This is the first in a series of training presentations to highlight the need for Information Security education and training in the workplace

1. Hacking the
Helpdesk: Social
Engineering Risks
(AND HOW TO AVOID THEM)
CRAIG CLARK MSC, SDI(A), ITIL, MTA

2. Overview
This presentation will cover
• What is Social Engineering?
• Why are Helpdesks targeted?
• What are the most common attack types?
• What is the cost of a successful attack?
• How to prevent an attack

3. What is Social Engineering
In a security context, Social Engineering (SE) can be defined as:
A combination of social, psychological and information gathering
techniques that are used to manipulate people for nefarious purposes.
In other words, SE targets humans rather then technology to exploit
weaknesses in an organisations security. By exploiting this human
element, it is possible to gain access to vast amounts of sensitive
information often without the victims knowledge. This information can
then be used for nefarious purposes including:
• Identity/Data Theft
• Corporate Espionage
• Financial Gain
• Unauthorised Access to Buildings or Systems

4. Why are Helpdesks Targeted
The Helpdesk function plays a key role within the Service Delivery
structure of an organisation. Key functions often include:
 Being a first point of contact for an array of queries
 Being the professional (and hopefully helpful) face of an
organisation
 Providing quick fixes to a range of common problems such as
password resets, application queries or complaints
Measurement of how well a Helpdesk can deliver these functions is
often measured by the number of resolved queries or the speed at
which they are resolved

5. Why are Helpdesks Targeted
But:
Number of Resolved Requests x Speed of Resolution = SECURITY RISK
Helpdesk agents strive to meet their key functions quickly and as
efficiently as possible. They are trained to give the best service possible
as quickly as possible which means that in most cases “I’m sorry I
cannot do that for you” is not a response that is even considered
Social Engineers know this, and exploit it to gain access to a variety of
information that can be used in a variety of ways.

6. Why are Helpdesks Targeted
Examples of information that can be accessed by a Helpdesk include:
Building Opening
Times
Phone Numbers or
Extensions
Application status
User Names Passwords Password Expiry Dates
Management
Structure
Personal Identifiable
Information
Payment Information
Infrastructure Status Employee Calendar
Information
Corporate Information
Email Addresses Guest Account Login
Details
Print System Access
Purchase Order and
Invoicing Queries
Account History
including pervious
incident numbers
Active Directory
Container Names

7. Common Attack Types
Whaling: Whaling refers to using SE techniques to obtain information
relating to the activities, objectives or corporate information held by
high level employees including directors and executives. Examples
include financial reports, global contact lists, and sensitive corporate
information. A whaling strategy can be facilitated over a number of
months and the rewards can be extremely high.
Impersonating: Impersonation is one of the most common and
effective tactics used by Social Engineers when calling a Helpdesk. In
many organisations, a security check to verify identity consists of a
name and a date of birth, both of which are easily obtainable from
many places including social networks, profiles on corporate pages,
discarded rubbish etc.

8. Common Attack Types
Pretexting: Pretexting refers to an attacker assuming a position of
authority to illicit information. A common example is for attackers to
pose as IT technicians in order to gain an agents username or
password. Once obtained, these details can be used to breach a
network and collect large amounts of data
Quid Pro Quo: This attack uses a promise of a reward, in exchange for
information. As an example, an attacker can call an agent claiming to
be from the HR department and in exchange for filling in a quick
survey delivered by email (which will contain a malicious link) the
attacker gives the agent information on an upcoming promotion.

9. Cost of a Successful Attack
The cost of a successful attack especially one that remains
undetected, can have a wide reaching impact on business operations
Financial Loss: According to a the latest Government Survey, the
average cost of a data breach is now £3.14 million per breach. The
cost is attributed to business disruption, loss of assets and intellectual
property and costs associated with restoring service and implementing
increased security measures.
Reputation Damage: Following a breach, the damage to an
organisations reputation can be catastrophic. Ashley Madison, Hatton
Garden Safe Deposit Ltd., and Thompson Holidays have all received
negative publicity following recent security breaches.

10. Cost of a Successful Attack
Litigation: The Information Commissioners Office is responsible for
investigating data breaches which contravene the Data Protection
Act and other UK legislation that protects personal data.
There is a legal obligation on companies operating in the UK to
declare personal data breaches. The ICO can then issue a range of
punishments depending on the circumstances. Since 2005, the ICO has
issued close to £8million in fines and issued over 1000 compulsory audit
and improvement notices. In addition, investigation findings are
periodically published and distributed across media platforms.

11. Attack Prevention
With a robust Information Security strategy, the risks to the Helpdesk
from SE attacks can be significantly reduced.
Training: Alerting staff to the dangers of SE, and training them to spot
attack types is one of the most cost effective strategies. Training should
be included as part of the initial induction period with periodic
refreshers as new threats develop. Several training methods can be
employed including:
• Online courses
• Role Playing Scenarios
• Workshops
• Call Monitoring and Feedback

12. Attack Prevention
Technology: Using the appropriate call handling technology that
displays both internal and external numbers (including those that have
been withheld) can alert an agent to a possible SE attack. Call
monitoring and recording facilities are also highly recommended due
to their use as evidence in any breach investigation.
Software: Advances in Cloud Storage (Dropbox, iCloud, OneDrive etc.)
capabilities are reducing the need for USB storage, which is a major
attack vector for malware and keylogging.
A robust antivirus, antimalware and email screening platform will offer
significant protection against many current malicious threats that may
arrive via email or instant message.

13. Attack Prevention
Information Security Policy: Ensuring that your organisation has an in depth
Information Security policy can prevent SE attacks originating from the
Helpdesk and beyond. Things to consider within the policy include:
• Can people access only what they need to do their job?
• How is confidential waste destroyed?
• Are calls recorded?
• Can security checks be easily passed (is name, DOB and address
sufficient to grant access/password changes etc?)
• What physical security is in place to prevent people obtaining
information in person?
• What security training is provided to agents
• How are breaches investigated?
• Are USB sticks permitted or necessary?
• What email, antivirus, antimalware screening is in place?

14. Summary
• Helpdesks, while essential to Service Delivery are a valuable target
to Social Engineering attacks due to the range of information they
can access.
• A successful attack can take many forms including in person, over
the phone or via technology
• Social Engineers can use this information to facilitate a range of
activities that can be extremely costly and damaging to an
organisation
• There are many ways that an organisation can reduce social
engineering risks