Can Your SharePoint Be Hacked?

It is estimated that the theft of US intellectual property costs our economy $300 billion per year in jobs and innovation.

On Tuesday, July 23rd, 2013, over 300 registered attendees participated in the South Florida Joint Security Event. The event was held at NSU’s campus in Fort Lauderdale. Over the course of the afternoon and evening, delegates were treated to presentations by security experts from NSU as well as RSA.

The theme, ‘State Sponsored Hacking’, examined the threat to the US by well-organized groups of foreign hackers.

You may be wondering why a hacker would be interested in the data inside your company. Even if you think you have nothing to steal, hackers can use your computer as a launch pad for more malicious attacks.

Large companies with big security budgets get hacked all the time; recently in the news was the Apple hack that brought down their development website.

If large companies with seemingly endless supplies of money are getting hacked, you’re probably asking, ‘What can I do?’ Well, it turns out that many of the attacks aimed at smaller companies and individuals are based on some surprisingly simple techniques.

  • Malware: Many hackers gain access by placing malware on your computers. Therefore make sure your anti-virus and anti-malware products are patched and up to date.
  • Phishing: This is a simple kind of social engineering device that uses fake email to solicit personal or company data – be vigilant!
  • Watering hole attack: In a watering hole attack, a hacker will compromise a ‘trusted’ site that is visited by members of a target group. Because it is a site you already trust, you will think it is real.

Start making DLP (Data Loss Prevention) a priority in your company today. Consider starting a Security Awareness Program that includes checking your audit logs regularly for stand-out events, and get your staff involved in a security program – your compliance officer or auditors can help.

The SharePoint of things

To a hacker, SharePoint is just another data resource. There are many techniques, most of them really quite simple, that can be used either to hack public-facing SharePoint sites or to gain access to confidential contact information. For example, a few simple Google searches can reveal SharePoint information that has been published to the internet on purpose, accidentally or incorrectly.

Probably one of the most famous SharePoint-associated hacks was ‘wget’, which may have been how Bradley Manning copied the WikiLeaks documents. Wget isn’t a virus or malware; it’s a very useful command-line tool for retrieving content from web servers.

  • Know your external exposure.
  • Look out for users with excessive access.
  • Limit 3rd party plugins and code to trusted vendors.
  • Backup, backup, backup.
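
The advice above to check audit logs for stand-out events, applied to the wget case: an added example (not from the original post) that scans IIS W3C logs from a SharePoint front end for accounts pulling many documents in a short window or using a command-line client. The log lines are constructed, and the thresholds, extension list and function names are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (SharePoint is served by IIS).
SAMPLE_LOG = r"""
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2013-07-23 09:00:01 GET /sites/hr/Docs/policy.docx CORP\alice 10.0.0.5 Mozilla/5.0+(Windows+NT+6.1) 200
2013-07-23 14:00:01 GET /sites/eng/Docs/a.docx CORP\bob 10.0.0.9 Wget/1.14+(linux-gnu) 200
2013-07-23 14:00:02 GET /sites/eng/Docs/b.docx CORP\bob 10.0.0.9 Wget/1.14+(linux-gnu) 200
2013-07-23 14:00:03 GET /sites/eng/Docs/c.xlsx CORP\bob 10.0.0.9 Wget/1.14+(linux-gnu) 200
2013-07-23 14:00:04 GET /sites/eng/Docs/d.pdf CORP\bob 10.0.0.9 Wget/1.14+(linux-gnu) 200
2013-07-23 14:00:05 GET /sites/eng/Docs/e.pdf CORP\bob 10.0.0.9 Wget/1.14+(linux-gnu) 403
"""

DOC_EXTS = (".docx", ".xlsx", ".pptx", ".pdf")  # assumption: what counts as a document
TOOL_AGENTS = ("wget", "curl")                  # assumption: command-line retrievers

def parse_w3c(text):
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):      # header names the columns that follow
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):    # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def find_bulk_retrieval(text, max_docs=3, window=timedelta(minutes=5)):
    """Return {(user, client_ip): [reasons]} for accounts that stand out."""
    hits = defaultdict(list)
    for r in parse_w3c(text):
        if r["sc-status"] == "200" and r["cs-uri-stem"].lower().endswith(DOC_EXTS):
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            hits[(r["cs-username"], r["c-ip"])].append((ts, r["cs-uri-stem"], r["cs(User-Agent)"]))
    alerts = {}
    for key, events in hits.items():
        events.sort()
        reasons = set()
        if any(agent.lower().startswith(TOOL_AGENTS) for _, _, agent in events):
            reasons.add("command-line user agent")
        start = 0
        for end in range(len(events)):       # sliding window over this account's downloads
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({uri for _, uri, _ in events[start:end + 1]}) > max_docs:
                reasons.add("bulk document download")
        if reasons:
            alerts[key] = sorted(reasons)
    return alerts

print(find_bulk_retrieval(SAMPLE_LOG))
```

The User-Agent is chosen by the client and can be changed, so treat it as a hint and rely on the volume check.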