Security-Service-Desk

The Security Question at the Service Desk

The service desk has long been recognized as a potential vulnerability for enterprises – especially in the age of social media. The modern cyber threat artist is like the Viking raiders of the 10th century. They search the coast for weak points, storm the defenses and take away their spoils before the defenders can react.

Though strong security technology exists to protect enterprises from the bits and bytes that could threaten them, leaders today must take a further step and prepare their defenses to the threats that social media attacks present. According to Exploits at the Endpoint: SANS 2018 Threat Landscape Survey, phishing, ransomware and advanced persistent threat (APT) attacks are on the rise. In the first months of 2018, companies lost millions of dollars because of ransomware.

Of course, the service desk exists to be helpful, but when service desk employees do not have the proper training, they can inadvertently offer information to people who are not authorized to receive it. This is a verbal form of the kind of phishing attack we see on the internet and in email. The service desk cannot prevent cyber threats, but well-trained service desk agents can. In fact, they may just be the best and most cost-effective solution to protecting the enterprise.

An end user typically calls the service desk when they believe services on their device or the application they are accessing are running slowly. This is the first alert point. Agents need to be trained and have the tools to quickly evaluate the security implications of what the end user is experiencing. Too often, the first priority is restoring the end user to full service and closing a ticket, when really there should be concurrent action with the security team(s) to assess what caused the event.

Validating the caller is often a secondary event, if it occurs at all – and this is where the social media conmen excel. By acting as a troubled and none-too-bright end user, a social media grifter will ask for more and more information, and the unsuspecting service desk agent will offer more and more assistance in their effort to resolve the perceived issue.

When embarking on securing your service desk, keep in the mind the following key tasks:

  1. Create a thorough security policy. Disseminate it to the entire enterprise. Then monitor compliance and enforce the rules.
  2. Develop a risk exception process. Due to the ever-increasing complexity of today’s enterprise IT environment, the rapid evolution of technology and the continual assimilation of companies into external networks, exceptions at the service desk are inevitable. A risk exception process evaluates and weighs the risks of issues or actions that violate information security policies and standards against the needs of the business. The ultimate objective of any risk exception is to fully remediate the identified violation and align it with corporate policy.
  3. Train service desk agents on system access standards. And plan to refresh training on at least a semi-annual basis. Restrict access to any enterprise system to the least privilege possible in alignment with business need. One of the best guides for validation of authorized users is the recently published NIST Digital Identity Guidelines: Authentication and Lifecycle Management.
  4. Use a role-based access control (RBAC) methodology to properly assign authorizations. Put in place approved corporate authentication solutions whenever possible to ensure proper identity tracking. Limit administrative access to systems to only those individuals who absolutely require elevated privileges and then only through approved methods. Prohibit use of shared system accounts unless authorized by information security. Refer to authentication requirements in the Information Security Authentication Standard.
  5. Expect all end users to conduct themselves in a professional manner. Make known the enterprise code of conduct and other applicable policies and guidelines and ensure end users follow them when using or accessing any enterprise technology resource. Enterprise technology resources may include, but are not limited to:
  • Client computing systems
  • Electronic messaging
  • Telephony and cellular phone usage
  • Handheld device usage
  • Internet usage
  • Internal Application usage
  • Service desk access

Standards, training and constant monitoring are the keys to a secure service desk and end user environment. ISG helps companies secure their service desks against real threats today and potential threats tomorrow. Contact me to discuss further.

About the author

Andy assists clients in the rationalization and selection of service providers in the complex technology and retail industry segments. His experience and technical knowledge in the service desk and end user computing areas is critical in helping clients recognize the industry trends and business impacts.