IT service desks are a security weak point for many businesses, with nearly half of organizations lacking a user verification policy for incoming calls.
This was just one of the findings of a Specops Software survey of more than 200 IT leaders from the public and private sectors in North America and Europe.
Even among the 28% of organizations that have instituted user verification policies, security remains an issue, as most of those policies rely on knowledge-based questions, such as an employee’s ID, a manager’s name, date of birth or address, according to the survey.
This practice runs contrary to recommendations from the National Institute of Standards and Technology (NIST), which advises against using knowledge-based questions because of their lack of security.
Voice Recognition is a Far Cry From Secure
Specops Software’s CEO Marcus Kaber said the most surprising finding from the survey is that many organizations are relying on recognizing the voice of the person calling instead of strong authentication.
“Spear phishing attackers can easily replicate the voice of an executive to reset their password and access confidential data,” he said. “Of the organizations that do have some form of user verification in place, many were relying on weak identification such as the employee’s ID number.”
Kaber said there are two main reasons the IT service desk is often overlooked as an attack target. First, adding security measures to the user verification step would hurt the service desk’s performance metrics, which are based on speed and efficiency (cost per ticket).
“Help desk managers are in a difficult spot where they are continuously asked to do more with less, and security is not prioritized,” he explained.
Second, Kaber noted, there is a false belief that security questions or voice recognition are sufficient forms of verification.
“Both can be easily sourced, and it isn’t difficult to trick a help desk agent who has followed all the steps in their security policy,” he said. “Hackers may pose as a stressed executive who needs help resetting their password and the agent will read out the new password over the phone.”
One initial step organizations can take to shore up service desk security is to stop using security questions at the service desk, since the answers are easily obtained through social engineering. Instead, organizations can verify callers with MFA, using push notifications to the user’s mobile phone.
User Verification Must be Traceable
Another basic step is to ensure that the user verification put in place is actually enforced and traceable.
The Specops survey revealed that organizations that do have a security policy in place do not always have a way to enforce or track that the user verification is actually taking place.
An additional security measure is to have the service desk generate a unique temporary password when assisting with a password reset or onboarding new staff, and then enforce a password change at the user’s next login. Too often, the service desk hands out the same generic password to everyone.
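As an added example that is not part of the article and not Specops’ own tooling, the PowerShell script below shows how an Active Directory service desk could put the last two recommendations into practice in one step: the agent must record which verification method was used (traceability), the temporary password is random and unique per ticket, and the account is flagged so the user must change it at next logon. It requires the RSAT ActiveDirectory module; the audit log path, the ticket-ID parameter and the list of accepted verification methods are assumptions for illustration.

```powershell
# Added example (not from the article or from Specops): a service-desk
# password reset for Active Directory that records the verification method,
# issues a one-off random temporary password and forces a change at next logon.
# Requires the RSAT ActiveDirectory module. Log path and ticket format are assumed.
#Requires -Modules ActiveDirectory

param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $TicketId,
    # The agent must state how the caller was verified; knowledge-based
    # answers are deliberately not an accepted value.
    [Parameter(Mandatory)]
    [ValidateSet('MfaPush', 'ManagerCallback', 'InPersonId')]
    [string] $VerificationMethod,
    [string] $AuditLog = 'C:\ServiceDesk\reset-audit.jsonl'   # assumed path
)

function New-TemporaryPassword {
    param([int] $Length = 16)
    # Upper, lower, digits and a few symbols; look-alike characters omitted
    # so the value can be read out over the phone without ambiguity.
    $charset = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1
    $chars = New-Object char[] $Length
    # Rejection sampling so every character of the set is equally likely.
    $limit = 256 - (256 % $charset.Length)
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            $chars[$i] = $charset[$buffer[0] % $charset.Length]
            $i++
        }
    }
    return -join $chars
}

$user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
$tempPassword = New-TemporaryPassword
$secure = ConvertTo-SecureString -String $tempPassword -AsPlainText -Force

# Reset to the one-off password and require a change at next logon, so the
# value relayed to the caller is never a long-lived or shared credential.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Traceability: one JSON line per reset recording who reset whom, how the
# caller was verified and under which ticket. The password is never logged.
$record = [ordered]@{
    timestamp          = (Get-Date).ToUniversalTime().ToString('o')
    ticket             = $TicketId
    target             = $user.SamAccountName
    agent              = $env:USERNAME
    verificationMethod = $VerificationMethod
    changeAtNextLogon  = $true
}
Add-Content -Path $AuditLog -Value ($record | ConvertTo-Json -Compress)

# Return the temporary password to the agent for relay to the verified caller.
Write-Output $tempPassword
```

Because `$VerificationMethod` is mandatory and restricted by `ValidateSet`, the script cannot run without the agent declaring an accepted verification step, and the resulting log lines give auditors a per-ticket record to check that the policy was actually followed.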
The fourth step is to reduce the number of calls made to the service desk. In addition to online guides and FAQs, implementing a self-service password reset tool can cut service desk calls by up to 50%.
“These calls are time-consuming for the IT support team, are a cost driver and leave the service desk susceptible to fake password reset calls,” Kaber said.
An organization’s overall security culture can also play a large role in closing this attack vector, he explained, noting that security training can help raise general awareness, but enforcement is key to a successful implementation.
“When you are asking your staff, both IT support and all other employees, to use multifactor authentication every time they contact the help desk, people are going to ask why,” he said.
Looking ahead, Kaber pointed out that the impact of COVID-19 on how we work is still evolving, but as employers begin to reopen their offices he expects to see a larger variety of work scenarios in the coming 18 to 24 months, which could increase the burden on organizations’ service desks.
“As more companies accept a hybrid work environment or go completely remote, the need for remote IT support is set to increase together with the likelihood of attackers exploiting this security issue,” he said.