Understanding the Risk of Robotic Process Automation

Author: Larry G. Wlosinski, CISA, CISM, CRISC, CDPSE, CISSP, CCSP, CAP, PMP, CBCP, CIPM, CDP, ITIL v3
Date Published: 17 May 2023
Related: RPA Is Evolving but Risk Still Exists

My motivation for writing an article on robotic process automation (RPA) came from an information security assessment I was doing for a customer. As I reviewed the system (which had been acquired from a vendor), it occurred to me that it had the characteristics of a malicious botnet command and control tool, but it was used internally to ensure that software scripts were continuously running.

I consider myself a white hat warrior, but I realized that this product came from a progressive thinker who could market it to both commercial businesses and black hat actors. To that end, the originator/developer of this RPA product could be labeled a gray hat because they could market software products to good businesses and bad/criminal enterprises.

My concern with RPA products used by businesses is that they contain software scripts that run at an administrator level and can access many parts (i.e., components and systems) of the organization’s IT infrastructure. If malicious scripts were inserted into an RPA and deceptively labeled, they could affect the organization (and even personal privacy) for a long period of time. The scripts could be used to extract, modify and delete data, plant malicious software (i.e., bots) on many types of devices without customer knowledge, and cover their tracks by deleting their activities from system log files. They could even delete, corrupt and encrypt backup files. And the RPA product itself could contain hidden or disguised malware, possibly labeled as templates or examples.

To prevent these events, it is essential to review vendor-provided scripts and test the system in a contained environment before deploying it into production. In addition, deep-dive audits of the old and new scripts should be conducted on a regular basis, so that any script that was added or altered since the last review is examined before it runs again with administrator privileges. Verifying backups on a frequent schedule is another practice that can prevent catastrophes such as a ransomware event.
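One practical way to support the recurring script audit described above is to record an approved baseline of the RPA script library after review and, on every audit cycle, compare the live library against it so that only scripts that were added, changed or removed need deep-dive attention. The following is an added example written for this page, not code from the article or from any RPA vendor; the script paths and contents are constructed samples, and the `load_scripts` helper and its file suffixes are assumptions about where a library keeps its scripts.

```python
"""Baseline-and-diff audit for an RPA script library (added example, not from the article)."""
from __future__ import annotations

import hashlib
from pathlib import Path


def fingerprint(content: bytes) -> str:
    """SHA-256 of a script body; a changed hash means the reviewed script is no longer what runs."""
    return hashlib.sha256(content).hexdigest()


def build_manifest(scripts: dict[str, bytes]) -> dict[str, str]:
    """Map each script path to its hash. Store this after review as the approved baseline."""
    return {path: fingerprint(body) for path, body in sorted(scripts.items())}


def audit(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the live script set against the approved baseline.
    Anything added, modified or removed is what the deep-dive audit must look at first."""
    now = build_manifest(current)
    return {
        "added": sorted(p for p in now if p not in baseline),
        "modified": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in now),
    }


def needs_review(report: dict[str, list[str]]) -> bool:
    """True when the live library drifted from the baseline in any way."""
    return any(report.values())


def load_scripts(root: Path, suffixes=(".ps1", ".py", ".vbs")) -> dict[str, bytes]:
    """Read every script under root (relative path -> bytes) for a real run. Assumed layout."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in suffixes}


# Constructed sample: the library as approved, then the same library after an unreviewed
# file appeared under "templates" and one approved script gained an extra line.
APPROVED = {
    "invoices/post_ledger.ps1": b"# approved: posts the daily invoice batch\n",
    "hr/onboard.py": b"# approved: creates accounts for new hires\n",
}
LIVE = {
    "invoices/post_ledger.ps1": b"# approved: posts the daily invoice batch\n# line added after review\n",
    "hr/onboard.py": b"# approved: creates accounts for new hires\n",
    "templates/example_cleanup.ps1": b"# unreviewed script dropped in as a 'template'\n",
}

if __name__ == "__main__":
    for kind, paths in audit(build_manifest(APPROVED), LIVE).items():
        print(f"{kind}: {paths}")
```

In production the baseline manifest is written to a location the RPA service account cannot modify, and the audit runs from a separate, non-RPA host so a compromised script cannot rewrite its own approval.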

RPA is used in myriad business applications, including financial environments, retail operations, utility enterprises and many other common settings. It is helpful to understand the benefits, functions, features, problem areas and risks associated with RPA products, as well as the defensive measures and safeguards available.

Editor’s note: For further insights on this topic, read Larry Wlosinski’s recent Journal article, “RPA Is Evolving but Risk Still Exists,” ISACA Journal, volume 2, 2023.
