Undercover
Undercover: A Case of Help Desk Failure
How a lack of coordination between departments at a large bank opened up a big security hole, and what we did about it.
By Anonymous
Me: "Ahh, yes. This is Joe from IT, my password isn't working."
Help desk: "Oh? Did you check to see if the CAPS LOCK key is on?"
(Good first step, I think, shows either knowledge or a clean flow chart.)
Me: "Yes. It just won't work. Can you reset it for me?"
Help desk: "Sure, but let me verify who you are first, OK?"
(Great, I think, they appear to know what they are doing so far.)
Me: "Sure, what do you need?"
Help desk: "Well, your full name."
Me: "Joseph P. Itdirector"
Help desk: "Your employee number?"
Me: "123412345."
(The number was printed in bold letters on Joe's badge.)
Help desk: "Your extension?"
(Good, I'm thinking, it is NOT printed on the badge, but let's try a bit of social engineering.)
Me: "Oh, my base is in New York, but right now I am at extension 223." (That was the extension of the station I was calling from.)
Help desk: "No problem, we just ask for it so we can call back to see if your new password is working after we reset it."
(Uh-oh, I think, BIG PROBLEM!)
Help desk: "OK, I reset it to be 'PASSWORD1' -- all in caps."
Me: "Thank you very much." Then I hung up.
I turned to Joe and said, "Joe, your new password is 'PASSWORD1.'"
Joe nodded his head. "See?" he said triumphantly, "They asked all the right questions!"
"They sure did," I agreed. "The problem is that the only two pieces of information they asked for were your name and employee number. Both of those pieces of information are found on your badge. Does no one ever lose a badge, which contains your bank's name on it, around here?"
This happened with the IT Help Desk people, who should be some of the most trained IT people in the company, and this happened to the IT security director's account.
"But," Joe said, "you are here to do an IT audit. This is social engineering that you just did!"
"Not exactly," I said. "We are here to do a security assessment of IT controls, and two of the controls we have to check are awareness and training. This showed us that some people are not as aware as they should be and maybe more training is needed."
"Well," Joe said somewhat defensively, "I am not the one printing the badges. This is not an IT problem!"
I agree. This is not only an IT problem. This is a problem for the entire organization.
If security professionals today do not see the connection between a physical access badge and the security of their information systems, we have a big problem.
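The two weaknesses in the call above are concrete enough to model: every identifier the help desk checked was printed on the badge, and the "callback" went to whatever extension the caller supplied. The following is an added example, not code from the article or from the bank described in it; the directory contents, the extension of record, the manager one-time code and the `verify_reset` policy are all constructed assumptions. It shows a reset-verification rule that counts only factors a badge thief could not read off the badge and that calls back only at the extension on file.

```python
"""Model of a help-desk password-reset verification policy (added example).

The directory, the extension of record and the manager one-time code below
are constructed values, not data from the article.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory of record: the help desk trusts this, not the caller.
DIRECTORY = {
    "123412345": {
        "name": "Joseph P. Itdirector",
        "extension_of_record": "4410",   # constructed value
        "manager_id": "999000111",       # constructed value
    }
}

# Constructed one-time code issued to the manager out of band.
MANAGER_CODES = {"999000111": "Q7-431"}

# Attributes printed on the physical badge; public once a badge is lost.
PRINTED_ON_BADGE = {"name", "employee_number"}


@dataclass
class ResetRequest:
    employee_number: str
    claimed_name: str
    claimed_callback_extension: str
    # Factors presented by the caller that are NOT on the badge, keyed by name.
    extra_factors: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    callback_extension: Optional[str] = None


def _check_factor(record: dict, name: str, value: str) -> bool:
    """Constructed check: a one-time code read to the caller by their manager."""
    if name == "manager_code":
        return value == MANAGER_CODES.get(record["manager_id"])
    return False


def verify_reset(req: ResetRequest, non_badge_factors_required: int = 1) -> Decision:
    record = DIRECTORY.get(req.employee_number)
    if record is None or record["name"].lower() != req.claimed_name.lower():
        return Decision(False, "no matching directory record")

    # Name and employee number only locate the record; they prove nothing.
    strong = {k: v for k, v in req.extra_factors.items() if k not in PRINTED_ON_BADGE}
    verified = [k for k, v in strong.items() if _check_factor(record, k, v)]
    if len(verified) < non_badge_factors_required:
        return Decision(False, "only badge-printed identifiers were verified")

    # Call back at the extension on file, never one the caller supplies.
    on_file = record["extension_of_record"]
    if req.claimed_callback_extension != on_file:
        return Decision(False,
                        f"caller extension {req.claimed_callback_extension} "
                        f"differs from extension of record; escalate",
                        on_file)
    return Decision(True, "verified", on_file)


def article_scenario() -> Decision:
    """The call in the article: badge data plus a caller-chosen extension."""
    return verify_reset(ResetRequest("123412345", "Joseph P. Itdirector", "223"))


def hardened_scenario() -> Decision:
    """Same caller, but with a non-badge factor and the extension on file."""
    return verify_reset(ResetRequest("123412345", "Joseph P. Itdirector", "4410",
                                     extra_factors={"manager_code": "Q7-431"}))


if __name__ == "__main__":
    print("article call  :", article_scenario())
    print("hardened call :", hardened_scenario())
```

The point of `PRINTED_ON_BADGE` is that the policy is written against the physical artifact: anything a lost badge discloses is demoted to a lookup key, and the decision rests on factors the badge cannot leak plus a callback number the caller never gets to choose.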