Hundreds of ServiceNow KB Instances Expose Corporate Data



One thousand instances of enterprise knowledge bases (KBs) hosted by ServiceNow have been found exposing sensitive corporate data over the past year, despite the data-security improvements the company put in place last year to prevent exactly this kind of issue.

Based on security research conducted by software-as-a-service (SaaS) security firm AppOmni, nearly 45% of total enterprise instances of ServiceNow KBs leak sensitive data, including personally identifiable information (PII), internal system details, and active credentials/tokens for live production systems.

AppOmni chief of SaaS security research Aaron Costello, in an analysis published on Sept. 17, attributed the security holes to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning," he wrote.

In fact, in many of the cases, organizations with more than one instance of ServiceNow had consistently misconfigured KB access controls across each one, the researchers found.

ServiceNow is a cloud-based IT service management platform. Last year, the company released security updates to its platform to prevent unauthenticated users from gaining access to data, including default improvements to access control lists (ACLs). However, the improvements did not appear to have much impact on its KBs, a "treasure trove of sensitive internal data" not intended to be seen by those outside the organization, Costello noted.


Why Leaks Despite Security Improvements?

AppOmni disclosed its findings to ServiceNow, which worked with its customers to evaluate the instances of customer data leaks and "appropriately configure the accessibility of KB articles," ServiceNow CISO Ben De Bont said in a statement published alongside AppOmni's analysis.

"We are committed to protecting our customers' data, and security researchers are important partners in our ongoing efforts to improve the security of our products," De Bont said. He thanked Costello and AppOmni not only for identifying the security gap, but also for delaying publication of their findings until ServiceNow could coordinate mitigations with customers.

As mentioned, ServiceNow made two key changes to its data protections last year in an effort to improve the security of data hosted on its platform. One was to add properties that prevent select widgets from granting unauthenticated users access to data unless explicitly set to do so; the second was a new feature called Security Attributes, which is applied to most ACLs by default. It includes specific verifications to ensure unauthenticated users are not allowed access to data.


These updates did not protect data in KBs for two reasons, Costello noted. One is that the public widgets that can be used to access the content of KB articles did not receive the update, he wrote. The second reason is that the majority of KBs are secured using a feature called User Criteria rather than ACLs, "rendering the addition of the 'UserIsAuthenticated' Security Attribute redundant since it is an ACL-exclusive feature," Costello noted.

Though this may explain the issues found with ServiceNow's KB exposure, it does not necessarily explain why organizations in general struggle to lock down KBs. What Costello found in his research is that most enterprise instances (60% of the cases he examined) retain an insecure KB security property to "allow public access by default," Costello said.

Moreover, many administrators are unaware that there are various criteria in KB configurations that grant access to unauthenticated users, allowing "external users to slip through the cracks and be granted access," Costello wrote.


How to Mitigate KB Data Exposure

Indeed, ServiceNow is not the only hosting provider to have issues with data leakage from KBs, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. Microsoft, too, experienced a similar issue with leaking customer data, "including full memory dumps, exposed in help desk-type data," he says.

However, pointing fingers at SaaS providers when security issues like KB data leaks arise will not help combat the problem, and organizations also need to take responsibility for the security of their own KBs.

"The reality is that we are all learning how to best secure our data in this world of hyper-connectivity and always-online accessible content," he says. "Instead of blaming the vendor, let's use this additional instance of this type of problem to examine our own policies and processes."

Costello recommended ways organizations can do that, including running regular diagnostics on KB access controls to keep security configurations up to date, and using business rules to deny unauthenticated access to KB content by default.

They also should be aware of the relevant security properties of KBs, which act as important security guardrails governing how access control is applied when both internal and external users attempt to access data, he said.
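The two recommendations above, a default-deny rule for unauthenticated readers and a periodic diagnostic of which KBs guests can reach, can be sketched as a small model of the access decision. The following is an added example written for this article; it is not ServiceNow's code or AppOmni's tooling, and the property and criterion names (`allowPublicByDefault`, `canReadCriteria`, `allowsGuest`, `anyAuthenticated`) are constructed stand-ins for the platform's own settings, not its API. The sample KB configurations are likewise constructed.

```javascript
// Added example: a simplified model of knowledge-base read access, used to
// audit a set of KB configurations for unauthenticated reachability and to
// apply a default-deny hardening step. Field names are constructed for this
// example and do not correspond to ServiceNow's real properties or API.

// Decide whether `user` may read `kb`. A KB has a public-by-default property
// (the insecure setting the article describes) and a list of "can read"
// criteria; a criterion can match by role, match any authenticated user, or
// (the overlooked case) admit guests as well.
function evaluateKbAccess(kb, user) {
  const isAuthenticated = Boolean(user && user.isAuthenticated);

  if (!isAuthenticated) {
    // Path 1: no criteria at all, and the KB is open by default.
    if (kb.allowPublicByDefault && kb.canReadCriteria.length === 0) {
      return { allowed: true, reason: 'public-by-default' };
    }
    // Path 2: a criterion that explicitly admits unauthenticated users.
    const guestCriterion = kb.canReadCriteria.find(c => c.allowsGuest);
    if (guestCriterion) {
      return { allowed: true, reason: `criterion:${guestCriterion.name}` };
    }
    // Default deny for everyone else who is not logged in.
    return { allowed: false, reason: 'deny-unauthenticated' };
  }

  // Authenticated user: with no criteria, fall back to the default property.
  if (kb.canReadCriteria.length === 0) {
    return { allowed: kb.allowPublicByDefault, reason: 'default-property' };
  }
  const match = kb.canReadCriteria.find(c =>
    c.allowsGuest || c.anyAuthenticated || c.roles.some(r => user.roles.includes(r)));
  return match
    ? { allowed: true, reason: `criterion:${match.name}` }
    : { allowed: false, reason: 'no-matching-criterion' };
}

// Diagnostic: list every KB an unauthenticated visitor could read, and why.
function auditUnauthenticatedExposure(kbs) {
  const guest = { isAuthenticated: false, roles: [] };
  return kbs
    .map(kb => ({ name: kb.name, ...evaluateKbAccess(kb, guest) }))
    .filter(r => r.allowed);
}

// Hardening: turn off public-by-default and convert any guest-admitting
// criterion into one that requires authentication, so internal readers keep
// their access while external users are denied by default.
function hardenKb(kb) {
  return {
    ...kb,
    allowPublicByDefault: false,
    canReadCriteria: kb.canReadCriteria.map(c =>
      c.allowsGuest ? { ...c, allowsGuest: false, anyAuthenticated: true } : c),
  };
}

// Constructed sample configurations mirroring the article's findings: one KB
// left public by default, one opened to guests through a broad criterion,
// one correctly restricted to a role.
const SAMPLE_KBS = [
  { name: 'IT Support FAQ', allowPublicByDefault: true, canReadCriteria: [] },
  { name: 'Internal Runbooks', allowPublicByDefault: false,
    canReadCriteria: [{ name: 'All users', roles: [], allowsGuest: true }] },
  { name: 'Security Procedures', allowPublicByDefault: false,
    canReadCriteria: [{ name: 'Security staff', roles: ['security_admin'], allowsGuest: false }] },
];

console.log('Exposed before hardening:', auditUnauthenticatedExposure(SAMPLE_KBS));
console.log('Exposed after hardening:', auditUnauthenticatedExposure(SAMPLE_KBS.map(hardenKb)));
```

Run as-is, the audit flags the first two KBs (one via the public-by-default property, one via the "All users" criterion) and nothing after hardening; the role-restricted KB is untouched in both passes. The point of the model is the split in `evaluateKbAccess`: an unauthenticated reader must hit an explicit opening, and the audit enumerates exactly those openings, which is what a recurring diagnostic on KB access controls should report.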

Keeping in contact with ServiceNow (as well as other SaaS providers responsible for hosting sensitive corporate data), and ensuring security updates and efforts are up to date, can help prevent data exposure, Costello added.
