November 3rd – IT service desks have recently experienced a wave of social engineering attacks. Traditionally, the IT service desk has functioned as the first point of contact for an organization's employees who are experiencing technical problems, such as forgotten passwords and computer crashes.
To assist with such requests, service desk staff typically verify a caller's identity through a series of security questions. However, given the proliferation of personal information on social media and elsewhere on the web, it is surprisingly easy for an attacker to collect the answers to those questions and impersonate the employee.
It’s this easy for hackers…
Many people listed their birthday on Facebook years ago and never removed it. Current location, age, the names of relatives and other details that feed common security questions can be sourced from the internet just as easily.
Under pressure to close tickets quickly, service desk staff may accept weak or partial answers to security questions, or skip other identity verification steps altogether. Remember that the MGM hack, which led to outages across the company's properties, began with a fraudulent call to the company's help desk.
Multi-factor authentication
Experts recommend that organizations apply multi-factor authentication (MFA) at the service desk itself. This means moving beyond security questions, which are a knowledge factor, and a knowledge factor alone is exactly what an attacker armed with open-source research can satisfy.
A multi-layered verification approach helps ensure that genuine employees can access service desk resources while protecting against social engineering. This is because MFA relies on something the user is (for example, a fingerprint) or something the user has (for example, a mobile phone already registered to the account), not only on information an attacker may already know. The caveat is that the second factor has to be tied to a channel already on record: if an agent sends a code to a number the caller supplies, or resets a user's MFA enrollment on the strength of a convincing call, the extra factor protects nothing.
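To make the "something the user has" check concrete, here is an added example of a help desk verification flow; it is illustrative code written for this page, not code from the article or from any vendor it mentions. It assumes a hypothetical employee directory (constructed sample IDs and phone numbers) and a simulated SMS sender, so it runs offline. The important properties are that the code goes to the phone number on record, never one the caller gives; the code expires, is single use and allows a capped number of guesses; and the comparison is constant time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 3         # then the challenge is discarded and must be restarted

# Constructed sample directory (hypothetical IDs and numbers). The contact
# channel comes from the HR system of record, never from what the caller says.
DIRECTORY = {
    "e1001": {"name": "A. Example", "registered_phone": "+1-555-0100"},
}


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class HelpDeskVerifier:
    """Possession-factor check for a help desk call.

    send_sms(number, text) delivers the code; clock() returns the current
    time. Both are injectable so the flow can be exercised offline.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._challenges = {}

    def start(self, employee_id):
        """Issue a fresh one-time code to the employee's registered phone."""
        record = DIRECTORY.get(employee_id)
        if record is None:
            return False
        # A new challenge replaces any outstanding one for this employee.
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[employee_id] = Challenge(code=code, issued_at=self._clock())
        self._send_sms(record["registered_phone"], f"Help desk verification code: {code}")
        return True

    def verify(self, employee_id, code_from_caller):
        """Return True only if the caller read back the live code in time."""
        ch = self._challenges.get(employee_id)
        if ch is None or ch.consumed:
            return False
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[employee_id]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            # Too many guesses: burn the challenge; the agent must start over.
            del self._challenges[employee_id]
            return False
        # Constant-time comparison, so timing does not leak matching digits.
        if not hmac.compare_digest(ch.code, str(code_from_caller).strip()):
            return False
        ch.consumed = True   # single use
        return True


if __name__ == "__main__":
    outbox = []
    verifier = HelpDeskVerifier(send_sms=lambda number, text: outbox.append((number, text)))
    verifier.start("e1001")
    number, text = outbox[-1]
    print(f"code sent to {number} (taken from the directory, not from the caller)")
    print("caller reads back the right code:", verifier.verify("e1001", text.split()[-1]))
    print("same code replayed:", verifier.verify("e1001", text.split()[-1]))
```

The same gate belongs in front of every sensitive action the desk performs, including password resets and MFA re-enrollment; an agent who can reset a factor on a caller's say-so has quietly turned MFA back into a single knowledge factor.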
Further recommendations
What is feasible for a given IT service desk will vary based on a variety of factors, including staff-to-user ratio, urgency of service requests, industry and business operating needs. However, it pays to determine the best approaches for verifying caller identity, as doing so may help you avoid an MGM-style incident.
Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.