48% of businesses don't use a user verification policy for password reset calls to IT service desks

June 10, 2021

Nearly half (48%) of organizations do not have a user verification policy in place for password reset calls to IT service desks, according to a new Specops Software survey, which highlights social engineering vulnerabilities at IT service help desks. The information was uncovered as part of Specops Software’s survey of more than 200 IT leaders from the private and public sectors in North America and Europe.

In addition, the survey found that 28% of the companies that do have a user verification policy in place are not satisfied with their current policy due to security and usability issues. A user verification or authentication policy is the process of verifying the identity of a user attempting to gain access to a network or computing resource.

Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions, explains, "It's often hard to reconcile both a service desk mindset where one is trying to be as helpful as possible to a person needing assistance and a security mindset where one needs to be skeptical and wary of a person's intentions. This can create cognitive dissonance and a culture clash.

"Nevertheless, because the IT service desk often serves as a major point of entry for both attackers and legitimate users, an organization can bolster its security posture and reinforce a security culture by leveraging the service desk in the following ways:

  1. Communicate the importance of security as a part of the service desk experience so that legitimate users are primed to be patient in the event that immediate assistance may be delayed due to service desk personnel needing to follow strict procedures.
  2. Institute guardrails that limit or prohibit the disclosure of any information that can be used by an attacker.
  3. Turn service desk personnel into a human sensor grid, giving them easy ways to report suspicious activities or patterns. "Tune" the antennas of the service desk personnel occasionally with the latest threat actor techniques and tactics for social engineering."

Most of these companies rely on knowledge-based questions using static Active Directory information, such as an employee ID, a manager’s name, or even HR-based information like the employee’s date of birth or address, data that can easily be sourced by attackers, the Specops survey reveals. In fact, the National Institute of Standards and Technology (NIST) recommends against using knowledge-based questions because of their lack of security.

Sean Cordero, Security Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, agrees. He says, "For some organizations, the desired outcomes expected from a service desk can trump the needs of security teams as the motivations of each group can be at odds. For example, service desks measure the speed and effectiveness with which they resolve calls."

Cordero adds, "Service desks incentivize closing a problem as quickly as possible and measure it through first-call resolution metrics. If this, along with flimsy authentication of the requester, is in place, the service desk can become a prime target for social engineering attacks that exploit these process issues. However, this measurement does not take into account how the service desk resolved a call. In access control requests, a long-standing problem has been “fixing” rights issues by adding the requester to a group or groups, which may lead to excessive rights if the rights structure is unclear, difficult to navigate, or lacks a process for validating the request. Setting expectations on the caller into the service desk, so they know what will be required of them before the caller is helped, can smooth out the support process for both sides and, when paired with methods and technologies to make the approval and verification of access requests quick and trackable."

Cordero offers a few initial steps organizations can take to shore up service desk security:

  • Separate administrative accounts and standard accounts for all service desk team members. In some organizations, the service desk professionals have access to elevated rights. Ensure that each service desk agent is required to authenticate separately before using an account with elevated rights.
  • Clean up privileged security groups and ensure ownership and a process to validate the addition of new members that is well documented and agreed upon company-wide.
  • Use multi-factor authentication for all accounts with elevated privileges.
  • Include the service desk team in incident response plans and tests.
  • For all remote control software in use by service desk agents, ensure authorization to control sessions requires real-time, mutual approval.
  • Ensure the service desk has multiple methods of validating a caller and their request. This additional authentication can include a different, non-organizational email address that is already on record, a mobile number, and processes and technology to force mutual authentication of both sides of the discussion.

He adds, "A company’s security culture plays a large part in mitigating the risks associated with some service desk services, such as requiring additional levels of authentication before being eligible for service desk help. In this example, the awareness training could provide a heads up to service desk customers calling in as to what to expect and what they will need to provide before receiving help from the service desk team."

Without a secure verification policy in place, service desk agents can provide account access to unauthorized users without even knowing it, exposing businesses to an increased risk of costly cybersecurity breaches. According to Matt Klein, Cyber Executive Advisor at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services, two reasons stand out as to why the IT service desk is one of the largest risks to an organization's security posture.

"One, social engineering has been and continues to be on the rise. Attackers may use a variety of tactics to trick a service desk team member into divulging information to enable an attack on an organization. And two, internal communications between various IT teams, the information security team and the service desk are often ad hoc. Communications about system updates, changes to security policy and the technology stack and the latest threats are crucial to helping the service desk spot and understand how best to address something that makes their "Spidey sense" tingle," Klein explains.

Because an organization's service desk team members likely have access to information that would allow an attacker to log in, team members must be trained to spot a social engineering attempt, Klein notes. "An obvious first step is to ensure that those service desk members regularly participate in the organization's phishing training. Additional enhanced training about current phishing and social engineering attacks in the wild can help shore up the service desk attack vector. Further, active learning activities that include role playing with internal security resources and social engineering as part of a third-party comprehensive penetration test can help service desk team members identify and respond appropriately to attacks."

Klein adds, "From an operational angle, an organization can ensure the service desk has enterprise tools to perform their duties to log calls and document and escalate suspicious activity. One process to adopt for end user calls related to authentication (e.g., password reset) is to call the user back on a phone number documented within an internal system. This will reduce the risk of an attacker spoofing an end user's phone number and attempting a social engineering attack."
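As an added illustration (not code from the article, Specops, or any of the quoted companies), the following Python sketch models the reset-verification controls Cordero and Klein describe: the agent must call back the number already on record rather than one the caller supplies, the caller must relay a short-lived one-time code sent to a non-organizational address on record, knowledge-based answers from static directory data carry no weight on their own, and every decision produces audit reasons for escalation. The user records, phone numbers and the 300-second code lifetime are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300  # assumed lifetime of the out-of-band code

# Constructed directory of record (stand-in for HR/IAM data the caller
# cannot change through the service desk). Values are illustrative only.
USERS_OF_RECORD = {
    "jdoe": {"phone": "+1-555-0100", "personal_email": "jdoe@example.net"},
}


@dataclass
class ResetRequest:
    username: str
    knowledge_questions_passed: bool = False  # recorded, but never sufficient
    callback_number_used: Optional[str] = None  # number the agent actually dialled
    code_issued_at: Optional[float] = None
    code_sent: Optional[str] = None
    code_relayed: Optional[str] = None  # what the caller read back to the agent


def issue_code(req: ResetRequest, now: float) -> str:
    """Generate the one-time code destined for the personal address on record (delivery omitted)."""
    req.code_sent = f"{secrets.randbelow(10**6):06d}"
    req.code_issued_at = now
    return req.code_sent


def decide(req: ResetRequest, now: float):
    """Return (approved, audit_reasons); fails closed if any control is missing."""
    reasons = []
    rec = USERS_OF_RECORD.get(req.username)
    if rec is None:
        return False, ["unknown user"]
    # Control 1: call back the number of record, never a caller-supplied one.
    if req.callback_number_used != rec["phone"]:
        reasons.append("callback not made to number of record")
    # Control 2: unexpired out-of-band code, compared in constant time.
    if req.code_sent is None or req.code_issued_at is None:
        reasons.append("no out-of-band code issued")
    elif now - req.code_issued_at > CODE_TTL_SECONDS:
        reasons.append("out-of-band code expired")
    elif not hmac.compare_digest(req.code_sent, req.code_relayed or ""):
        reasons.append("out-of-band code mismatch")
    # Static AD facts (employee ID, manager, DOB) never rescue a failed check.
    if req.knowledge_questions_passed and reasons:
        reasons.append("knowledge-based answers alone do not satisfy policy")
    return (not reasons), reasons or ["all controls satisfied"]
```

The audit reasons are what an agent would attach to the ticket when escalating a refused request, which is the "document and escalate suspicious activity" step Klein calls for.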

While organizations can and should offer training to their service desk, they must also provide them the necessary tools and automation, says John Morgan, CEO at Confluera, a Palo Alto, Calif.-based provider of cloud cybersecurity detection and response. "Regardless of service desk size and resources, most organizations do not have the resources to chase down all possible cyberattack possibilities. Nor can they manually look for patterns in incoming service tickets to make sense of issues being reported. They need automation tools to guide them in the right direction to investigate issues that are only part of a larger cyberattack. Such automation also benefits the service desk to identify any attacks that may be launched to specifically target them, which many bad actors would consider a top prize."
