Social Engineering and the IT Service Desk

The COVID-19 pandemic has provided a perfect opportunity for many types of social engineering attacks. It is not surprising that 2020 saw a spike in breaches. With users working remotely, attackers are taking advantage of the lack of in-person user verification and/or the lack of secure user verification mechanisms. In August 2020, the FBI along with the CISA issued a warning regarding remote users being targeted by attackers spoofing organizations’ business numbers and impersonating the IT service desk. The service desk has also been a popular target for attackers, due to the fact that they often times lack the appropriate security polices and tools to properly verify users’ identities.

In the wake of the pandemic, IT departments had to seemingly overnight ensure that all workers could access corporate resources remotely and securely. This shift created a spike in customer support calls. In fact, a study by Inside Intercom found that close to 50% of support teams reported a 51% increase in inbound calls since the outbreak. A significant percentage of these calls are password reset related, providing attackers with ample opportunity to easily take over accounts. 

To prevent these types of attacks, IT departments should consider:

  • Enforcing and tracking secure user verification at the IT service desk
  • Removing high volume calls from the IT service desk

Enforce and Track Secure User Verification

In a survey conducted earlier in 2020, Specops Software asked over 130 organizations if they were verifying users’ identities when calling the service desk. The good news is that 65% answered that they were. The bad news, however, is that the majority of them rely on knowledge-based authentication (KBA), which is essentially questions and answers. The answers are based on static information pulled from Active Directory or HR systems such as employee ID or manager name. 

The issue with KBA is that attackers can easily source this information. Standard bodies recognize this security gap, in fact NIST’s Digital Identity Guidelines, SP800-63 B section 8.2, recommends to “Avoid use of authenticators that present a risk of social engineering of third parties such as customer service agents.” The use of questions and answers to verify users’ identities has long been recognized as insecure. Organizations still relying on this method in light of the fact that attackers have access to so much user data should really consider more secure alternatives especially within high risk use cases.

This is just one side of the coin. Another important consideration is user verification enforcement and the ability to track that it is being done. This was identified as a challenge by the survey respondents. Although a large percentage said that they do have a security policy in place that calls for user verification at the IT service desk, there was no way to enforce or track that this was being done.

Remove High Volume/High Risk Calls

According to analyst firms Gartner Group and Forrester Research, between 20%-50% of help desk calls are related to password resets, and a single password reset call can cost about $70. These calls are not only taxing to IT support teams, they are a significant cost driver and leave the IT service desk susceptible to fake password reset calls. 

Investing in a self-service password reset solution can be a quick win. Typically, solutions can be implemented in a few short months allowing organizations to realize the benefits quickly. However, not all solutions are equal. When evaluating solutions consider:

  • The user authentication methods supported. It’s a win if the solution supports commercial forms of authentication that may already be in use
  • Types of enrollment options, for example, can users be pre-enrolled or forced to enroll?
  • Ease of use and access; for instance, can remote users successfully reset their passwords while off VPN?

Uplift Security with Specops

Password resets, whether being done via self-service or at the IT service desk, are a popular entry point for attackers. Having a security strategy that secures this use case across these two access points is the optimal approach, however, organizations can start by either deflecting calls with a self-service password reset solution or the other way around by securing user verification at the IT service desk.

Specops’ robust authentication platform supports self-service password recovery in addition to providing the IT service desk with a more secure means of verifying user identities. The shared MFA means that user enrollments can be used to secure these two high risk use cases.

Contact Specops to learn more.

Brought to You by

What’s Hot on Infosecurity Magazine?