Security and the IT Help Desk
The deputy director of the FBI recently remarked that there are only two types of organizations:
“Those that know they have been hacked and those that don’t know they have been hacked.”
The changing dynamic of the workplace, brought about by the digital age, has expanded the network perimeter and brought new challenges with it. Attack surfaces have increased exponentially, giving potential intruders almost unlimited leverage.
Looking back over the past 24 months, it is difficult to find a month without a major data breach. This would have been unthinkable 5 years ago.
The direct and indirect costs of these data breaches have been far reaching, damaging organizations’ reputations, brands and the careers of senior management. In addition, the new GDPR legislation brings with it the potential for further draconian penalties. As a result, organizations have invested heavily to protect their infrastructure against intrusion and malicious attacks.
We have known for a long time that security is primarily based on trust. Kevin Mitnick, probably the world’s most famous hacker, argues that the greatest threat to that trust (in respect of data breaches) is social engineering and human behavior. He believes that as it becomes increasingly difficult to exploit technical vulnerabilities, attackers will turn more to exploiting the human element. There is a natural cause and effect.
Hackers are not stupid and will always attack the weakest link in the chain. Cracking the human firewall is often easy and requires no investment beyond the cost of a phone call, so it involves minimum risk. Mitnick asks:
“why should an attacker spend hours trying to break in, when he can do it instead with a simple phone call?”
He argues that, as the human factor is the weakest link, organizations that think the deployment of security products alone offers greater security are merely settling for an illusion of security.
The weak link in any process will always be the one to be exploited. Analysts IDC believe that, in respect of controlling identities and access (to prevent a data breach), the weak link is the password.
Testifying to Congress, Mitnick explained that he could often obtain passwords and other sensitive pieces of information by pretending to be someone else and simply asking for them.
It should come as no surprise, therefore, that the latest Verizon report shows that 80% of data breaches were due to weak, lost or stolen passwords.
In today’s corporate environment, passwords protect your applications and data from unauthorized access. Passwords are a simple and effective way of ensuring that a person is who they say they are.
Whilst analysts will continue to debate the future of passwords, the reality is that they are easy to use, cheap and, in most cases, there is no practical alternative.
It’s not a product, it’s a process.
Most breaches are not down to any inherent weakness in passwords but to the processes and policies that surround them. The Achilles’ heel of most organizations, according to analysts IDC, is the password reset process: those occasions where users need help because they have a password problem.
The password reset process in most organizations lies within the domain of the IT help desk. The help desk has to recognize that it plays a vital role in protecting organizations and their users against data breaches.
The need was graphically illustrated last year when it was revealed that a British teenager had managed to obtain access to sensitive U.S. plans relating to intelligence operations in Middle Eastern countries. The teenager succeeded simply by impersonating former CIA director John Brennan.
In 2015, Kane Gamble, then aged 18, researched Brennan and used the information he gathered to speak to an internet company’s help desk. Gamble persuaded service agents to give him access to Brennan’s email inbox, internet account, iCloud storage and address book.
Gamble, aged 15 at the time, also persuaded a help desk at the FBI that he was the then deputy director, Mark Giuliano. In October 2017 Gamble pleaded guilty to ten charges.
Despite the security risks, IT budget cuts and outsourcing have meant that the password process in many organizations has become the victim of productivity KPIs, the only measure being:
“What is the cost per password reset?”.
Today, with a new emphasis on security, the real and important questions for any manager to ask should be:
What is the authentication process in my service desk today?
Do we have a procedure at all?
How do we monitor that it is followed?
If there is a process, can a user or external person get access to another user’s account?
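The four questions above can be answered concretely in a reset workflow. The following is an added, hypothetical example (not code from the article or from any product it mentions): the agent cannot complete a reset without a one-time code delivered to a contact registered in advance, every attempt is written to an audit list, and a monitoring view lists the attempts that never passed verification. The user directory and the name ResetDesk are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory: the out-of-band contact is registered in
# advance, so a caller cannot supply (or research) it over the phone.
DIRECTORY = {"jbrennan": {"sms": "+1-555-0100 (constructed)"}}


class ResetDesk:
    """Hypothetical help-desk reset workflow: challenge, verify, log."""
    def __init__(self, now=time.time, ttl=300):
        self._now, self._ttl = now, ttl
        self._pending = {}  # username -> (sha256(code), expiry)
        self.audit = []     # one record per attempt, for monitoring

    def start_reset(self, agent, username):
        """Agent opens the ticket; a one-time code goes to the registered
        contact. The agent never sees it (returned here only so the
        simulation can act as the genuine user)."""
        if username not in DIRECTORY:
            self.audit.append({"agent": agent, "user": username,
                               "outcome": "unknown-user"})
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[username] = (digest, self._now() + self._ttl)
        self.audit.append({"agent": agent, "user": username,
                           "outcome": "challenge-sent"})
        return code  # production: send_sms(DIRECTORY[username]["sms"], code)

    def complete_reset(self, agent, username, code):
        """The reset happens only if the caller proves possession of the
        registered contact; knowing the user's name, role or history
        (the Gamble case) is not enough. Each challenge is single-use."""
        record = {"agent": agent, "user": username, "outcome": "denied"}
        pending = self._pending.pop(username, None)
        if pending:
            digest, expiry = pending
            offered = hashlib.sha256(code.encode()).hexdigest()
            if self._now() <= expiry and hmac.compare_digest(digest, offered):
                record["outcome"] = "reset-verified"
        self.audit.append(record)
        return record["outcome"] == "reset-verified"


def unverified_attempts(desk):
    """Monitoring view: every attempt that did not complete verification."""
    return [r for r in desk.audit if r["outcome"] in ("denied", "unknown-user")]
```

A failed or expired challenge is consumed, so the caller has to restart the process rather than retry codes, and the audit list shows exactly which tickets were closed without verification.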
The Service Desk Institute (SDI) undertook a survey in May 2018 of UK-based IT service desk managers, to understand more about how organizations were tackling information security and the implications of GDPR legislation at the service desk.
83% of respondents thought that, despite controls being put in place, it was still possible for a criminal to obtain the password to a legitimate end user’s account via the service desk.
Investment in security is usually spent elsewhere or falls under a separate budget. The help desk’s role in safeguarding against data breaches, and the potential for security to be compromised there, has largely been overlooked, even in the most secure organizations.