A SharePoint Administrators

Practical Guide to Cybersecurity

1060/CN/A.1/207/

Course 1060

Contributing Author:

Aaron Kraus, Certified Information System Security Professional (CISSP),

CompTIA Security+CE

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-2

To Join the Audio Conference

For todays session, were using a conference bridge to eliminate the need for microphones and system validations

From a direct line1. Enter your directly dialed

telephone number (no

extensions) into the Join

Teleconference dialog box

2. Click Call My Phone

From an internal extension line or from outside the U.S. or Canada

1. Dial:

2. Enter *5555#Note: To redisplay the Join

Teleconference dialog box, click

the Audio Conference Options

button at the bottom of the

Attendee List and select Call Me

1

2

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-3

Learning Tree AnyWareTM: Quick Tour

To ask questions Click the Chime In button icon and well unmute your audio

AnyWare status symbols Agree/Disagree

Chat Use to share information via a

text message

Click the drop-down arrow to

select the recipient

Private messages Use to send a private message

to your instructor

Displays in red text

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-4

Learning Tree AnyWareTM: Quick Tour

(continued)

Technical support If you need technical assistance,

click the Get Assistance button

to initiate a chat session with an

AnyWare support technician

Enter your question and click the

Send Message button

An AnyWare support technician

will provide the assistance that

you need

Once your issue is resolved, the

technician will close the ticket

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-5

About Learning Tree International

Learning Tree International was founded in 1974 More than 2.1 million technology professionals and managers from over

65,000 organizations trained to date

In-depth course curriculummore than 235 titles and growing Includes more than 90 management titles

Courses are developed and taught by technology and business professionals actively working in the field

Public and on-site courses are available at Learning Tree and client locations worldwide

This course is being delivered using Learning Tree AnyWare Our (patent pending) training delivery solution that connects online

participants to a live, instructor-led classroom

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-6

About Your Instructor

Background and education

Current position

Experience

Poll

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-7

Session Objectives

In this presentation, we will

Define cybersecurity and its importance to SharePoint admins

Plan for SharePoint security by integrating security throughout the SDLC Explore a real-world case study involving a SharePoint data breach

Address security requirements at various layers of a SharePoint deployment

Server and farm layer

Network and perimeter defenses

End-user layer

This presentation will be sent to all attendees following this course

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-8

SharePoint Security Best Practices

SharePoint is a team tool: Security may not be your responsibility, but

you can advocate for proper security measures

Establish a SharePoint steering committee to involve all stakeholders,

such as IT security, network, and business users

Start with a secure core of hardened infrastructure

Create unique credentials for SharePoint installation account

Create non-obvious user IDs and strong passwords for service accounts

Change SharePoint service account passwords regularly

Document SharePoint security/usage policies, and train your users

Provide additional training to users with escalated privileges, such as site

administrators and designers

Audit critical items, such as remote access, device configurations, and

user management

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-9

A SharePoint Administrators Practical Guide

to Cybersecurity

Define Cybersecurity

Plan for SharePoint Security by Integrating

Security Throughout the SDLC

Address Security Requirements at Various

Layers of a SharePoint Deployment

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-10

What Is Cybersecurity?

The ability to protect and defend critical Information Technology (IT) systems, preserving CIA:

Confidentiality: to ensure that only authorized users have access

Integrity: to ensure that only approved changes are made

Availability: to ensure that critical resources are accessible when and where

needed

SharePoint requires a multidisciplinary approach to security, because

It encompasses a broad range of technologies

It places a great deal of power in the hands of

end users, including security decisions

Cyber threat is one of the most serious economic

and national security challenges we face.

President Barack Obama

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-11

Data Breaches Are Costly

Data breaches are costly and can carry significant legal or regulatory consequences

The average cost of a data breach to an organization is $7.3 million per

breach ($214 per compromised record)*

Attacks against the Sony PlayStation network were estimated to cost more

than $178 million in 2011**

Costs for lost business, loss of goodwill,

etc., are impossible to calculate

Cybersecurity concerns for SharePoint admins Control user access

Enforce restrictions on user actions

Secure infrastructure and access methods

The goal of a SharePoint security program is to safeguard data!

*bit.ly/eiz9Ec

**bit.ly/LSjbpw

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-12

Standards, Laws, and Regulations

Securing SharePoint may require adherence to or implementation of Standards

ISO/IEC 27000-defined Information Security Management System

NIST Special Publication (SP) Series / DOD DIACAP Framework

ITIL V3 Information Security Management (ISM)

Laws

Federal Information Security Management Act (FISMA)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-OXley (SOX)

EU Data Protection Directive/Regulation

Industry regulation

Payment Card Industry Data Security Standard (PCI DSS)

ISO/IEC = International Organization for Standardization/International Electrotechnical Commission

ITIL = Information Technology Infrastructure Library

NIST = National Institute for Standards and Technology

ITIL is a Registered Trade Mark of the Cabinet Office.

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-13

A SharePoint Administrators Practical Guide

to Cybersecurity

Define Cybersecurity

Plan for SharePoint Security by Integrating

Security Throughout the SDLC

Address Security Requirements at Various

Layers of a SharePoint Deployment

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-14

SharePoint Is Multilayered

A SharePoint ecosystem is composed of many elements, each with unique security concerns

Windows Server, MS SQL Server, .NET, IIS, ASP

A variety of end-user access protocols, devices, and client programs

Administrative responsibility is often split across the organization, including server admins, SharePoint admins, and individual site admins

Security should start before you install and deploy SharePoint

Properly securing SharePoint is a multidisciplinary, collaborative effort

SharePoint is a collaborative and user-empowering technology The majority of security decisions fall to end users

The tool is designed to facilitate information sharing, making it a virtual

goldmine for hackers

2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.

1060-15

A Plan is Required

Cost-effective controls should be chosen Control cost should never exceed the value of the asset being safeguarded

Categorize the data and access to the system to guide control selection

Security is most easily