On December 9, 2011, Imperva, Inc. published a press release presenting its list of the top 10 security vulnerabilities for computing systems for 2012. The release has been widely disseminated; a copy was posted on the US Homeland Security website.
The sixth spot on Imperva’s list goes to “Internal Collaboration Meets its Evil Twin.” The two collaboration platforms named in the release are SharePoint and Jive, with Imperva noting that SharePoint is the most widely used. The threat, as Imperva sees it, is that external-facing SharePoint sites will not be secured properly in two key areas: the document (or data) repository, and the security profile for the SharePoint implementation, which should be amended to include an entirely separate profile for external-facing sites rather than reusing the intranet’s. Imperva cites a serious breach in which more than 3,000 personal records of Mississippi National Guard soldiers were unintentionally exposed to the public on an external-facing Guard web site built on SharePoint.
Reading further, we took a look at Stach & Liu’s presentation paper on SharePoint security for the ISSA. The paper advocates several policies and procedures for keeping external-facing SharePoint sites secure. One of the procedures is referred to as “Google Hack Yourself”: use Google’s own search operators to find what the search engine has already indexed from your site. We ran a Google search with one of the queries mentioned in the piece, inurl:”/_catalogs/wt/” (a Google search operator, not a regular expression, that matches any indexed URL containing that SharePoint gallery path). We were surprised that the query produced more than 4,000 results. One of them was on the web site of a trade association for risk management, which shall remain nameless for this post. We called the association and spoke with the head of IT, who thanked us and let us know that he would take steps to remove the exposure “pronto.”
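To make the “Google Hack Yourself” step concrete, here is an added example (our illustration for this post, not code from Stach & Liu or from SharePoint) that does two things for a site you own: it builds the Google query scoped to your own domain with the site: operator, and it requests the /_catalogs/wt/ path (SharePoint’s site template gallery) anonymously to see whether the server hands it out without asking for credentials. The hostname, URLs and HTTP responses in it are constructed for illustration; redirects are deliberately not followed, because an anonymous request bounced to a login form would otherwise come back as a misleading 200.

```python
"""Added example for this post: check one SharePoint site for an
anonymously readable /_catalogs/wt/ gallery, the path behind the
Google query inurl:"/_catalogs/wt/". Hostnames and responses here
are constructed; point it at a site you are authorized to test."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Path from the query in the post: inurl:"/_catalogs/wt/"
WT_PATH = "/_catalogs/wt/"


def google_dork(domain: str) -> str:
    """Query to paste into Google to find the path on your own site only.
    The site: operator restricts results to the given domain."""
    return f'site:{domain} inurl:"{WT_PATH}"'


def classify(status: int) -> str:
    """Turn the anonymous HTTP status for the gallery path into a verdict."""
    if status == 200:
        return "EXPOSED: gallery is readable without authentication"
    if status in (401, 403):
        return "OK: server demands authentication"
    if status in (301, 302, 303, 307, 308):
        return "REDIRECTED: probably to a login page; inspect the Location header"
    if status == 404:
        return "ABSENT: path not served (not SharePoint, or gallery removed)"
    return f"UNKNOWN: HTTP {status}, inspect manually"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_status(url: str, timeout: float = 10.0) -> int:
    """Fetch url with no credentials and return the HTTP status code."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "wt-gallery-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_site(base_url: str, fetch=anonymous_status) -> dict:
    """Run the check for one site (or site collection such as /sites/hr).
    `fetch` is injectable so the logic can be exercised without network access."""
    url = base_url.rstrip("/") + WT_PATH
    status = fetch(url)
    return {"url": url, "status": status, "verdict": classify(status)}


if __name__ == "__main__":
    # Usage: python wt_check.py https://extranet.example.com/sites/hr
    base = sys.argv[1] if len(sys.argv) > 1 else "https://extranet.example.com/"
    print("Google query:", google_dork(urlsplit(base).hostname))
    result = check_site(base)
    print(result["url"], "->", result["status"], result["verdict"])
```

A 200 here means anonymous users can read the gallery; the fix is to deny anonymous users access to that gallery (or the whole site) in SharePoint’s anonymous access settings and then re-run the check. The Google query remains useful afterwards, because search engines keep serving cached copies until the page is removed from the index.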
Worth noting: he told us that his association is a customer of both Stach & Liu and Imperva. We mention this simply to illustrate that without an internal system of security controls, an organization cannot manage its external vendors to deliver the value it is paying for. An internal system of security policies and procedures must be in place to “police” the security vendors (the experts) themselves. Needless to say, he said he would be on the telephone with both vendors that day to determine why, despite their efforts, this exposure still existed.
SharePoint-Videos.com offers several must-have video tutorials on SharePoint and security. We are confident that regular, periodic application of the security policies and procedures presented in our video tutorials is among the most effective ways of preventing dangerous external exposures of SharePoint. If you would like to hear more about how our video training can be applied to bolster SharePoint security, please either call us at (630) 786-7026 or Contact Us. We will be happy to elaborate with additional suggested videos and specific tips.
© Rehmani Consulting Inc, 2011 All Rights Reserved