Alright, I think we need a thread to talk about how everyone is hardening and securing CommitCRM. Here's a list of concerns out of the gate that our team is aware of and working to mitigate (some we have solutions for, others we do not).
Hopefully some of you have already come up with solutions to these that we can share and talk about openly:
-------------------------------------
Securing database and raw files - BIGGEST RISK
-------------------------------------
Anyone with access to CommitCRM inherently has access to all account information, emails, documents, and database files which are unencrypted. So the moment I give my low-level office staff access to CommitCRM they have access to everything. If their account is compromised, a bad actor has everything within minutes.
Before a user can even login to CommitCRM they have access to everything by virtue of access to the SMB share.
We've done what we can here but if there's something specific that can be done to fully mitigate this we would love to hear it. Perhaps CommitCRM could release a CommitCRM Hardening Best Practices Wiki that outlined all of this.
-------------------------------------
Web Hardening
-------------------------------------
The new changes to account lockout are a start, we monitor the event logs for failed logins BUT we need alerts on failed logins across the entire ecosystem and we need 2FA even on the Desktop app side of things.
Also, account login auditing is huge and would be amazing to have right inside CommitCRM so we could track when users login, what IP they are logging in from, etc.
-------------------------------------
2FA/MFA
-------------------------------------
The 2FA system only allows codes to be sent to the email address of the account. We need additional, more secure options, like App/Yubikey/SMS.
-------------------------------------
Account Restrictions
-------------------------------------
We need the ability to filter access to data once a user gets into CommitCRM. For example if we have a team member only working on one region we need the ability to limit their access to certain types of data (Structured Notes, Tickets, etc.) to only that region or group of clients. For example keeping residential/SOHO techs out of sensitive Managed Client account information.
-------------------------------------
Management Level Statuses
-------------------------------------
This goes along with the silly notion that we cannot have more/less Primary Statuses, but if we could, it would be really useful to be able to have certain Status/Categories for tickets that limited access only to certain people. So a certain team could have a Status of tickets that no one else in the company had access to for example.
-------------------------------------
Auditing & Logging
-------------------------------------
We need better account action auditing/logging in general. I would like to know every time a user logs in, what IP they logged in from, etc. from right inside CommitCRM.
-------------------------------------
Data In Motion Encryption
-------------------------------------
No real documentation on this, but we don't believe that all data in motion is encrypted between the CommitCRM Client and the Desktop application.
-------------------------------------
Forced Password Changes, Complexity Requirements & Rotations
-------------------------------------
Not huge on password rotations with 2FA but we don't have that on the Desktop client so it would make sense to have some ability to force password complexity (length mainly), previous password use prevention and the ability to reset a password and force a new one on next login.
-------------------------------------
WHAT ARE WE MISSING?
-------------------------------------
It's important to all providers here that we are doing the very best we can to protect our organizations as well as our clients' data with everything we do. CommitCRM is an important tool so securing it to the best of our ability is our duty.
Help share information with vulnerabilities you see and how you're mitigating them.
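The failed-login alerting and per-IP login tracking asked for above, as an added example that is not part of the original post or of CommitCRM itself: a sliding-window detector over constructed records shaped like Windows Security failed-logon events, which flags repeated failures for one account from one source IP and one source IP failing against several accounts. The field names, thresholds and window sizes are assumptions to adapt to whatever your log collector emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Windows Security failed-logon events
# (Event ID 4625: TargetUserName, IpAddress, TimeCreated). Not real log data.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T07:30:00", "user": "jsmith", "ip": "10.0.0.15"},  # stale, outside window
    {"time": "2024-03-01T08:00:05", "user": "jsmith", "ip": "10.0.0.15"},
    {"time": "2024-03-01T08:00:30", "user": "jsmith", "ip": "10.0.0.15"},
    {"time": "2024-03-01T08:01:00", "user": "jsmith", "ip": "10.0.0.15"},
    {"time": "2024-03-01T08:01:20", "user": "jsmith", "ip": "10.0.0.15"},
    {"time": "2024-03-01T08:02:00", "user": "jsmith", "ip": "10.0.0.15"},
    {"time": "2024-03-01T08:10:00", "user": "ajones", "ip": "10.0.0.22"},  # a single typo, not an attack
    {"time": "2024-03-01T09:00:00", "user": "bob", "ip": "203.0.113.9"},   # one IP, many accounts
    {"time": "2024-03-01T09:01:00", "user": "carol", "ip": "203.0.113.9"},
    {"time": "2024-03-01T09:02:00", "user": "dave", "ip": "203.0.113.9"},
]

def windowed_alerts(events, key_of, window, trigger):
    # Group events by key_of(ev), then slide a time window over each group; the first
    # window for which trigger(slice) returns a dict becomes that key's single alert.
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as strings
        groups[key_of(ev)].append(ev)
    alerts = []
    for key, evs in groups.items():
        start = 0
        for end, ev in enumerate(evs):
            # Drop events older than `window` relative to the current one.
            while datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(evs[start]["time"]) > window:
                start += 1
            hit = trigger(evs[start:end + 1])
            if hit:
                alerts.append({"key": key, "first": evs[start]["time"], "last": ev["time"], **hit})
                break  # one alert per key is enough; the SIEM can correlate the rest
    return alerts

def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)):
    # Brute force on one account: a (user, source IP) pair fails `threshold` times inside `window`.
    return windowed_alerts(events, lambda e: (e["user"], e["ip"]), window,
                           lambda s: {"count": len(s)} if len(s) >= threshold else None)

def password_spray_alerts(events, min_users=3, window=timedelta(minutes=30)):
    # Spray across accounts: one source IP fails against `min_users` distinct users inside `window`.
    def trig(s):
        users = sorted({e["user"] for e in s})
        return {"users": users} if len(users) >= min_users else None
    return windowed_alerts(events, lambda e: e["ip"], window, trig)
```

The stale 07:30 failure shows why the window matters: jsmith has six failures on record but only five inside ten minutes, so a threshold of six stays quiet while five fires.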