The shift to remote work has created new priorities and an increased workload for IT. Business continuity was the immediate priority, which meant setting-up VPNs and shipping new equipment, while ensuring that access was as secure as possible. Now, in a state of normalization, IT departments are fine-tuning the work from home processes, and policies, such as access control.
An IDG research study on the impact of COVID-19 found that 40% of IT decision-makers expect their budgets to remain the same, while 35% said that they expect a decrease. This means that IT leaders need to focus on all of the above, while improving cost control and operational efficiency.
In order to achieve success in this new paradigm, IT departments need to identify areas where they can proactively cut costs and increase user efficiency, while maximizing security through quick wins and high-impact projects. A key area to evaluate is the IT service desk. A good start would be identifying common issues that have historically driven service desk calls and how they are being addressed today. This article highlights common issues at the service desk, including the security gaps that can be resolved quickly.
Expired Passwords and Locally Cached Credentials
Password reset calls pre-COVID were the top service desk call driver. This reality remains unchanged, and in fact, many organizations have seen an increase in such calls driven by expired passwords and locally cached credentials.
Many organizations still use periodic password expirations. While it is widely believed that the practice can lead to poor password practices, it is still a requirement by a number of compliance bodies. If you are one of those organizations, users that are off-network will not receive password expiry notifications. As such, when a password eventually expires, users will not be able to connect to the VPN as it relies on the expired password for authentication.
Even with a password reset solution in place that can notify users of an upcoming password expiration, when a user resets their password remotely, the locally cached credential can still become out-of-sync with the new password resulting in a lockout. In both cases, the IT service desk will have to get involved. This not only increases costs but also creates a security gap as the service desk lacks secure user verification. So, what can you do?
- Standard bodies such as NIST and NCSC propose removing password expiration altogether and instead recommend forcing a password change when a leaked password is detected. This is not only not an option for compliance regulated organizations, but can leave organizations exposed for too long as it is estimated to take 207 days to identify a breach. A better approach is to implement smarter and stronger password policies that can reward users with less frequent password changes based on the length/strength of their password in addition to having the ability to block the use of leaked, weak or compromised passwords
- Notify users of upcoming password expiry. This is a viable option for those that cannot set passwords to never expire. You will need to notify users to change their passwords prior to expiration, while connected to a VPN
- Implement a self-service password reset solution that can update the locally cached credentials. This is the optimal approach to freeing up IT resources by removing this high-volume call from the IT service desk
Device Encryption and User Lockouts
With encrypted devices on the rise, to ensure that users can work both remotely and securely, it is no surprise that encryption related lockout calls are on the rise.
There are many solutions that authenticate users to decrypt the device. However, given that 90% of organizations utilize Active Directory, and since Microsoft Bitlocker is provided for free, we’ll concentrate on this example.
Microsoft Bitlocker Recovery Mode can be triggered by various things depending on how Bitlocker is configured. Methods include relying on TPM only, or using TPM with the use of a Pin or USB – all of which can trigger lockouts e.g. forgotten PIN, lost USB, adding or removing hardware and more.
When a user is faced with the Bitlocker Recovery Mode screen, often the only way to regain access is to call the IT service desk. These calls can be time consuming as the recovery keys are 25-digit strings which are awkward to read and hear over the phone. Often organizations will use other encryption solutions for the management and recovery of those keys. Relying on a third-party solution for self-service key recovery is a better way to go, however keep in mind the following two important considerations:
- The self-service key recovery method needs to be accessible remotely. This is a limitation with many systems
- The solution needs to enforce secure user verification before providing the user the recovery key. Often solutions rely on insecure security questions
How Can Specops Help?
Deflecting high volume/high risk calls from an overwhelmed call center is essential to business continuity, security and IT operational efficiency. Specops Software is offering a few solutions to get ahead of the problem with tools that enforce stronger password policies, notify users to update passwords or allow them to reset their own passwords successfully, whether or not connected to a local DC. In terms of encryption lockouts, Specops also offers a self-service key recovery solution that is accessible from anywhere and shares the same robust multi-factor authentication platform as the self-service password reset solution. The shared MFA means that user enrollments can be used to secure these two-high risk use cases. Contact Specops to learn more.
