A hacker attack on the service desk happened to Robinhood. It happened to Twitter. 83% of service desk managers fear it could happen to them.
Are YOU concerned?
All organizations have an IT service desk to help users cope with IT problems. The single most frequent call type is forgotten and locked passwords. If a hacker impersonates a real user to obtain that user's password, how can your service desk know? If they cannot tell, and issue a password, you will have a data breach very soon.
It happened to Twitter in July 2020. This quote is from Twitter’s blog post:
The key phrases here are:
- Small number of employees
- Phone spear phishing
- Mislead certain employees
- Exploit human vulnerabilities
In November 2021 Robinhood was attacked.
In a post to its blog, Robinhood says that the unauthorized party “socially engineered a customer support employee by phone and obtained access to certain customer support systems.”
In both cases it is social engineering. This is a person-to-person skill that criminals acquire. They convince the service desk supporter to issue a password. Perhaps they are very good, perhaps the supporter is too busy. Perhaps the supporter's instructions are unclear, perhaps the supporter is not complying with them.
In a study by the Service Desk Institute, 83% of respondents said they were concerned that their service desk would give a password away.
Clearly, many service desks are the weak link in IT security when it is possible to obtain the password of an important employee from them. The problem is that instructions and training do not protect against trained social engineers!
We believe that the following principles will protect the service desks:
- Password issuance from the service desk can only be granted based on system decisions
- Take emotions out of the verification process with an IT workflow that supporters are forced to follow (social engineering is all about creating emotions)
- Use dynamic and contextual data that is not available to hackers, and include user behaviour in the verification process
- Automatically record every step and decision in the workflow for security alerts and future compliance reporting
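One way to turn these principles into an enforced workflow, as an added example that is not FastPass code: the supporter only enters the evidence they gathered, the outcome is computed by policy and cannot be overridden, and every step is written to an audit trail. Field names, thresholds and the specific checks are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ResetRequest:
    # Constructed fields; a real system would pull these from HR, IdP and SIEM data.
    user: str
    agent: str
    mfa_push_confirmed: bool           # user approved a push on an enrolled device
    callback_to_hr_number: bool        # agent called back on the HR-registered number
    manager_confirmed: bool            # manager confirmed the request out of band
    location_matches_last_login: bool  # caller's stated location vs. last IdP sign-in
    recent_lockouts: int               # lockouts in the last 24 h, an attack-in-progress signal
    audit: list = field(default_factory=list)

def record(req: ResetRequest, step: str, outcome: str) -> None:
    """Append an audit entry; no step in the workflow happens without a record."""
    req.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "agent": req.agent,
                      "user": req.user, "step": step, "outcome": outcome})

def decide(req: ResetRequest) -> str:
    """Return 'approve', 'deny' or 'escalate'. The supporter supplies evidence only;
    the verdict is computed here, so persuasion on the phone cannot change it."""
    # Hard stop: an account that is being hammered is never reset over the phone.
    record(req, "lockout_check", f"{req.recent_lockouts} lockouts")
    if req.recent_lockouts >= 3:
        record(req, "decision", "escalate")
        return "escalate"
    # Strong proof: the user approved a push on a device the caller does not hold.
    record(req, "mfa_push", "confirmed" if req.mfa_push_confirmed else "not confirmed")
    if req.mfa_push_confirmed:
        record(req, "decision", "approve")
        return "approve"
    # Fallback: every out-of-band check on data the caller cannot know must pass.
    checks = {"callback_to_hr_number": req.callback_to_hr_number,
              "manager_confirmed": req.manager_confirmed,
              "location_matches_last_login": req.location_matches_last_login}
    for name, ok in checks.items():
        record(req, name, "pass" if ok else "fail")
    verdict = "approve" if all(checks.values()) else "deny"
    record(req, "decision", verdict)
    return verdict
```

The audit list is what a SIEM rule would consume: a run of "deny" decisions for one user, or one agent's approvals that always rely on the fallback path, are the alerts worth raising.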
With our long history of secure solutions for user verification in password self-service, we have developed the FastPass Identity Verification Manager as a forced workflow for the service desk password reset process. It can be used with any ITSM solution and is integrated out of the box with ServiceNow. It is not only for Windows (AD+Azure) passwords but for all corporate passwords, such as SAP, Oracle, IBM, LDAP and so on.
At relatively low cost and with a fast implementation, the backdoor into IT security at the service desk can be closed. The benefits are clear:
- Reduced risk for data breaches
- Productivity with automation
The old wisdom is that it is best to close the stable door before the horse has bolted!