Enterprises use this popular application to enable data sharing outside the organization. And if access controls and other security essentials are lacking, these installations can leave data unguarded. When the enterprise doesn't establish consistent policies about permissible SharePoint data, when transferred or terminated employees retain access to the application, or when the enterprise permits remote access, critical information can end up 'in the wind'.
Various administrative bloopers and bad judgment calls can exacerbate these risks. Incorrectly configuring services that analyze and present data to SharePoint, such as Excel, Visio, and Performance Point business services, can create security holes, according to Gordon. Administrators who inappropriately grant broad access rights to people who shouldn't have them -- usually just trying to provide a quick fix for some workday problem -- also create vulnerabilities, Gordon explains.
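The two failures above (departed or transferred users who keep their rights, and quick-fix grants to broad groups) are both visible in a permission export if someone actually reconciles it against HR. The script below is an added illustration, not code from the article or from Microsoft: it reads a constructed permission export and a constructed HR roster (both CSV layouts are assumptions for this example, not SharePoint's real export format) and flags the entries an access review would want to see.

```python
"""Access-hygiene review for a file-sharing portal (constructed example).

Cross-checks a permission export against an HR roster and flags:
  * accounts of terminated or transferred users that still hold access
  * broad grants (Everyone / All Authenticated Users) at elevated rights
The CSV layouts below are assumptions for this example, not SharePoint's
real export format.
"""
import csv
import io

# Constructed HR roster: user id -> department and employment status.
HR_ROSTER_CSV = """user,department,status
alice,finance,active
bob,finance,terminated
carol,sales,transferred
dave,it,active
"""

# Constructed permission export: site, the department that owns the site,
# the principal granted access, and the role it holds.
PERMISSIONS_CSV = """site,owner_department,principal,role
/sites/finance,finance,alice,Contribute
/sites/finance,finance,bob,Full Control
/sites/finance,finance,carol,Read
/sites/finance,finance,Everyone,Full Control
/sites/public,marketing,All Authenticated Users,Read
/sites/it,it,dave,Full Control
"""

# Groups that effectively mean "everybody"; harmless for Read on a public
# site, dangerous at elevated rights on a departmental site.
BROAD_PRINCIPALS = {"everyone", "all authenticated users"}
ELEVATED_ROLES = {"full control", "design", "contribute"}


def load_roster(text):
    """Map user id -> roster row."""
    return {r["user"]: r for r in csv.DictReader(io.StringIO(text))}


def review_permissions(perm_text, roster_text):
    """Return a sorted list of (site, principal, finding) tuples."""
    roster = load_roster(roster_text)
    findings = []
    for row in csv.DictReader(io.StringIO(perm_text)):
        site, principal, role = row["site"], row["principal"], row["role"]
        key = principal.lower()
        if key in BROAD_PRINCIPALS:
            # A broad group is only a finding when it holds elevated rights.
            if role.lower() in ELEVATED_ROLES:
                findings.append((site, principal, "broad-group-elevated"))
            continue
        person = roster.get(principal)
        if person is None:
            # Not in HR at all: orphaned or service account, needs an owner.
            findings.append((site, principal, "unknown-account"))
        elif person["status"] == "terminated":
            findings.append((site, principal, "terminated-still-has-access"))
        elif (person["status"] == "transferred"
              and person["department"] != row["owner_department"]):
            # Moved departments but still holds the old department's site.
            findings.append((site, principal, "transferred-retains-old-dept-access"))
    return sorted(findings)


if __name__ == "__main__":
    for site, principal, finding in review_permissions(PERMISSIONS_CSV, HR_ROSTER_CSV):
        print(f"{site:16} {principal:24} {finding}")
```

Run on the constructed data it reports bob (terminated, Full Control), carol (transferred out of finance, still reading the finance site) and the Everyone group holding Full Control; the Read grant to All Authenticated Users on the public site is deliberately not flagged, since that is what a public site is for.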
The simpler the mistake and the greater the exposure, the more the embarrassment.
"I had a customer who inadvertently allowed the organization to post proprietary financial data to the external side of its SharePoint portal, allowing customers to see account information and transactional data," says Gordon. In this case, a live data feed was mistaken for the test data feed and errantly fed into the test system. When the test system's output was shared on the public side of SharePoint with the partners and vendors who were examining it to fix or improve the test system, they saw the confidential information as well.
(More on the horrors of test system misuse a bit later.)
3. Dropbox (and company)
Dropbox is similar to SharePoint but potentially more hazardous since the enterprise customer does not manage the externally hosted cloud file-sharing service. Dropbox and its ilk -- Google Drive, SkyDrive, Box, and so on -- are designed to appeal to consumers with extremely simple account setup. So their use for enterprise data is all but inevitable.
Once Dropbox is sending information to the public Internet and mobile devices outside the enterprise perimeter, that data can make its way to eyes that don't have the proper authorization. "Almost anything could end up on a public Web server outside the company's control," says Bellis.
Besides its public nature, Dropbox has another weakness: passwords.
Obviously, hackers can guess weak Dropbox passwords or acquire UID/password combinations through social engineering, says Gordon. The most common password vulnerability, however, seems to be the reuse on Dropbox of passwords that have already been used with other compromised systems (email, websites).
In a widely publicized debacle from July 2012, a Dropbox employee stored an unencrypted document inside the file-sharing app that listed users' email addresses. An attacker logged into the employee's account using a password the employee had reused on another infiltrated site. The attacker then obtained a copy of the unencrypted document and used the email addresses to unleash a flood of spam on Dropbox users.
The password reuse problem is, of course, not unique to file-syncing services.
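The standard defensive answer to the reuse problem is to screen new passwords against known breach corpora at the time they are set, without shipping the password itself to whoever holds the corpus. The block below is an added example (not the article's, Dropbox's, or any vendor's code) of the hash-prefix range-query pattern: the client sends only the first five hex characters of SHA-1(password), receives every suffix in that bucket, and does the comparison locally. The "breached" corpus is constructed here; a real deployment would use a genuine breached-password dataset.

```python
"""Screening a password against a breach corpus by hash prefix (constructed).

Server side indexes SHA-1 hashes of breached passwords by 5-char prefix.
Client side sends only that prefix, so the server learns neither the
password nor its full hash. The corpus is constructed for this example.
"""
import hashlib
from collections import defaultdict

# Constructed corpus: breached password -> number of times seen.
BREACHED = {"password": 3_000_000, "letmein": 250_000, "Summer2012!": 42}


def sha1_hex(s):
    """Uppercase hex SHA-1, matching the common range-query convention."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


def range_lookup(index, prefix):
    """Server side: the only request it sees is a 5-char prefix."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(password, index):
    """Client side: how many times this exact password appeared in breaches."""
    h = sha1_hex(password)
    bucket = range_lookup(index, h[:5])
    return bucket.get(h[5:], 0)


def password_acceptable(password, index, min_len=12):
    """Policy: reject passwords seen in breaches or shorter than min_len."""
    if len(password) < min_len:
        return False, "too short"
    n = breach_count(password, index)
    if n:
        return False, f"seen in {n} breached accounts"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED)
    for candidate in ("password", "Summer2012!", "correct horse battery staple"):
        print(candidate, "->", password_acceptable(candidate, idx, min_len=8))
```

Rejecting a breached password at signup or change time is what stops the reused credential from working on the second service; the prefix split keeps the check from becoming a new place where plaintext passwords leak.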
Dropbox customers have also faced insider problems. In August 2011, an employee of the Chocolate Emporium in Cleveland, Ohio, maliciously copied the company's entire customer database, including credit card numbers, to Dropbox. The company recovered the records, but an arrest and lawsuits ensued, according to the Open Security Foundation's DataLossDB.org.
Provide data with a way out of the organization, and sooner or later someone will try to abuse it.