Page 1: A SharePoint Administrator’s - Learning Tree … · A SharePoint Administrator’s Practical Guide to Cybersecurity ... —Server and farm layer ... DISA STIG = Defense Information


A SharePoint Administrator’s Practical Guide to Cybersecurity

1060/CN/A.1/207/—

Course 1060

Contributing Author: Aaron Kraus, Certified Information System Security Professional (CISSP), CompTIA Security+ CE


© 2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.®

1060-2

To Join the Audio Conference

• For today’s session, we’re using a conference bridge to eliminate the need for microphones and system validations

• From a direct line

1. Enter your directly dialed telephone number (no extensions) into the Join Teleconference dialog box

2. Click Call My Phone

• From an internal extension line or from outside the U.S. or Canada

1. Dial:

2. Enter *5555#

Note: To redisplay the Join Teleconference dialog box, click the Audio Conference Options button at the bottom of the Attendee List and select Call Me


1060-3

Learning Tree AnyWare™: Quick Tour

• To ask questions

— Click the Chime In button icon and we’ll unmute your audio

• AnyWare status symbols

— Agree/Disagree

• Chat

— Use to share information via a text message

— Click the drop-down arrow to select the recipient

• Private messages

— Use to send a private message to your instructor

— Displays in red text


1060-4

Learning Tree AnyWare™: Quick Tour (continued)

• Technical support

— If you need technical assistance, click the Get Assistance button to initiate a chat session with an AnyWare support technician

— Enter your question and click the Send Message button

— An AnyWare support technician will provide the assistance that you need

— Once your issue is resolved, the technician will close the ticket


1060-5

About Learning Tree International

• Learning Tree International was founded in 1974

— More than 2.1 million technology professionals and managers from over 65,000 organizations trained to date

• In-depth course curriculum—more than 235 titles and growing

— Includes more than 90 management titles

• Courses are developed and taught by technology and business professionals actively working in the field

• Public and on-site courses are available at Learning Tree and client locations worldwide

• This course is being delivered using Learning Tree AnyWare™

— Our (patent pending) training delivery solution that connects online participants to a live, instructor-led classroom


1060-6

About Your Instructor

• Background and education

• Current position

• Experience

Poll


1060-7

Session Objectives

In this presentation, we will

• Define cybersecurity and its importance to SharePoint admins

• Plan for SharePoint security by integrating security throughout the SDLC

— Explore a real-world case study involving a SharePoint data breach

• Address security requirements at various layers of a SharePoint deployment

— Server and farm layer

— Network and perimeter defenses

— End-user layer

• This presentation will be sent to all attendees following this course


1060-8

SharePoint Security Best Practices

• SharePoint is a team tool: Security may not be your responsibility, but you can advocate for proper security measures

• Establish a SharePoint steering committee to involve all stakeholders, such as IT security, network, and business users

• Start with a secure core of hardened infrastructure

• Create unique credentials for the SharePoint installation account

• Create non-obvious user IDs and strong passwords for service accounts

• Change SharePoint service account passwords regularly

• Document SharePoint security/usage policies, and train your users

• Provide additional training to users with escalated privileges, such as site administrators and designers

• Audit critical items, such as remote access, device configurations, and user management


1060-9

A SharePoint Administrator’s Practical Guide to Cybersecurity

Define Cybersecurity

Plan for SharePoint Security by Integrating Security Throughout the SDLC

Address Security Requirements at Various Layers of a SharePoint Deployment


1060-10

What Is Cybersecurity?

• The ability to protect and defend critical Information Technology (IT) systems, preserving CIA:

— Confidentiality: to ensure that only authorized users have access

— Integrity: to ensure that only approved changes are made

— Availability: to ensure that critical resources are accessible when and where needed

• SharePoint requires a multidisciplinary approach to security, because

— It encompasses a broad range of technologies

— It places a great deal of power in the hands of end users, including security decisions

“Cyber threat is one of the most serious economic and national security challenges we face.”

—President Barack Obama


1060-11

Data Breaches Are Costly

• Data breaches are costly and can carry significant legal or regulatory consequences

— The average cost of a data breach to an organization is $7.3 million per breach ($214 per compromised record)*

— Attacks against the Sony PlayStation network were estimated to cost more than $178 million in 2011**

– Costs for lost business, loss of goodwill, etc., are impossible to calculate

• Cybersecurity concerns for SharePoint admins

— Control user access

— Enforce restrictions on user actions

— Secure infrastructure and access methods

• The goal of a SharePoint security program is to safeguard data!

*bit.ly/eiz9Ec

**bit.ly/LSjbpw


1060-12

Standards, Laws, and Regulations

• Securing SharePoint may require adherence to or implementation of

— Standards

– ISO/IEC 27000-defined Information Security Management System

– NIST Special Publication (SP) Series / DOD DIACAP Framework

– ITIL® V3 Information Security Management (ISM)

— Laws

– Federal Information Security Management Act (FISMA)

– Health Insurance Portability and Accountability Act (HIPAA)

– Sarbanes-Oxley (SOX)

– EU Data Protection Directive/Regulation

— Industry regulation

– Payment Card Industry Data Security Standard (PCI DSS)

ISO/IEC = International Organization for Standardization/International Electrotechnical Commission

ITIL = Information Technology Infrastructure Library

NIST = National Institute of Standards and Technology

ITIL® is a Registered Trade Mark of the Cabinet Office.


1060-13

A SharePoint Administrator’s Practical Guide to Cybersecurity

Define Cybersecurity

Plan for SharePoint Security by Integrating Security Throughout the SDLC

Address Security Requirements at Various Layers of a SharePoint Deployment


1060-14

SharePoint Is Multilayered

• A SharePoint ecosystem is composed of many elements, each with unique security concerns

— Windows Server, MS SQL Server, .NET, IIS, ASP

— A variety of end-user access protocols, devices, and client programs

• Administrative responsibility is often split across the organization, including server admins, SharePoint admins, and individual site admins

— Security should start before you install and deploy SharePoint

— Properly securing SharePoint is a multidisciplinary, collaborative effort

• SharePoint is a collaborative and user-empowering technology

— The majority of security decisions fall to end users

— The tool is designed to facilitate information sharing, making it a virtual goldmine for hackers


1060-15

A Plan Is Required

• Cost-effective controls should be chosen

— Control cost should never exceed the value of the asset being safeguarded

— Categorize the data and access to the system to guide control selection

• Security is most easily achieved when security requirements and tasks are integrated throughout the SDLC

— For existing deployments, secure as much as possible, and utilize upgrades to enhance security

SDLC = System Development Lifecycle

(Figure: the SDLC phases, Initiation → Development / Acquisition → Implementation → Operation / Maintenance → Disposal)

Poll


1060-16

Planning for Security

• Utilize a well-defined SDLC methodology, such as that defined in NIST SP 800-63 Security Considerations in the System Development Lifecycle

(Figure: SharePoint admin security tasks laid out across the SDLC phases, Initiation → Development / Acquisition → Implementation → Operation / Maintenance → Disposal; the tasks are listed below in lifecycle order)

• Advocate for security resources and budget

• Assist in determining information and system security requirements

• Analyze requirements

• Perform and support security testing

• Secure key system components

• Deploy SharePoint solution using secure plan

• Create and implement policies for secure use

• Train users

• Audit to ensure compliance

• Archive and secure sensitive information before disposal


1060-17

A Case Study

• Let’s investigate a real data breach in a SharePoint environment

— Identify the issues that led to the failure

— Determine actions to mitigate similar breaches in your environment

• The goal of SharePoint is to facilitate frictionless information sharing

— If malicious users gain access, SharePoint provides no defenses

• Case study source:

— SC Magazine, published October 2010

— bit.ly/M3iziY

Poll


1060-18

Case Study: Mississippi National Guard

• The public-facing SharePoint site of the state’s National Guard

— Hosted PII of nearly 3,000 guard members, including name, rank, and SSN

— Did not enforce authentication for access to the site

— Made this information available for more than a month, until it was reported by a third party

• Issues:

— User(s) inappropriately uploaded sensitive records to a public-facing site

— Auditing was insufficient for the organization to find the mistake

• To avoid similar incidents, you can

— Train your users on SharePoint usage and sensitive data-handling policies

— Implement content management controls

— Implement audit and monitoring tools for oversight of your SharePoint environment

PII = personally identifiable information


1060-19

A SharePoint Administrator’s Practical Guide to Cybersecurity

Define Cybersecurity

Plan for SharePoint Security by Integrating Security Throughout the SDLC

Address Security Requirements at Various Layers of a SharePoint Deployment


1060-20

Modeling SharePoint

• A simplified model of a typical SharePoint deployment can

— Assist in gathering security requirements

— Delineate responsibility across the organization

• SharePoint’s multilayered nature requires the involvement of many groups within an organization

• A useful model is a three-tiered structure, depicting your relative responsibility as a SharePoint admin

(Figure: three-tiered model; layer label shown: Server and farm)

Poll


1060-21

Securing the Server and Farm

• Key roles and tasks for admins at this layer:

— Configure and harden server and database infrastructure

— Secure database access privileges and roles

— Deploy SharePoint, including initial setup of accounts used for ongoing SharePoint operations

— After deployment, support continuous monitoring and auditing

(Figure: three-tiered model, highlighting the Server and farm layer)


1060-22

SharePoint Central Admin

• Manage security settings through SharePoint Central Administration


1060-23

Securing Core Infrastructure

• Start by segregating server admin duties

— Prevents any one user from compromising an entire system

— Target critical roles: Windows Server, database, and SharePoint admins

— Create unique accounts with strong passwords for SharePoint admin and service accounts

• Harden core infrastructure

— Implement recognized guides such as CIS Benchmarks or DISA STIGs

— Utilize validated security settings, such as Windows FIPS mode, whenever possible

— Implement a routine patching schedule

CIS = Center for Internet Security

DISA STIG = Defense Information Systems Agency Security Technical Implementation Guide

FIPS = Federal Information Processing Standard

“Insider threats are becoming both more costly and more sophisticated; pressures such as financial hardship and foreign espionage are increasing the risk of trusted employees willingly stealing business data.”

Source: Carnegie Mellon CERT


1060-24

Maintain an Asset Inventory

• SharePoint database

— Will encryption be used?

• Access control

— How will you verify and authenticate authorized users?

• Replication and search indexing

— Can sensitive data be accessed through alternate means or channels?

• Backup and continuity

— How will the environment be recovered in the event of a disaster?

— Is backup media secured to prevent data loss?

• Separate sensitive information

— Does the data sensitivity warrant creation of separate environments?


1060-25

Server and Farm Audit Considerations

• At this layer, several audit tasks are important

• Regularly:

— Audit system configurations against documented baselines

— Review access logs

— Audit and verify accounts, users, and permissions

— Change passwords for service accounts


1060-26

Securing the Network and Perimeter

• Network and perimeter controls may not be under the purview of the SharePoint admins

— Coordination with appropriate network or security personnel is key

• Key roles and tasks for admins at this layer:

— Coordinate with other organizational stakeholders

— Where encryption is used, implement FIPS-compliant or -validated solutions

— Encrypt data transmissions with SSL/TLS

— Provide secure remote access with VPN, Microsoft Forefront Threat Management Gateway, etc.


1060-27

Network Design and Perimeter Defense

• Deploy a defense-in-depth strategy of layered security controls

— Boundary routers, firewalls, network IDS/IPS

• Harden network devices using recognized guides such as CIS Benchmarks or DISA STIGs

• Place SharePoint according to access needs

— Anonymous users: SharePoint-powered external Web site (www.marines.mil)

— Corporate extranet: Authenticated users must have access

— No access: SharePoint resources may be logically or physically separated from external contact

• Consider additional controls if SharePoint data is sensitive

— Network-monitoring tools and more rigorous audits

— Penetration testing to identify gaps

IDS/IPS = intrusion detection system / intrusion prevention system


1060-28

Network and Perimeter Audit Considerations

• At this layer, several audit tasks are important

• Regularly:

— Coordinate with appropriate organizational stakeholders who are responsible for network and perimeter security, to verify that they

– Audit network device configurations against expected baselines

– Review and verify access control lists and rule sets for network devices

– Monitor traffic for unusual or suspicious activity

– Devote adequate resources to monitor output from network-monitoring devices


1060-29

Securing the End User

• SharePoint empowers users

— This power to effortlessly share information comes with great responsibility

• Key roles:

— Site collection administrators: Configure and maintain general standards for use and user groups, and monitor usage

— Site administrators: Configure and maintain standards for granular items such as list/document library permissions, and monitor content

• Key tasks for admins at this layer:

— Permissions should be managed at the highest level possible (via groups)

— Policies for SharePoint usage should be carefully planned, published, and disseminated


1060-30

Managing Users and Sites

• End-user controls may not be under the purview of the SharePoint admins

— Coordination with appropriate business leaders, user communities, and security personnel is key

— End-user management strategies must align IT management with business objectives

• Users’ access to and use of information must be controlled

— Protecting SharePoint data means managing

– Authorization: Who can see it?

– Permissions: What can they do with it?

Poll


1060-31

Policy Considerations

• Develop and publish policy to guide use of SharePoint in your organization

— Information/data classification policy

— SharePoint usage policy (what may/may not be stored in a site)

— User management policy

• SharePoint is an IT asset and a business enabler

— Coordination must happen between IT asset owners and relevant business users/owners

— Poorly designed policies will be circumvented/ignored

• Compile policies, procedures, and other documentation into a SharePoint governance plan


1060-32

Train Your Users

• Ensure that users are aware of SharePoint policies, access procedures, and security concerns

— Benefits/risks of integrating external data via SharePoint Designer

— Adding code via the Content Editor Web Part

• Identify privileged users who require additional security-relevant training, such as admins and designers

• Provide periodic refresher training to prevent skill loss

Without proper training, users may, by choice or by accident, violate policies and expose your organization to data breach risks!


1060-33

End-User Audit Considerations

• At this layer, several audit tasks are important

• Due to increased complexity, user audits should rely on sampling

— Unlike other SharePoint layers, audits may best be conducted by business users

• Regularly:

— Audit permissions to ensure users’ valid access

— Coordinate with appropriate organizational stakeholders who are responsible for user access, to ensure that they

– Analyze monitoring tools to verify compliance, such as remote access

– Verify that user interactions comply with SharePoint policies
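As an added example (not code from the deck or from Learning Tree), the following script turns the recurring audit tasks from the Server and Farm and End-User audit slides into one repeatable, read-only check: it lists web application zones and sites that allow anonymous access (the failure behind the Mississippi National Guard case study), webs and lists that break permission inheritance, and managed service accounts with no automatic password rotation. It assumes a SharePoint 2010 farm, the Microsoft.SharePoint.PowerShell snap-in, and a farm administrator account; the severity labels are this script's own convention.

```powershell
# Added example, not part of the Learning Tree deck. Read-only audit of a SharePoint 2010
# farm: it reports findings and changes nothing. Run from an elevated SharePoint 2010
# Management Shell as a farm administrator (assumption; adjust to your farm).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = New-Object System.Collections.ArrayList

# Record one finding. Severity labels are this script's own convention, not SharePoint's.
function Add-Finding {
    param([string]$Layer, [string]$Severity, [string]$Object, [string]$Detail)
    [void]$findings.Add((New-Object PSObject -Property @{
        Layer = $Layer; Severity = $Severity; Object = $Object; Detail = $Detail
    }))
}

# --- Server and farm: managed (service) account password rotation -----------------------
foreach ($acct in Get-SPManagedAccount) {
    if (-not $acct.AutomaticChange) {
        Add-Finding 'Server/farm' 'Medium' $acct.UserName `
            'No automatic password change configured; rotate manually and record the date'
    }
    if ($acct.PasswordExpiration -lt (Get-Date)) {
        Add-Finding 'Server/farm' 'High' $acct.UserName `
            "Password expired on $($acct.PasswordExpiration.ToShortDateString())"
    }
}

# --- Server and farm: web application zones that allow anonymous access ------------------
foreach ($webApp in Get-SPWebApplication) {
    foreach ($zone in $webApp.IisSettings.Keys) {
        if ($webApp.IisSettings[$zone].AllowAnonymous) {
            Add-Finding 'Server/farm' 'High' "$($webApp.DisplayName) [$zone]" `
                'Anonymous access enabled at the web application level; confirm it is intended'
        }
    }
}

# --- End user: sites granting anonymous access or breaking permission inheritance --------
foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.AnonymousState -ne 'Disabled') {
                    Add-Finding 'End user' 'High' $web.Url "Anonymous state: $($web.AnonymousState)"
                }
                if ($web.HasUniqueRoleAssignments) {
                    # Unique permissions are where group-level management breaks down;
                    # flag any principal holding Full Control there for owner review.
                    foreach ($ra in $web.RoleAssignments) {
                        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                        if ($roles -match 'Full Control') {
                            Add-Finding 'End user' 'Medium' $web.Url `
                                "$($ra.Member.Name) holds $roles on a web with unique permissions"
                        }
                    }
                }
                foreach ($list in $web.Lists) {
                    if (-not $list.Hidden -and $list.HasUniqueRoleAssignments) {
                        Add-Finding 'End user' 'Low' "$($web.Url)/$($list.Title)" `
                            'List or library breaks permission inheritance; verify with the site owner'
                    }
                }
            } finally { $web.Dispose() }   # SPWeb/SPSite objects must be disposed explicitly
        }
    } finally { $site.Dispose() }
}

# --- Report: on screen, plus a CSV kept as evidence for the audit record -----------------
$findings | Sort-Object Severity, Layer, Object | Format-Table Layer, Severity, Object, Detail -AutoSize
$report = Join-Path $env:TEMP ("sharepoint-audit-{0:yyyyMMdd}.csv" -f (Get-Date))
$findings | Export-Csv -Path $report -NoTypeInformation
Write-Host "Findings: $($findings.Count); report written to $report"
```

Schedule the script and compare successive CSVs: a new anonymous zone or a newly unique-permissioned library between runs is exactly the change the case study's organization had no audit to catch.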


1060-34

In Conclusion…

• SharePoint is a team tool: Security may not be your responsibility, but you can advocate for proper security measures

• Establish a SharePoint steering committee to involve all stakeholders, such as IT security, network, and business users

• Start with a secure core of hardened infrastructure

• Create unique credentials for the SharePoint installation account

• Create non-obvious user IDs and strong passwords for service accounts

• Change SharePoint service account passwords regularly

• Document SharePoint security/usage policies, and train your users

• Provide additional training to users with escalated privileges, such as site administrators and designers

• Audit critical items, such as remote access, device configurations, and user management

Poll


1060-35

Integrated Cyber Education (ICE) Program

• ICE is a framework of training content and resources that address practical training needs of personnel who are not cybersecurity specialists

• The framework is based on input from experts and stakeholders from multiple government and corporate partners

• ICE is composed of

— The “Practical Guide” Training Series, targeting key relevant topics and technologies

— Enhanced cybersecurity awareness content in Learning Tree courses

– SharePoint, mobile application development, project management, and more

— Online resources for customers to further their awareness of key topics

To learn more, please visit www.learningtree.com/ICE


1060-36

Related Learning Tree Courses

• All of the following courses are PMI®-aligned and eligible for PDU credits:

• For more specific course details, please visit www.learningtree.com

Course number   Course title

957    SharePoint Governance: Best Practices

1501   SharePoint 2010 Technologies Comprehensive Introduction

1510   Administering SharePoint Server 2010

1520   Building SharePoint Server 2010 Enterprise Solutions

960    Windows Server 2008 Comprehensive Introduction

961    Windows Server 2008 Administration

962    Windows Server 2008 Active Directory Domain Services

2107   SQL Server 2012 Comprehensive Introduction

2108   SQL Server 2012 Database Administration

940    Securing Web Applications, Services, and Servers


1060-37

Certification Programs

• Learning Tree courses help you prepare for key industry certifications

— Including ITIL®, ISO/IEC 20000, COBIT®, several PMI® certifications, PRINCE2®, IIBA CBAP®, Scrum, MCTS, Cisco®, CompTIA A+®, CompTIA Security+™, CompTIA Network+®, and CISSP®

• PDUs are earned for certain management courses

• Learning Tree Professional Certification Programs

— Details at www.learningtree.com/certification

PDU = PMI Professional Development Unit

ITIL® and PRINCE2® are registered trademarks of the Cabinet Office. COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute. PMI® is a registered trademark and service mark of the Project Management Institute, Inc. IIBA® CBAP® is a registered trademark owned by International Institute of Business Analysis. CBAP is a registered certification mark owned by International Institute of Business Analysis. Cisco® is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. CompTIA A+® and CompTIA Network+® are registered trademarks of the Computing Technology Industry Association, Inc. CompTIA Security+™ is a trademark of the Computing Technology Industry Association, Inc. CISSP® is a registered mark of the International Information Systems Security Certification Consortium in the United States and other countries.


1060-38

Session Objectives Revisited

In this presentation, we have

• Defined cybersecurity and its importance to SharePoint admins

• Planned for SharePoint security by integrating security throughout the SDLC

— Understood the impact of a SharePoint data breach through the use of a case study

• Addressed security requirements at various layers of a SharePoint deployment

— Server and farm layer

— Network and perimeter defenses

— End-user layer

• This presentation will be sent to all attendees following this course


1060-39

Session Objectives Revisited (continued)

• For Learning Tree to become your trusted training supplier

— You will be contacted by a Learning Tree Account Manager to discuss any training requirements and to provide you with our introductory pricing


1060-40

Your Guarantee of Satisfaction

Unless you feel 100% satisfied that Learning Tree delivered even more than you expected, there is no fee for your course attendance. Our Guarantee of Quality lets you experience the value of the course—and then pay only if you feel the course was well worth the tuition.


1060-41

Thank You for Your Participation

• Any questions?

— Chime in to ask your instructor now

— Visit us at

– U.S.: www.learningtree.com

– Canada: www.learningtree.ca

— Call us at 1-800-THE-TREE (1-800-843-8733)

• We wish you every success in the future

• We hope to see you in class soon!

Poll

