Frequently Asked Questions
Indecium is about solutions. We are working to help every customer achieve the goals they have set out to achieve with Security, Governance, Compliance, Hosting and Auditing of your technology systems and your data. Presenting you with a single point product is not going to solve your overall technology need. We are partnered with the best of breed solutions to meet all of the major areas of requirement within your organization. Let us help you achieve a secure, compliant and virtually data secured operation.
Do you offer POC's?
Yes, contact us and we can get you setup with any of our partner products as a POC. We will work with you review the use cases and ensure that the product you evaluate will fit your organizations needs.
Are you able to support Global Operations?
Yes, We support organizations anywhere around the world. We currently provide support to customers in the North America, Latin America and the Middle East. Indecium is poised to offer services to your organization wherever you happen to need the support. Contact our sales team and we can discuss your regional needs.
Can you help us with the ServiceNow Access Control List misconfiguration?
Yes, Indecium is poised to assist you with the solutions provided by our partner AppOmni. The first step in this assistance is to perform a SaaS Security Evaluation right away.
What is the ServiceNow Access Control List (ACL) misconfiguration?
As part of the AO Labs team’s ongoing security research into the ServiceNow platform, AppOmni discovered external interfaces exposed to the public that may be utilized by a malicious actor to extract data from records. AppOmni’s analysis of ServiceNow instances showed that nearly 70% of tested instances are vulnerable to this misconfiguration, which could allow an unauthenticated user to extract sensitive data, including Personal Identifiable Information (PII).
How does the ServiceNow ACL misconfiguration happen?
There are many legitimate reasons why a company may use their SaaS platforms as a delivery vehicle for public content such as forums, online shops, customer support sites, and knowledge bases. SaaS platforms like ServiceNow are complex and highly configurable. Along with this incredible flexibility comes the ability to inadvertently expose data that isn’t intended to be shared. That makes it common for organizations to have system configurations that don’t match their business intent, such as over provisioning Guest users in this ServiceNow ACL misconfiguration. Customers are responsible for configuring their SaaS platforms and ACLs are commonly misconfigured.
How can I check if my ServiceNow instance has this ACL misconfiguration?
AppOmni, an Indecium Partner, has released a web application to evaluate ServiceNow instances for public data exposure through the ACL misconfiguration. You can request a SaaS Security Analyzer evaluation for your ServiceNow instance.
What type of information is requested in the evaluation?
The types of information requested are high confidence indicators of Personally Identifiable Information (PII), such as First Name, Last Name, email address, etc. but our evaluation for you will not receive the actual data. No data is collected or released in our evaluation with the SaaS Security Analyzer.
Why does this involve only a limited subset of possible data exposures?
The SaaS Security Analyzer is evaluating only one table out of the thousands commonly used in ServiceNow. This table, along with many others, contains Personally Identifiable Information (PII). The exposure of this data is not intentional and can have negative ramifications for both the organization and the individuals whose data is exposed. That’s one of the reasons our partners AO Labs conducts research like this: to educate organizations about potential misconfigurations and other security issues so they can take action. The SaaS Security Analyzer does not evaluate a complete ServiceNow instance — a more comprehensive evaluation is required to determine if data is at risk.
My portal uses 2FA so how would Indecium or the partner be able to access this information to evaluate?
Authentication isn’t a consideration when talking about this particular exposed external interface and misconfiguration. Since the Guest user does not need to authenticate to the ServiceNow instance, 2FA doesn’t provide any additional protection. With this misconfiguration, the external interface exposes data to anonymous users/the Internet — not to authenticated users.
My data is encrypted at rest. Would it still be exposed?
Yes. Vendor provided disk-level or database-level encryption does not prevent this category of data exposure. If either Edge or Column-Level Encryption (CLE) have been implemented for this particular resource, unauthenticated users will not be able to access data within restricted fields unless their role has been explicitly associated with the field’s encryption context.
What can I do to remediate the ServiceNow ACL misconfiguration?
Be aware: because there are valid reasons for the ACL configuration, disabling the setting as a “fix” is not recommended, as it could break functionality. AO Labs researchers have developed recommended steps ServiceNow administrators can take to remediate this ACL misconfiguration if it does not match their business intent.
Administrators should perform the following checks on a regular basis to ensure that access to sensitive information is not being provisioned to external unauthenticated users.
- Review ACLs that are absent of conditional and script based access evaluation, which have either no role, or the public role, assigned to them.
- Review User Criteria (UC) and the resources to which those criteria are granting access. In particular, focus on any UC in which the ‘Guest’ user is assigned to or contains the ‘public’ role. This includes the ‘Any User’ and ‘Guest’ built-in UCs.
- Review resources that can be directly assigned the ‘public’ role to grant access, or indirectly made accessible to the public through another mechanism (such as publishing a report).
- Review System Properties that may dictate access to records through a provided role or list of roles.
These instructions and another option to remediate this ACL misconfiguration can be found in the AO Labs technical paper: “AppOmni Research Discovers Major Security Misconfiguration Impacting ServiceNow and Other SaaS Instances. ”This document is available from the Indecium Website at this link: ServiceNow Misconfiguration Discovery
How can I avoid ServiceNow misconfigurations like this in the future?
Indecium's security experts recommend that the security or IT teams responsible for managing SaaS applications at their organization conduct regular evaluations of their SaaS environments. Having the appropriate Security tools in place will assist with this task. This is especially important to do when a SaaS platform releases an update, as changes could impact your security posture. The best way to avoid misconfigurations is to implement continuous monitoring of your SaaS ecosystem.
If you’re interested in learning more or have questions about the SaaS Security Analyzer or any other security, governance or compliance solutions, please email [email protected] and we’ll respond in a timely manner to answer questions or help you evaluate the partner solutions we offer.