Robotic Process Automation is taking over mundane tasks in the workplace. But those bots may pose a serious security risk, according to researchers from the firm CyberArk.
Robotic Process Automation (RPA) may be the Holy Grail for enterprises these days, but all those bots pose a serious risk to enterprise security, according to research by the firm CyberArk.*
The (human) labor-saving “bots” are transforming the way companies manage routine tasks, but they also need identities, credentials and access to critical enterprise systems. That makes them a prime target for malicious actors, who could exploit RPA systems to gain privileged access to enterprise environments, Kevin Ross and Ben Derr of CyberArk warned at the company’s Impact event in Chicago on Wednesday.
Robotic process automation, sometimes referred to as “intelligent automation,” refers to technologies that let companies automate manual tasks. It is increasingly used for work like data collection and manipulation, and for initiating interactions with other processes and systems based on that data. Organizations have deployed RPA in human resources to scan, scrape and input candidate information from platforms like LinkedIn, and in accounting departments to automate the previously manual and tedious work of assembling and parsing data from multiple sources.
The technology can automate manual processes that took hours and reduce the time needed to complete them to minutes, said Derr, a Principal Solutions Engineer with CyberArk.
Getting a Pass on Passwords
Adoption of the technology within enterprises is growing rapidly, with RPA solutions offered by companies like BluePrism, Automation Anywhere and Pega Systems. Use of RPA, in some fashion, is expected to be nearly ubiquitous in companies within the next five years. But that adoption could pose a real security risk if organizations implement weaker identity and access control practices for bots than for their human workers, or simply extend poor security hygiene to robot and human workers alike.
By their nature, RPA systems typically require privileged credentials for the systems they interact with. But often those credentials are hard-coded into application scripts, reused across the bot account’s tasks and rarely changed, said Ross, a National Security Engineer at CyberArk. “(RPA) credentials are typically overprivileged. They may be used for 50 different tasks.” Also, because robot accounts typically interact with a range of third-party systems, it is often impossible to isolate them within the enterprise perimeter.
A Target for Account Takeovers
All that increases their risk. Attackers who compromise a bot account may gain privileged access to one or more of the critical applications the bot interacts with. Like human accounts, robot accounts can be taken over and used to impersonate the bot within trusted environments, allowing attackers to access sensitive data unnoticed or even to take part in phishing attacks on human users. As RPA gains adherents, RPA systems themselves become a rich target for would-be cyber attackers.
Planning for security is critical, the experts say. Companies should pursue Robotic Process Automation projects in a deliberate fashion, with the knowledge and support of the CIO and CSO. Rather than rushing into RPA adoption, organizations should take pains to consider security up front. Established security practices like “least privilege” should be applied and organizations need to isolate and monitor RPA accounts – especially those with administrative credentials, Ross and Derr told attendees.
Companies with RPA deployments need to focus on securing RPA consoles from attack and also make sure the credentials used by robots – which often fall beyond the purview of IT teams – are securely stored and managed in keeping with overall enterprise governance practices, the researchers said.
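The advice above to apply least privilege and to isolate and monitor bot accounts is easier to act on with a concrete check. What follows is an added example, not code from CyberArk, Security Ledger or any RPA vendor: it records the expected scope of each bot account (which systems it should touch, which RPA worker hosts it should run from, and when its jobs are scheduled) and flags audit events that stray outside that scope or perform actions a bot should never need. That is the shape an alert on an overprivileged or hijacked bot credential would take. The log line format, account names, hosts, application names and the scope table are all constructed for the example.

```python
"""Scope check for RPA bot accounts over audit log lines (illustrative).
Added example, not CyberArk's or any vendor's code. The log format, account
names, hosts, applications and scope table are constructed for this demo."""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Expected scope per bot account (constructed): the systems it has a business
# reason to touch, the RPA worker hosts it runs from, and its scheduled window.
# A least-privilege deployment keeps these sets small and specific.
SCOPE = {
    "svc_rpa_invoice": {
        "targets": {"erp", "ap-portal"},
        "hosts": {"rpa-worker-01", "rpa-worker-02"},
        "window": (time(1, 0), time(5, 0)),
    },
    "svc_rpa_hr_intake": {
        "targets": {"ats", "hris"},
        "hosts": {"rpa-worker-03"},
        "window": (time(6, 0), time(20, 0)),
    },
}

# Actions a bot should never need; seeing one from a bot account is a strong
# signal that the credential is overprivileged or has been taken over.
PRIVILEGED_ACTIONS = {"admin_login", "create_user", "grant_role"}

# Constructed audit line: "<ISO ts> user=<acct> host=<src> target=<app> action=<verb>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"target=(?P<target>\S+) action=(?P<action>\S+)$"
)


@dataclass
class Finding:
    ts: datetime
    user: str
    reasons: list


def parse_line(line):
    """Return an event dict for a well-formed line, or None if it can't be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def in_window(t, window):
    start, end = window
    return start <= t <= end  # scheduled windows here do not cross midnight


def check_event(ev):
    """List every way an event strays from its bot's scope; None for untracked users."""
    scope = SCOPE.get(ev["user"])
    if scope is None:
        return None
    reasons = []
    if ev["target"] not in scope["targets"]:
        reasons.append(f"target {ev['target']} outside declared scope")
    if ev["host"] not in scope["hosts"]:
        reasons.append(f"source host {ev['host']} is not an RPA worker")
    if not in_window(ev["ts"].time(), scope["window"]):
        reasons.append("activity outside scheduled window")
    if ev["action"] in PRIVILEGED_ACTIONS:
        reasons.append(f"privileged action {ev['action']} by a bot account")
    return reasons


def scan(lines):
    """Run the scope check over log lines and return one Finding per bad event."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = check_event(ev)
        if reasons:
            findings.append(Finding(ev["ts"], ev["user"], reasons))
    return findings


# Constructed sample log: two normal invoice-bot events, a bot credential used
# from a laptop in the afternoon, an invoice bot reaching into HR data, an HR
# bot granting a role, a human user (ignored), and a malformed line (skipped).
SAMPLE_LOG = """\
2019-07-17T02:15:00 user=svc_rpa_invoice host=rpa-worker-01 target=erp action=read
2019-07-17T02:16:30 user=svc_rpa_invoice host=rpa-worker-02 target=ap-portal action=write
2019-07-17T14:03:11 user=svc_rpa_invoice host=laptop-jsmith target=erp action=read
2019-07-17T03:10:00 user=svc_rpa_invoice host=rpa-worker-01 target=hris action=read
2019-07-17T09:00:00 user=svc_rpa_hr_intake host=rpa-worker-03 target=hris action=grant_role
2019-07-17T09:05:00 user=jsmith host=laptop-jsmith target=erp action=read
garbage line that does not match the format
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f.ts.isoformat(), f.user, "; ".join(f.reasons))
```

Running it on the constructed log produces three findings: the invoice bot’s credential used from a laptop outside its window, the invoice bot reading an HR system it has no business with, and the HR bot performing a role grant. The scope table is the least-privilege statement for each bot written down; the check only works if that table is kept as narrow as the bot’s actual tasks, which is the point Ross made about credentials shared across dozens of tasks.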
(*) Disclosure: Security Ledger’s coverage of Impact 2019 was sponsored by CyberArk. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.