Hello helpdesk, can I hack you?

Seven out of 10 internal hack attacks come from helpdesk staff...

Helpdesks and technical support workers pose a serious threat to internal corporate security.

Speaking at the 'Turning IT On' security event in London held by London First, Richard Hollis, managing director of security consultancy Orthus, claimed nearly 70 per cent of all internal breaches can be traced back to the support desk.

He said: "These guys have access to your network 24 hours a day, they know every single one of the company's passwords. They are highly skilled technically, but often unmotivated because of lack of career prospects.

"They might even feel unrewarded and bored, all of which makes them commit attacks."

Hollis added that technical support workers often have emotional problems. He said: "They might want to do damage because of emotional issues with their bosses or might have a desire to embarrass their target and show off their techie skills as a revenge."

Most IT professionals are generally aware of the fact that internal security breaches cause more damage than external hacks, but few companies know how to protect against them.

Hollis gave strict guidelines to IT managers on how to protect the corporate network from internal breaches. He told silicon.com: "Identify potential hackers and protect the targets, report any suspicious behaviour to management immediately and develop strong internal policies."
Comments
There is 1 comment.
1. pascal olin
After my (late) reading of this article, I want to make some comments.
1) "These guys have access to your network 24 hours a day"
R) Does this mean you have helpdesk staff online 24/24 while your users are home, or does this mean that your business is running unprotected from, say, 17h00 till 08h00? I believe you should hire a security officer and the relevant tools...
2) "they know every single one of the company's passwords"
R) Why has the helpdesk been given any password apart from their own account(s)? There is a plethoric number of ways to allow helpdesk staff to perform their duty without having to have any kind of special accounts (from scripts to Sudo, to rights delegation).
3) "but often unmotivated because of lack of career prospects. (...) They might even feel unrewarded and bored, all of which makes them commit attacks."
R) Do you mean that you employ unreliable staff or contracts? If this is the case, it is your company's policy that needs revising.
R2) A good helpdesk staff has got a lot of career prospects, if they don't, they are not good, so why are you hiring them?
R3) If Mr Hollis implies that unrewarded and bored workers are prone to commit attacks, I wonder how he is not afraid of living in London, with so many civil servants, bank employees, accountants... these all are (usually) bored and unrewarded, are they committing any attacks?
4) "They might want to do damage because of emotional issues with their bosses or might have a desire to embarrass their target and show off their techie skills as a revenge."
R) I fail to see the rationale behind this. Why would they become emotional? HD staff are doing their job and are trained for this, including dealing with some difficult customers. Additionally, "showing off their techie skills" is not a hacker practice: if you show off, you show yourself off, and get fined for this. Mr Hollis seems to have a lot to learn about the psychology of hackers.
5) "Most IT professionals are generally aware of the fact that internal security breaches cause more damage than external hacks, but few companies know how to protect against them."
R) Most IT professionals are also aware that the most damage is done by users using the wrong tools, ignoring security advice and downloading unscanned software to their computers.
R2) Most IT professionals know how to deal with these issues (portscanning, centralised antivirus system, automated response to threats, up-to-date systems patching, global and group policies, etc.).
6) "Identify potential hackers and protect the targets, report any suspicious behaviour to management immediately and develop strong internal policies"
R) Maybe Mr Hollis could let us understand how he himself identifies the "potential hackers" and how he intends to protect the targets. Apart from making the management understand the issues, the IT professionals have little choice but to adopt standard and rigid behaviours and implement policies that may not be adhered to by the company's management.
R2) The IT security is an issue for all of us, the overall security of any company must be part of the company policy. IT security is one of these aspects and must be taken as part of the whole security issue.
Finally: for all the replies given above, I believe this article by Mr Hollis is pointing in the wrong direction. Simply pointing fingers and making unexplained statements is certainly not the right way to ensure the application of standards and ethics that WE, IT professionals, are constantly faced with.
Pascal Olin
IT Manager.