Soon, it’s summer holiday, and your brain gets a long-awaited opportunity to finally erase some cognitive overload. After a few weeks, you return to your desk. Oh gosh, I forgot my password! Better call the help desk to restore it. But what if a cyber crook poses as you, steals your credentials and intrudes systems as you?
By nature, help desks are supposed to be helpful. Unfortunately, cyber criminals utilize this to their benefit.
Just think of a help desk employee who receives a constant flow of calls, emails and tickets from wide geographies and at odd hours. Closing open requests is the primary KPI of work performance. Under such circumstances, falling into a clever social engineering trap is not a far-fetched risk.
How can we mitigate help desk related risks, or at least limit them significantly? Let’s focus on one issue only to make the discussion crystal clear: password resetting through an anonymous help desk.
What do I mean by “anonymous” help desks? This: when a help desk receives a call, it does not know who is calling. Vice versa, the caller doesn’t know the person at the help desk.
The problem here is obvious: impersonating someone is easy. How to authenticate (pdf) the user calling to request a password reset? Well, of course, the help desk always asks a few questions to identify the caller somehow. But the information asked is often easy to source by an imposter. Password reset questions are often more useful for a password bypass than to authenticate a user reliably.
Probably, most help desks have security policies that should be enforced to verify users. But policies may be too weak, or help desk employees may be tempted to skip them to meet KPIs.
What options do we have to improve cyber security?
1. Training help desk employees
Constant training of help desk employees is essential to recognize social engineering attacks. Keep the staffers alert of new tricks by courses, role playing, workshops, gamification and occasional penetration testing. However, training needs to be supplemented by other actions.
2. SMS or automated phone calls
Verification of callers may be done by SMS or automated phone calls. But there’s a weakness here, too: it is possible for a highly motivated attacker to obtain access to someone’s SMS traffic. If that happens, the solution fails.
3. Call handling technology
It is a must in all help desks to utilize call handling and monitoring technology that displays all phone numbers. One powerful solution to authenticate users can be voice recognition technology combined with call recording. By user consent, each user’s voice can be pre-recorded, and automatically compared during a call to verify the user. Voice recognition is prone to spoofing, though.
4. A trusted introducer
A rare solution is to establish a trusted introducer policy for the help desk. Authentication requires a second person to also get in touch with the help desk to confirm the identity of the user with a password reset request. Each user could present a shortlist of introducers, and upon a request, the help desk would contact them automatically in a preset order. Only after someone responds, the request process begins. The weakness: the second person’s identity can be compromised, too.
5. No password resetting over the phone
A very useful solution is to completely deny the possibility to request password resets over the phone. There are ways to perform a password reset from a Windows login screen through the IAM system. This is offered by Tieto, and is becoming an accepted practice, first and foremost due to reasons of security and user experience.
6. Multifactor digitalized tools to validate users
In the market, there are fully digitalized tools available to validate the user by multifactor authentication, to verify user accounts, to manage user identities, to send codes to mobile phones, and to utilize additional identity service layers for high security accounts. Specific attention needs to be paid to the second factor’s security in two-factor authentication.
Whatever risk mitigation you choose, you need balancing to avoid weaknesses and to avoid making the solution too hard to use. There’s no simple and straightforward solution to offer, but it may be smart to combine soft and hard methods. Monitoring help desk operations security policies and their implementation is essential.
We must consider help desks as a critical front line of cyber security. They are our first point of contact to fix IT-related issues. Unfortunately, they are also the first target for social engineering criminals.
At Tieto, we offer our customers secure help desk operations as a service as well as consultancy to improve help desk security. Let us make this human line of defence tougher – together!
Do you want to know more about securing your business in Finland? Get in touch with me.