Nearly half (48%) of organizations do not have a user verification policy in place for password reset calls to IT service desks, according to a new Specops Software survey, which highlights social engineering vulnerabilities among IT service help desks. The information was uncovered as part of Specops Software’s survey of more than 200 IT leaders from the private and public sectors in North America and Europe.  

In addition, the survey found that 28% of the companies that do have a user verification policy in place are not satisfied with their current policy because of security and usability issues. A user verification (or authentication) policy defines how the identity of a user requesting access to a network or computing resource is confirmed before the request is acted on.

Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions, explains, "It's often hard to reconcile both a service desk mindset where one is trying to be as helpful as possible to a person needing assistance and a security mindset where one needs to be skeptical and wary of a person's intentions. This can create cognitive dissonance and a culture clash.

"Nevertheless, because the IT service desk often serves as a major point of entry for both attackers and legitimate users, an organization can bolster its security posture and reinforce a security culture by leveraging the service desk in the following ways:

  1. Communicate the importance of security as a part of the service desk experience so that legitimate users are primed to be patient in the event that immediate assistance is delayed because service desk personnel need to follow strict procedures.
  2. Institute guardrails that limit or prohibit the disclosure of any information that can be used by an attacker.
  3. Turn service desk personnel into a human sensor grid, giving them easy ways to report suspicious activities or patterns. "Tune" the antennas of the service desk personnel occasionally with the latest threat actor techniques and tactics for social engineering."

Most of these companies rely on knowledge-based questions built on static Active Directory information, such as an employee ID or a manager's name, or even HR data like the employee's date of birth or address – data that an attacker can easily source from breach dumps, social media, or a pretext call, the Specops survey reveals. In fact, the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (SP 800-63B) recommend against using knowledge-based questions as an authenticator because of their weak security.

Sean Cordero, Security Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, agrees. He says, "For some organizations, the desired outcomes expected from a service desk can trump the needs of security teams as the motivations of each group can be at odds. For example, service desks measure the speed and effectiveness with which they resolve calls."

Cordero adds, "Service desks incentivize closing a problem as quickly as possible and measure it through first-call resolution metrics. If this, along with flimsy authentication of the requester, is in place, the service desk can become a prime target for social engineering attacks that exploit these process issues. However, this measurement does not take into account how the service desk resolved a call. In access control requests, a long-standing problem has been 'fixing' rights issues by adding the requester to a group or groups, which may lead to excessive rights if the rights structure is unclear, difficult to navigate, or lacks a process for validating the request. Setting expectations for the caller into the service desk, so they know what will be required of them before they are helped, can smooth out the support process for both sides, especially when paired with methods and technologies that make the approval and verification of access requests quick and trackable."

Cordero offers a few, initial steps organizations can take to shore up service desk security:

  • Separate administrative accounts and standard accounts for all service desk team members. In some organizations, the service desk professionals have access to elevated rights. Ensure that each service desk agent is required to authenticate separately before using an account with elevated rights.
  • Clean up privileged security groups and ensure ownership and a process to validate the addition of new members that is well documented and agreed upon company-wide.
  • Use multi-factor authentication for all accounts with elevated privileges.
  • Include the service desk team in incident response plans and tests.
  • For all remote control software in use by service desk agents, ensure authorization to control sessions requires real-time, mutual approval.
  • Ensure the service desk has multiple methods of validating a caller and their request. This additional authentication can include a different, non-organizational email address that is already on record, a mobile number, and processes and technology to force mutual authentication of both sides of the discussion.

He adds, "A company’s security culture plays a large part in mitigating the risks associated with some service desk services, such as requiring additional levels of authentication before being eligible for service desk help. In this example, the awareness training could provide a heads up to service desk customers calling in as to what to expect and what they will need to provide before receiving help from the service desk team."

Without a secure verification policy in place, service desk agents can hand account access to unauthorized users without even knowing it – exposing businesses to an increased risk of costly security breaches. According to Matt Klein, Cyber Executive Advisor at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services, two reasons stand out as to why the IT service desk is one of the largest risks to an organization's security posture.

"One, social engineering has been and continues to be on the rise. Attackers may use a variety of tactics to trick a service desk team member into divulging information to enable an attack on an organization. And two, internal communications between various IT teams, the information security team and the service desk are often ad hoc. Communications about system updates, changes to security policy and the technology stack and the latest threats are crucial to helping the service desk spot and understand how best to address something that makes their 'Spidey sense' tingle," Klein explains.

Because an organization's service desk team members likely have access to information that would allow an attacker to log in, team members must be trained to spot a social engineering attempt, Klein notes. "An obvious first step is to ensure that those service desk members regularly participate in the organization's phishing training. Additional enhanced training about current phishing and social engineering attacks in the wild can help shore up the service desk attack vector. Further, active learning activities that include role playing with internal security resources and social engineering as part of a third-party comprehensive penetration test can help service desk team members identify and respond appropriately to attacks."

Klein adds, "From an operational angle, an organization can ensure the service desk has enterprise tools to perform their duties to log calls and document and escalate suspicious activity. One process to adopt for end user calls related to authentication, e.g., password reset, is to call the user back on a phone number documented within an internal system. This will reduce the risk of an attacker spoofing an end user's phone number and attempting a social engineering attack."
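The verification flow the two advisors describe above (Cordero's "multiple methods of validating a caller" using contact details already on record, and Klein's callback to a number documented internally) can be written down as a small desk-side workflow. The following is an added example, not code from the article or from Specops, Netenrich or Coalfire. It refuses the static knowledge-based checks the survey found most desks still use, dials back the number on file rather than the one the caller gives, sends a one-time code to the caller's registered non-organizational contact, and logs every step on the ticket so the security team can review it. The directory records, ticket IDs, five-minute code lifetime and the `send_code` delivery hook are all constructed assumptions for the example.

```python
"""Password-reset caller verification for a service desk (added example).

Constructed for illustration: the directory, ticket numbers and the
out-of-band delivery hook are assumptions, not any vendor's product.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    username: str
    callback_phone: str   # number on file; never taken from the caller
    oob_contact: str      # registered non-organizational email or mobile


@dataclass
class ResetTicket:
    ticket_id: str
    username: str
    caller_claimed_phone: str
    events: list = field(default_factory=list)   # audit trail for the security team
    verified: bool = False


# Constructed directory; in production this is the HR/IdP system of record.
DIRECTORY = {
    "asmith": UserRecord("asmith", "+15550100", "a.smith.personal@example.net"),
    "jdoe":   UserRecord("jdoe",   "+15550199", "+15550299"),
}

# Static attributes the article (and NIST SP 800-63B) say not to rely on.
REJECTED_FACTORS = {"employee_id", "manager_name", "date_of_birth", "home_address"}


class VerificationDesk:
    def __init__(self, send_code, clock=time.time, ttl_seconds=300):
        self._send_code = send_code   # hook: deliver the code out of band
        self._clock = clock           # injectable for testing expiry
        self._ttl = ttl_seconds
        self._pending = {}            # ticket_id -> (code, expires_at)

    def open_ticket(self, ticket_id, username, caller_claimed_phone):
        ticket = ResetTicket(ticket_id, username, caller_claimed_phone)
        ticket.events.append("opened")
        return ticket

    def attempt_knowledge_based(self, ticket, factor):
        """Reject static KBA outright and record that it was tried."""
        if factor not in REJECTED_FACTORS:
            raise ValueError(f"unknown factor {factor!r}")
        ticket.events.append(f"kba_rejected:{factor}")
        return False

    def callback_number(self, ticket):
        """Number the agent must dial: the record on file, not the caller's.
        A mismatch is logged but not fatal (people change phones); the
        out-of-band code below is the deciding control."""
        rec = DIRECTORY.get(ticket.username)
        if rec is None:
            ticket.events.append("unknown_user")
            return None
        if rec.callback_phone != ticket.caller_claimed_phone:
            ticket.events.append("caller_phone_mismatch")
        ticket.events.append(f"callback:{rec.callback_phone}")
        return rec.callback_phone

    def send_oob_code(self, ticket):
        """Send a fresh 6-digit code to the registered out-of-band contact."""
        rec = DIRECTORY.get(ticket.username)
        if rec is None:
            ticket.events.append("unknown_user")
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[ticket.ticket_id] = (code, self._clock() + self._ttl)
        self._send_code(rec.oob_contact, code)
        ticket.events.append(f"oob_code_sent:{rec.oob_contact}")
        return True

    def confirm_code(self, ticket, code_read_back):
        """Compare the code the caller reads back; one attempt per code."""
        entry = self._pending.pop(ticket.ticket_id, None)
        if entry is None:
            ticket.events.append("no_pending_code")
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            ticket.events.append("oob_code_expired")
            return False
        ok = hmac.compare_digest(expected, code_read_back)   # constant-time compare
        ticket.events.append("verified" if ok else "oob_code_mismatch")
        ticket.verified = ok
        return ok


if __name__ == "__main__":
    # Stand-alone demo: the delivery hook just prints, so the agent can see it.
    desk = VerificationDesk(lambda contact, code: print(f"[oob] {contact}: {code}"))
    t = desk.open_ticket("INC-1", "asmith", "+15550100")
    desk.attempt_knowledge_based(t, "date_of_birth")
    print("dial:", desk.callback_number(t))
    desk.send_oob_code(t)
    print("events:", t.events)
```

The ticket's `events` list is the part worth keeping: it gives the security team the "who tried to answer with a date of birth" and "caller's number did not match the record" signals that Yu's "human sensor grid" depends on, without relying on the agent to remember to report them.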

While organizations can and should offer training to their service desk, they must also provide the necessary tools and automation, says John Morgan, CEO at Confluera, a Palo Alto, Calif.-based provider of cloud cybersecurity detection and response. "Regardless of service desk size and resources, most organizations do not have the resources to chase down all possible cyberattack possibilities. Nor can they manually look for patterns in incoming service tickets to make sense of issues being reported. They need automation tools to guide them in the right direction to investigate issues that are only part of a larger cyberattack. Such automation also helps the service desk identify any attacks that may be launched specifically to target them, which many bad actors would consider a top prize."
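As an added illustration of the kind of pattern search Morgan says a desk cannot do by hand, the script below scans a ticket export for three signals that are invisible to the agent handling any single call: one caller number asking for resets on several different accounts in a short window, repeated failed verifications against one account, and any reset request aimed at a privileged account. This is example code, not Confluera's product or anything from the article; the ticket records, the four-hour window, the thresholds and the privileged-user set are all constructed assumptions.

```python
"""Pattern detection over service desk reset tickets (added example).

The ticket export, window, thresholds and privileged-user set are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: (ticket_id, timestamp, caller_number, target_user, outcome)
TICKETS = [
    ("INC-101", "2024-03-04T09:02:00", "+15550111", "asmith", "verified"),
    ("INC-102", "2024-03-04T09:15:00", "+15550111", "bjones", "failed_verification"),
    ("INC-103", "2024-03-04T09:40:00", "+15550111", "cdavis", "failed_verification"),
    ("INC-104", "2024-03-04T10:05:00", "+15550222", "jdoe",   "verified"),
    ("INC-105", "2024-03-04T11:20:00", "+15550333", "jdoe",   "failed_verification"),
    ("INC-106", "2024-03-04T11:45:00", "+15550444", "jdoe",   "failed_verification"),
    ("INC-107", "2024-03-05T08:10:00", "+15550555", "ekhan",  "verified"),
]

PRIVILEGED_USERS = {"jdoe"}        # assumed: e.g. members of an admin group
WINDOW = timedelta(hours=4)
MULTI_TARGET_THRESHOLD = 3         # distinct accounts from one caller within WINDOW
FAILED_THRESHOLD = 2               # failed verifications against one account within WINDOW


def _parse(tickets):
    rows = [(tid, datetime.fromisoformat(ts), caller, user, outcome)
            for tid, ts, caller, user, outcome in tickets]
    return sorted(rows, key=lambda r: r[1])


def _largest_window(rows, key_fn, keep=lambda r: True):
    """For each key, the largest run of matching rows that fits in one WINDOW
    (sliding window over time-sorted rows)."""
    by_key = defaultdict(list)
    for r in rows:
        if keep(r):
            by_key[key_fn(r)].append(r)
    best = {}
    for key, group in by_key.items():
        start = 0
        for end in range(len(group)):
            while group[end][1] - group[start][1] > WINDOW:
                start += 1
            window = group[start:end + 1]
            if len(window) > len(best.get(key, [])):
                best[key] = window
    return best


def detect(tickets):
    """Return findings as (kind, subject, related_parties, ticket_ids)."""
    rows = _parse(tickets)
    findings = []

    # 1. One caller number, many distinct target accounts in a short window.
    for caller, window in _largest_window(rows, key_fn=lambda r: r[2]).items():
        targets = {r[3] for r in window}
        if len(targets) >= MULTI_TARGET_THRESHOLD:
            findings.append(("multi_target_caller", caller, sorted(targets),
                             [r[0] for r in window]))

    # 2. Repeated failed verifications against one account.
    failed = _largest_window(rows, key_fn=lambda r: r[3],
                             keep=lambda r: r[4] == "failed_verification")
    for user, window in failed.items():
        if len(window) >= FAILED_THRESHOLD:
            findings.append(("repeated_failed_verification", user,
                             sorted({r[2] for r in window}), [r[0] for r in window]))

    # 3. Any reset request for a privileged account is worth a second look.
    for r in rows:
        if r[3] in PRIVILEGED_USERS:
            findings.append(("privileged_target", r[3], [r[2]], [r[0]]))

    return findings


if __name__ == "__main__":
    for kind, subject, parties, tids in detect(TICKETS):
        print(f"{kind:30} {subject:12} {parties} {tids}")
```

On the constructed data this flags the caller at +15550111 for working through three accounts in under an hour, flags `jdoe` for two failed verifications from different numbers, and lists every reset request against `jdoe` as a privileged target. In practice the outcome field comes from the ticketing tool, and the first two rules are the ones that matter: each individual call in those groups looked ordinary to the agent who took it.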