Ask a typical helpdesk technician what they do all day, and they will most likely tell you that they reset passwords. Sure, helpdesk technicians do plenty of other things too, but in many organizations a disproportionate share of helpdesk calls involve password resets.
On the surface, having a helpdesk technician reset a user's password probably doesn't seem like a big deal. After all, the technician simply opens Active Directory Users and Computers, right-clicks the user account, and chooses the Reset Password command from the shortcut menu. Resetting a password this way is a straightforward process. Organizations can also use an alternative tool such as the Windows Admin Center or PowerShell if they prefer.
One thing that most people probably don't stop to think about, however, is that even though the individual steps of the password reset process are simple enough, the process as a whole constitutes a significant security risk.
Security and the services desk
The first step in the password reset process is a user picking up the phone and calling the helpdesk to request a reset. The problem is that the helpdesk technician who answers the phone has no way of knowing whether the caller is actually who they claim to be.
Positively establishing a caller's identity was less of a problem when nearly all users worked in the corporate office, because a user's caller ID information could sometimes be used as a validation tool. Although using caller ID this way does not completely eliminate the possibility of one user spoofing another user's identity, it does mean that a user who wants to impersonate a colleague would have to call the helpdesk from that colleague's desk.
Today, of course, things are very different than they once were. As the pandemic drags on, many employees continue to work from home. Even when the day comes when people can safely return to the office, a significant share of employees will probably continue to work remotely.
Unfortunately, caller ID is not an effective tool for validating a remote user's identity. When a remote user contacts the organization's helpdesk, they are calling from an outside line, and it is very easy for an external caller to spoof caller ID information. Telemarketers and phone scammers use this technique all the time; fraudsters will often, for example, alter their caller ID information to make it appear as though they are calling from a government agency or a major corporation. Simply put, caller ID can't be trusted for calls originating outside the organization.
So, if caller ID information is not trustworthy, organizations have to consider how best to validate a user's identity when they call the helpdesk to request a password reset.
One particularly common validation method is to ask the user a security question. The technician might, for instance, ask the caller what their pet's name is or what city they were born in. Unfortunately, this method also poses a security risk.
The most obvious risk posed by security questions is that the Internet makes it relatively easy to gather personal information about an individual. An attacker might make several calls to an organization's helpdesk just to learn what kinds of security questions it asks. Once the attacker knows the questions that are most likely to be asked, they can use search engines and social media to research a specific user's answers to those questions.
The other big problem with security questions is that the helpdesk technician learns the answer to the question. An unscrupulous technician could then use this information for illicit purposes.
This brings up an important point. There is nothing stopping an unethical helpdesk technician from performing an unrequested password reset. The technician might realize that a particular user is going to be on vacation for a week, and then reset the user's password so that they or someone else can access the account during the employee's absence.
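One way a defender can catch the unrequested reset described above is to reconcile password reset events from the domain controllers against the helpdesk ticket queue: every reset should trace back to a ticket in which the requester's identity was verified. The following is an added example, not code from the article or from Specops. The event records are constructed, simplified stand-ins for Windows Security event ID 4724 ("An attempt was made to reset an account's password"), the ticket records are an assumed export from a ticketing system, and the field names and the two-hour ticket window are assumptions.

```python
"""Flag helpdesk password resets that have no matching, identity-verified ticket.

Added example (not from the original article). Event and ticket records are
constructed sample data; field names and the ticket window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed 4724-style reset events: who performed the reset, on which account, when.
# The 4738 record ("A user account was changed") is included to show non-reset events are ignored.
RESET_EVENTS = [
    {"event_id": 4724, "time": "2021-06-14T09:05:00", "subject": "hd_alice", "target": "jsmith"},
    {"event_id": 4724, "time": "2021-06-14T13:40:00", "subject": "hd_bob", "target": "mjones"},
    {"event_id": 4724, "time": "2021-06-15T02:15:00", "subject": "hd_bob", "target": "kpatel"},
    {"event_id": 4738, "time": "2021-06-15T08:00:00", "subject": "hd_alice", "target": "jsmith"},
]

# Constructed helpdesk tickets: which account asked for a reset and whether identity was verified.
TICKETS = [
    {"id": "INC-1001", "target": "jsmith", "opened": "2021-06-14T08:55:00", "identity_verified": True},
    {"id": "INC-1002", "target": "mjones", "opened": "2021-06-14T13:30:00", "identity_verified": False},
]

TICKET_WINDOW = timedelta(hours=2)  # assumed: a reset must follow its ticket within this window


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_resets(events, tickets, window=TICKET_WINDOW):
    """Return reset events that lack a ticket, or whose ticket never verified the requester."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4724:
            continue  # only password resets are in scope
        when = _ts(ev["time"])
        # A ticket matches if it is for the same account and was opened shortly before the reset.
        matching = [
            t for t in tickets
            if t["target"] == ev["target"]
            and timedelta(0) <= when - _ts(t["opened"]) <= window
        ]
        if not matching:
            findings.append({**ev, "reason": "no ticket"})
        elif not any(t["identity_verified"] for t in matching):
            findings.append({**ev, "reason": "identity not verified", "ticket": matching[0]["id"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(RESET_EVENTS, TICKETS):
        print(f"{f['time']} {f['subject']} reset {f['target']}: {f['reason']}")
```

On the constructed data this reports two resets: the one for `mjones`, whose ticket never recorded identity verification, and the off-hours reset of `kpatel`, which has no ticket at all. In production the events would come from a SIEM or the Security log and the tickets from the service desk's API; the reconciliation logic stays the same.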
Best practices for service desk password reset
Needless to say, there are some significant risks associated with the password reset process. The best way to overcome these challenges is to adopt a third-party password solution that can securely verify a user's identity before a password reset is performed. There are several ways in which Specops Software can do this. One example involves sending a one-time code to the user's mobile device. Additionally, the Specops solution prevents helpdesk technicians from arbitrarily resetting passwords: a technician cannot reset a password until the user has validated their identity, making it impossible for a technician to perform an unauthorized password reset.
Learn more about how Specops can improve password reset security.
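The control described above has three properties worth making explicit: the code is delivered to something the user possesses, it is short-lived and guessing-limited, and the technician's reset action is refused until verification succeeds and is consumed by exactly one reset. The example below is added here to illustrate those properties; it is not Specops' code or the article's, and the directory back end, the delivery channel and the clock are stand-ins (assumptions) so that it runs offline.

```python
"""Gate helpdesk password resets behind a one-time code the user must read back.

Added example, not code from the article or from Specops. The directory is a
dict standing in for Active Directory, send_code stands in for SMS delivery,
and the clock is injectable so expiry can be exercised offline.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=5)   # assumed validity window for the one-time code
MAX_ATTEMPTS = 3                  # assumed cap on wrong guesses per code


@dataclass
class PendingVerification:
    code: str
    expires: datetime
    attempts: int = 0
    verified: bool = False


class ResetGate:
    def __init__(self, send_code, clock, directory):
        self._send_code = send_code    # callable(user, code): delivers the code to the user's device
        self._clock = clock            # callable() -> datetime
        self._directory = directory    # dict user -> password (stand-in for AD)
        self._pending = {}
        self.audit_log = []

    def request_reset(self, user):
        """Step 1: the user asks for a reset; a fresh code goes to their registered device."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingVerification(code, self._clock() + CODE_TTL)
        self._send_code(user, code)
        self._audit("code_issued", user=user)

    def verify(self, user, submitted_code):
        """Step 2: only a correct, unexpired code within the attempt cap verifies the user."""
        p = self._pending.get(user)
        if p is None or self._clock() > p.expires or p.attempts >= MAX_ATTEMPTS:
            self._audit("verify_rejected", user=user)
            return False
        p.attempts += 1
        if hmac.compare_digest(p.code, submitted_code):  # constant-time comparison
            p.verified = True
            self._audit("verified", user=user)
            return True
        self._audit("verify_failed", user=user)
        return False

    def reset_password(self, technician, user, new_password):
        """Step 3: the technician's reset is refused unless the user verified first."""
        p = self._pending.get(user)
        if p is None or not p.verified or self._clock() > p.expires:
            self._audit("reset_refused", user=user, technician=technician)
            raise PermissionError(f"{user} has not verified their identity")
        del self._pending[user]  # single use: another reset needs a new request and code
        self._directory[user] = new_password
        self._audit("reset_done", user=user, technician=technician)
        return True

    def _audit(self, action, **fields):
        self.audit_log.append({"time": self._clock().isoformat(), "action": action, **fields})


def demo():
    """Walk the flow with a controllable clock; returns each outcome for inspection."""
    delivered, directory = {}, {"jsmith": "old-password"}
    now = [datetime(2021, 6, 14, 9, 0, 0)]
    gate = ResetGate(send_code=lambda u, c: delivered.__setitem__(u, c),
                     clock=lambda: now[0], directory=directory)
    out = {}
    try:                                   # reset with no verification at all
        gate.reset_password("hd_alice", "jsmith", "new-1")
        out["unverified_reset"] = "allowed"
    except PermissionError:
        out["unverified_reset"] = "refused"
    gate.request_reset("jsmith")
    wrong = "000000" if delivered["jsmith"] != "000000" else "999999"
    out["wrong_code"] = gate.verify("jsmith", wrong)
    out["right_code"] = gate.verify("jsmith", delivered["jsmith"])
    out["reset_after_verify"] = gate.reset_password("hd_alice", "jsmith", "new-1")
    try:                                   # replaying the consumed verification
        gate.reset_password("hd_alice", "jsmith", "new-2")
        out["replayed_reset"] = "allowed"
    except PermissionError:
        out["replayed_reset"] = "refused"
    gate.request_reset("jsmith")           # expired code
    now[0] += CODE_TTL + timedelta(seconds=1)
    out["expired_code"] = gate.verify("jsmith", delivered["jsmith"])
    out["password"] = directory["jsmith"]
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points carry the security value: the technician never sees or enters the code (it is compared server-side, so a dishonest technician learns nothing reusable, unlike a security-question answer), and `reset_password` is the only path that writes to the directory, so an unrequested reset cannot happen without leaving a refused attempt in the audit log.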
Some parts of this article are sourced from:
thehackernews.com