Why help desk employees are a social engineer's favorite target

Help desk staffers are too helpful, and that makes them a perfect target for social engineering criminals

A new report from the SANS Institute and RSA on help desk security and privacy finds that help desk workers are the easiest victims for a determined social engineering criminal. Because of the metrics they are measured against and the basic requirements of the job, end user and network support operations remain the top target for anyone trying to breach corporate security. The reason is that help desk operators are being too helpful, which means attackers can gain access simply by asking.

If you work in an office or remotely from home, you're familiar with the help desk. They're the team that resets passwords, issues email addresses, and helps you fix your computer. Within IT, the help desk is the first line of contact with the rest of the company, and they're tapped to deal with all of the 'minor' problems that don't require contacting a network engineer or administrator.


Help desk staff are judged, and their performance is measured, by a common set of metrics. Typically, the metrics are based on time and volume, followed by a third metric of quality that gauges how well they document their day-to-day dealings with the company and all of their work. However, because they are often judged on the number of requests they can correctly solve in a day (volume) and how fast they can solve them (time), SANS says this effectively sets up the human agent to be the weakest link in the security of the help desk.

"Agents, especially those working Tier 1 support, are trained to be friendly and get as many calls completed, resolved or transferred as quickly as possible, according to the established KPIs. As a result, an agent may ignore or work around compliance or quality requirements by trying too hard to meet the goals for quantity and timeliness," the report says.

Sixty-nine percent of the participants in the study, which included 900 IT professionals from across the globe, rated social engineering as the biggest threat to help desk security.

At the same time, 27 percent of those respondents also noted that they had weak help desk security policies. Expanding on that, the study reveals that a majority of the organizations represented use basic personal information (e.g. name, location, or employee ID) to verify callers to the help desk. The problem is that all of this information can be easily sourced by an impostor. On top of this, many help desk employees will bypass security controls in an effort to be more helpful to the caller.
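The verification weakness described above can be made concrete as policy logic. The following is an added example, not code from the report or from SANS/RSA: a small caller-verification policy in which knowledge of basic personal data (name, location, employee ID) never counts as verification on its own, an out-of-band factor is required, and repeated weak-only attempts against the same account are counted so the help desk can escalate instead of continuing to answer. The factor names, the lockout threshold and the sample accounts are constructed for illustration.

```python
"""Help desk caller-verification policy (added illustration, assumed factor names)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Facts an impostor can source from public records or a directory listing.
# They may be collected for the ticket, but they never verify the caller.
WEAK_FACTORS = {"name", "location", "employee_id", "manager_name"}

# Out-of-band factors that require control of something on record for the
# account (a phone number, a registered device, a manager's confirmation).
STRONG_FACTORS = {
    "callback_to_number_on_record",
    "one_time_code_to_registered_device",
    "manager_confirmation",
}


@dataclass
class VerificationPolicy:
    """Decides whether a caller is verified and tracks weak-only attempts per account."""

    lockout_threshold: int = 3  # constructed value; tune to the organisation
    failed_attempts: dict = field(default_factory=lambda: defaultdict(int))

    def evaluate(self, account: str, factors_passed: set[str]) -> tuple[bool, str]:
        # Too many weak-only attempts: stop answering and hand to security.
        if self.failed_attempts[account] >= self.lockout_threshold:
            return False, "account locked for help desk verification: escalate to security"

        unknown = factors_passed - STRONG_FACTORS - WEAK_FACTORS
        if unknown:
            return False, f"unrecognised factor(s): {sorted(unknown)}"

        strong = factors_passed & STRONG_FACTORS
        if strong:
            self.failed_attempts[account] = 0
            return True, f"verified via {sorted(strong)}"

        # Only publicly sourceable facts were supplied: count it, do not verify.
        self.failed_attempts[account] += 1
        return False, (
            "only weak (publicly sourceable) factors supplied: "
            "require an out-of-band factor before any account change"
        )

    def accounts_over_threshold(self) -> list[str]:
        """Accounts that have hit the lockout threshold; useful as an alert feed."""
        return sorted(a for a, n in self.failed_attempts.items()
                      if n >= self.lockout_threshold)


if __name__ == "__main__":
    policy = VerificationPolicy()
    # Constructed scenario: caller knows the name and employee ID only.
    print(policy.evaluate("jdoe", {"name", "employee_id"}))
    # Same account, this time confirmed by calling back the number on record.
    print(policy.evaluate("jdoe", {"name", "callback_to_number_on_record"}))
```

The decision is deliberately binary on the presence of an out-of-band factor rather than a point score, so that an agent under time pressure cannot accumulate enough "easy" facts to pass a caller. The per-account counter gives the security team a signal (repeated weak-only attempts on one account) that the survey's metrics-driven help desk would otherwise never surface.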

Another issue created by a lack of security policy, combined with helpfulness, is the inclusion of sensitive information in the help desk database. The report cites one example where personal information, as well as other sensitive data (such as personal health information), would be transmitted via email from the help desk.


Since all of these transactions are logged, the database is now full of sensitive data that shouldn't be there. The same problem applies to notes taken by the help desk agent, which can also include (and does in many cases) sensitive data that is then stored and logged.
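One control for the logging problem described in the two paragraphs above is to scrub ticket notes before they are written to the help desk database. The following is an added example, not code from the report: a redaction pass over an agent's free-text note that removes SSN-shaped values, card numbers that pass a Luhn check (so ticket or phone numbers are left alone), and anything written after "password is" or "password:", and that flags health-related wording for review without altering it. The patterns, keyword list and sample note are constructed for illustration and will need extending for a real environment.

```python
"""Redact sensitive data from help desk ticket notes before storage (added illustration)."""
from __future__ import annotations

import re

# Constructed patterns; a real deployment would add local ID formats.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*(?:is|[:=])\s*(\S+)")
HEALTH_TERMS = ("diagnosis", "prescription", "medical", "patient")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(note: str) -> tuple[str, list[str]]:
    """Return (scrubbed note, list of finding types) for one agent note."""
    findings: list[str] = []

    def ssn_sub(m: re.Match) -> str:
        findings.append("ssn")
        return "[REDACTED-SSN]"

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card")
            return "[REDACTED-CARD]"
        return m.group(0)  # not a card number: leave ticket/reference numbers intact

    def password_sub(m: re.Match) -> str:
        findings.append("password")
        prefix = m.group(0)[: m.start(1) - m.start(0)]  # keep "password is "
        token = m.group(1)
        trailing = token[len(token.rstrip(".,;")):]  # keep sentence punctuation
        return prefix + "[REDACTED]" + trailing

    note = SSN_RE.sub(ssn_sub, note)
    note = CARD_CANDIDATE_RE.sub(card_sub, note)
    note = PASSWORD_RE.sub(password_sub, note)

    # Health information is flagged for a human reviewer rather than auto-edited,
    # since keyword matching cannot tell a diagnosis from an unrelated sentence.
    if any(term in note.lower() for term in HEALTH_TERMS):
        findings.append("health_keyword")
    return note, findings


# Constructed sample note of the kind the report describes ending up in ticket logs.
SAMPLE_NOTE = (
    "Caller Jane (emp 4471) reset; her SSN is 123-45-6789, card 4111 1111 1111 1111, "
    "temporary password is Winter2024!. Also mentioned her diagnosis of asthma."
)

if __name__ == "__main__":
    scrubbed, found = redact(SAMPLE_NOTE)
    print(scrubbed)
    print("findings:", found)
```

The findings list is worth recording separately from the note: counting how often agents paste SSNs, card numbers or passwords into tickets is a direct measure of the policy gap the survey describes, and it is a metric that can sit alongside the time and volume figures agents are already judged on.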

The study says that the root of the problem is a lack of training, tools, and technology. More than half of the respondents claimed only a moderate approach to help desk security as part of their overall corporate security controls, and they're not necessarily focusing on training or additional technologies for day-to-day activities.

In fact, more than 40 percent of the respondents said that the cost of a security incident was not taken into account when establishing the help desk budget; rather, budgets are determined by the number of users serviced.

"When it comes to areas of risk, most organizations consider their endpoints, servers and critical applications. What they don't consider enough, according to the results of this survey, is the help desk. Help desk services are a rich entry point for social engineers and technical attackers. Help desks -- and their applications -- hold the 'keys to the kingdom' to better serve user requests," the report concludes.
