Busy help desks are the social engineer's playground. They take full advantage of the chaos rampant on help desks...
just trying to keep up with the high volume of calls routinely besieging them. They barely have time to reset passwords, let alone verify the caller's identity.
The three rules for defeating social engineers are verify, verify and verify. Even if you can only contact the user by phone, there are simple ways to separate legitimate employee requests from those of attackers and con men from outside the company or less than scrupulous employees who are up to no good.
First, every help desk staffer should have an employee directory readily available. The directory should have other information about the employee, besides just their phone number and e-mail address. It should also have information about their department, their manager's name, their title and location or cube number, for example. Check if the employee is listed. If not, red flags should go up immediately. Even if listed, ask a few random questions from the information about the employee in the directory. The important thing is to keep the questions random and unpredictable. You should report any slip-ups or obvious irregularities to your information security department's incident response team for follow up. Provide them with whatever additional information the help desk staffer has to track down the offender.
There are two other ways for the help desk to protect themselves after password resets. Send an e-mail to the employee immediately after completing the password reset. If someone other than the employee maliciously changed the password in the employee's name, the real employee will probably call the help desk right after getting the e-mail. The real employee will likely sound concerned or ask questions about the supposed "mix up." Another way is to follow up after the reset with a call to the employee's boss. The supervisor can then verify with the employee in person.
Also, keep a readily available log of all password resets. Educate your help desk staff to check the log and always look out for:
- Suspicious patterns
- Repeated resets by the same individual, or groups either in the same or related departments
- Requests at odd times or from unusual locations
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Joel Dubin
Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures ... Continue Reading
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading