
Warning to ServiceNow admins: Block publicly obtainable KB articles

Another issue is that the overwhelming majority of employee-created ServiceNow Knowledge Base articles are secured using what ServiceNow calls User Criteria. This is a security property that denies access to KB articles by default unless a User Criteria record is set up that groups users to allow access. This capability was added in March 2020. However, Costello said, most enterprise ServiceNow instances have existed for much longer, so they still retain the previously insecure 'allow public access by default' value. This was the case for around 60% of the enterprise instances he analyzed. Even when this property is securely configured, he added, simply defining a 'Can Contribute' criterion on a KB will still allow unauthenticated users to read the articles within it.

In addition, the out-of-the-box User Criteria can be misleading to the untrained eye, Costello said. While there is an explicit 'Guest User' criterion for granting unauthenticated access, many administrators are unaware that other, less explicitly named criteria also grant access to unauthenticated users.

And more often than not, when a User Criteria is set, it is only set on the allow-list ('Can Read'), Costello said. The deny-list ('Cannot Read') is left empty as a result. Because of the complicated nature of User Criteria, this can allow external users to slip through the cracks and be granted access.
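The three failure modes above (legacy 'public by default' instances, 'Can Contribute' granting read, and allow-list-only criteria that quietly match guests) can be checked mechanically. The following is an added example, not code from the article or from ServiceNow: it models KB access for an unauthenticated user under the rules the article describes and audits a set of constructed KBs. The evaluation order (an explicit 'Cannot Read' match wins, then 'Can Read', then 'Can Contribute', then the instance-wide default) and the criterion names other than 'Guest User' are assumptions made for illustration, not ServiceNow's documented algorithm.

```python
"""Audit model for ServiceNow KB guest access (added example; rules and
evaluation order are assumptions based on the article, not ServiceNow code)."""
from dataclasses import dataclass, field


@dataclass
class Criterion:
    """A User Criteria record. matches_guest is True when the record's
    membership rules would be satisfied by an unauthenticated (guest) user."""
    name: str
    matches_guest: bool


@dataclass
class KnowledgeBase:
    name: str
    can_read: list = field(default_factory=list)        # allow-list
    cannot_read: list = field(default_factory=list)     # deny-list
    can_contribute: list = field(default_factory=list)  # write access


def guest_can_read(kb, public_by_default):
    """Return (readable, reason) for an unauthenticated user.

    Assumed order: deny-list first, then allow-list, then 'Can Contribute'
    (which the article says also grants read), then the instance default that
    applies only when no 'Can Read' criteria exist at all.
    """
    for c in kb.cannot_read:
        if c.matches_guest:
            return False, f"blocked by Cannot Read criterion '{c.name}'"
    for c in kb.can_read:
        if c.matches_guest:
            return True, f"allowed by Can Read criterion '{c.name}'"
    for c in kb.can_contribute:
        if c.matches_guest:
            return True, f"Can Contribute criterion '{c.name}' grants read"
    if not kb.can_read and public_by_default:
        return True, "no Can Read criteria and instance allows public access by default"
    return False, "denied by default"


def audit(kbs, public_by_default):
    """Map each KB name to its guest-readability verdict and reason."""
    return {kb.name: guest_can_read(kb, public_by_default) for kb in kbs}


# Constructed sample data. 'Guest User' is the explicit out-of-the-box
# criterion the article names; the others are hypothetical names chosen to
# show a less obviously named criterion that still matches guests.
GUEST = Criterion("Guest User", matches_guest=True)
ALL_USERS = Criterion("All Users (hypothetical)", matches_guest=True)
EMPLOYEES = Criterion("Employees (hypothetical)", matches_guest=False)

SAMPLE_KBS = [
    KnowledgeBase("legacy-no-criteria"),
    KnowledgeBase("contribute-only", can_contribute=[GUEST]),
    KnowledgeBase("allow-list-matches-guest", can_read=[ALL_USERS]),
    KnowledgeBase("allow-list-employees", can_read=[EMPLOYEES]),
    KnowledgeBase("deny-list-present", can_read=[ALL_USERS], cannot_read=[GUEST]),
]


def exposed_kbs(kbs, public_by_default):
    """Names of KBs an unauthenticated user could read, sorted."""
    return sorted(name for name, (ok, _) in audit(kbs, public_by_default).items() if ok)


if __name__ == "__main__":
    for setting in (True, False):
        print(f"public_by_default={setting}")
        for name, (ok, why) in audit(SAMPLE_KBS, setting).items():
            print(f"  {'EXPOSED' if ok else 'ok     '} {name}: {why}")
```

Running it with the instance-wide default set both ways shows that flipping the property closes only the legacy case; the 'Can Contribute' and loosely named allow-list cases stay exposed until a matching 'Cannot Read' criterion (or a tighter allow-list) is added.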
