A survey revealed that 48% of organizations don’t have a user verification policy for password resets, which could pave the way for social engineering vulnerabilities among IT help desks.

Despite the rise in identity theft across various sectors globally, some organizations are still not maintaining a robust verification process to secure their employee data. According to a survey from Specops Software, nearly 48% of organizations don’t have a user verification policy in place for incoming calls to IT service desks. The survey, based on the responses from more than 200 security leaders from the private and public sectors in North America and Europe, found that 28% of the companies that are having user verification policies are not satisfied with their current policy due to security and usability issues.

It was also found that most organizations rely on knowledge-based questions like what is employee ID, manager’s name, or HR-based information like what an employee’s date of birth or address is. This data can be easily obtained by cybercriminals.

Despite several self-service password-reset options, most organizations go to the IT help/service desk for resetting passwords. Threat actors often target an unwitting remote workforce with various social engineering attacks by impersonating an IT service desk. Besides, the National Institute of Standards and Technology (NIST) urged organizations to avoid using knowledge-based questions, for which the answers are based on static information pulled from Active Directory or HR systems.

What is a user verification policy?

A user verification or authentication policy is a process to verify a user who is attempting to access services and applications. The verification can be performed via a variety of authentication methods like entering a password, using two-factor authentication (2FA), or multi-factor authentication (MFA) methods. Verifying users helps determine the appropriate access privileges to the users and also minimizes the risk from hacker intrusions. With the spike in digitalization, organizations must ensure that the right users are given access to the critical digital infrastructure.

“Based on our recent findings, password resets at the service desk are a serious vulnerability for organizations of all sizes. In the absence of a self-service password reset solution, it is up to the service desk agent to verify that the caller is the legitimate owner of the account before issuing a new password. Unfortunately, without a secure verification policy in place, service desk agents can provide account access to unauthorized users without even knowing it – exposing businesses to an increased risk of costly cybersecurity breaches,” said Marcus Kaber, CEO of Specops Software.

Curtesy: cisomag.eccouncil.org