social engineering / helpdesk

Posted on 2009-05-20
Medium Priority
Last Modified: 2012-05-07
We are trying to get together a list of best practice controls and countermeasures to thwart any social engineering type attacks against our IT helpdesk. The main concerns we identified, or ways a social engineer could try and attack us, were: users (impersonating an employee) trying to get new network or application accounts set up, password resets, or requesting that their passwords be passed over the phone; and (impersonating a network admin) requesting configuration details of servers and applications over the phone.

Have we considered every way a social engineer would operate to attack a helpdesk, or would there be other ways or types of information that they would try to lure out of a helpdesk?

What controls and procedures do you train your IT helpdesk staff in so they don't fall victim to social engineering, i.e. asking the person logging the call with the helpdesk some security questions to check they are who they say they are? Any other techniques outside of security questions that you use or could recommend? Or do you not divulge anything sensitive over the phone; do you use email to communicate sensitive data?

Question by: pma111
LVL 33

Expert Comment

by:Dave Howe
ID: 24431023
First pass for social engineering attacks usually targets names of internal staff (particularly senior management or senior technical), email addresses for them, direct dials, etc.

Not only useful for "cover" when doing later social engineering, but valuable in their own right (to telemarketing and recruitment types).

Author Comment

ID: 24431318
Hi Dave, do you mean they may ring up the helpdesk asking for employees' contact names and details, etc.?
LVL 33

Expert Comment

by:Dave Howe
ID: 24432788
Pretty much. A typical script would run something like: "Hi, I am from <name of big company> and need to talk to <name you never heard of> in accounts. However, his email bounces with a message saying he has left the company. Can you tell me who has replaced him in Accounts Receivable?"

"Oh, OK. Is he on <standard number with 123 added to the last three digits> like <guy mentioned> was?"

"So, would that be <guy's first name>.<guy's last name>@<company domain>?"

The important thing is to get another line into the company bypassing the helpdesk; normally, people who aren't on the helpdesk will transfer you almost anywhere to get rid of you if you "accidentally" dial the wrong number (so it is worth trying random numbers a couple up from the helpdesk/general dial number, to see who answers). You can also usually convince people that you are an internal caller if you are transferred, but that depends on their telephony solution.

Your helpdesk/reception/published number is like a perimeter firewall: you can get it to the point where it is impenetrable, but that's no use if someone can connect in by another method and bypass it entirely. That is why, once you have a name, trying random numbers can help: you can often get them to transfer you or even tell you your target's extension (and direct dial usually maps directly to the extension number).

Author Comment

ID: 24438885
Thanks Dave Howe. Do you have any generic suggestions on how to protect against SE, and to tighten the helpdesk to act as a tight perimeter firewall?
LVL 33

Accepted Solution

Dave Howe earned 1000 total points
ID: 24441731
Doing regular testing would be my best recommendation. Give them deliberately fuzzy-timescale warnings like "We will be performing social engineering testing next month. Anyone who gives out internal information, particularly usernames, passwords, names of people in roles or internal phonebook numbers, will have their photo and details of the leak posted to a 'wall of shame' noticeboard near the employee entrance for one month." Actually doing the pentesting is optional.

Work up a few example scripts and distribute them, ideally on an internal website (saves costs, and you can even record some audio files for playback and host them there).

If your company structure is appropriate, try posting the audio files (and transcripts) to a site, and offer a small prize for the best summary of the issues revealed, recommendations for ways to politely refuse information, and so forth. The answers themselves aren't important, but the benefit is in getting people thinking about the transcript, in context, and what they would do to avoid that attack.
