Help Desk Personnel are the Side Door for Cybercriminals

By Ryan Bell, Threat Intel Manager, Corvus Insurance

According to Gartner, worldwide end-user spending on security and risk management is projected to total $215 billion in 2024. That is up nearly 15 percent from 2023. This increase in investments is happening for a good reason. Just look at the spike in ransomware attacks alone. According to recent Corvus Insurance research, ransomware attacks increased by 68 percent in 2023 (over 2022), establishing a new record for a single year at 4,496.

Yet, as businesses invest in new and innovative technologies to tighten the perimeter and battle increasingly sophisticated attacks—endpoint detection and response, secure access service edge, identity and access management, the list goes on—many are continuing to leave critical gaps that cybercriminals can and will exploit. One example is the IT help desk.

Help desks are being leveraged as a side door for cybercriminals, and for anyone questioning just how big an oversight this is, look no further than a leading Las Vegas resort. Last September, cybercriminals leveraged LinkedIn to get details on a resort employee, which were then used to socially engineer the IT help desk into resetting the user’s account. That kicked off a cascading series of unfortunate events leading to a full-on ransomware attack. The full impact was apocalyptic: digital key cards for rooms stopped working, credit card terminals shut down, slot machines went out of service, and more.

In a battle where businesses exhaust vast sums of money to mitigate increasingly sophisticated attacks, incidents such as this stand out because the access point, a user account, and the tactics employed were actually both very low-tech. Yet, despite its simplicity, this approach allows attackers to skip several steps in a short amount of time.

As I’ve been hearing more and more lately, “Attackers don’t break in; they log in.” The resort above is by no means alone. Many other companies have been victimized through the help desk and are responding with investments in secure multifactor authentication (MFA), which requires that employees provide multiple types of verification information. MFA is a great first step, but on its own is not enough.

Many businesses fail to seal all gaps by not investing in processes to validate users before help desk personnel comply with requests to reset credentials. As a result, attackers armed with key pieces of personal information needed to pass the verification processes can cajole help desk personnel into resetting account credentials or the MFA method. From there, they gain free rein to an array of privileged information.

To fully seal the side doors and prevent breaches, help desk personnel should employ additional steps, including a multi-step verification process. Multi-step verification requires additional verification factors, which decreases the likelihood of a threat actor taking over an account. The key is asking users to provide details beyond any information that could be gleaned from a site such as LinkedIn or other social media destinations. Yes, that means moving past those overused security questions that rely on relatively accessible information such as your mother’s maiden name, the street you grew up on, or your high school mascot.

Another element that can help is adding visual verification components. This could be as simple as a video call where the employee’s manager or a team member jumps on Zoom to verify that the person is who they say they are. Businesses can also take the next step and employ face-recognition technologies while tying in contextual information.

A final set of verification factors to consider is location, network, and time of day. Each of these can be valuable in verifying that the person is who they say they are.
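One way to combine the checks above into a gate that a ticketing workflow could call before any reset, as an added example that is not from the original article. The factor names, the usual-hours window and the decision rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assumed policy values for illustration; replace with your own.
PUBLIC_FACTORS = {"mothers_maiden_name", "childhood_street", "school_mascot"}
USUAL_HOURS = (time(7, 0), time(19, 0))

@dataclass
class ResetRequest:
    factors_passed: set    # verification factors the caller answered correctly
    visual_verified: bool  # manager or teammate confirmed identity on video
    usual_location: bool   # location matches the user's history
    known_network: bool    # request arrived from a known network
    local_time: time       # time of day where the user normally works
    claims_urgency: bool   # caller is pressing for an immediate reset
    resets_mfa: bool       # request changes the MFA method

def evaluate(req: ResetRequest) -> tuple[str, list[str]]:
    """Return ("approve" | "escalate" | "deny", reasons)."""
    # Answers anyone could find on social media verify nothing.
    if not (req.factors_passed - PUBLIC_FACTORS):
        return "deny", ["only publicly discoverable factors presented"]
    reasons = []
    if not req.usual_location:
        reasons.append("unusual location")
    if not req.known_network:
        reasons.append("unknown network")
    if not (USUAL_HOURS[0] <= req.local_time <= USUAL_HOURS[1]):
        reasons.append("outside usual hours")
    if req.claims_urgency:
        reasons.append("urgency pressure")
    # Any anomaly, or any MFA change, must be backed by visual verification.
    if (reasons or req.resets_mfa) and not req.visual_verified:
        return "escalate", reasons + ["visual verification required"]
    return "approve", reasons

if __name__ == "__main__":
    # Constructed sample: urgent 02:30 MFA reset from an unknown network.
    sample = ResetRequest({"employee_pin"}, False, True, False,
                          time(2, 30), True, True)
    print(evaluate(sample))
```

Logging the returned reasons even on approval gives the security team a record of resets that were granted despite contextual anomalies.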

Train Your Help Desk

Take the time to educate your help desk team on the latest tactics used by attackers. For example, attackers often create a fake sense of urgency, hoping that this need for immediate help or access will result in staff skipping key verification steps and giving the attacker what they are asking for. This is especially true when attackers are impersonating someone high-ranking at the company. Since this is a tried-and-true tactic, all help desk personnel should be trained to spot it and manage it accordingly.

Well-trained help desk employees should also be able to pick up on other cues. For example, when the help desk team asks a series of personal questions, there is an opportunity to not just wait for answers but to pick up on behavioral cues. There may be instances when a help desk employee notices that the caller or person on chat takes an unusual amount of time to answer basic questions. This can be a strong indication that they aren’t who they claim to be.

Stop Oversharing

In addition to the help desk, the company’s security team should work to educate all employees regarding the information they share on social media channels. As many of us know from personal experience, many sites ask the same verification questions when you cannot recall your password. You know the ones—what street you grew up on, the name of your first school, what was your high school mascot, what is your mother’s maiden name, etc. I also know that many people inadvertently share the answers to these questions through the information they post on social media. As a result, they put them out there where anyone can grab them. Work closely with your team to ensure that the information they are tying into key verification questions is not the same as what they could be posting online.

In a world where increasingly sophisticated cybercriminals are waging battle against highly innovative security solutions, the simplicity of a help desk attack stands out, and in all likelihood, other bad actors are taking notice. That’s why companies must act now and take the necessary steps to help ensure that help desk personnel are not giving away the company keys to the wrong people, or even unlocking the door for them.

The good news is that by investing in additional solutions and providing education for help desk personnel and employees in general, you will be able to fortify the help desk side door.


Ryan Bell, Threat Intel Manager, Corvus Insurance

Ryan has been at Corvus Insurance for over a year as the Manager of the Threat Intelligence Team. His role revolves around keeping Corvus insureds a step ahead of threat actors using a wealth of cybersecurity expertise. During his time at Corvus, the Threat Intelligence team has matured proactive alerting and intelligence analytics capabilities, supporting Corvus’s leading loss ratio and stature as a thought leader in cybersecurity. His background includes a graduate degree in sociology, undergraduate degrees in sociology and digital forensics, and numerous experiences starting and leading threat intelligence teams. 

