Are company help desks being too helpful?
A recent survey of more than 900 IT professionals found that enterprise help desks — an important troubleshooting resource for employees and customers alike — are a popular target for hackers seeking access to a company's sensitive data.
The 2013 Help Desk Security and Privacy Survey, conducted by the Internet security training company SANS, found that in businesses of every size, regardless of industry, help desk personnel are proving to be easy prey for social engineering attacks.
Trust me, I need help
Social engineering, also known as pretexting or phishing, is a targeted attack on an individual or a business by a malicious third party.
In these types of attacks, the "engineer" pretends to be someone else in an attempt to fraudulently obtain private information about a person or company — anything from network passwords to Social Security numbers to corporate documents.
Recently, many social engineering attackers have turned to going through company help desks to gain access to sensitive information.
Help desks are responsible for resetting passwords, restoring email access and troubleshooting connectivity issues — all of which would be useful to an intruder.
But before a caller to the help desk can get help resetting a password, for example, he or she must first pass the help desk operator's identity-verification measures.
These security measures — which typically include questions about an employee's name, location, email address or employee ID — are what social engineers find so easy to circumvent.
Once an attacker has circumvented this first layer of security, he or she can gain access to more sensitive data, such as the information contained in an email.
"As help desks are ordered to help, they are ripe for others who want to take advantage of their mission," according to the SANS survey. "For decades, the help desk has been a backdoor to enterprise network resources through social engineering."
Dial-in is the new hack
In recent years, social engineering attacks have often occurred via email campaigns or on social networking sites like Facebook and Twitter.
Attacks on help desks mark a return to a more dated brand of social engineering: attacks via telephone.
But as one survey respondent noted, social-engineering attacks carried out via telephone can become even more dangerous in the age of social networking.
Sites such as Facebook and LinkedIn can put "private" information in untrustworthy hands and give social engineers even more ammunition with which to lead attacks on help desks.
For example, a social engineer wishing to pose as an employee may simply have to find that person on Facebook or LinkedIn to find out his or her location, email address or telephone number, all of which are common credentials used for verification at help desks.
Lagging behind the times
It's not just that social engineers are having an easier time mounting attacks; help desk employees are also having a harder time fending off these attacks.
Pressure to resolve as many calls as possible in the shortest amount of time forces many help desk employees to cut corners when it comes to security protocol, the report said.
Despite the fact that the majority of the 900 IT professionals surveyed for the study identified social engineering as a chief area of concern for possible compromises of the help desk, many organizations still prefer to rely on human help desks instead of automated tools.
Even password resets and status checks, two common help desk services that could easily be automated, often continue to rely on human help.
Furthermore, in the age of Bring Your Own Device (BYOD), it's harder than ever for help desk staff to verify that an employee is really who he or she claims to be.
Employee use of personal cellphones in lieu of desk phones means that the name and location method of verification, which is still the most common type of verification amongst enterprise help desks, is increasingly ineffective.
The SANS survey suggested that increased automation of help desk services might be the key to reducing some of the vulnerabilities that lead to security breaches and the theft of personally identifiable information.
Respondents to the survey also stated that more training regarding this issue, as well as more high-tech verification methods, could prove useful in stemming social engineering attacks on enterprise help desks.
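As an added illustration (not code from the article or the SANS survey), a small reset-policy check that treats the verification factors discussed above as public knowledge and never lets them alone authorize a reset, plus a detection pass over a constructed call log; the factor names, the strength catalogue and the review threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum

class Strength(Enum):
    PUBLIC = "public"          # discoverable from LinkedIn, Facebook or a company directory
    POSSESSION = "possession"  # proves control of a registered device or channel

# Constructed factor catalogue (an assumption for this example): the "common
# credentials" the survey names all land in the PUBLIC bucket.
FACTOR_STRENGTH = {
    "name": Strength.PUBLIC,
    "location": Strength.PUBLIC,
    "email": Strength.PUBLIC,
    "phone": Strength.PUBLIC,
    "employee_id": Strength.PUBLIC,
    "otp_to_registered_device": Strength.POSSESSION,
    "manager_callback": Strength.POSSESSION,
}

@dataclass
class ResetCall:
    ticket: str
    account: str
    confirmed_factors: tuple  # factors the agent actually confirmed on the call

def decide(call: ResetCall) -> tuple:
    """Policy: a phone reset needs one POSSESSION factor; any number of PUBLIC
    factors alone only escalates, so an agent under time pressure cannot be talked past it."""
    unknown = [f for f in call.confirmed_factors if f not in FACTOR_STRENGTH]
    if unknown:
        return "deny", "unrecognised factor(s): " + ", ".join(unknown)
    if any(FACTOR_STRENGTH[f] is Strength.POSSESSION for f in call.confirmed_factors):
        return "allow", "possession factor confirmed"
    return "escalate", "public-knowledge factors only; send OTP to registered device"

def flag_for_review(calls, threshold=2):
    """Detection: accounts with `threshold` or more public-only reset attempts
    are surfaced for a security review (repeated pretexting of one account)."""
    counts = Counter(c.account for c in calls if decide(c)[0] == "escalate")
    return sorted(a for a, n in counts.items() if n >= threshold)

# Constructed sample call log: two public-only attempts against "jdoe".
SAMPLE_CALLS = [
    ResetCall("T1", "jdoe", ("name", "location", "email")),
    ResetCall("T2", "jdoe", ("name", "employee_id", "phone")),
    ResetCall("T3", "asmith", ("name", "otp_to_registered_device")),
    ResetCall("T4", "bwong", ("name", "location")),
]
```

Running `flag_for_review(SAMPLE_CALLS)` over the sample log returns `['jdoe']`, the one account with repeated public-factor-only attempts.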