Password Management Best Practices For Enterprises
Understand how hackers attack service desks to get important users’ passwords through vishing
When employees forget their passwords, they call the service desk to have them changed so they can get back to work. This happens at service desks every day.
But if a hacker impersonates a real user to obtain a new password, how can the service desk tell the difference? Do you enforce user verification through a compliant workflow to keep hackers out? A secure password reset process needs an identity verification method. Check out our recommended best practices.
Here are password management best practices that can help:
Best Practice #1: Have a Management-Decided Password Reset Process
According to Service Desk Institute research, 35% of organizations do not have a management-approved reset process and practices; each service desk or analyst must make up their own. Does this keep information and credentials secure?
In the remaining 65%, the majority verify callers with questions about data that is easily available, such as employee details like the manager's name and department number, or even the username and password, all of which criminals can readily obtain.
Almost a third of organizations expect password-related issues to take up more than 25% of their calls.
Close to 20% of IT service desks don't authenticate users when conducting new password resets.
22% of survey respondents stated that their IT service desk doesn’t have formal mechanisms and systems in place to ensure the identity of password service requesters.
Current password management self-service solutions rely heavily on traditional forms of authentication, particularly security questions and two-factor authentication, with only 7% of implemented solutions offering more innovative authentication methods.
47% of respondents state that all service desk people have privileged access for Active Directory password resetting, versus 38% where this is limited to a select group, and 12% where no one on the service desk has any access to it.
83% of respondents think that, despite controls being in place, it's still possible for a criminal to obtain the password of a legitimate end user's account via the IT service desk.
Best Practice #2: Make an Identity Verification Process for the Service Desk
Assisted Process in the Service Desk
The easiest way to get a legitimate user's password is simply to call the service desk and ask. This is a big security issue. The caller might have to charm or threaten to get the account password, but many real cases and penetration tests have proven that this provides easy access!
Here's why a privileged user from the service desk or user administration will give a password to a “wrong” user:
No authentication process is defined by management at work.
A weak authentication process is easy to bypass.
The privileged user is busy (it’s Monday morning) and hopes for the best.
The user on the phone charms or threatens the privileged user.
The privileged user has other intentions: they are corrupt or criminal.
IDC cites other research from 2016 stating that 63% of data breaches are caused by some sort of password security issue. IDC suggests self-service password reset as a way to make the password process compliant. No matter how good the self-service solution is, some employees will still need assistance. When there is an assisted process, it must be secure and compliant with cybersecurity requirements. This is a huge challenge.
IDC proposes a business model where:
At least two persons are involved (a supporter and a voucher).
The supporter’s privileges to do password resets on their own are removed.
Users are allowed to get a key from the 2-person process enrolling them in self-service, so they make the new password themselves.
As this is a much more expensive process than what is standard today, many companies will need to move more than 80% of calls to self-service. The cost of the manual process then becomes manageable, and the business can protect credentials better and avoid data breaches.
Best Practice #3: Follow Identity Verification Principles
Gartner calls this process Identity Verification Manager:
“The reality is that no matter how foolproof a Self-Service Password Reset (SSPR) solution is, the need for service-desk-assisted password resets will likely always be there.”
“An Identity Verification allows a delegate (such as an administrator or service desk operator) to perform a password reset or account unlock on behalf of another user. That said, there are often security holes in the identity verification process.”
How can we make the identity verification process secure?
We must have a common process decided by management
We must have different workflows to balance risk and costs for different user groups
We must prevent circumvention by the service desk analyst; this means no privileged passwords for the analyst!
We must include many different information types for the manual authentication – in particular, dynamic and contextual data in addition to static data and tokens
For individuals with very high-security settings, we must include multi-factor authentication
Monitoring and alerts must be part of the solution
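The two-person process described under Best Practice #2 and the six principles listed above can be expressed as a small policy engine. The following is an added example, not FastPass code and not a description of how Identity Verification Manager is implemented: the user groups, required check types, key lifetime and sample users are constructed for illustration. The engine enforces a management-defined policy per user group, refuses any reset where required checks, a distinct voucher, or MFA are missing, writes an audit event with an alert flag on every refusal, and on approval hands the analyst only a short-lived one-time enrollment key, so no one on the desk ever learns the password.

```python
"""Policy-driven, service-desk-assisted identity verification (illustrative example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Management-approved verification policy per user group.
# Constructed values for this example; a real deployment loads them from configuration.
POLICY = {
    "standard":   {"required": {"static", "dynamic"},               "voucher": False, "mfa": False},
    "privileged": {"required": {"static", "dynamic", "contextual"}, "voucher": True,  "mfa": True},
    "executive":  {"required": {"static", "dynamic", "contextual"}, "voucher": True,  "mfa": True},
}

KEY_TTL_SECONDS = 600  # assumed lifetime of a one-time self-service enrollment key


@dataclass
class AuditEvent:
    ts: float
    user: str
    analyst: str
    outcome: str
    alert: bool = False


@dataclass
class Decision:
    approved: bool
    reasons: List[str]
    enrollment_key: Optional[str] = None
    expires_at: Optional[float] = None


class VerificationEngine:
    """Decides whether an assisted reset may proceed; never sees or sets a password."""

    def __init__(self, policy: Dict = POLICY):
        self.policy = policy
        self.audit: List[AuditEvent] = []
        self._keys: Dict[str, tuple] = {}  # key -> (user, expires_at)

    def evaluate(self, user: str, group: str, analyst: str, checks_passed: Set[str],
                 voucher: Optional[str] = None, mfa_ok: bool = False,
                 now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        rule = self.policy[group]
        reasons = []
        # Principle: many information types (static, dynamic, contextual) per group.
        missing = rule["required"] - set(checks_passed)
        if missing:
            reasons.append(f"missing checks: {sorted(missing)}")
        # Two-person rule: a voucher is required and must not be the analyst themselves.
        if rule["voucher"] and (voucher is None or voucher == analyst):
            reasons.append("second person (voucher) required and must differ from analyst")
        # Principle: MFA for high-security groups.
        if rule["mfa"] and not mfa_ok:
            reasons.append("multi-factor authentication required for this group")
        approved = not reasons
        # Every refusal is alerted: it may be an impersonation attempt or an analyst
        # trying to skip mandatory steps, and both deserve review.
        self.audit.append(AuditEvent(now, user, analyst,
                                     "approved" if approved else "refused", alert=not approved))
        if not approved:
            return Decision(False, reasons)
        # The analyst receives only a one-time enrollment key; the user then sets the
        # new password in self-service, so the analyst's reset privilege is not needed.
        key = secrets.token_urlsafe(16)
        self._keys[key] = (user, now + KEY_TTL_SECONDS)
        return Decision(True, [], key, now + KEY_TTL_SECONDS)

    def redeem(self, key: str, now: Optional[float] = None) -> Optional[str]:
        """Self-service portal side: return the user for a valid, unexpired, unused key."""
        now = time.time() if now is None else now
        entry = self._keys.pop(key, None)  # pop enforces single use
        if entry is None:
            return None
        user, expires_at = entry
        return user if now <= expires_at else None


if __name__ == "__main__":
    engine = VerificationEngine()
    d = engine.evaluate("alice", "privileged", analyst="bob",
                        checks_passed={"static", "dynamic"}, voucher="bob", now=1000.0)
    print(d.approved, d.reasons)              # refused: missing contextual check, voucher, MFA
    d = engine.evaluate("alice", "privileged", analyst="bob",
                        checks_passed={"static", "dynamic", "contextual"},
                        voucher="carol", mfa_ok=True, now=1000.0)
    print(d.approved, engine.redeem(d.enrollment_key, now=1100.0))
```

The important design choice is that approval produces a token for self-service enrollment rather than a password or a direct Active Directory reset; removing the analyst's standing reset privilege is what makes the workflow impossible to circumvent from the desk.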
The only true way to enforce a secure workflow is through a flexible IT system designed for the authentication task.
Take a closer look at FastPass Identity Verification Manager (IVM), which is these password reset best practices implemented in software.
Identity Verification for the future
It seems obvious that an IT-based solution for identity verification is needed. The primary concern must be IT security, but management has further requirements. Management must be able to define the process the service desk analysts perform when assisting people.
In general terms, the solution must be compliant, and circumvention of the process by service desk analysts must be prevented. Large organizations still receive many calls at the service desk even when password manager self-service offloads around 80% of them. The resources and costs of the process, for the help desk and for the users, must not be higher than security requires. Different employee groups and accounts have different security profiles and should be treated differently.
The authentication or proofing of people must be based on dynamic and contextual information in an intelligent way. Static information will in many cases be fine, but it can't stand alone, because in some cases it is too easy to obtain.
A strong authentication method is for a person to present herself to the service desk analyst with a photo identity card. In the real world, however, service desks are centralized and users are scattered around the world.
This is where Identity Verification Manager comes in. IVM controls the entire verification process, instructing the service desk supporter what questions and tests to do depending on the user’s security profile.
Learn more today about Identity Verification Manager