How should your IT help desk work to help you secure your data?
Let me start with a story:
About a year ago, I received a frantic call from a business owner who needed help figuring out how their business data had gotten compromised. Nearly 40 THOUSAND dollars had been wired from their business accounts and some other passwords had been changed. When no one on their team—including their IT department—had a clue as to what had happened, the owner decided to reach out to an outside source (Zog, Inc.) to evaluate what had happened.
Having performed a root cause analysis of their help desk, it was crystal clear what had happened: their help desk had gotten hacked!
Apparently a lady—supposedly the CEO—called in to the help desk asking for her administrative password. Because she provided enough information to be believable (most of which could have been found on LinkedIn or Facebook), the help desk technician fielding the call reset her passwords over the phone.
Over the following few weeks, money started being spent in marginal increments from one of the business accounts and a couple of unnoticed credit card charges started popping up in the CEO’s name. It wasn’t until the end of the month that someone on the accounting team noticed these discrepancies in full and alerted the CEO, and later the owner, to the problem.
When the help desk technicians were interviewed, one of them remembered talking with the CEO a few weeks back, but he had thought nothing of it at the time. New on the team and with no training on how to handle sharing password credentials, he thought it best to be as helpful as possible and had no doubt in his mind that he was talking to the real CEO.
How should your IT help desk have handled a password request call?
First and foremost, verifying user identity is critical. Your help desk team needs to consistently verify the legitimacy of your users. This is especially necessary nowadays because social engineering phishing campaigns have started targeting help desks!
Since most users are typically less sophisticated than your help desk technicians, consider having your IT help desk keep the authentication process simple for users who call in. You should especially expect authentication when credentials are being changed, updated or given to a user.
Here are a few easy steps to make sure your users are getting quick authentication, while protecting your business from hackers:
- All help desk calls come from users—first off, all of your support calls should be one-directional. Your users should be calling in with their problem (whatever it may be). Help desk technicians should not be calling your users without them first reporting an issue. This prevents fake calls where an unverified help desk technician phishes your user for information. Your users should understand this and should insist on calling back to the help desk themselves. And if a technician leaves your users a message to call them back, make sure they’re using the official help desk number!
- Password credentials require a call back—if your help desk accustoms itself to a secure process for password changes, resets or sharing, your business will be less likely to have problems from socially engineered password phishing. Where you have stored credentials for very sensitive information, you might even consider a policy under which requests for those credentials must be handled in person—either at the help desk or through desk-side support with standard verification (badge validation, for instance).
- Use good password hygiene—even in 2017, many workers—including IT help desk technicians—store their passwords insecurely in spreadsheets, on sticky notes, and in other easy-to-find places. In fact, over 55% of IT help desk technicians—who often require long lists of logins for a wide range of systems and administrative-level credentials—openly share their passwords with other colleagues! Make sure your help desks are using some type of password vault to store credentials—or even better, have your help desk use a portal that injects credentials behind the scenes, so that they’re completely hidden from the admin while still giving them access to approved systems. Remember: people can’t sticky note what they can’t see!
- Keep track of your support sessions—as we have talked about before, it is essential to record and track your user interactions with your IT help desk. Not only does tracking help your help desk improve their service standards, it makes sure that everyone is kept accountable. A well-documented audit trail of all support, but especially remote support activity, should be captured for your organization to comply with internal and external security guidelines.
- Reevaluate your IT help desk metrics—as we have discussed over the past few weeks, tracking the right metrics is important, and security should be treated no differently. If your help desk does not record or report security metrics—deviations from security protocol or suspected hacking attempts—your business won’t have visibility into current threats to your system.
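As an added illustration (not part of the original post), the call-back, in-person and metrics steps above can be checked automatically against help desk ticket records. The ticket fields, the directory of numbers on file and the account names below are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data: official call-back numbers on file for each account.
DIRECTORY = {"ceo": "555-0100", "jsmith": "555-0101"}
# Assumption: accounts holding very sensitive credentials need in-person checks.
IN_PERSON_ONLY = {"ceo"}

@dataclass
class ResetTicket:
    ticket_id: str
    account: str
    callback_number: Optional[str]  # number the technician called back, if any
    badge_checked: bool             # in-person badge validation was recorded
    completed: bool                 # the password reset was actually performed

def deviations(t: ResetTicket) -> list:
    """Return the policy deviations recorded on one completed reset."""
    if not t.completed:
        return []
    if t.account in IN_PERSON_ONLY:
        if t.badge_checked:
            return []
        return ["sensitive account reset without in-person badge validation"]
    if t.callback_number is None:
        return ["reset performed without a call back"]
    if t.callback_number != DIRECTORY.get(t.account):
        return ["call back went to a number that is not on file"]
    return []

def security_metrics(tickets) -> dict:
    """Summarise resets and deviations for a reporting period."""
    flagged = {t.ticket_id: d for t in tickets if (d := deviations(t))}
    return {"resets": sum(t.completed for t in tickets),
            "deviations": len(flagged), "flagged": flagged}

# Constructed sample tickets; T1 mirrors the phone reset in the story above.
SAMPLE = [
    ResetTicket("T1", "ceo", None, False, True),
    ResetTicket("T2", "jsmith", "555-0101", False, True),
    ResetTicket("T3", "jsmith", "555-0199", False, True),
    ResetTicket("T4", "jsmith", None, False, False),
]

if __name__ == "__main__":
    print(security_metrics(SAMPLE))
```
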
But Most Importantly, Make Your IT Help Desk Heed Their Own Advice!
Because IT help desks are often inundated with user issues—ranging from simple to some very complex problems—it is quite easy for them to forget basic security measures that they harp on you and your team to follow. Often some of the most egregious security flaws are a result of IT help desks failing to completely follow a protocol or abide by your industry’s security compliance policies.
But the reality is that good security hygiene starts with your IT help desk. They should be IT professionals with ingrained expertise in (1) recognizing social engineering attacks or suspicious requests, (2) ensuring your systems are well-secured, and (3) completely understanding proper credential hygiene. You shouldn’t be expected to manage their security mistakes—because they should be held to a higher standard than you and your users.
Which brings up a final point…
Your IT help desk needs to be empowered with the right information to support your users and your business. They should be focusing on keeping you and your team secure (NO security flaws permitted!).
You might expect your IT help desk technicians to know better—understand how to check your user’s identity, create and curate safe passwords and keep your business safe. You might expect your IT help desk to NEVER fall for a hack or phishing attempt. But are you sure you’re in good hands?
Is your help desk helping hackers? Contact us TODAY for a help desk security assessment to make sure your help desk solution is not keeping you in the dark about some major security vulnerabilities.