September 26th, 2005, 02:17 AM
say a scenario like this. Staff A poses as the helpdesk and calls up Staff B. Staff A asked for Staff B's password to do some administration stuff..Thinking that Staff A is helpdesk , Staff B gives the password to him. How can we prevent such things from happening.? Security awareness is one way. How about preventing this from a technical perspective. ?
September 26th, 2005, 02:40 AM
I'm sorry but I am not very tolerant about any one giving out passwords for any reason. Staff B should be fired or at the very least denied access to restricted (passworded) areas.
Your company SOP's should have policy laid out so that giving a password to anyone on the phone would be a firing offense. If staff A was legitimate they would either already know the password, or have a more secure venue of getting it.
There is not any good technical fix for user stupidity.
\"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
September 26th, 2005, 03:14 AM
Training is going to be the best answer for this. There are some technical controls that may help but the human is the weakest link in any network. Social Engineering is the most effective type of attack out there because people have weaknesses, kindness, greed and stupidity are a few of them.
On way we can prevent the problem would to be implementation of some controls that would require several passwords. One-time passwords may also be effective to a degree.
\"Common Sense, isn\'t that common\"
\"It is a lot easier to raise a child then it is to repair an adult\"
September 26th, 2005, 03:52 AM
There is no technical means to prevent this. I know my password. I can speak, too. So unless my computer is equipped with a psychic communications array to hear my thoughts with, and a flyswatter to slap me upside the head with before I give out my password, it can't stop me.
You can limit the impact by enforcing password changes regularly, watching for multiple logins, and limiting physically where passwords can be used.
Another possibility is the use of smart cards, of which employees are issued only one. I have also seen keyfobs with a serial number that changes every 30 seconds or so, which is linked to a password database. That serial number is the user's passwor dfor those 30 seconds. But neither will prevent employees from lending them. The only other solution would be the use of biometrics.
But a technological measure against password sluts would be as impossible as a car that won't let stupid drivers inside it.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
September 26th, 2005, 04:15 AM
The device that's being accessed needs the finger print from Staff B
edit:sorry just saw Strieks part about biometrics.
StreetsCrack.com Join The Best Music Social Network Online.
Music downloads, promotions, forums, profile, games etc...
September 26th, 2005, 06:42 AM
Have all your workes read the Art of descption by kevin mitnick
Every thing that has a begining has an end.
September 26th, 2005, 08:49 AM
kruptos has the answer 'training'.
Staff need to be made aware of the value of their username/passwords and also made aware of the consequences if they hand them out.
If your company doesn't have a password policy and if you do hasn't made an efforet to make staff understand a password policy then you probably won't be able to discipline the staff never mind sack them.
This sort of thing has to be started from the top with policy driven by senior management.
September 26th, 2005, 09:03 AM
My answer would be to have help desk verify that they are who they say they are and/or not give him the time of day if he doesent show up on Caller ID. Generally you call help desk they dont call you!
September 26th, 2005, 02:38 PM
thanks for all your input.
The main concern on my part is how , in the scenario mentioned, the staff B is going to identify that helpdesk is who they are.
So firstly, helpdesk should not ask for passwords from users at all. This is enforced by policy.
secondly, users should just say no, no and no when being asked for password (enforced by policy )
lastly, as a identifying mechanism, use caller ID...
September 26th, 2005, 04:28 PM
You could have a system where no member of staff is allowed to tell anybody their password (as you currently do) and your help desk call around during quiet times and attempt to obtain a password from users. Those who hand over a password could then be sent on a training course to show them the error of their ways. If the staff know about this process then they will be very suspicioius of anybody who asks for their password.
If everything looks perfect, then there is something you don\'t know