Given the low adoption of self-service solutions, most users today call the service desk to reset, change or unlock their passwords. Gartner calls this the facilitated password reset (FPR) process.
In the film ‘Meet the Fockers’, Robert De Niro’s character broaches the concept with his future son-in-law by introducing him to the ‘circle of trust’, the family circle. The implication is that for anyone inside that circle, trust is established and a different set of rules applies.
The same parallel exists within organizations: people who claim to be fellow employees and who know company procedures and terminology can lead you to believe that they fall inside that circle of trust, and so gain access to certain information.
The role of the service desk is to provide assistance, be a team player and deliver a quality of service that meets users’ expectations. It is human nature to trust our fellow man, particularly when they are part of the same team, which automatically gives them a higher degree of acceptance.
This is a vulnerability that social engineers understand. Cloaking themselves in a veil of believability to achieve their goals, they make the corporate help desk a primary target, both because it assists users with computer-related issues and because agents have elevated system privileges. The most common ploy is to have another person’s account password reset or changed.
No one is immune to being duped by a good social engineer.
Service desk agents may know they shouldn’t give out certain information. However, a number of factors, including the pressure of work, can provide a trigger that a social engineer uses to convince them to override established security procedures.
Even if an organization rises to the challenge, successfully deploys a self-service password reset solution and achieves a consistent 85% adoption rate, it must still recognize that, for whatever reason, a percentage of users will call the service desk for help.
Because passwords underpin the majority of our interactions with computer applications in our personal lives, there is an illusion that the enterprise password reset processes supporting those calls are simple and the issues clear.
However, nothing could be further from the truth. There are multiple ways of implementing a password reset process badly, guaranteeing a lack of compliance with GDPR legislation and increasing the risk of a data breach.
Unlike other processes with such an influence on I.T. service management, such as ITIL and ISO 20000-1, password reset processes have been almost totally ignored. Consequently, there is nothing for organizations to fall back on.
The ISO 27001 security standard deals with the creation and storage of passwords, but not the reset process. The U.K.’s National Cyber Security Centre advises that administrators should “allow users to reset passwords easily, quickly and cheaply”. The problem is that it stops short of saying how this might be achieved.
So how do organizations today handle password resets at the service desk, making sure that they authenticate both the validity of the request and the identity of the user?
A 2018 SDI survey revealed that 35% of organizations surveyed had no clear authentication process, relying instead on the service agent to verify the caller’s identity. Even worse, close to 20% of I.T. service desks do not authenticate end users at all when conducting password resets.
The SDI concluded that these 35% of its members are not only open to security risks, as they dispense credentials without clear and consistent authentication processes, but are also at risk of exacerbating password management challenges by encouraging potentially damaging end-user behavior.
General characteristics of service desks are that:
- Staff turnover is high, with 38% of agents moving within a 12-month period.
- Agents are paid below the mean salary levels within the I.T. department.
- Agents and management are under pressure to deliver a high-quality service and improve their productivity, often measured as a percentage of one-touch resolution or the number of calls handled per hour or day. The time taken to securely authenticate a caller and the drive to process the request as quickly as possible are often in conflict.
- Many service desks are outsourced to companies with lower cost levels but located in countries with high scores on the corruption index.
- Many service desks are outsourced to other companies without checking those companies’ internal I.T. security processes.
- Only a few companies check service desk analysts’ criminal records.
Management needs to reflect on these general characteristics, on the fact that 80% of data breaches are password related, and on the fact that the weak link is the password process and the corporate help desk that owns that process is the primary target. They need to ask themselves whether the service desk can be considered to have the profile of a secure environment, and whether the process of authenticating users should be left to the discretion of individual service agents.
It seems obvious that a facilitated password reset solution should be implemented with security as its primary concern.
That solution must have the following characteristics:
- Management must define the process; it cannot be subjective or rely on individual service agents to decide how to authenticate users.
- The system must be compliant and prevent agents from circumventing the process.
- It must balance the different user security profiles with cost, providing a light-touch process for users who only have access to non-sensitive data but much stronger proofing where users have access to critical data and a breach would have disastrous consequences.
- It cannot rely on static data alone, as that is too easy for social engineers to acquire. The authentication process needs to be adaptive and use dynamic and contextual data.
- The process must provide a complete audit trail, interface with the ITSM desk to update tickets, and be capable of alerting management and users to a potential breach, as GDPR sets a 72-hour window.
- The process must be able to escalate the request if the requirements of the proofing process cannot be met.
Zero trust and adaptive multifactor authentication
The facilitated password reset process requires flexible authentication methods to suit every user’s needs. The authentication process and technology must be easy to use, otherwise users won’t use it. It must also be capable of evolving with the future environment.
When looking at authenticating end-user customers in the finance industry, FIDO based its authentication processes around three factors:
- Something you know – passwords backed by challenge-response questions
- Something you have – devices that support tokens
- Something you are – biometrics
Users inside the circle of trust represent another level of risk, given the range of devices they use, their working practices and the wide range of data they have access to.
A fundamental requirement of a facilitated password reset process is to take into account the dynamics at the desk when dealing with fellow employees, negate the skills of the ‘social engineer’ and enable the service agent to adequately authenticate that the caller is who they say they are.
Research from Kaspersky Lab shows that one third of all security breaches are ‘internal’. Therefore authentication needs to cover both internal employees and external intruders impersonating an employee.
We know that 35% of service desks in the SDI survey had no management process for user proofing, effectively rendering the concept of compliance meaningless.
The SDI subsequently asked the 65% of respondents who had a clear authentication process what method it was based on, to determine to what degree it upheld the principle of trust and helped protect the password as the unique authenticator for the user’s account.
The majority (58%) used a system of authentication based on personal information provided by the end user and validated by a service desk agent. However, personal information such as username, full name or asset IDs, whilst easy for the user to recall, is also relatively easy for third parties to determine.
Another layer of authentication using dynamic and contextual data needs to be added to any proofing process, because such data is practically impossible for an impostor to replicate and it supplements the static data.
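As an added example (not from the original article or any product it references), the following Python sketch shows how the solution characteristics listed earlier and the static-versus-dynamic point just made might be enforced in code: a management-defined policy that requires at least one dynamic factor on top of static details, a stricter tier for users with access to critical data, automatic escalation when proofing falls short, and a hash-chained audit trail that exposes edited or deleted records. The user directory, tier names and factor names are constructed for illustration.

```python
import hashlib, json

# Constructed sample directory (not real data); "tier" is the data-sensitivity
# profile management assigns to each user.
USERS = {"alice": {"tier": "standard"}, "bob": {"tier": "privileged"}}

# Management-defined proofing policy: how many static and dynamic factors each
# tier needs. Static details (name, employee ID, asset tag) never suffice alone.
POLICY = {"standard": {"static": 1, "dynamic": 1},
          "privileged": {"static": 1, "dynamic": 2}}
STATIC_FACTORS = {"employee_id", "full_name", "asset_id"}
DYNAMIC_FACTORS = {"otp_to_registered_phone", "manager_callback",
                   "request_from_managed_device"}
AUDIT_LOG = []  # hash-chained: an edited or removed record breaks verify_audit()

def append_audit(record):
    prev = AUDIT_LOG[-1]["digest"] if AUDIT_LOG else "0" * 64
    digest = hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
    AUDIT_LOG.append(dict(record, prev=prev, digest=digest))

def verify_audit():
    prev = "0" * 64
    for rec in AUDIT_LOG:
        body = {k: v for k, v in rec.items() if k not in ("prev", "digest")}
        expect = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        if rec["prev"] != prev or rec["digest"] != expect:
            return False
        prev = rec["digest"]
    return True

def evaluate_reset(username, verified_factors, agent):
    """Apply POLICY to the factors the agent actually verified on the call.
    Returns "approved" or "escalated"; the agent never chooses the rule."""
    user = USERS.get(username)
    if user is None:
        decision, reason = "escalated", "unknown user"
    else:
        need = POLICY[user["tier"]]
        got_static = len(verified_factors & STATIC_FACTORS)
        got_dynamic = len(verified_factors & DYNAMIC_FACTORS)
        if got_static >= need["static"] and got_dynamic >= need["dynamic"]:
            decision, reason = "approved", "policy satisfied"
        else:
            decision, reason = "escalated", "%s tier needs %d dynamic factor(s), got %d" % (
                user["tier"], need["dynamic"], got_dynamic)
    # Every outcome is recorded, escalations included, so management sees failed
    # proofing attempts and the ITSM ticket can be updated from the same record.
    append_audit({"agent": agent, "user": username, "decision": decision,
                  "reason": reason, "factors": sorted(verified_factors)})
    return decision
```

A call that offers only static details is escalated rather than approved, whatever the agent thinks of the caller, and the privileged tier needs two independent dynamic factors.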
Two-factor authentication is the simplest, most effective way to make sure users really are who they say they are. By verifying your users’ identities before they access your data, it protects your applications and data against unauthorized access due to credential theft.