
Thread: User validation

  1. #1
    Frustrated Mad Scientist

    User validation

    We had a minor incident the other day where a user had phoned up to request a password reset. Nothing odd there but the helldesk operator just thought that the voice on the end of the phone was wrong.

    She phoned back and sure enough the 'person' that had requested the reset was off sick. To cut a long story short X needed to get to a file in Z's my docs. Z was off. X phoned up Z and agreed that X would impersonate Z to get to the file and provided the answers to the required questions to change the password. X phoned from Z's phone so helpdesk would see the right ext.

    This gave us a few questions.

    1) Why did X need to reset the password? Why didn't Z just give X the password?

    2) How can we better validate users requesting changes that affect the security of the system?

    3) How can we protect against users impersonating other users when they are willingly giving up the details?

    The only solution we can come up with at the moment is to have 2-factor ID, where one of the factors is a physical token that must be carried by the user (i.e. a clocking-in card), to stop the token being left in a drawer for others to use.

    This would work but isn't feasible in the short term.

    Asking users to physically present themselves isn't possible due to the geographical distribution of workers.

    Asking users to channel all such requests through line managers could cause unacceptable delays.


    We're trying to figure out a way of gauging how big an issue this is and whether it's an isolated incident or normal working practice.

    The users involved in the actual incident have been roasted royally (but not formally) by managers.

  2. #2
    There are plenty of things you can do. I would personally recommend that all requests must be made via managers. While this does add time to the process, it is a measure that is duly needed.

    You could do that, or you could simply require all personnel to present some personal information. Something vital that no one is just willing to tell another person. This would cut down on some of the people doing this. I wonder why person Z needed to have the password changed and not just ask for the password. Maybe it was X's way of ensuring they didn't get in trouble. No actual idea about that one.

    The thing I wonder is if Z actually was supposed to have access to the file on X's computer. If so, you guys need to better implement your access options. This situation would have been avoided if this particular file was on the network, giving all users that should have access to it, access.

    The answer that is probably too cost-incurring would be to make one person at each branch able to reset passwords. This would prevent this situation. I don't think it would be too bad to give the supervisor of the branch the ability. It would also make people less likely to lose their passwords. Though this would probably also cause people to write their password down more.

  3. #3
    nihil
    Hello Aspman,

    First thing is to give the "helldesk" operator a box of chocolates or a bottle of the Macallan (the 1963 is just about drinkable, but I must admit to a sneaking preference for the 1950). They performed excellently, and should be noticed for it.

    Also, the worker who refused to give the password should be credited for that; they protected that which they should do, did they not? And they did not blindly trust a co-worker, which is laudable.

    I guess that to call back is a good move, and to involve the line manager is excellent. Please remember that it does not have to be their line manager, just someone with that authority level, who is on the same site and can physically see them.

    I would then recommend something like websites... ask for some personal details like their employee number, National Insurance number etc...

    Just a few thoughts



  4. #4
    Frustrated Mad Scientist
    Something vital that no one is just willing to tell another person.
    That did come to mind. But what would you want your company to know that you wouldn't want your work colleagues to know? There could be issues with the company asking for and storing 'very' personal information.

    The thing I wonder is if Z actually was supposed to have access to the file on X's computer.
    Good point, Z had stored a file incorrectly on the hard drive of the local machine rather than on the network share. Users are given a little freedom to use the machine for personal use, on the understanding that everything can be (and is) checked and that their personal work is not backed up and can be deleted at any time.
    But yes, the file was stored incorrectly.
    Correctly, X should have gone to the line manager, who would then request access to Z's account.


    The answer that is probably too cost-incurring would be to make one person at each branch able to reset passwords.
    There is a little bit of this. We have some remote admins with basic rights such as password reset. But there would still be the issue of correct validation of a user for these guys too, especially if Z is complicit in X gaining access to the network.

  5. #5
    Frustrated Mad Scientist
    Morning Nihil (do you sleep?)

    Praise for helldesk, check!

    We don't know why the user didn't just supply the password. They did everything to help the work colleague change the password and so gain entry. We think it was a kind of misplaced attempt to be secure/correct?? I won't give out my password coz that's bad, but here are the details on how to get it changed?

    We thought about personal details too. But Z was happy for X to change her password, so why wouldn't she give details such as the employee number, especially if it was a work friend? What do we (the company) ask for as a security check that they wouldn't tell any work colleague?

  6. #6
    FanacooL

    Re: User validation

    Originally posted here by Aspman

    1) Why did X need to reset the password? Why didn't Z just give X the password?
    Well, it seems Z's password was very confidential, something he never wanted X to know; that's why he asked him to get the password reset.

    If they are willing to give details then this personal information sort of thing might not work. The best thing Phobia mentioned is authorising a person in the branch, as he/she could clearly recognise the voice on the phone, whether the person calling is the one he says he is or not.

    One thing I have in mind is that you go ahead with the personal information thing, something that could be more confidential than normal things. For resetting, ask for that information and then tell them: OK, fine, the password will be reset, but be sure to change it within an hour. What this is gonna do is that if Mr X is pretending to be Z he must change the password (as you will be implementing in the policy that every password that gets reset must be changed to a new one within an hour; if not, the account gets locked). Now what will happen is people won't ask others to reset passwords on their behalf, otherwise the account might get locked.

    Well, you might understand what I am trying to say here.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  7. #7
    Frustrated Mad Scientist
    Good point regarding (1), FanacooL. I think you could well be right in that the user (Z) might have been using that password for another purpose, banking/personal email, making it something she wouldn't want X to get. The work account not being her personal property, she wasn't so worried about it.

    Now apparently we are getting 10-20 password reset requests a day, more after holidays. That could mean around 2000-3000 a year (or more). Having all of these pushed through a line manager could cause a significant disruption if that manager is unavailable or unwilling to make the request quickly.

    FanacooL, I do get what you mean. I think that this would only work AFTER the account had been locked out once before, that is, once the user knew the potential inconvenience of having a locked-out account. Also, during that hour we still have a successful unauthorised access.

    This is a useful brainstorm guys thanks, keep it coming.

  8. #8
    FanacooL
    Now I am feeling relaxed....

    So yes, either Z will get the locked account due to the reset by X, or he has to reset it, as X must have changed the password in order to avoid the account getting locked and has not given Z the password.

    There could be one more thing: if X changes the password after resetting and gives it to Z, still Z will change the password, as he knows X has it, and he must be psychologically affected: "Man, I shouldn't have given the password, now I have to reset it, otherwise X might again access my PC with my authorisation." The more time spent, the more tense he will be, and if Z forgets to change the password and realises when he gets back home, he will surely get annoyed and will have learned the lesson.

  9. #9
    nihil
    Hi there Aspman

    We have a nice, bright, sunny morning here; although it is only 3C outside...

    What do we (the company) ask for as a security check that they wouldn't tell any work colleague?
    I would go for National Insurance number... for our American friends, that is your SSN equivalent over here. Hey, do your work colleagues need to know it?

    I think that the worker who gave out the information was reasonably correct, insofar as they did not disclose their password... it just shows that they did not want any actions wrongly traced to them? BUT, it shows that you need to tell them the WHYs of security, not just the HOWs.

    OK, I am a bit of a "hacker" and a "cracker" when it is required... but when your IT Director brings the Managing Director carrying written authorisation to do it, then you know that at least some of them have listened to your perpetual moaning about security.

    You might also consider some sort of policy regarding "out of office" situations?

    And please emphasise the need to store stuff on the server, not the local HDD.

  10. #10
    Frustrated Mad Scientist
    I would worry that they would give the NI number to a trusted colleague or could be bullied into giving it out.

    Now thinking about using something like their flexi clocking in card to ID themselves. It's not something they are going to leave behind (can't get in the building) and affects their wages, which always concentrates the mind.

    Or any request for a password reset has to be done from a PC with a web cam.
    Or any request has to be accompanied by a fax/scan of a photo ID + another ID.

    + the flexi system should be checked that the staff member is on site.

    We have to watch we don't cause a DoS by making the password reset process overly complex.

    No denying user education is a key issue, there is an Infosec awareness program being developed.

    We have no home workers as such but yes out of office situations have crossed my mind especially for senior managers wanting to get to OWA etc.
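The checks discussed across the thread (calling back the registered extension, confirming the user is clocked in on site, and a reset that must be changed within an hour or the account locks), modelled as a small policy class. This is an added example, not code from any poster or from any real helpdesk system; the account records, extensions and the clocked-in set are constructed stand-ins for a directory and a flexi clocking system.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RESET_WINDOW = 3600.0  # seconds: the one-hour change window proposed in the thread


@dataclass
class Account:
    user: str
    registered_ext: str                      # desk extension the helpdesk calls back
    locked: bool = False
    temp_issued_at: Optional[float] = None   # epoch seconds; set by an authorised reset


class ResetPolicy:
    """Helpdesk reset checks: callback extension, on-site presence, timed reset."""

    def __init__(self, accounts: List[Account], clocked_in: Set[str]):
        self.accounts: Dict[str, Account] = {a.user: a for a in accounts}
        self.clocked_in = clocked_in  # constructed stand-in for the flexi clocking system

    def authorise_reset(self, user: str, callback_ext: str, now: float) -> Tuple[bool, str]:
        acct = self.accounts[user]
        if acct.locked:
            return False, "account locked"
        if callback_ext != acct.registered_ext:
            return False, "callback extension does not match"
        # The extension check alone is weak: in the incident the caller used Z's own
        # desk phone. Presence in the clocking system is the independent signal.
        if user not in self.clocked_in:
            return False, "user not clocked in on site"
        acct.temp_issued_at = now
        return True, "temporary password issued; change within one hour"

    def change_password(self, user: str, now: float) -> bool:
        """User sets a new password; fails (and locks) if the window has passed."""
        acct = self.accounts[user]
        if acct.locked or acct.temp_issued_at is None:
            return False
        if now - acct.temp_issued_at > RESET_WINDOW:
            acct.locked = True
            return False
        acct.temp_issued_at = None
        return True

    def sweep(self, now: float) -> List[str]:
        """Periodic job: lock accounts whose temporary password outlived the window."""
        newly_locked = []
        for acct in self.accounts.values():
            if acct.temp_issued_at is not None and now - acct.temp_issued_at > RESET_WINDOW:
                acct.locked = True
                acct.temp_issued_at = None
                newly_locked.append(acct.user)
        return newly_locked
```

With Z marked as off sick (not in the clocked-in set), a call from Z's own extension is refused, which is the case the thread describes; the sweep is what enforces the one-hour rule for a user who never changes the temporary password.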
