3

If users forget their password, lose their one-time-password tokens, or otherwise become unable to access their accounts, they call the help desk.

In certain circumstances, help desk support is allowed to set a temporary password and suspend multi-factor requirements. This is kept to a minimum, but is unavoidable. As far as we can tell, nothing malicious has been done. Yet.

I was thinking of adding a step for the help desk team to note certain details every time they have to do this (time, account, phone number, ...) and following up with the account holder to make sure everything is OK, but this could leave hours of an attacker having access to a system.

Is there a standard approach to detecting someone maliciously getting a password reset to gain illegitimate access to an account?

Is there a way I could restrict the permissions of any account that had a password reset or multi-factor suspension automatically?

ztk
  • 2,267
  • 14
  • 22
  • I'm sure you could do anomaly detection for these kind of requests... users likely access certain systems at certain times and thus resets come in clustered around those times. Whether your users follow enough of an access pattern or you have enough data to reliably detect this is a big question though. – Dave Mar 15 '16 at 17:39
  • What sort of users do you have, and what other channels do you have to authenticate them? For example, if "users" are employees, you can send a password to their manager. If users are remote people over the internet, your choices are different. – Adam Shostack Mar 15 '16 at 19:19
  • Most of the multi-factor accounts are IT and Dev, but all told there are a little less than 100 of them, including support and contractors. There are several times that amount of non IT and Dev accounts, only a few of which use multi-factor. The other authentication channel is knowledge-based questions over the phone, but I don't like having to rely on that. Also, to answer Dave's comment, some of these guys keep unusual hours, and plenty work remotely from different timezones. – ztk Mar 15 '16 at 19:23
  • "What's your phone number" "it's 1-800-DOM-INOS" sounds like a lame idea. Configure the system so they themselves can use the OTP that they are required to setup when they setup Multi-Auth the first time, then don't reset anyone's password, without physical proof they are who they claim they are – Ramhound Mar 16 '16 at 02:03

1 Answers1

5

I'm not sure about "standard", but my company does the following:

  1. User forgets password
  2. User calls IT / Help Desk / etc.
  3. IT gathers basic info for making sure the user exists (name, branch, office, etc.)
  4. IT says "Thanks, we'll get right back to you" and hangs up
  5. IT calls back the user on the desk-number / cell-number listed for them in the corporate directory. (odds are if the attack has pwned these already, there's a much bigger problem...)
  6. User picks up, IT vocally confirms their password request, and if it is confirmed, gives the one-time-password. If it is not confirmed, IT forwards the event to our security team.

This way, the IT desk has a much lower chance of being socially engineered into giving passwords orally to someone over the phone, even if they have all of the victims corporate info (barring physical access to their phone).

WorseDoughnut
  • 759
  • 5
  • 18