Don’t Ignore Major Attack Surfaces Like Tenable and ServiceNow.
A scary stat we’ve heard for a few years now is that around 80% of data breaches involve compromised privileged credentials, according to the Forrester Wave for Privileged Identity Management, Q4 2018. Scarier is evidence that hackers are taking advantage of these uncertain times by ramping up their efforts with credential-based cyber-attacks, phishing, and ransomware. It's not business as usual.
More than ever before, organizations must now be laser-focused on business continuity by ensuring they have security controls in place to ENABLE the right users to do their jobs, while PREVENTING hackers from exploiting those privileged accounts for nefarious gains.
For this blog, I’m going to focus our conversation on one of many similar attack surfaces you may be ignoring - ServiceNow. Note that the same concerns and mitigations apply to other platforms, such as Tenable. If you don’t sufficiently protect these platforms, you risk your critical IT systems (Windows, Linux, and UNIX servers, as well as network devices) falling victim to a breach.
What We’re Potentially Overlooking
ServiceNow is a hugely popular platform for many organizations worldwide. In 2018, it accounted for over 51% of the global market for IT Service Management (ITSM) tools. One area of ServiceNow’s expertise - IT Operations Management (ITOM) - includes applications such as ServiceNow Discovery, ServiceNow Orchestration, and ServiceNow Service Mapping, which require highly-privileged system accounts in order to function. For example, ServiceNow Discovery helps IT maintain a thorough inventory of IT assets by scanning the network, then logging into servers to record system and configuration data such as CPU, disk, memory, applications, services, and ports.
To do this, it needs highly privileged accounts with enough rights to peek into areas that are not typically visible to regular user accounts. It obtains those credentials from another ServiceNow application - the ServiceNow Management, Instrumentation, and Discovery (MID) Server. This is where the potential risk lies, because admins manually configure static IDs and passwords in the MID Server itself. Anyone with enough rights can access this information, so it’s a vector that can ultimately lead to an attacker gaining access to the server(s) with which those credentials are associated.
The Right Tools for the Right Job
Thankfully, there’s a better way.
ServiceNow MID Server has a plugin framework that allows it to talk to third-party applications, services, and data stores. ServiceNow did this in part because - although very capable at ITSM and ITOM - they recognized that some tasks are better suited to specialized vendors. Thus, Centrify has developed an External Credential Store Plugin to the MID Server allowing organizations to store these credentials in the Centrify Privileged Access Service - a hardened vault with top-notch security and broad password management capabilities.
With Centrify in place, when ServiceNow Discovery (or any other ITOM application that talks to a ServiceNow MID Server) needs a credential, it asks the ServiceNow MID Server in the same way as before, but the ServiceNow MID Server can now fetch that password from the Centrify vault via the plugin. This all happens transparently to the ITOM app - there’s no change in its behavior or configuration.
Noteworthy benefits of this approach include better security and risk posture, improved IT efficiency, and stronger compliance.
In terms of security and risk, storing and replicating credentials in multiple ServiceNow MID Server instances represents a large attack surface. Put simply, every copy is another attack vector for hackers. Passwords are also visible and exposed to the ServiceNow admins who manually configure them. By moving these credentials out of ServiceNow and out of the ServiceNow admins’ hands, you reduce your attack surface and reduce your risk of compromise by external threat actors as well as insiders.
The vault itself is not simply a database. Layers of encryption, role-based access controls, workflow-based access request and approval, and multi-factor authentication (MFA) stand in the way of anyone attempting to compromise the vault and gain access to stored credentials.
You also benefit from built-in password management capabilities to further improve security and, via automation, greatly improve IT efficiency - capabilities you didn’t have when manually processing credentials in the ServiceNow MID Server. The vault now assumes sole management of the passwords. It can rotate them on a routine basis to reduce their lifetime, giving attackers a much smaller window of opportunity to crack them. Had these credentials remained static in the ServiceNow MID Server, every rotation would require administrators to revisit each one and manually update the password to prevent ITOM app failure during login attempts. Instead - no admin overhead at all. Password rotation is automatic, and the ServiceNow MID Server fetches the current password from the vault. No system availability issues and no panic requests for the help desk and IT to resolve outages.
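To make the difference between a static MID Server credential and a vault-backed one concrete, here is an added example; it is not Centrify’s or ServiceNow’s code, and every class name, the host name `srv01.example.internal`, the account `svc_discovery` and the passwords are constructed for illustration. It models both the transparent fetch-at-use described earlier (the ITOM app calls the same login function whatever the credential source is) and the rotation scenario just discussed: after the vault rotates the password, only the source that fetches at use time still logs in, and every vault retrieval leaves an audit entry.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ManagedHost:
    """A target system (e.g. a Linux server) that Discovery would log into.
    Constructed stand-in for the example; it only checks an account's password."""
    name: str
    _passwords: dict = field(default_factory=dict)

    def set_password(self, account: str, password: str) -> None:
        self._passwords[account] = password

    def login(self, account: str, password: str) -> bool:
        # compare_digest avoids leaking the stored password via timing differences
        stored = self._passwords.get(account)
        return stored is not None and secrets.compare_digest(stored, password)


class ToyVault:
    """Hypothetical minimal credential vault: central storage, an access log, and
    rotation that updates the managed host and the vault together. Not Centrify's API."""

    def __init__(self) -> None:
        self._secrets: dict[str, str] = {}
        self.access_log: list[tuple[str, str]] = []  # (requester, account)

    def store(self, account: str, password: str) -> None:
        self._secrets[account] = password

    def fetch(self, account: str, requester: str) -> str:
        # Every retrieval is recorded. In a real vault this is where RBAC, MFA
        # and approval workflow would gate the request before releasing the secret.
        self.access_log.append((requester, account))
        return self._secrets[account]

    def rotate(self, account: str, host: ManagedHost) -> None:
        # The vault owns the password lifecycle: generate a new random value,
        # change it on the target system, then replace the stored copy.
        new_password = secrets.token_urlsafe(24)
        host.set_password(account, new_password)
        self._secrets[account] = new_password


class StaticCredentialSource:
    """The pattern this post warns about: a password copied into the MID Server's
    own configuration. It is a snapshot that nobody updates after rotation."""

    def __init__(self, account: str, password: str) -> None:
        self._copy = {account: password}

    def get(self, account: str) -> str:
        return self._copy[account]


class VaultCredentialSource:
    """The external-credential-store pattern: nothing is cached locally; the
    current password is fetched from the vault at the moment it is needed."""

    def __init__(self, vault: ToyVault, requester: str) -> None:
        self._vault = vault
        self._requester = requester

    def get(self, account: str) -> str:
        return self._vault.fetch(account, self._requester)


def discovery_login(host: ManagedHost, account: str, source) -> bool:
    """What an ITOM app does through the MID Server: obtain a credential from
    whichever source is configured and try to log in. The app cannot tell which
    source was used, which is the 'transparent to the ITOM app' property."""
    return host.login(account, source.get(account))


def demo() -> dict:
    host = ManagedHost("srv01.example.internal")  # constructed host name
    account = "svc_discovery"                      # constructed service account
    initial_password = "Initial-P@ssw0rd"          # constructed seed password
    host.set_password(account, initial_password)

    vault = ToyVault()
    vault.store(account, initial_password)

    static = StaticCredentialSource(account, initial_password)
    dynamic = VaultCredentialSource(vault, requester="mid-server-01")

    before = (discovery_login(host, account, static),
              discovery_login(host, account, dynamic))

    vault.rotate(account, host)  # scheduled rotation: nobody touches the MID Server

    after = (discovery_login(host, account, static),
             discovery_login(host, account, dynamic))

    return {
        "before_rotation": before,   # (True, True): both work while the copy is fresh
        "after_rotation": after,     # (False, True): the static copy is now stale
        "vault_fetches": len(vault.access_log),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the outage scenario the post describes: the static copy authenticates until the first rotation and then fails, while the vault-backed source keeps working because it never held a copy. The access log is the other half of the security argument: with a static configuration there is no record of who read the password, whereas every vault fetch names the requesting MID Server.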
These extra security controls and password management capabilities can also help you better comply with regulations, industry standards, and authority advice that are now taking a much firmer stance on organizations protecting and managing access to privileged accounts.
Intrigued and Want to Explore Further?
If you’re an existing Centrify Privileged Access Service customer, this is as simple as downloading the External Credential Storage Plugin for ServiceNow jar file from the Centrify Support Downloads page, pushing it to your ServiceNow MID Server, and making a few configuration changes to tell it about your Centrify tenant.
If you’re new to Centrify, there’s a little extra effort to stand up a Centrify Privileged Access Service tenant. Unlike legacy on-premises vaults, however, this takes only around 20 minutes since it’s a SaaS service managed by Centrify. You can also sign up for a metered version of the service on AWS Marketplace, whereby you can manage the first 50 systems and associated accounts free of charge.