Microsoft SharePoint: A Weak Link In Enterprise Security?Jan 28,2009
Popular collaboration tool is easy to deploy, but hard to secure, experts say
Jan 28, 2009 05:50 PM
By Tim Wilson DarkReading
-->SharePoint, one of the fastest-growing applications in the Windows environment, may also be turning into one of its most serious security liabilities, according to researchers and security vendors.
The SharePoint collaboration tool, which has been licensed more than 85 million times to an estimated 17,000 companies, is one of the easiest-to-use tools in the Windows suite, experts say. In fact, it's so simple that many employees and workgroups deploy it without even asking the IT department for help. But this ease of use has a price: Many IT organizations haven't properly secured their SharePoint deployments, and many others don't know what sensitive data might be stored or exchanged there.
In a survey published earlier this week and sponsored by security vendor Trend Micro, Osterman Research reported that only 60 percent of companies have deployed security tools specifically for SharePoint, while the other 40 percent are relying on traditional server and endpoint security applications. But founder and president Michael Osterman observes that SharePoint data tends to travel beyond these boundaries -- SharePoint data is often shared across networks and applications, and sometimes even outside the company.
"Deploying antimalware software at the endpoint or on a server does not fully secure the SharePoint environment -- the underlying database, Web pages, etc.," Osterman says.
Osterman's findings are supported by another study conducted by Courion, also a SharePoint security provider, back in September. In that study, Courion found that 25 percent of IT managers believed their SharePoint security was weak, or that they weren't sure and were worried about it. Nine percent of respondents said their organizations had suffered a breach that may have been attributable to a leak of sensitive data from SharePoint.
...
"The shocking truth that this survey validates is that enterprises are deploying collaboration applications with little to no security policies that can enforce access controls," Buckley said. Such deployments may not only make organizations vulnerable to breaches, but also may jeopardize their compliance with regulatory requirements, he noted.
Cookie use in YouTube videos on WhiteHouse.gov prompts privacy concerns The Obama administration is already facing an IT controversy: Privacy advocates are criticizing its decision to let third-party cookies be installed in video files on the White House Web site. Read more...
IE8's clickjacking protection will have 'zero impact,' says researcher
January 28, 2009 (Computerworld) Microsoft Corp. provided more information today about how Internet Explorer's new anti-clickjacking feature works, but one of the researchers who first reported the problem last year said it will have "zero impact" on protecting users.
Clickjacking is the term given last September to a new class of browser-based attacks that tricks users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and they theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to additional attack.
Russian 'cybermilitia' knocks Kyrgyzstan offline
Same tactics used in '08 attack against Georgia, but hackers getting faster, says researcher
January 28, 2009 (Computerworld)
A Russian "cybermilitia" has knocked the central Asian country of Kyrgyzstan off the Internet, a security researcher said today, demonstrating that the hackers are able to respond even faster than last year, when they waged a digital war against another former Soviet republic, Georgia.
Since Jan. 18, the two biggest Internet service providers in Kyrgyzstan have been under a "massive, sustained distributed denial-of-service attack," said Don Jackson, the director of threat intelligence at SecureWorks Inc.
Third State Department worker pleads guilty to passport snooping
Marshal8e6 Security Threats ReleasedJanuary 28, 2009
The Marshal8e6 Security Threats report is now available. It is our latest roundup of security threats encountered by TRACE security analysts.
Malware Swipes Millions of Credit Cards
By John Borland 01/22/2009
A security breach shows failings in security rules.
Tens of millions of credit cards could be at risk of fraudulent use thanks to a serious computer-security breach at financial-transactions company Heartland Payment Systems. Earlier this week, Heartland revealed that a piece of malicious software, apparently installed inside the company's transaction-processing system last year, had compromised credit-card data as it crossed the network.
The breach was announced on Tuesday--the day of the U.S. presidential inauguration--and, according to some experts, it shows that attackers are successfully defeating the financial industry's tough computer-security rules. "The potential is certainly there for this to be one of the biggest, if not the biggest breach we've seen," says Rich Mogull, founder of computer-security consulting company Securosis. "Something huge had to have gone wrong here."
It's not clear precisely what kind of malicious software was used, or how many credit-card accounts were compromised. But company president Robert Baldwin has said that Heartland handles as many as 100 million transactions per month.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment