Help desk services are a rich entry point for social engineers and technical attackers, but are you prepared?
BETHESDA, Md., July 8, 2013 /PRNewswire-USNewswire/ -- SANS announces the results of its survey on help desk security and privacy, sponsored by RSA, the security division of EMC. The full survey results will be released during a SANS Analyst Webcast on July 16 at 1 p.m. EDT.
Nearly all organizations have a help desk regardless of industry type and size. In the survey, respondents cut across various industries, including government (18%), finance (15%) and education (13%); health care, high tech and telecommunications were also well represented. Survey takers also represented a balance in terms of size of organization, with almost 20% supporting more than 25,000 users and 18% supporting 250 or fewer users.
The enterprise help desk is most often where a user turns to resolve a problem with all matters IT—access, endpoints and service—but for decades, the help desk has offered a back door to enterprise network resources through social engineering.
"One thing is clear—successful help desks need to be highly focused on customer service, yet they can present a security risk for the same reason they are in business—helping a user," explains Barb Filkins, SANS Analyst and author of the report. "The only real way to solve the problem is to build security into the business of help desk—from user-friendly but secure self-service tools, to training agents on ways to detect or prevent socially engineered attacks."
The good news is that awareness of and training for such attacks exists. In this SANS survey on help desk security and privacy, more than 70% of respondents reported that they are aware of social engineering, and some are even training their help desk staff to be suspicious. The bad news is that organizations are not factoring security into the overall help desk budget; security technologies are underutilized, and nearly 40% have weak or no security policy around their help desks.
"Self-service tools are viewed as a way to control costs associated with providing help desk services with live, but more expensive, human attendants," says Filkins. "But the success of automation depends on its usability. On-line tools can be so convoluted and difficult that an end user punches '0' to reach the human on the other end, to be led by the hand through the tool's use. Of course, all savings are lost when this happens."
Do the needs of the business trump the risks imposed by password reset and other self-service provisioning? Is an agent too rushed by resolution time limits to validate a caller's authenticity and successfully distinguish real users from social engineers? Can self-service and authentication be used to avoid these security risks and provide a more secure environment for those deploying such technologies?
Answers to these and other questions will be provided during a July 16 webcast where we release our results. Those who register for this webcast will be given access to the full results, in a whitepaper developed by Barb Filkins. During the webcast, attendees will learn:
- How help desk managers measure success of their transactions
- How to automate user self-service portals for improvements in risk and user education
- What type of user vetting practices should automated and non-automated systems be taking to protect against social engineering attacks and other privacy and security threats identified by survey takers
- How help desk managers view their own approaches to help desk efficiencies and security
- Which budgeting and staffing practices are in use and their effectiveness
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 20 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)
SOURCE SANS Institute