DOES YOUR SERVICE DESK GIVE PASSWORDS AWAY?
Understand how hackers attack the service desk
See research into present risks for password resets
NEW: Vision and solution to the problem in the manual password reset
When users forget their passwords, they call the service desk to get a new password so they can get back to work. This happens many times every day in most service desks. But how does your service desk prevent a password from being handed to the wrong individual? Do you have a password reset manager assisting the service desk?
According to Service Desk Institute research, 35% of organizations have no management-decided process – each analyst must make up his own. Does this make us secure?
In the remaining 65%, the majority use questions about data that is easily available, like employee number, manager’s name, department number and other information readily available to criminals.
83% of respondents think that, despite controls being in place, it’s still possible for a criminal to gain a password to a legitimate end-user’s account (via the IT service desk).
SDI Report "On Security, GDPR and Self-Service Passwords"
How are passwords broken?
The assisted process in the service desk
The easiest way to get the password of a legitimate user is simply to call the service desk and ask. You might have to charm or threaten to get the password, but lots of penetration tests have proven that this is the easy way in!
Why a privileged user from the service desk or user administration department gives a password to a “wrong” user:
- No authentication process is defined by management.
- A weak authentication process is easy to bypass.
- The privileged user is busy (it’s Monday morning) and hopes for the best.
- The user on the phone charms or threatens the privileged user.
- The privileged user is corrupt / criminal.
It happens! IDC cites other research from 2016 stating that 63% of data breaches are caused by some sort of password issue. IDC suggests self-service password reset as the way to make the password process compliant. No matter how good the self-service solution is, some users will need assistance. When there is an assisted process, it must be secure and compliant. This is a huge challenge.
IDC proposes a model where:
- At least two persons are involved (a supporter and a voucher).
- The supporter’s privileges to do password resets on their own are removed.
- Users are allowed to get a key from the 2-person process enrolling them in self-service, so they make the new password themselves.
As this is a much more expensive process than is standard today, for many companies it will be necessary to move more than 80% of the calls to self-service, so that the cost of the manual process becomes manageable.
Facilitated password reset principles
Gartner calls the process Facilitated Password Reset. “The reality is that no matter how foolproof a Self-Service Password Reset (SSPR) solution is, the need for service-desk-assisted password resets will likely always be there.” “A facilitated reset allows a delegate (such as an administrator or service desk operator) to perform a password reset or account unlock on behalf of another user. That said, there are often security holes in the facilitated reset process.”
How can we make the facilitated password process secure?
- We must have a common process decided by management
- We must have different workflows to balance risk and costs for different user groups
- We must prevent circumvention by the service desk analyst, which means no privileged passwords!
- We must include many different information types for the manual authentication – in particular, dynamic and contextual data in addition to static data and tokens
- For individuals with very high-security settings, we must include multi-factor authentication
- Monitoring and alerts must be part of the solution
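The IDC two-person model above and the six requirements just listed can be turned into a small policy engine. The following is an added illustration, not FastPass code: group names, required proof types and the alert rule are constructed assumptions. It enforces a per-group workflow that always needs a dynamic/contextual proof, requires a separate voucher for higher-risk groups, never lets the analyst set a password (an approved request yields a one-time self-service enrollment key instead), and records every decision so attempted circumventions can be alerted on.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Proof categories named on the page: static data, dynamic/contextual data,
# tokens and multi-factor authentication.
STATIC, DYNAMIC, TOKEN, MFA = "static", "dynamic", "token", "mfa"

# Hypothetical per-user-group policy (constructed values, not FastPass config):
# every group needs at least one dynamic/contextual proof, higher-risk groups
# add a token or MFA and require a second person (voucher) to approve.
POLICY = {
    "standard": {"required": {STATIC, DYNAMIC}, "voucher": False},
    "finance":  {"required": {STATIC, DYNAMIC, TOKEN}, "voucher": True},
    "admin":    {"required": {STATIC, DYNAMIC, MFA}, "voucher": True},
}

@dataclass
class ResetRequest:
    user: str
    group: str
    analyst: str
    proofs: set                    # proof types the analyst verified on the call
    voucher: Optional[str] = None  # second person approving, if any

AUDIT_LOG = []  # every decision is recorded so it can be monitored and alerted on

def evaluate(req: ResetRequest) -> dict:
    """Apply the group's workflow and decide whether the reset may proceed."""
    policy = POLICY[req.group]
    missing = sorted(policy["required"] - req.proofs)
    # Two-person rule: the voucher must exist and must not be the analyst.
    voucher_ok = (not policy["voucher"]) or (req.voucher not in (None, req.analyst))
    approved = not missing and voucher_ok
    # The analyst never sets a password. On approval the user gets a one-time
    # enrollment key for self-service and chooses the new password themselves.
    key = secrets.token_urlsafe(16) if approved else None
    # Alert on attempted circumvention: an analyst vouching for their own
    # request, or a voucher-protected group failing its proof requirements.
    alert = bool((policy["voucher"] and req.voucher == req.analyst) or
                 (policy["voucher"] and missing))
    AUDIT_LOG.append({"user": req.user, "analyst": req.analyst,
                      "approved": approved, "missing": missing, "alert": alert})
    return {"approved": approved, "enrollment_key": key,
            "missing": missing, "voucher_ok": voucher_ok, "alert": alert}

def alerts() -> list:
    """Audit entries a security monitor should escalate."""
    return [e for e in AUDIT_LOG if e["alert"]]
```

The enrollment key would be delivered to the user out of band (for example to a registered device), so the service desk never learns a password at any point in the flow.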
The only true way to enforce the secure workflow is in a flexible IT system designed for the authentication task. Take a closer look at the FastPass Facilitated Password Reset module (FPR), which is password reset best practice implemented.
Facilitated password reset for the future
It seems obvious that an IT-based solution for facilitated password reset is needed. The primary concern must be IT security, but management has more requirements.
Management must be able to define the process the service desk analysts perform when assisting users. In general terms, the solution must be compliant and circumventions to the process from the service desk analysts must be prevented.
Large organizations still have many calls to the service desk even if password self-service offloads around 80%. Costs related to the process, for the service desk and for the users, must not be higher than what security requires. Different user groups have different security profiles and should be treated differently.
The authentication or proofing of users must be based on dynamic and contextual information in an intelligent way. Static information will in many cases be OK, but it can’t stand alone, as it is in some cases too easy to get at.
In summary, the FPR process must be:
- Specific per user group
- Based on dynamic and contextual proofing
Very strong proofing is when a person presents herself to the service desk analyst with an identity card including a photo. In the real world, service desks are centralized and users are scattered around the world. For this reason, we describe solutions which support phone-based authentication or proofing where the personal meeting isn’t r