Risk
1/28/2009 05:50 PM

Microsoft SharePoint: A Weak Link In Enterprise Security?

Popular collaboration tool is easy to deploy, but hard to secure, experts say

SharePoint, one of the fastest-growing applications in the Windows environment, may also be turning into one of its most serious security liabilities, according to researchers and security vendors.

The SharePoint collaboration tool, which has been licensed more than 85 million times to an estimated 17,000 companies, is one of the easiest-to-use tools in the Windows suite, experts say. In fact, it's so simple that many employees and workgroups deploy it without even asking the IT department for help. But this ease of use has a price: Many IT organizations haven't properly secured their SharePoint deployments, and many others don't know what sensitive data might be stored or exchanged there.

In a survey published earlier this week and sponsored by security vendor Trend Micro, Osterman Research reported that only 60 percent of companies have deployed security tools specifically for SharePoint, while the other 40 percent rely on traditional server and endpoint security applications. But Osterman Research founder and president Michael Osterman observes that SharePoint data tends to travel beyond those boundaries: it is often shared across networks and applications, and sometimes even outside the company.

"Deploying antimalware software at the endpoint or on a server does not fully secure the SharePoint environment -- the underlying database, Web pages, etc.," Osterman says.

Osterman's findings are supported by another study conducted by Courion, also a SharePoint security provider, back in September. In that study, Courion found that 25 percent of IT managers believed their SharePoint security was weak, or that they weren't sure and were worried about it. Nine percent of respondents said their organizations had suffered a breach that may have been attributable to a leak of sensitive data from SharePoint.

And just last month, Microsoft patched a vulnerability in SharePoint 2008 and Search Server 2008 that might allow users to access parts of the SharePoint server and execute administrative tasks. Those tasks might not give users direct access to protected information, but they could cause the server to stop responding to legitimate requests or provide attackers with additional information, such as the email addresses of users on the system, Microsoft said.

The problem, observers say, is that most companies don't have a clear, enforceable policy for using SharePoint. In many companies, any user can set up a SharePoint site, and, often, there are no guidelines for who can access it or what data can be stored there. Some users assume that because it's used on the company's internal network, SharePoint data must be protected by the standard corporate security defenses, they say. In other cases, employees make the mistake of offering SharePoint access to business partners or contractors outside of the company, without taking steps to secure the exchange of data.

While Microsoft offers some basic administrative tools for restricting access to SharePoint data, many users complain that SharePoint administration is too complex and doesn't go far enough. As a result, a number of third-party vendors are now offering software that they say provides more comprehensive SharePoint security. While vendors such as Courion, Trend Micro, Rohati, and WorldExtend offer SharePoint security tools, Exostar offers a software-as-a-service capability called ForumPass4, which is billed as a more secure collaboration tool for the aerospace and defense environments.

But before such tools can be effective, enterprises must recognize the vulnerabilities of collaborative environments, like SharePoint, and define policies for using them, said Shane Buckley, CEO of Rohati, following the publication of the company's own study on the topic last month. That study indicates that 66 percent of companies believe their organizations need authorization enforcement policies for controlling the ability to print, store, and delete files in collaborative environments.

"The shocking truth that this survey validates is that enterprises are deploying collaboration applications with little to no security policies that can enforce access controls," Buckley said. Such deployments may not only make organizations vulnerable to breaches, but also may jeopardize their compliance with regulatory requirements, he noted.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
