Here’s 10 ways to keep your ServiceNow instance secure in the era of cybersecurity and online threat actors.
1 | A01:2021 – Broken Access Control
What is it and how is it posing a security risk? Access control ensures system policies keep users from acting outside of their intended permissions. Failures in this area commonly lead to unauthorized data disclosure, modification, or destruction - or actions being performed by unauthorized users.
How to begin mitigating risk? Apply the principle of least privilege by practicing group/role-based user administration and authorization. Also, make use of the application/scope-specific admin-roles to practice the delegated development/administration best practice.
Make sure to make use of the just-in-time (JIT) principle by doing admin privilege elevation when possible, to only elevate admin-level permissions for specific purposes rather than permanently having admin-role assigned to the your ordinary domain user of the System Administrators.
What do I gain from this? Addressing this, you are effectively minimizing exposure to for instance, the Notable Common Weakness Enumeration (CWE) which is the CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - thus hardening your instance and making it more secure.
2 | A02:2021 – Cryptographic Failures
What is it and how is it posing a security risk? Cryptography allows your system to prevent data from being compromised, both in-transit and at-rest. What you are concerned with, when managing data security, is the CIA Triaging Principle, that states the three perspectives in data security; Confidentiality, Integrity and Accesibility. You need all three covered to have your data secured - if not, then you are at risk of suffering a data breach, for instance. Are your organization maybe processing Personal Identifiable Information (GDPR PII) then that data falls under new privacy legislation; the EU General Data Protection Regulation (GDPR), which makes it punishable by law to neglect security measures.
How to begin mitigating risk? Begin or continue hardening your integrations with in-transit data encryption, e.g. credentials, by considering planning your transition from any Basic Auth-enabled Microsoft SMTP/IMAP integrations you may have to a secure method – like OAuth.
Visit Email Accounts on your Now Platform and determine whether you need to plan this change now.
What do I gain from this? You get to continue integrations with the SMTP/IMAP protocols, as in this example. If you do not, your integration based on basic auth will cease to work when Microsoft deprecates support.
3 | A03:2021 – Injection
What is it and how is it posing a security risk? Any web application is in nature easily exposed to injection vulnerabilities, e.g. HTML- URL and SQL injections, which means an adversarial visitor to the application succeeds in submitting malicious code into input fields and/or address field and the application/server then processes and responds, against your intention. This might allow the adversary access to data or actions that he is not authorized for. This may have major consequences - and has, for many years, been a very attractive attack vector for hackers.
How to begin mitigating risk? Perform a basic check to validate that you are not allowing cross site scripting and HTML injection attacks through un-sanitized HTML input fields in your applications on your instance.
What do I gain from this? You take an important step towards hardening your HTML input fields to a point where no dangerous inoputs are allowed and your web forms are secured - and your data and application is also more secure.
4 | A04:2021 – Insecure Design
What is it and how is it posing a security risk? This covers isufficient security structures and measures in design and architecture of a web application and system. If not properly designed using development best practices and community learning from security incidents and hacks, this can have major consequences if successfully excploited by an adversary.
How to begin mitigating risk? Prevent any potential vulnerabilities by practicing due diligence in design and critical thinking and thorough triaging of business demands as well as user stories/technical designs – referring to the ServiceNow Security Best Practice Guide.
What do I gain from this? By neutralizing or limiting poor practices and sloppy security architecture you are keeping a secure, functional and vendor guidance complient Now Platform that has a significantly lower risk of suffering a hacking attempt.
5 | A05:2021 – Security Misconfiguration
What is it and how is it posing a security risk? The platform may be unnecessarily vulnerable to exploits if insufficient security properties have been set, too many unnecessary plugins and APIs are activated and opened, without the appropriate restrictive measures being taken. This category is about securing/hardening the platform via configuration options. If not done properly, native features, business logic and integration offerings may unintentionally become an attack vector.
How to begin mitigating risk? Address this category by applying recurring configuration reviews and security assessments of your Now Platform, using Instance Scans. Analyze and optimize in accordance with ServiceNow best practices and industry principles like Security by Design and Zero trust.
What do I gain from this? You prevent unintentionally activating features and functionality that opens up the potential attack surface to an adversary. And you keep your platform secure by running a “Tight Ship”.
6 | A06:2021 – Vulnerable and Outdated Components
What is it and how is it posing a security risk? This is about the risks that come with neglecting to inventory and monitor the patchlevel, released patches, vulnerability/exploit announcements and more of the used components of your solution and its dependencies, i.e. code libraries, APIs or java versions. If you do not map out and continuously keep yourselves informed of the development from the component vendor (release notes) and the security community (cve announcements) you may be risking letting vulnerabilities become exploitable.
How to begin mitigating risk? To address this and proactively mitigate any vulnerabilities associated with the use of outdated libraries and more, consider basing development efforts in general on your Now Platform on the guidance from the ServiceNow Secure Coding Guide.
What do I gain from this? This way, you stick to vendor best practices and make sure that your maintenance, administration and new developments on your platform are performed in accordance with ServiceNow recommendations. This will keep your instance secure.
7 | A07:2021 – Identification and Authentication Failures
What is it and how is it posing a security risk? This one is all about authentication and session management and how this is a major factor, obviously, when it comes to securing your platform and solution against unwanted visitors accessing or executing what they shouldn’t. As insecure or weak authentication mechanisms are very attractive attack vectors and can allow users access without authentication, this may pose a great risk to your solution.
How to begin mitigating risk? To address the most critical possible weaknesses do consider enabling Multi-Factor Authentication on all admin-role privileged user accounts. Also, reset all default passwords, especially on privileged user accounts.
Concerning login failures, you should verify your Lockout properties. Lookup glide.user.max_unlock_attempts and glide.user.unlock_timeout_in_mins on your Now Platform to configure how many unsuccessful login attempts you will allow and when user is locked out, how long time until user is unlocked again.
What do I gain from this? Well, addressing this and hardening your authentication procedures on your platform, keeps you more compliant with ServiceNow recommendations and the risk mitigation actions in the CWE-287: Improper Authentication, about password policies, MFA and more.
8 | A08:2021 – Software and Data Integrity Failures
What is it and how is it posing a security risk? Do you remember the SolarWinds SUNBURST hack in december 2020? The supply chain attack that had succesfully compromised SolarWinds update servers and its 500 customer networks, through an insecure software update procedure. Also Ukrainian tax software company MeDoc were a victim to a similar supply-chain attack that impacted their customers globally, in June 2017. These are examples of what you are risking when not taking measures to address software and data integrity risks, in due time.
How to begin mitigating risk? Where possible, consider introducing or formalizing internal code reviews of any third-party introductions and changes to the instance and its applications, to actively monitor and minimize risk in the field of supply chain attack vectors. And also, in regards to all automated system-managed updates and retrievals, do consider if it is possible to verify source and integrity of payload and signature to prevent supply-chain attacks from happening. Learn from these incidents and prevent you become a victim of the same kind of attacks.
What do I gain from this? Well, you gain the confidence that comes with a properly secured platform and solution that is hardened to a state where you are no longer an easy target to supply-chain hacks. You’ll also keep your organization off the newspicture, unlike SolarWinds and MeDoc.
9 | A09:2021 – Security Logging and Monitoring Failures
What is it and how is it posing a security risk? Everything around logging and monitoring of your platform, integrations and solutions in general - all preventive measures in place to detect security breaches. Failure to do so effectively results in running a compromised landscape of infrastructure which potentially jeopardize your customer and partner system as well. This is why it takes 200+ days in average for organizations to detect a breach, according to Blumira and IBM.
How to begin mitigating risk? Effectively detect and respond to any attempted breaches or attacks by introducing monitoring of your Now Platform security metrics by use of the Instance Security Center, incl. the “Failed logins”, “Email”, and “MFA Metrics” Reports. Also, review your platform and integrated systems and consider what needs to be logged and how to secure those logs - and most importantly; when and by whom are the logs reviewed?
What do I gain from this? By showing due diligence like this, you are following industry standard recommendations in regards to the measures an organization should take to mitigate risks of undetected breach or hack. Thais ways you have an honest chance of being alerted IF it happens - and WHEN it does happen, you are much better of when analyzing the incident in retrospect, with proper logs.
10 | A10:2021 – Server-Side Request Forgery (SSRF)
What is it and how is it posing a security risk? This is all about the risks in todays convenience features and integrations accelerating software developers and cloud architects in doing URL redirections, fetching URLs and more.
How to begin mitigating risk? Apply security controls to harden your instance and specifically, consider introducing another layer of validation by setting the glide.security.url.whitelist system property. This ensures that no externally provided URL, as part of an integration and redirection mechanism, is redirecting users to anything less that the URLS whitelisted.
Note: This may have an impact on Single Sign-On integrations.
What do I gain from this? By configuring the platform to be restrictive you make sure only the intended URLs are processed and only intended behavior is executed by your business logic thus keeping your instance more secure that if you didn’t.
These guidelines are based on the industry recognized web app security guideline.
Learn more here: OWASP Top 10:2021