A new report from the SANS Institute and RSA on help desk security and privacy finds help desk workers are the easiest victims for a determined social engineering criminal. Due to metrics and basic job requirements, end user and network support operations are still the top target when it comes to breaching corporate security. The reason is that help desk operators are being too helpful, which results in attackers gaining access simply by asking.
If you work in an office or remotely from home, you're familiar with the help desk. They're the team that resets passwords, issues email addresses, and helps you fix your computer. Within IT, the help desk is the first line of contact with the rest of the company, and they're tapped to deal with all of the 'minor' problems that don't require contacting a network engineer or administrator.
Help desk staff are judged, and their performance is measured, by a common set of metrics. Typically, the metrics are based on time and volume, followed by a third metric of quality that gauges how well they document their day-to-day dealings with the company and all of their work. However, because they are often judged on the number of requests they can correctly solve in a day (volume) and how fast they can solve them (time), SANS says this effectively sets up the human agent to be the weakest link in the security of the help desk.
"Agents, especially those working Tier 1 support, are trained to be friendly and get as many calls completed, resolved or transferred as quickly as possible, according to the established KPIs. As a result, an agent may ignore or work around compliance or quality requirements by trying too hard to meet the goals for quantity and timeliness," the report says.
Sixty-nine percent of the participants in the study, which included 900 IT professionals from across the globe, rated social engineering as the biggest threat to help desk security.
At the same time, 27 percent of those respondents also noted that they had weak help desk security policies. Expanding on that, the study reveals that a majority of organizations represented use basic personal information (e.g. names, locations, or employee ID) to verify callers into the help desk. The problem here is that all of this information can be easily sourced by an imposter. On top of this, many help desk employees will bypass security controls in an effort to be more helpful to the caller.
Another issue created by a lack of security policy and helpfulness is the inclusion sensitive information into the help desk database. The report cites one example where personal information, as well as other sensitive data (such as personal health information), would be transmitted via email from the help desk.
Since all of these transactions are logged, the database is now full of sensitive data that shouldn't be there. The same problem applies to notes taken by the help desk agent, which can also include (and does in many cases) sensitive data that is then stored and logged.
The study says that the root of the problem is a lack of training, tools, and technology. More than half of the respondents claimed only a moderate approach to help desk security as part of their overall corporate security controls, and they're not necessarily focusing on training or additional technologies for day-to-day activities.
In fact, more than 40 percent of the respondents said that the cost of a security incident was not taken into account when establishing the help desk budget; rather the budgets are determined by the number of users serviced.
"When it comes to areas of risk, most organizations consider their endpoints, servers and critical applications. What they don't consider enough, according to the results of this survey, is the help desk. Help desk services are a rich entry point for social engineers and technical attackers. Help desks -- and their applications -- hold the "keys to the kingdom" to better serve user requests," the report concludes.