Don’t Let Your Helpdesk Help the Wrong People!

Here’s a blog post by Simon Herring of Ubersecure which describes how (during an authorized penetration test) he was able to “persuade” a helpdesk agent of a large company to reset his password by pretending to be a salesman in a panic. Once the password had been reset, he was able to log in to their Outlook Web Access system, open a ticket requesting VPN access and, ultimately, gain access to their entire computer network.

Obviously, this is a case where training helpdesk staff about social engineering attacks and having well-understood procedures for handling urgent requests are both critical.

Jessica Holland

