Why help desk employees are a social engineer's favorite target
Help desk staffers are, by the very nature of the job, rewarded for being helpful; that makes them a perfect target for a social engineer
By Steve Ragan, Staff Writer
July 17, 2013 — CSO —
A new report from the SANS Institute and RSA on help desk security and privacy finds that help desk workers are the easiest victims for a determined social engineer. Because of the metrics they are measured on and the basic requirements of the job, end user and network support operations remain the top target for anyone trying to breach corporate security. The reason is that help desk operators are too helpful, so attackers gain access simply by asking for it.
If you work in an office or remotely from home, you're familiar with the help desk. They're the team that resets passwords, issues email addresses, and helps you fix your computer. Within IT, the help desk is the first line of contact with the rest of the company, and they're tapped to deal with all of the 'minor' problems that don't require contacting a network engineer or administrator.
Help desk staff are judged, and their performance is measured, by a common set of metrics. Typically these are based on time and volume, followed by a third metric, quality, that gauges how well they document their day-to-day dealings with the company and their work. However, because agents are judged chiefly on the number of requests they correctly resolve in a day (volume) and how fast they resolve them (time), SANS says this effectively sets up the human agent as the weakest link in help desk security.
"Agents, especially those working Tier 1 support, are trained to be friendly and get as many calls completed, resolved or transferred as quickly as possible, according to the established KPIs. As a result, an agent may ignore or work around compliance or quality requirements by trying too hard to meet the goals for quantity and timeliness," the report says.
Sixty-nine percent of the participants in the study, which included 900 IT professionals from across the globe, rated social engineering as the biggest threat to help desk security.
At the same time, 27 percent of those respondents also admitted that their help desk security policies were weak. Expanding on that, the study reveals that a majority of the organizations represented rely on basic personal information (e.g. name, location, or employee ID) to verify a caller's identity. The problem is that all of this information can be easily sourced by an impostor, for instance from a company directory or a social networking profile. On top of this, many help desk employees will bypass the verification controls that do exist in an effort to be more helpful to the caller.