1,000 instances of institutional knowledge bases (KBs) hosted by ServiceNow have been found to have exposed sensitive company data over the past year, despite data protection improvements the company put in place last year to avoid such incidents.
According to security research by SaaS security firm AppOmni, nearly 45% of all enterprise instances of ServiceNow databases were leaking sensitive data, including personally identifiable information (PII), internal system details, and active credentials/tokens to live production systems.
In the analysis, Aaron Costello, Head of SaaS Security Research at AppOmni, traced the vulnerabilities back to “outdated configurations and incorrect access controls in knowledge bases,” likely indicating “a systematic misunderstanding of knowledge base access controls or perhaps an accidental replication of weak controls in at least one instance into another instance through cloning,” he wrote.
In fact, in many cases the researchers found that organizations that have more than one instance of ServiceNow were consistently misconfiguring knowledge base access controls across each one.
ServiceNow is a cloud-based IT service management platform. Last year, the company rolled out security updates to its platform to prevent unauthorized users from accessing data, including improvements to default access control lists (ACLs). However, the improvements didn’t appear to have a significant impact on its knowledge bases, a “treasure trove of sensitive internal data” not meant for those outside the organization to see, Costello noted.
Why do leaks happen despite security improvements?
AppOmni disclosed its findings to ServiceNow, which worked with its customers to assess customer data leaks and “appropriately configure access to knowledge base articles,” Ben De Bont, ServiceNow’s chief information security officer, said in a statement published with AppOmni’s analysis.
“We are committed to protecting our customers’ data, and security researchers are important partners in our ongoing efforts to improve the security of our products,” said De Bont, who thanked Costello and AppOmni for not only identifying the vulnerability, but also delaying the release of the findings so ServiceNow could coordinate mitigation with customers.
As mentioned, ServiceNow made two major changes to data protection last year in an effort to improve the security of data hosted on its platform. One was the addition of properties to prevent certain UI elements from granting unauthenticated users access to data unless explicitly set to do so, while the second change was a new feature called security attributes, which are applied to most ACLs by default. They include specific checks to ensure that unauthenticated users are not allowed to access data.
Costello noted that these updates did not protect the data in knowledge bases for two reasons. The first is that the public tools that can be used to access the content of knowledge base articles did not receive the update. The second reason is that most knowledge bases are secured using a feature called user criteria rather than access control lists, “making it unnecessary to add the ‘UserIsAuthenticated’ security attribute since it is a feature exclusive to access control lists,” Costello noted.
While this may explain the issues found with ServiceNow’s knowledge base exposure, it doesn’t necessarily explain why organizations generally have a hard time securing knowledge bases. What Costello found in his research is that most organizations—60% of the cases he examined—keep the insecure knowledge base security feature “allowing public access by default,” Costello said.
Furthermore, many administrators are unaware that there are various criteria that grant access to unauthorized users in knowledge base configurations, allowing “external users to slip through the cracks and gain access,” Costello wrote.
How to mitigate knowledge base data exposure
In fact, ServiceNow isn’t the only hosting company to have problems with knowledge base data leaks, notes Roger Grimes, data-driven defense advocate at security awareness training firm KnowBe4. He says Microsoft has also had a similar problem with customer data leaks, “including full memory dumps, which were exposed in help desk-type data.”
However, pointing fingers at SaaS providers when security issues such as knowledge base data leaks arise will not help combat the problem, and organizations also need to take responsibility for the security of their knowledge bases.
“The truth is, we’re all learning how to best secure our data in this hyperconnected, always-on world,” he says. “Instead of blaming the vendor, let’s use this additional instance of this type of problem to examine our own policies and processes.”
Costello suggested ways organizations can do this, including running regular diagnostics on knowledge base access controls to keep security configurations up to date, and using business rules to deny unauthenticated access to knowledge base content by default.
He said they should also be aware of the security properties related to knowledge bases, which act as important security barriers that affect how access control is dictated when internal and external users attempt to access data.
Costello added that staying in touch with ServiceNow (as well as other SaaS providers responsible for hosting sensitive corporate data), and ensuring that security updates and efforts are up to date, can help prevent data exposure.