
– EU Data Protection Directive/Regulation
— Industry regulation
– Payment Card Industry Data Security Standard (PCI DSS)
ISO/IEC = International Organization for Standardization/International Electrotechnical Commission
ITIL = Information Technology Infrastructure Library
NIST = National Institute of Standards and Technology
ITIL® is a Registered Trade Mark of the Cabinet Office.
SharePoint Is Multilayered
• A SharePoint ecosystem is composed of many elements, each with unique
security concerns
— Windows Server, MS SQL Server, .NET, IIS, ASP
— A variety of end-user access protocols, devices, and client programs
• Administrative responsibility is often split across the organization,
including server admins, SharePoint admins, and individual site admins
— Security should start before you install and deploy SharePoint
— Properly securing SharePoint is a multidisciplinary, collaborative effort
• SharePoint is a collaborative and user-empowering technology
— The majority of security decisions fall to end users
— The tool is designed to facilitate information sharing, making it a virtual
goldmine for hackers
A Plan is Required
• Cost-effective controls should be chosen
— Control cost should never exceed the value of the asset being safeguarded
— Categorize the data and access to the system to guide control selection
• Security is most easily achieved when security requirements and tasks are
integrated throughout the SDLC
— For existing deployments, secure as much as possible, and utilize upgrades
to enhance security
SDLC = System Development Lifecycle
Initiation → Development / Acquisition → Implementation → Operation / Maintenance → Disposal
Planning for Security
• Utilize a well-defined SDLC methodology, such as that defined in NIST SP
800-63 Security Considerations in the System Development Lifecycle
Initiation → Development / Acquisition → Implementation → Operation / Maintenance → Disposal
• Advocate for security resources and budget
• Assist in determining information and system security requirements
• Analyze requirements
• Perform and support security testing
• Secure key system components
• Deploy SharePoint solution using secure plan
• Create and implement policies for secure use
• Train users
• Audit to ensure compliance
• Archive and secure sensitive information before disposal
A Case Study
• Let’s investigate a real data breach in a SharePoint environment
— Identify the issues that led to the failure
— Determine actions to mitigate similar breaches in your environment
• The goal of SharePoint is to facilitate frictionless information sharing
— If malicious users gain access, SharePoint provides no defenses
• Case study source:
— SC Magazine, published October 2010
— bit.ly/M3iziY
Case Study: Mississippi National Guard
• The public-facing SharePoint site of the state’s National Guard
— Hosted PII of nearly 3,000 guard members, including name, rank, and SSN
— Did not enforce authentication for access to the site
— Made this information available for more than a month, until it was reported
by a third party
• Issues:
— User(s) inappropriately uploaded sensitive records to a public-facing site
— Auditing was insufficient for the organization to find the mistake
• To avoid similar incidents, you can
— Train your users on SharePoint usage and sensitive data-handling policies
— Implement content management controls
— Implement audit and monitoring tools for oversight of your SharePoint
environment
PII = personally identifiable information
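The two failures in this case study (no authentication on the site, and no audit that caught it) can be checked for with a farm-wide inventory of anonymous access. The script below is an added example, not part of the course material; it assumes an on-premises SharePoint 2010 farm with the Microsoft.SharePoint.PowerShell snap-in, and the function name and output file name are chosen here for illustration.

```powershell
# Added example (not course material). Run from the SharePoint 2010 Management
# Shell on a farm server, under an account that can read every content database.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AnonymousExposure {
    foreach ($webApp in Get-SPWebApplication) {
        # Anonymous access must first be allowed per zone in the web
        # application's IIS settings; skip web applications where it is off.
        $anonZones = @($webApp.IisSettings.GetEnumerator() |
            Where-Object { $_.Value.AllowAnonymous } |
            ForEach-Object { $_.Key })
        if ($anonZones.Count -eq 0) { continue }

        foreach ($site in Get-SPSite -WebApplication $webApp -Limit All) {
            try {
                foreach ($web in $site.AllWebs) {
                    try {
                        # Disabled = no anonymous access; Enabled = lists and
                        # libraries only; On = the entire web.
                        $state = $web.AnonymousState.ToString()
                        if ($state -eq 'Disabled') { continue }

                        # Lists that grant any permission to anonymous users.
                        $openLists = @($web.Lists |
                            Where-Object { $_.AnonymousPermMask64.ToString() -ne 'EmptyMask' } |
                            ForEach-Object { $_.Title })

                        New-Object PSObject -Property @{
                            WebApplication = $webApp.DisplayName
                            AnonymousZones = ($anonZones -join ', ')
                            Web            = $web.Url
                            AnonymousState = $state
                            OpenLists      = ($openLists -join '; ')
                        }
                    }
                    finally { $web.Dispose() }
                }
            }
            finally { $site.Dispose() }
        }
    }
}

# Illustrative output file name; review every row with the site owner.
Get-AnonymousExposure |
    Select-Object WebApplication, AnonymousZones, Web, AnonymousState, OpenLists |
    Export-Csv -Path .\anonymous-exposure.csv -NoTypeInformation
```

Each row is a web that unauthenticated visitors can reach; comparing the export against the list of sites approved for public access turns this into a recurring audit step.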
Modeling SharePoint
• A simplified model of a typical SharePoint deployment can
— Assist in gathering security requirements
— Delineate responsibility across the organization
• SharePoint’s multilayered nature requires the involvement of many groups
within an organization
• A useful model is a three-tiered structure, depicting your relative
responsibility as a SharePoint admin
[Diagram: three-tiered model; visible label: Server and farm]
Securing the Server and Farm
• Key roles and tasks for admins at this layer:
— Configure and harden server and database infrastructure
— Secure database access privileges and roles
— Deploy SharePoint, including initial setup of accounts used for ongoing
SharePoint operations
— After deployment, support continuous monitoring and auditing
SharePoint Central Admin
• Manage security settings through SharePoint Central Administration
Securing Core Infrastructure
• Start by segregating server admin duties
— Prevents any one user from compromising an entire system
— Target critical roles: Windows Server, database, and SharePoint admins
— Create unique accounts with strong passwords for SharePoint admin and
service accounts
• Harden core infrastructure
— Implement recognized guides such as CIS
Benchmarks or DISA STIGs
— Utilize validated security settings, such as
Windows FIPS mode, whenever possible
— Implement routine patching schedule
CIS = Center for Internet Security
DISA STIG = Defense Information Systems Agency Security Technical Implementation Guide
FIPS = Federal Information Processing Standard
Insider threats are becoming both more costly and more sophisticated; pressures such as financial hardship and foreign espionage are increasing the risk of trusted employees willingly stealing business data.
Source: Carnegie Mellon CERT
Maintain an Asset Inventory
• SharePoint database
— Will encryption be used?
• Access control
— How will you verify and authenticate authorized
users?
• Replication and search indexing
— Can sensitive data be accessed through alternate means
or channels?
• Backup and continuity
— How will the environment be recovered in the event of a disaster?
— Is backup media secured to prevent data loss?
• Separate sensitive information
— Does the data sensitivity warrant creation of separate environments?
Server and Farm Audit Considerations
• At this layer, several audit tasks are important
• Regularly
— Audit system configurations against documented baselines
— Review access logs
— Audit and verify accounts, users, and permissions
— Change passwords for service accounts
Securing the Network and Perimeter
• Network and perimeter controls may not be under the purview of the
SharePoint admins
— Coordination with appropriate network or security personnel is key
• Key roles and tasks for admins at this layer:
— Coordinate with other organizational stakeholders
— Where encryption is used, implement FIPS-compliant or -validated solutions
— Encrypt data transmissions with SSL/TLS
— Provide secure remote access with VPN, Microsoft Forefront Threat
Management Gateway, etc.
Network Design and Perimeter Defense
• Deploy a defense-in-depth strategy of layered security controls
— Boundary routers, firewalls, network IDS/IPS
• Harden network devices using recognized guides such as CIS Benchmarks
or DISA STIGs
• Place SharePoint according to access needs
— Anonymous users: SharePoint-powered external Web site (www.marines.mil)
— Corporate extranet: Authenticated users must have access
— No access: SharePoint resources may be logically or physically separated
from external contact
• Consider additional controls if SharePoint data is sensitive
— Network-monitoring tools and more rigorous audits
— Penetration testing to identify gaps
IDS/IPS = intrusion detection system / intrusion prevention system
Network and Perimeter Audit Considerations
• At this layer, several audit tasks are important
• Regularly
— Coordinate with appropriate organizational stakeholders who are responsible for network and perimeter security, to verify that they
– Audit network device configurations against expected baselines
– Review and verify access control lists and rule sets for network devices
– Monitor traffic for unusual or suspicious activity
– Devote adequate resources to monitor output from network-monitoring devices
Securing the End User
• SharePoint empowers users
— This power to effortlessly share information comes with great responsibility
• Key roles:
— Site collection administrators: Configure and maintain general standards
for use, user groups, and monitor usage
— Site administrators: Configure and maintain standards for granular items
such as list/document library permissions, monitor content
• Key tasks for admins at this layer:
— Permissions should be managed at the
highest level possible (via groups)
— Policies for SharePoint usage
should be carefully planned,
published, and disseminated
Managing Users and Sites
• End-user controls may not be under the purview of the SharePoint admins
— Coordination with appropriate business leaders, user communities, and
security personnel is key
— End-user management strategies
must align IT management with
business objectives
• Users’ access to and use of
information must be controlled
— Protecting SharePoint data
means managing
– Authorization: Who can see
it?
– Permissions: What can they
do with it?
Policy Considerations
• Develop and publish policy to guide use of SharePoint in your organization
— Information/data classification policy
— SharePoint usage policy (what may/may not be
stored in a site)
— User management policy
• SharePoint is an IT asset and a business enabler
— Coordination must happen between IT asset owners and relevant business
users/owners
— Poorly designed policies will be circumvented/ignored
• Compile policies, procedures, and other documentation into a SharePoint
governance plan
Train Your Users
• Ensure that users are aware of SharePoint policies, access procedures,
and security concerns
— Benefits/risks of integrating external data via SharePoint Designer
— Adding code via the Content Editor Web Part
• Identify privileged users who require additional security-relevant training,
such as admins and designers
• Provide periodic refresher training to prevent skill loss
Without proper training, users may, by choice or
by accident, violate policies and expose your
organization to data breach risks!
End-User Audit Considerations
• At this layer, several audit tasks are important
• Due to increased complexity, user audits should rely on sampling
— Unlike other SharePoint layers, audits may best be conducted by business
users
• Regularly
— Audit permissions to ensure users’ valid access
— Coordinate with appropriate organizational stakeholders who are responsible for user access, to ensure that they
– Analyze monitoring tools to verify compliance, such as remote access
– Verify that user interactions comply with SharePoint policies
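One way to run the permission audit on a sampled site collection, and to check the earlier guidance that permissions be managed via groups, is to list every grant made directly to an individual account. This is an added example, not part of the course material; it assumes an on-premises SharePoint 2010 farm with the Microsoft.SharePoint.PowerShell snap-in, and the function name and the site URL in the usage comment are hypothetical.

```powershell
# Added example (not course material). Run from the SharePoint 2010 Management
# Shell under an account with full read access to the sampled site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DirectUserGrant {
    param(
        # Site collection chosen for this audit sample (supplied by the caller).
        [Parameter(Mandatory = $true)][string]$SiteUrl
    )
    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Only objects that broke inheritance carry their own grants.
                $scopes = @()
                if ($web.HasUniqueRoleAssignments) { $scopes += $web }
                $scopes += @($web.Lists | Where-Object { $_.HasUniqueRoleAssignments })

                foreach ($scope in $scopes) {
                    if ($scope -is [Microsoft.SharePoint.SPList]) {
                        $scopeName = "List: $($scope.Title)"
                    } else {
                        $scopeName = 'Web'
                    }
                    foreach ($ra in $scope.RoleAssignments) {
                        $member = $ra.Member
                        # SharePoint groups are SPGroup; AD security groups are
                        # SPUser objects with IsDomainGroup set. Flag only
                        # individual accounts.
                        if ($member -isnot [Microsoft.SharePoint.SPUser]) { continue }
                        if ($member.IsDomainGroup) { continue }

                        # Role type Guest is "Limited Access", which SharePoint
                        # adds automatically; it is not a deliberate grant.
                        $roles = @($ra.RoleDefinitionBindings |
                            Where-Object { $_.Type.ToString() -ne 'Guest' } |
                            ForEach-Object { $_.Name })
                        if ($roles.Count -eq 0) { continue }

                        New-Object PSObject -Property @{
                            Web   = $web.Url
                            Scope = $scopeName
                            User  = $member.LoginName
                            Roles = ($roles -join ', ')
                        }
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# Usage (hypothetical URL):
# Get-DirectUserGrant -SiteUrl 'http://intranet.example.local/sites/hr' |
#     Sort-Object Web, Scope | Format-Table Web, Scope, User, Roles -AutoSize
```

Rows in the output are candidates for the business owner to confirm and then move into a group, which keeps later audits to a review of group membership.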
In Conclusion…
• SharePoint is a team tool: Security may not be your responsibility, but you can advocate for proper security measures
• Establish a SharePoint steering committee to involve all stakeholders, such as IT security, network, and business users
• Start with a secure core of hardened infrastructure
• Create unique credentials for SharePoint installation account
• Create non-obvious user IDs and strong passwords for service accounts
• Change SharePoint service account passwords regularly
• Document SharePoint security/usage policies, and train your users
• Provide additional training to users with escalated privileges, such as site administrators and designers
• Audit critical items, such as remote access, device configurations, and user management
Integrated Cyber Education (ICE) Program
• ICE is a framework of training content and resources that address practical
training needs of personnel who are not cybersecurity specialists
• The framework is based on input from experts and stakeholders from
multiple government and corporate partners
• ICE is composed of
— The “Practical Guide” Training Series, targeting key relevant topics and
technologies
— Enhanced cybersecurity awareness content in Learning Tree courses
– SharePoint, mobile application development, project management, and
more
— Online resources for customers to further their awareness of key topics
To learn more, please visit www.learningtree.com/ICE
Related Learning Tree Courses
• All of the following courses are PMI®-aligned and eligible for PDU credits:
• For more specific course details, please visit www.learningtree.com
Course number   Course title
957 SharePoint Governance: Best Practices
1501 SharePoint 2010 Technologies Comprehensive Introduction
1510 Administering SharePoint Server 2010
1520 Building SharePoint Server 2010 Enterprise Solutions
960 Windows Server 2008 Comprehensive Introduction
961 Windows Server 2008 Administration
962 Windows Server 2008 Active Directory Domain Services
2107 SQL Server 2012 Comprehensive Introduction
2108 SQL Server 2012 Database Administration
940 Securing Web Applications, Services, and Servers
Certification Programs
• Learning Tree courses help you prepare for key industry certifications
— Including ITIL®, ISO/IEC 20000, COBIT®, several PMI® certifications,
PRINCE2®, IIBA CBAP®, Scrum, MCTS, Cisco®, CompTIA A+®, CompTIA
Security+™, CompTIA Network+®, and CISSP®
• PDUs are earned for certain management courses
• Learning Tree Professional Certification Programs
— Details at www.learningtree.com/certification
PDU = PMI Professional Development Unit
ITIL® and PRINCE2® are registered trademarks of the Cabinet Office. COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute. PMI® is a registered trademark and service mark of the Project Management Institute, Inc. IIBA® CBAP® is a registered trademark owned by International Institute of Business Analysis. CBAP is a registered certification mark owned by International Institute of Business Analysis. Cisco® is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. CompTIA A+® and CompTIA Network+® are registered trademarks of the Computing Technology Industry Association, Inc. CompTIA Security+™ is a trademark of the Computing Technology Industry Association, Inc. CISSP® is a registered mark of the International Information Systems Security Certification Consortium in the United States and other countries.
Session Objectives Revisited
In this presentation, we have
• Defined cybersecurity and its importance to SharePoint admins
• Planned for SharePoint security by integrating security throughout the
SDLC
— Understood the impact of a SharePoint data breach through the use of a
case study
• Addressed security requirements at various layers of a SharePoint
deployment
— Server and farm layer
— Network and perimeter defenses
— End-user layer
• This presentation will be sent to all attendees following this course
Session Objectives Revisited
(continued)
• For Learning Tree to become your trusted training supplier
— You will be contacted by a Learning Tree Account Manager to discuss any
training requirements and to provide you with our introductory pricing
Your Guarantee of Satisfaction
Unless you feel 100% satisfied that Learning Tree delivered even more than you expected, there is no fee for your course attendance. Our Guarantee of Quality lets you experience the value of the course—and then pay only if you feel the course was well worth the tuition.
Thank You for Your Participation
• Any questions?
— Chime in to ask your instructor now
— Visit us at
– U.S.: www.learningtree.com
– Canada: www.learningtree.ca
— Call us at 1-800-THE-TREE (1-800-843-8733)
• We wish you every success in the future
• We hope to see you in class soon!