Today, bots are monitoring life-support equipment, provisioning the utility grid, reconciling high-value trades, paying invoices, opening bank accounts, detecting money laundering transactions and filing health insurance claims. Can someone hijack your bot and make it do things it is not supposed to do? Can malicious users detect system vulnerabilities and steal data, or make the bot freeze critical equipment or even use bots as an entry point to your network for ransom ware?
No, this is not a scenario for sci-fi movies, nor is it science fiction anymore. It is reality.
Take the case of the wannacry ransomware attack earlier this year. It crippled operations of many businesses using the Microsoft Windows operating system, including critical organizations, such as hospitals, across several countries in the world. This is an example of how even the most advanced software development shops, (Microsoft, in this case), left holes for hackers to exploit.
Or take the case of the infamous Bangladesh Bank heist of 2016, where cybercriminals exploited the weakness in SWIFT global payment network to steal almost a billion dollars from the central bank of Bangladesh.
Bots are pieces of software performing critical tasks, and like any other software, they are vulnerable to threats, even if your perimeter is secure.
Process bots constantly interact with their environment to include other applications, which send and receive critical data and control APIs and connectors. This ecosystem is only as secure as the weakest link in the chain. Even if you follow the most advanced security process when developing the bot, the ecosystem may still expose it to vulnerabilities.
In the following incidents, hackers took advantage of the larger ecosystem to steal data. Cybercriminals entered the secured technology environment by exploiting vulnerabilities found in one of Target’s vendors and compromised credit card and debit card details of approximately 40 million Target customers. Similarly Lowe’s underwent a major security breach, which resulted in leaked information of its employees (including social security numbers) that was stored in an online database, provided by a third-party supplier.
Further, most process bots log into multiple systems using stored credentials; some process emails, chatbots provide customer service, others manage multiple process documents. If you do not follow advanced security specifications during development, vulnerability points left in the code can be exploited by hackers. So, how does one secure these bots from phishing or spear phishing? Digital social engineering targeting these process bots might very well define the next wave of cyber intrusion.
To ensure security process, bots needs to maintain the highest standards of cybersecurity by undergoing rigorous vulnerability assessment and penetration testing before deployment. Companies should also ensure that they have an integrated security alerts and reporting mechanism and monitor it throughout deployment.
Bots should be coded by following strict security principles such as specified by Systems Security Engineering Capability Maturity Model (ISO/IEC 21827) or Microsoft’s Trustworthy Computing Security Development Lifecycle. These protocols define security engineering processes that add a series of security-focused activities and deliverables to each phase for the development of software that needs to withstand security attacks.
It is essential that these activities are followed right through the development lifecycle. Coders must define the security features in the requirements phase, threat modelling for security risk identification during the bot design phase, use static analysis code-scanning tools and code reviews during implementation, and security focused testing (including Fuzz testing), during the testing phase.
Finally, during the release phase, a final security review should be conducted by a central team of security experts to ensure code integrity.
Identifying vulnerabilities goes a long way in preventing malicious code from exploiting these weaknesses and taking over the systems. Evaluation techniques, such as those specified in the International Common Criteria for Information Technology Security Evaluation, should be applied.
During a vulnerability assessment, ensure coders carry out an in-depth review to detect the weaknesses in the entire IT environment and not just the bots code and make use of NMAP (Network Mapper) and Metasploit tools.
Coders must carry out a simulated attack on the IT ecosystem to test its capability to resist planned attacks. At NTT DATA Services, when we carried out some penetration testing, some of the issues that emerged included:
- Secure configuration and hardening of critical devices
- Logical access control
- Password management
- Security patches management
- Application code security, such as SQL injection & Cross-site scripting (XSS)
Over the past several decades, each industry has developed a comprehensive set of security protocols for human operators that have been codified in regulatory policies such as HIPPA and SOX. With automation increasingly taking over the roles of these human operators, concerted effort is required to develop similar regulations for process bots.
In our next post, we will further define these Advanced Security Features, Vulnerability Assessment and Penetration Testing specific for process bots.
Know more about our Robotic Process Automation.
Discover our QAT services.