4 Replies - 250 Views - Last Post: 10 January 2020 - 08:31 AM

#1 Skydiver

Warning: Service Now can be used for password data mining...

Posted 10 January 2020 - 06:49 AM

I know some of the folks here work for companies that are big enough to afford and use Service Now. I'd like to warn you about SNOW's CMDB and its automatic horizontal discovery feature: Configuration file tracking

What happens is that if you have IIS, it sucks in all the web.*.config files that it can find in all the web applications and puts a copy of the file contents into Service Now's CMDB. So now any of your licensed Service Now users can search for "connectionStrings", and find the passwords for databases that you were so careful trying to keep secure by having layers and layers of security. Obviously, one way to avoid this issue is to have yet another layer of security to encrypt the config file or at least the sections of the config file which may contain sensitive information, but then doing that will kill CMDB's ability to track which applications are reliant on which databases.
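An audit a defender could run over IIS site roots to see which config files would expose credentials once copied into the CMDB, as an added example that is not part of the original post or any ServiceNow tooling. It flags `web.config` / `web.*.config` files whose `connectionStrings` section holds a plaintext password and recognizes sections that are already protected; the function names, sample files and scan root are assumptions.

```python
import fnmatch
import os
import xml.etree.ElementTree as ET

SECRET_KEYS = {"password", "pwd"}  # credential keywords in ADO.NET connection strings

def _local(tag):
    return tag.split("}")[-1]  # ignore an xmlns on older config files

def audit_config(xml_data):
    """Classify one config file; returns (status, names of exposed entries)."""
    root = ET.fromstring(xml_data)
    section = next((e for e in root if _local(e.tag) == "connectionStrings"), None)
    if section is None:
        return "clean", []
    # A protected section carries configProtectionProvider (EncryptedData inside).
    if section.get("configProtectionProvider"):
        return "encrypted", []
    exposed = []
    for add in (e for e in section if _local(e.tag) == "add"):
        parts = add.get("connectionString", "").split(";")
        pairs = (p.split("=", 1) for p in parts if "=" in p)
        if any(k.strip().lower() in SECRET_KEYS and v.strip() for k, v in pairs):
            exposed.append(add.get("name", "<unnamed>"))  # report the name, never the value
    return ("plaintext" if exposed else "clean"), exposed

def scan_tree(top):
    """Audit every web.config / web.*.config under a site root (path is an assumption)."""
    findings = {}
    for folder, _dirs, files in os.walk(top):
        for fn in files:
            low = fn.lower()
            if low == "web.config" or fnmatch.fnmatch(low, "web.*.config"):
                path = os.path.join(folder, fn)
                try:
                    with open(path, "rb") as fh:  # bytes: the XML parser handles BOM/encoding
                        findings[path] = audit_config(fh.read())
                except (OSError, ET.ParseError) as exc:
                    findings[path] = ("unreadable", [type(exc).__name__])
    return findings

# Constructed sample inputs, not taken from any real system.
SAMPLE_PLAIN = """<configuration><connectionStrings>
  <add name="OrdersDb" connectionString="Server=db01;Database=Orders;User Id=app;Password=EXAMPLE-ONLY;" />
  <add name="ReportsDb" connectionString="Server=db02;Database=Reports;Integrated Security=True;" />
</connectionStrings></configuration>"""
SAMPLE_ENCRYPTED = """<configuration><connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
</connectionStrings></configuration>"""
```

Entries reported as `plaintext` are the ones a CMDB text search for "connectionStrings" would reveal with their passwords; entries using integrated security are reported as `clean`.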


Replies To: Warning: Service Now can be used for password data mining...

#2 modi123_1

Re: Warning: Service Now can be used for password data mining...

Posted 10 January 2020 - 08:05 AM

Is this for some sort of code repo feature of SN?

#3 astonecipher

Re: Warning: Service Now can be used for password data mining...

Posted 10 January 2020 - 08:15 AM

I wonder if our cyber team is aware of this, or if, because we use SSO, it doesn't apply....

#4 Skydiver

Re: Warning: Service Now can be used for password data mining...

Posted 10 January 2020 - 08:22 AM

Sorry: CMDB == Configuration Management Database. It's the list of all servers, applications, software, etc. that would potentially be a "configuration item".

#5 modi123_1

Re: Warning: Service Now can be used for password data mining...

Posted 10 January 2020 - 08:31 AM

Aight.. I've just known them for support tickets. Wheew.