Help desk staffers, by the very nature of the position's title and name, are too helpful; and that makes them a perfect target for a social engineering criminal A new report from the SANS Institute and RSA on help desk security and privacy finds help desk workers are the easiest victims for a determined social engineering criminal. Due to metrics and basic job requirements, end user and network support operations are still the top target when it comes to breaching corporate security. The reason is that help desk operators are being too helpful, which results in attackers gaining access simply by asking.If you work in an office or remotely from home, you’re familiar with the help desk. They’re the team that resets passwords, issues email addresses, and helps you fix your computer. Within IT, the help desk is the first line of contact with the rest of the company, and they’re tapped to deal with all of the ‘minor’ problems that don’t require contacting a network engineer or administrator.[Social engineering: The basics]Help desk staff are judged, and their performance is measured, by a common set of metrics. Typically, the metrics are based on time and volume, followed by a third metric of quality that gauges how well they document their day-to-day dealings with the company and all of their work. However, because they are often judged on the number of requests they can correctly solve in a day (volume) and how fast they can solve them (time), SANS says this effectively sets up the human agent to be the weakest link in the security of the help desk.“Agents, especially those working Tier 1 support, are trained to be friendly and get as many calls completed, resolved or transferred as quickly as possible, according to the established KPIs. As a result, an agent may ignore or work around compliance or quality requirements by trying too hard to meet the goals for quantity and timeliness,” the report says. Sixty-nine percent of the participants in the study, which included 900 IT professionals from across the globe, rated social engineering as the biggest threat to help desk security.At the same time, 27 percent of those respondents also noted that they had weak help desk security policies. Expanding on that, the study reveals that a majority of organizations represented use basic personal information (e.g. names, locations, or employee ID) to verify callers into the help desk. The problem here is that all of this information can be easily sourced by an imposter. On top of this, many help desk employees will bypass security controls in an effort to be more helpful to the caller. Another issue created by a lack of security policy and helpfulness is the inclusion sensitive information into the help desk database. The report cites one example where personal information, as well as other sensitive data (such as personal health information), would be transmitted via email from the help desk.[9 dirty tricks: Social engineers’ favorite pick up lines]Since all of these transactions are logged, the database is now full of sensitive data that shouldn’t be there. The same problem applies to notes taken by the help desk agent, which can also include (and does in many cases) sensitive data that is then stored and logged.The study says that the root of the problem is a lack of training, tools, and technology. More than half of the respondents claimed only a moderate approach to help desk security as part of their overall corporate security controls, and they’re not necessarily focusing on training or additional technologies for day-to-day activities.In fact, more than 40 percent of the respondents said that the cost of a security incident was not taken into account when establishing the help desk budget; rather the budgets are determined by the number of users serviced.“When it comes to areas of risk, most organizations consider their endpoints, servers and critical applications. What they dont consider enough, according to the results of this survey, is the help desk. Help desk services are a rich entry point for social engineers and technical attackers. Help desks — and their applications — hold the “keys to the kingdom” to better serve user requests,” the report concludes. Related content news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability brandpost The advantages and risks of large language models in the cloud Understanding the pros and cons of LLMs in the cloud is a step closer to optimized efficiency—but be mindful of security concerns along the way. By Daniel Prizmant, Senior Principal Researcher at Palo Alto Networks Oct 03, 2023 5 mins Cloud Security news Arm patches bugs in Mali GPUs that affect Android phones and Chromebooks The vulnerability with active exploitations allows local non-privileged users to access freed-up memory for staging new attacks. By Shweta Sharma Oct 03, 2023 3 mins Android Security Vulnerabilities news UK businesses face tightening cybersecurity budgets as incidents spike More than a quarter of UK organisations think their cybersecurity budget is inadequate to protect them from growing threats. By Michael Hill Oct 03, 2023 3 mins CSO and CISO Risk Management Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe