Special Offer w/ OnDemand or vLive: Get a 12.9" iPad Pro, Surface Pro, or $350 Off - Top Offers of 2018


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Announcing the SANS 2013 Help Desk Security and Privacy Survey Results!

Help desk services are a rich entry point for social engineers and technical attackers, but are you prepared?

  • Bethesda, MD
  • July 8, 2013

SANS announces the results of its survey on help desk security and privacy, sponsored by RSA, the security division of EMC. The full survey results will be released during a SANS Analyst Webcast on July 16 at 1 PM EDT.

Nearly all organizations have a help desk regardless of industry type and size. In the survey, respondents cut across various industries, including government (18%), finance (15%) and education (13%); health care, high tech and telecommunications were also well represented. Survey takers also represented a balance in terms of size of organization, with almost 20% supporting more than 25,000 users and 18% supporting 250 or fewer users.

The enterprise help desk is most often where a user turns to resolve a problem with all matters IT--access, endpoints and service--but for decades, the help desk has offered a back door to enterprise network resources through social engineering.

"One thing is clear--successful help desks need to be highly focused on customer service, yet they can present a security risk for the same reason they are in business--helping a user," explains Barb Filkins, SANS Analyst and author of the report. "The only real way to solve the problem is to build security into the business of help desk--from user-friendly but secure self-service tools, to training agents on ways to detect or prevent socially engineered attacks."

The good news is that awareness of and training for such attacks exists. In this SANS survey on help desk security and privacy, more than 70% of respondents reported that they are aware of social engineering, and some are even training their help desk staff to be suspicious. The bad news is that organizations are not factoring security into the overall help desk budget; security technologies are underutilized, and nearly 40% have weak or no security policy around their help desks.

"Self-service tools are viewed as a way to control costs associated with providing help desk services with live, but more expensive, human attendants," says Filkins. "But the success of automation depends on its usability. On-line tools can be so convoluted and difficult that an end user punches '0' to reach the human on the other end, to be led by the hand through the tool's use. Of course, all savings are lost when this happens."

Do the needs of the business trump the risks imposed by password reset and other self-service provisioning? Is an agent too rushed by resolution time limits to validate a caller's authenticity and successfully distinguish real users from social engineers? Can self-service and authentication be used to avoid these security risks and provide a more secure environment for those deploying such technologies?

Answers to these and other questions will be provided during a July 16 webcast where we release our results. Those who register for this webcast will be given access to the full results, in a whitepaper developed by Barb Filkins. During the webcast, attendees will learn:

  • How help desk managers measure success of their transactions
  • How to automate user self-service portals for improvements in risk and user education
  • What type of user vetting practices should automated and non-automated systems be taking to protect against social engineering attacks and other privacy and security threats identified by survey takers
  • How help desk managers view their own approaches to help desk efficiencies and security
  • Which budgeting and staffing practices are in use and their effectiveness

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)