ServiceNow SecureCheck

Table of Contents
- What is SecureCheck?
- Recommended Prerequisites
- How to Import the SecureCheck Update Set
- How to Use SecureCheck
- Helpful Hints
- Security Center – Scanner
- SecureCheck Suite
- Scan Finding Type
- Additional Resources

What is SecureCheck?

SecureCheck is a suite of detections designed to enable instance administrators to detect misconfigurations that may impact the security posture of their instance. SecureCheck is provided as an update set, so customers can use it within Security Center. The update set serves as a seamless method of integrating pre-built checks that customers can run, review, and resolve.

Recommended Prerequisites

SecureCheck is designed to be used within Security Center; as such, if your instance is running on Utah, please ensure that Security Center is installed. To install Security Center, navigate to: All > System Applications > All Available Applications > All, search for "Security Center" and then click Install.
How to Import the SecureCheck Update Set

To import SecureCheck onto an instance, as an administrator:

1. Download the SecureCheck update set: SecureCheck
2. Navigate to the Retrieved Update Sets table (sys_remote_update_set_list.do).
3. Click Import Update Set from XML.
4. Click Choose File, select the SecureCheck Update Set XML file, and click Upload.
5. Once the SecureCheck update set has been retrieved, open the new K24 SecureCheck record and click the Preview Update Set UI Action button.
6. After the preview has completed, click the Commit Update Set UI Action button.

Once the update set has been imported and retrieved, the SecureCheck suite can be located by navigating to: All > Security Center > Scanner > Suites

How to Use SecureCheck

To use SecureCheck, as an administrator:

1. After the Update Set has been imported, navigate to Security Center and select the Scanner tab.
2. Select the Suites item from the left navigation of the Security Center Scanner tab.
3. Open the K24 SecureCheck scan suite.
4. Click Execute Suite Scan.
5. Once the scan is complete, click the Results item on the left navigation of the Security Center Scanner tab.
6. Select the most recent result from the K24 SecureCheck scanner suite and open the Scan Findings tab.
7. Review Scan Findings by clicking the Count value for the scan finding that you would like to open.

*Refer to the SecureCheck Suite section below for details on the type of each scan finding.

Helpful Hints

SecureCheck View

The SecureCheck update set includes a Form view that needs to be enabled. To enable this view:

1. Navigate to: All > Instance Scan > Findings
2. Open a scan finding by selecting a value in the Check Version column.
3. To enable the SecureCheck view, navigate to: Context Menu (on the top left side of the form) > View > SecureCheck View

*Once this has been completed, the view will be used in Security Center as well; this action only needs to be completed once.
Muting a Scan Finding

As configurations may be tailored to meet specific business needs, some findings may be raised for configurations that are intentional and aligned with business requirements. In these cases, after confirming that the configurations are implemented as intended, the unique scan finding can be muted to prevent future scan findings for the associated scan check. To mute a scan finding:

1. Obtain the sys_id of the scan finding within the Security Center Findings tab.
2. Navigate to the Scan Findings table to locate the specific scan finding via: "/nav_to.do?uri=scan_finding.do?sys_id={sys_id}"
3. To enable the SecureCheck view, navigate to: Context Menu (on the top left side of the form) > View > SecureCheck View
4. Click the Count value for the associated scan finding.
5. Select the Mute UI Action button located on the top right side of the form.

Grouping Results By Check

When reviewing results with many findings, grouping the results by Check can help consolidate the information you are looking at and allow you to more easily narrow in on the areas you'd like to focus on. To group results by Check:

1. After executing a scan and opening the results, click the context menu on the Check column.
2. Select "Group by Check".

Scheduling Recurring Scans

Scan Suites can be scheduled to execute on a regular cadence. To schedule a scan:

1. Navigate to: Security Center > Scanner > Suites
2. Select the Suite you would like to schedule.
3. Once the suite is opened, select "Schedule" and click "New".
4. Populate a Name for the scan, and select a frequency to run the scan. For example, Monthly on Day 1 at 02:00:00.
5. Save the record.

Security Center - Scanner

Within Security Center, customers can navigate to the Scanner tab of the application to review the configuration tools used to customize instance security scanning and to identify any potential misconfiguration findings within the instance.
ServiceNow's Security Center is powered by the Instance Scan tool. For more details regarding Security Center's Scanner tooling, please review the following product documentation: Security Center - Security Scanner

Instance Scan Overview

Instance Scan is a tool within the Now Platform that allows customers to identify potential instance health issues. The tool performs checks on an instance's current configurations and validates their state against best practices. Instance Scan is comprised of a variety of sub-tools that enable customers to perform specific inspections of the configurations within their instance. These sub-tools include suites, checks, results, and findings. To learn more about Instance Scan, please review the following product documentation: Instance Scan

Scan Suites

Scan suites are collections of scan checks used for instance scanning. Once a scan suite is executed, the instance is scanned against the criteria of each scan check. Scan suites can be scheduled to execute in advance or executed manually.

Scan Checks

Scan checks are rules that specify criteria which do not align with security best practices. Scan checks can run against tables, records, or metadata. Please note, scan checks cannot be run individually, as they can only be executed within a scan suite. However, customers have the ability to test scan checks for functionality before adding them to a scan suite.

Scan Results

Scan results report the status and type of scan executed. Within this section, you can review all the checks that ran as part of the scan and all other information related to the scan, such as errors and scan logs.

Scan Findings

When a scan suite is executed, scan findings may be generated if the instance does not meet the specific criteria of the suite's scan checks. Scan findings may differ between instances, as each instance may have unique configurations based on specific use cases.
If the criteria of a scan check are not met due to a business requirement, ServiceNow recommends that the scan finding be muted to avoid future scan findings for the specific check.

SecureCheck Suite

The following table outlines the checks within the SecureCheck Suite; please review it for the name, description, and scan finding type of each check.

Name of Check: Identify Out of Date Store Apps
Description: New versions of Store Applications may introduce fixes to security issues. To ensure you are running the most up-to-date security fixes, it is recommended to review and update store applications regularly.
Scan Finding Type: Resolution Recommended

Name of Check: Insecure GlideRecord Calls
Description: Scripts that are directly invokable by end-users (such as Client-Callable Script Includes, Widgets, Processors, REST Endpoints, etc.) should always respect ACLs and therefore either use GlideRecordSecure or GlideRecord in conjunction with canRead, canWrite, canCreate, canDelete.
Scan Finding Type: Resolution Recommended

Name of Check: Review Allowed JavaScript Libraries
Description: JavaScript Content Access Control is used to allow or deny specific third-party JavaScript libraries. For instances initially provisioned on Tokyo or later, this check can be ignored, as records on the associated table have "Deny" rules set out of the box. For instances initially provisioned prior to Tokyo, there may be "Allow" rules in the JavaScript Access Control tables. It is recommended that instance customizations be reviewed to ensure the library is not in use before blocking access. Please note that the [sys_js_content_provider_access_tracking] table can be reviewed to see the last date that the library was accessed.
Scan Finding Type: Resolution Recommended

Name of Check: Review Client Callable Script Includes with No Corresponding ACL
Description: Client Callable Script Includes that do not have a corresponding ACL will use the default ("*") Client Callable Script Include ACL. To ensure that only expected users can interact with the functionality provided, applying a corresponding ACL that defines the appropriate access criteria for your specific use cases is recommended.
Scan Finding Type: Resolution Recommended

Name of Check: Review Custom Tables with Record Producers and No Business Rule
Description: Record Producers that do not have additional server-side validation may allow users to submit unexpected data to the associated table. This check identifies custom tables with a Record Producer but without an associated Business Rule.
Scan Finding Type: Resolution Recommended

Name of Check: Review Empty ACLs
Description: This check flags ACL records where the ACL has no script, no condition, no security attribute, and no role (or the role is public).
Scan Finding Type: Resolution Recommended

Name of Check: Review Fields With HTML Sanitization Disabled
Description: HTML Sanitization is controlled using multiple configuration options within the instance. HTML Sanitization is enabled for HTML fields using the 'glide.html.sanitize_all_fields' and 'glide.translated_html.sanitize_all_fields' settings; however, individual fields can turn off sanitization. It is recommended that HTML fields where sanitization is disabled be reviewed to confirm whether this configuration is necessary.
Scan Finding Type: Resolution Recommended

Name of Check: Review Inactive Security Feature Plugins
Description: This check identifies plugins that are not activated and that provide additional, configurable security controls. Please note that the findings produced by this check are provided for informational purposes. Before enabling one of the identified plugins, please confirm that the plugin meets your use cases or requirements. If you do not have a use case for plugins identified by this check, please "mute" the findings.
Scan Finding Type: Inform

Name of Check: Review Large Allowed IP Address Ranges
Description: This check identifies IP Address Access Control Ranges that contain a large number of IP Addresses. Note that if you are seeing a large number of false positives, consider adjusting the largestExpectedCIDRBlock variable for your specific business needs. Additionally, please note that CIDR blocks contain more IP addresses as the prefix number decreases. For example, CIDR block size 8 (a /8) is larger (contains more IP addresses) than CIDR block size 16 (a /16).
Scan Finding Type: Review and Decide

Name of Check: Review Public GraphQL Schemas
Description: GraphQL Schemas are defined in the [sys_graphql_schema] table and can be configured to be available without authentication. Depending on the endpoint's functionality, this may allow unauthenticated users to perform unexpected actions or interact with unexpected data.
Scan Finding Type: Review and Decide

Name of Check: Review Public Knowledge Base Articles
Description: Knowledge Bases and Knowledge Base Articles can be configured to allow unauthenticated users to access Knowledge Base Articles. This check identifies public Knowledge Base Articles to be reviewed for confirmation that the current configuration aligns with your business needs.
Scan Finding Type: Review and Decide

Name of Check: Review Public Knowledge Bases
Description: Knowledge Bases and Knowledge Base Articles can be configured to allow unauthenticated users to access Knowledge Base Articles. This check identifies public Knowledge Bases to be reviewed for confirmation that the current configuration aligns with your business needs.
Scan Finding Type: Review and Decide

Name of Check: Review Public REST API Endpoints
Description: REST API Endpoints are defined in the [sys_ws_operation] table and can be configured to be available without authentication. Depending on the endpoint's functionality, this may allow unauthenticated users to perform unexpected actions or interact with unexpected data.
Scan Finding Type: Review and Decide

Name of Check: Review Public Service Portal Pages
Description: Service Portal pages [sp_page] can be made public by setting the "public" field to "true".
Scan Finding Type: Review and Decide

Name of Check: Review Public UI Pages
Description: UI Pages can be made available to unauthenticated users using the [sys_public] table.
Scan Finding Type: Review and Decide

Name of Check: Review Roles That Contain the 'admin' Role
Description: Any role that contains the 'admin' role grants users that are assigned that role 'admin' privileges. If this is an intentional configuration, this check can be muted.
Scan Finding Type: Review and Decide

Name of Check: Review UI Pages without Corresponding ACLs
Description: UI Pages that do not have a corresponding "UI Page" ACL will use the default "UI Page" ACL, which may grant access to unintended users.
Scan Finding Type: Resolution Recommended

Name of Check: Review Users with Valid Local Passwords
Description: Users with local passwords may interact with the instance via API using the local credentials even if local logins are disallowed. This is needed for integration users to function correctly. This check identifies users with locally set passwords; it is recommended that the listed users be reviewed to ensure that only intended users (e.g., integration accounts) can authenticate with local authentication.
Scan Finding Type: Review and Decide

Name of Check: Rotate Passwords Stored with Outdated Hashing Algorithms
Description: Passwords created in previous versions of the Now Platform may have used what is now considered a legacy or outdated hashing algorithm. User records created on old platform versions whose passwords have not been rotated may still have passwords stored with a legacy hashing algorithm.
Scan Finding Type: Resolution Recommended

Name of Check: Securing Record Producers
Description: If appropriate roles are not assigned to record producers, an unauthorized user can access them by directly navigating to the URL, thereby revealing unnecessary and sensitive information.
Scan Finding Type: Resolution Recommended

Name of Check: UI Action Visibility
Description: Checks whether the UI Action can be accessed by a user with no roles who does not have read access to the table.
Scan Finding Type: Resolution Recommended

Scan Finding Type

Please note, this column serves to aid customers in understanding and categorizing the nature of scan findings for each associated check. It provides clarity by defining three distinct categories for scan findings; please review the sections below for further information.

Resolution Recommended

Scan findings categorized as Resolution Recommended require immediate attention and remediation.
Scan findings under this category pose a significant risk to the integrity and security of the instance. To safeguard the overall security posture of the instance, ServiceNow recommends that these scan findings be prioritized.

Review and Decide

Scan findings categorized as Review and Decide require careful review, as they depend on specific business needs. ServiceNow recommends that customers review and consider whether modifications to address these scan findings align with their organization's context and objectives.

Inform

Scan findings categorized as Inform serve awareness and informational purposes. While they do not demand immediate action, ServiceNow recommends that customers review these findings to remain informed of potential areas of concern.

Additional Resources

To learn more about Instance Scan and how to implement custom instance scan checks, please review the following Now Learning courses:
- Introduction to ServiceNow HealthScan and Instance Scan
- CCL1062-K21 - Writing custom instance scan checks

For questions or assistance with configuring SecureCheck within your instance, please open a Case within NowSupport.