
To Serve and Secure: the help desk is your front line of defense

  • Writer: midoriconnolly
  • Jan 5, 2024
  • 2 min read



Harden your first line of defense - your help desk! 🔒🛡️


As some of the highest-profile cyber attacks of 2023 showed, your help desk is your front line of defense. One simple action by a well-meaning employee gave the threat actors what they needed to reset a user's password and MFA, and from that foothold they went on to compromise the organization's systems. No software vulnerability was required to get in; a convincing phone call was enough.

So, what can you do to secure your help desk? Here are some best practices:


-Security Controls. Never allow a password and MFA to be reset simultaneously. Just don't. A caller who gets both in one ticket walks away with a fully working account; if the second reset has to wait, or has to go through a separate and stronger verification path, a single persuasive call is no longer enough.


-Fix your Identity Verification. As much as possible, use rigorous and/or out-of-band verification methods for password and/or MFA resets. When I worked at Yubico, one customer required the employee to provide the serial number from the employee's physical YubiKey to verify their identity. Other customers have required a video call on which the employee shows a picture ID. In telephone voting, voters have been mailed a code that they must provide in order to authenticate. A similar approach could work for employees: deliver a one-time code over a channel that is already on file and that the caller cannot already control (never the mailbox or phone number whose credentials are being reset), and require it before any reset goes ahead.


-Education!

 -SHIELDS UP, help desk! Educate your help desk professionals. Consider running ethical hacking exercises, such as simulated social-engineering calls against the help desk, to give them a chance to experience a threat actor's tactics first-hand, then train up those who fail the exercise. Integrate security awareness training into general process training wherever possible.

 -BE KIND, rest of the workforce! Educate all employees that there is a rigorous process for resetting passwords and MFA, and that it will not be skipped because someone is in a hurry or sounds important. Remind them that the protocol protects them and their fellow coworkers from what could be dangerous threats.


-Level up your MFA. Someone once told me you have to say something six times for people to hear it. But it's probably been said more like 6 million times that using phishing-resistant MFA is basically the single most effective way to protect your organization. I mean, I can't think of a single security advisory I've seen that doesn't mention MFA. But focus on FIDO-based authentication such as YubiKeys from Yubico, where the credential is bound to the legitimate site's origin, so a look-alike login page or a caller asking for "the code" gets nothing usable. There, make it 6,000,001 times you've heard this.
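The two procedural controls above (never reset password and MFA together, and demand fresh out-of-band verification before any reset) as a worked example. This is added illustration, not code from the post or from any vendor: the employee record, the hardware-key serial, the contact channel, the cooling-off and expiry timings, and names such as ResetPolicy and request_reset are all this example's own assumptions.

```python
"""Help-desk credential-reset policy (added example, not from the post).

Controls enforced:
  * a password reset and an MFA reset for the same account are never
    approved together: after one, the other is refused for a cooling-off
    window, so a caller who talks an agent into one cannot get both;
  * every reset needs fresh out-of-band identity verification first: a
    one-time code sent to a channel already on file (not the account being
    reset), or the serial of the registered hardware key. Codes expire,
    are single-use and lock out after a few bad guesses.
All identities, serials, channels, timings and the clock are constructed
sample data chosen for this example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

COOLING_OFF_SECONDS = 24 * 3600   # assumed gap required between a password and an MFA reset
CODE_TTL_SECONDS = 10 * 60        # assumed lifetime of an out-of-band code
VERIFIED_TTL_SECONDS = 15 * 60    # how long a passed check stays usable for one reset
MAX_CODE_ATTEMPTS = 3


@dataclass
class Employee:
    user_id: str
    oob_channel: str                  # contact channel on file, independent of the account
    key_serial: Optional[str] = None  # serial of the registered hardware key, if any


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class ResetPolicy:
    def __init__(self, directory: Dict[str, Employee], clock: Callable[[], float] = time.time):
        self.directory = directory
        self.clock = clock
        self.challenges: Dict[str, Challenge] = {}
        self.verified: Dict[str, float] = {}                 # user -> time a check passed
        self.last_reset: Dict[Tuple[str, str], float] = {}  # (user, credential) -> time
        self.audit: List[str] = []

    def issue_oob_code(self, user_id: str) -> str:
        """Send a one-time code to the channel on file. It is returned here only so
        the scenario can simulate the employee reading it back; an agent never sees it."""
        emp = self.directory[user_id]
        code = f"{secrets.randbelow(10**8):08d}"
        self.challenges[user_id] = Challenge(code, self.clock())
        self.audit.append(f"OOB code sent to {emp.oob_channel} for {user_id}")
        return code

    def verify_oob_code(self, user_id: str, supplied: str) -> bool:
        ch = self.challenges.get(user_id)
        if ch is None:
            return False
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[user_id]          # expired: a new code must be issued
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code, supplied)  # constant-time comparison
        if ok or ch.attempts >= MAX_CODE_ATTEMPTS:
            del self.challenges[user_id]          # single use; lock out after repeated failure
        if ok:
            self.verified[user_id] = self.clock()
        return ok

    def verify_key_serial(self, user_id: str, supplied: str) -> bool:
        emp = self.directory[user_id]
        ok = emp.key_serial is not None and hmac.compare_digest(emp.key_serial, supplied)
        if ok:
            self.verified[user_id] = self.clock()
        return ok

    def request_reset(self, user_id: str, credential: str) -> bool:
        """credential is 'password' or 'mfa'. Consumes exactly one passed verification."""
        if credential not in ("password", "mfa"):
            raise ValueError(f"unknown credential type: {credential}")
        now = self.clock()
        when = self.verified.pop(user_id, None)
        if when is None or now - when > VERIFIED_TTL_SECONDS:
            self.audit.append(f"DENY {credential} reset for {user_id}: no fresh verification")
            return False
        other = "mfa" if credential == "password" else "password"
        last = self.last_reset.get((user_id, other))
        if last is not None and now - last < COOLING_OFF_SECONDS:
            self.audit.append(f"DENY {credential} reset for {user_id}: {other} reset {int(now - last)}s ago")
            return False
        self.last_reset[(user_id, credential)] = now
        self.audit.append(f"ALLOW {credential} reset for {user_id}")
        return True


class FakeClock:
    """Controllable clock so the scenario is deterministic."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: one employee, one attacker-style attempt at a double reset."""
    clock = FakeClock()
    policy = ResetPolicy({"alice": Employee("alice", "mobile on file", key_serial="12345678")}, clock)
    r: Dict[str, bool] = {}
    code = policy.issue_oob_code("alice")
    r["wrong_code"] = policy.verify_oob_code("alice", "ABCDEFGH")
    r["right_code"] = policy.verify_oob_code("alice", code)
    r["password_reset"] = policy.request_reset("alice", "password")
    r["mfa_without_verify"] = policy.request_reset("alice", "mfa")   # verification already consumed
    policy.verify_key_serial("alice", "12345678")
    r["mfa_same_day"] = policy.request_reset("alice", "mfa")         # blocked: password just reset
    clock.advance(COOLING_OFF_SECONDS + 1)
    policy.verify_key_serial("alice", "12345678")
    r["mfa_after_cooling_off"] = policy.request_reset("alice", "mfa")
    code = policy.issue_oob_code("alice")
    clock.advance(CODE_TTL_SECONDS + 1)
    r["expired_code"] = policy.verify_oob_code("alice", code)
    code = policy.issue_oob_code("alice")
    for _ in range(MAX_CODE_ATTEMPTS):
        policy.verify_oob_code("alice", "ABCDEFGH")
    r["code_after_lockout"] = policy.verify_oob_code("alice", code)
    return r


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:24s} {allowed}")
```

The point of the cooling-off window is that the decision is made by the system, not by the agent on the call: even an agent who has been fully convinced cannot approve the second reset. Each reset also consumes the verification that preceded it, so "I already verified a minute ago" does not carry over from the password reset to the MFA reset.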



theGreaterGood.tech

©2024 by theGreaterGood.tech
