An integral part of any company is the IT help desk. While some people have horror stories from working with help desks in the past, they play a very important role in your overall security program. They are often the targets of sophisticated social engineering attacks and, as such, need to have strong processes in place and undergo regular training to enforce good behaviors.
The human aspect of any company is always one of the weakest links when it comes to a company’s security posture. This isn’t a knock on your employees; behavioral problems are just notoriously hard to solve because there’s no quick fix or technical solution. Any IT support team can be used as part of a social engineering campaign to infiltrate your company.
As part of many of our social engineering campaigns, we attempt things such as getting the help desk to reset a password without validating identity, provide sensitive information, and so on. Unfortunately, these attempts tend to have a very high success rate. Today, we will explore some tips to help improve your organization’s help desk security and ultimately make your organization more secure.
Use a Best Practice Method for Validating Caller Identity
You would be surprised by how many support teams we have interacted with in the past that did not require a single piece of identifying information prior to performing a password reset, MFA reset, or revealing sensitive information. A typical scenario might look like this:
- User submits credentials to a spoofed login portal during a phishing campaign
- Triaxiom engineer is now greeted by an MFA prompt for email and/or VPN when trying to log in
- Triaxiom engineer calls the support desk, impersonating the user, and requests a temporary token for MFA or to register a new MFA device
- Support desk obliges without blinking an eye
By requiring some sort of identification, such as an employee ID, a push notification to a registered phone number on file, or the last 4 digits of the SSN, you could drastically decrease the likelihood of this attack working. Utilizing personal information can be a challenge in some scenarios, but you can come up with some unique solutions if necessary. Anything is better than nothing, and doing something simple will suffice in most scenarios.
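To make the difference concrete, here is an added example (not Triaxiom's code, and not taken from any real help desk tool) that models the two flows side by side: the "obliges without blinking an eye" reset from the scenario above, and a reset that requires an employee ID match plus a push confirmation sent to the phone number already on file, never to a number the caller offers. The employee directory, the `PushChannel` stub standing in for an MFA vendor's push API, the `MAX_FAILURES` escalation threshold and every name and phone number are constructed for this example.

```python
"""Help desk caller-verification gate (added example, not Triaxiom's code)."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass(frozen=True)
class Employee:
    username: str
    employee_id: str
    registered_phone: str  # number on file; never taken from the caller


# Constructed directory; a real deployment would query the HR system or IdP.
DIRECTORY = {
    "jdoe": Employee("jdoe", "E-10422", "+1-555-0100"),
    "asmith": Employee("asmith", "E-20877", "+1-555-0177"),
}

# Assumed policy: after this many failed verifications the request must be
# escalated to a supervisor instead of retried over the phone.
MAX_FAILURES = 3


@dataclass
class PushChannel:
    """Stand-in for an MFA vendor's push API. `decisions` maps phone -> answer."""
    decisions: dict
    sent: list = field(default_factory=list)

    def confirm(self, phone: str, prompt: str) -> bool:
        self.sent.append((phone, prompt))
        # No answer is treated as a decline, not as consent.
        return self.decisions.get(phone, False)


@dataclass
class HelpDesk:
    push: PushChannel
    audit: list = field(default_factory=list)   # every decision is recorded
    failures: dict = field(default_factory=dict)

    def _log(self, username: str, approved: bool, reason: str) -> dict:
        entry = {"user": username, "approved": approved, "reason": reason}
        self.audit.append(entry)
        return entry

    def _fail(self, username: str, reason: str) -> dict:
        self.failures[username] = self.failures.get(username, 0) + 1
        return self._log(username, False, reason)

    def weak_mfa_reset(self, username: str) -> dict:
        """The scenario above: whoever claims to be the user gets a token."""
        entry = self._log(username, True, "no verification performed")
        return {**entry, "token": secrets.token_urlsafe(16)}

    def verified_mfa_reset(self, username: str, claimed_employee_id: str) -> dict:
        """Require an ID match and an out-of-band approval before issuing a token."""
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return self._log(username, False, "escalate: too many failed verifications")
        emp = DIRECTORY.get(username)
        # Same reason for unknown user and wrong ID, so the caller cannot enumerate accounts.
        if emp is None or not hmac.compare_digest(
            emp.employee_id.encode(), claimed_employee_id.encode()
        ):
            return self._fail(username, "employee ID did not match")
        # Out-of-band check goes to the number on file, not one the caller supplies.
        prompt = f"Help desk is resetting MFA for {username}. Approve?"
        if not self.push.confirm(emp.registered_phone, prompt):
            return self._fail(username, "registered device declined or did not respond")
        self.failures.pop(username, None)
        entry = self._log(username, True, "ID matched and registered device approved")
        return {**entry, "token": secrets.token_urlsafe(16)}


if __name__ == "__main__":
    # Constructed run: jdoe approves the push, asmith declines it.
    desk = HelpDesk(PushChannel({"+1-555-0100": True, "+1-555-0177": False}))
    print(desk.weak_mfa_reset("jdoe"))
    print(desk.verified_mfa_reset("jdoe", "E-10422"))
    print(desk.verified_mfa_reset("asmith", "E-20877"))
```

The point a reviewer should take from `verified_mfa_reset` is that each check uses data the caller cannot influence: the employee ID comes from the directory, the push goes to the registered number, and silence counts as a decline. The audit list gives you the record needed to test whether the procedure is actually being followed.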
Document Procedures and Test that They are Being Followed
As with all things process related, having a procedural document for your help desk employees will help ensure that they understand and are aware of how to handle different situations, such as identity validation, password resets, MFA resets, etc. Similar to testing your incident response process, testing your help desk procedures can help validate that the documentation and training you have put into place are effective. Try to see if you can get them to stray from the procedures and ensure that they learn from any mistakes.
Training, Training, Training
Ensure that your IT support employees receive training on a regular basis. This should include expectations for how day-to-day tasks are handled and security awareness training (customized to their role, if possible) so they know what they are up against and the types of attacks they could encounter. It may be tough when outsourcing your help desk, but when vetting vendors, you can ensure they are all trained and meet your expectations from a security standpoint.
Communication is Key
Every organization is structured differently and may have its help desk in-house or outsourced. Either way, we recommend you communicate with the help desk on a regular basis to ensure they are up to date on organizational changes.
Seen an uptick in phishing attempts and are sending an email out company wide? Planning on implementing multi-factor authentication? Inform the help desk! The more they know about your organization’s processes and current threat environment, the more helpful they can be when assisting your employees and the more equipped they are to handle social engineering attacks.
The help desk should not be overlooked when it comes to organizational security. Bad actors will go to any means necessary to try to find that one hole that will allow them unauthorized access to your organization, and the help desk has a giant bullseye on it. These tips should help improve the security of your help desk and ultimately, your organization as a whole.
Interested in a social engineering engagement to test your resilience to this type of attack? Reach out to us today and we would be happy to help!