Hacking the Helpdesk: Social Engineering Risks (AND HOW TO AVOID THEM) CRAIG CLARK MSC, SDI(A), ITIL, MTA


Post on 13-Apr-2017


Page 1: Hacking the Helpdesk: Social Engineering Risks

Hacking the Helpdesk: Social Engineering Risks (AND HOW TO AVOID THEM)

CRAIG CLARK MSC, SDI(A), ITIL, MTA

Page 2: Overview

This presentation will cover:

• What is Social Engineering?

• Why are Helpdesks targeted?

• What are the most common attack types?

• What is the cost of a successful attack?

• How to prevent an attack

Page 3: What is Social Engineering?

In a security context, Social Engineering (SE) can be defined as:

A combination of social, psychological and information gathering techniques that are used to manipulate people for nefarious purposes.

In other words, SE targets humans rather than technology to exploit weaknesses in an organisation's security. By exploiting this human element, it is possible to gain access to vast amounts of sensitive information, often without the victim's knowledge. This information can then be used for nefarious purposes including:

• Identity/Data Theft

• Corporate Espionage

• Financial Gain

• Unauthorised Access to Buildings or Systems

Page 4: Why are Helpdesks Targeted?

The Helpdesk function plays a key role within the Service Delivery structure of an organisation. Key functions often include:

• Being a first point of contact for an array of queries

• Being the professional (and hopefully helpful) face of an organisation

• Providing quick fixes to a range of common problems such as password resets, application queries or complaints

How well a Helpdesk delivers these functions is often measured by the number of resolved queries or the speed at which they are resolved.

Page 5: Why are Helpdesks Targeted? (continued)

But:

Number of Resolved Requests x Speed of Resolution = SECURITY RISK

Helpdesk agents strive to meet their key functions as quickly and as efficiently as possible. They are trained to give the best service possible as quickly as possible, which means that in most cases "I'm sorry, I cannot do that for you" is not a response that is even considered.

Social Engineers know this, and exploit it to gain access to a variety of information that can be used in a variety of ways.

Page 6: Why are Helpdesks Targeted? (continued)

Examples of information that can be accessed by a Helpdesk include:

• Building Opening Times

• Phone Numbers or Extensions

• Application Status

• User Names

• Passwords

• Password Expiry Dates

• Management Structure

• Personal Identifiable Information

• Payment Information

• Infrastructure Status

• Employee Calendar Information

• Corporate Information

• Email Addresses

• Guest Account Login Details

• Print System Access

• Purchase Order and Invoicing Queries

• Account History, including previous incident numbers

• Active Directory Container Names

Page 7: Common Attack Types

Whaling: Whaling refers to using SE techniques to obtain information relating to the activities, objectives or corporate information held by high-level employees, including directors and executives. Examples include financial reports, global contact lists, and sensitive corporate information. A whaling strategy can be facilitated over a number of months and the rewards can be extremely high.

Impersonating: Impersonation is one of the most common and effective tactics used by Social Engineers when calling a Helpdesk. In many organisations, a security check to verify identity consists of a name and a date of birth, both of which are easily obtainable from many places including social networks, profiles on corporate pages, discarded rubbish etc.

Page 8: Common Attack Types (continued)

Pretexting: Pretexting refers to an attacker assuming a position of authority to elicit information. A common example is for attackers to pose as IT technicians in order to gain an agent's username or password. Once obtained, these details can be used to breach a network and collect large amounts of data.

Quid Pro Quo: This attack uses a promise of a reward in exchange for information. As an example, an attacker can call an agent claiming to be from the HR department and, in exchange for filling in a quick survey delivered by email (which will contain a malicious link), the attacker gives the agent information on an upcoming promotion.

Page 9: Cost of a Successful Attack

The cost of a successful attack, especially one that remains undetected, can have a wide-reaching impact on business operations.

Financial Loss: According to the latest Government Survey, the average cost of a data breach is now £3.14 million per breach. The cost is attributed to business disruption, loss of assets and intellectual property, and costs associated with restoring service and implementing increased security measures.

Reputation Damage: Following a breach, the damage to an organisation's reputation can be catastrophic. Ashley Madison, Hatton Garden Safe Deposit Ltd., and Thomson Holidays have all received negative publicity following recent security breaches.

Page 10: Cost of a Successful Attack (continued)

Litigation: The Information Commissioner's Office (ICO) is responsible for investigating data breaches which contravene the Data Protection Act and other UK legislation that protects personal data.

There is a legal obligation on companies operating in the UK to declare personal data breaches. The ICO can then issue a range of punishments depending on the circumstances. Since 2005, the ICO has issued close to £8 million in fines and issued over 1000 compulsory audit and improvement notices. In addition, investigation findings are periodically published and distributed across media platforms.

Page 11: Attack Prevention

With a robust Information Security strategy, the risks to the Helpdesk from SE attacks can be significantly reduced.

Training: Alerting staff to the dangers of SE, and training them to spot attack types, is one of the most cost-effective strategies. Training should be included as part of the initial induction period, with periodic refreshers as new threats develop. Several training methods can be employed, including:

• Online courses

• Role Playing Scenarios

• Workshops

• Call Monitoring and Feedback

Page 12: Attack Prevention (continued)

Technology: Using the appropriate call handling technology that displays both internal and external numbers (including those that have been withheld) can alert an agent to a possible SE attack. Call monitoring and recording facilities are also highly recommended due to their use as evidence in any breach investigation.

Software: Advances in Cloud Storage (Dropbox, iCloud, OneDrive etc.) capabilities are reducing the need for USB storage, which is a major attack vector for malware and keylogging.

A robust antivirus, antimalware and email screening platform will offer significant protection against many current malicious threats that may arrive via email or instant message.

Page 13: Attack Prevention (continued)

Information Security Policy: Ensuring that your organisation has an in-depth Information Security policy can prevent SE attacks originating from the Helpdesk and beyond. Things to consider within the policy include:

• Can people access only what they need to do their job?

• How is confidential waste destroyed?

• Are calls recorded?

• Can security checks be easily passed (is name, DOB and address sufficient to grant access/password changes etc?)

• What physical security is in place to prevent people obtaining information in person?

• What security training is provided to agents?

• How are breaches investigated?

• Are USB sticks permitted or necessary?

• What email, antivirus, antimalware screening is in place?
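As an added illustration (not part of the presentation), the Python below turns the security-check question above and the Page 7 point that a name and date of birth are easily obtainable into a decision rule an agent's ticketing tool could apply: details an impersonator can collect from open sources never count as proof for a sensitive action, a withheld caller number raises the bar, and anything outside policy is escalated rather than improvised. The factor names, request types and thresholds are assumed policy values, not the author's.

```python
"""Helpdesk verification-strength check (added example; assumed policy values)."""
from dataclasses import dataclass

# Details the slides describe as easily obtainable (social networks,
# corporate profiles, discarded rubbish).  They identify the caller but
# never prove identity for a sensitive action.
PUBLIC_FACTORS = {"name", "date_of_birth", "address", "email_address"}

# Proofs an impersonator cannot supply from open sources (assumed names).
STRONG_FACTORS = {"callback_to_registered_number", "one_time_code_to_registered_device",
                  "manager_confirmation", "in_person_photo_id"}

# Strong factors required before each request type may be actioned (assumed policy).
REQUIRED_STRONG = {
    "building_opening_times": 0,      # public information anyway
    "application_status": 0,
    "password_reset": 1,
    "account_unlock": 1,
    "change_registered_phone": 2,     # changes the callback channel itself
    "payment_information": 2,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    escalate: bool   # True when the agent should hand off rather than simply decline
    reason: str


def evaluate(request_type: str, offered: list[str], caller_id_withheld: bool = False) -> Decision:
    """Decide whether the factors the caller offered are enough for this request."""
    factors = set(offered)
    unknown = factors - PUBLIC_FACTORS - STRONG_FACTORS
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    needed = REQUIRED_STRONG.get(request_type)
    if needed is None:
        # Not covered by policy: never improvise an answer on the phone.
        return Decision(False, True, f"no policy for {request_type!r}")
    if needed == 0:
        return Decision(True, False, "non-sensitive request")
    if caller_id_withheld:
        needed += 1   # a withheld number on a sensitive request is a warning sign
    strong = factors & STRONG_FACTORS
    if len(strong) >= needed:
        return Decision(True, False, f"verified with {sorted(strong)}")
    if not strong:
        return Decision(False, False, "only publicly obtainable details offered")
    return Decision(False, True, f"{needed} strong factor(s) required, {len(strong)} offered")
```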

Page 14: Summary

• Helpdesks, while essential to Service Delivery, are a valuable target for Social Engineering attacks due to the range of information they can access.

• A successful attack can take many forms, including in person, over the phone or via technology.

• Social Engineers can use this information to facilitate a range of activities that can be extremely costly and damaging to an organisation.

• There are many ways that an organisation can reduce social engineering risks.