A few days ago, an IT guy got a Slack message from his SVP. They were asking to have their credentials reset for the shared password vault.
Our friend went ahead and did that, and a few minutes afterward the same user asked to be added to an “owners” group in the password system. Our friend did that, too.
The good news is that the user in question was in fact who they said they were. But the bad news is that Our Hero didn’t stop to validate before the keys were handed over.
This got me thinking, and I did a little research. There are two main schools of thought for how a “helpdesk” should verify the identity of a requestor who is looking for high-value access:
Use a two-factor verification method, like Duo
Get the requestor to join a video call, either with the helpdesk or with the requestor’s manager, to verify.
The two-factor method is better, but the overhead is high. The video-call method is easier… but.
If anyone from your company has done a webinar, or a training video, or a speaking engagement, chances are there’s enough information out there for a Bad Actor™ to manufacture a synthetic model good enough to stand up to cursory scrutiny. And as the attack on MGM shows us, a single user’s access is enough to cause real havoc.
What to do? I like the old ways: passphrases and dead-drops. Secret handshakes. Methods that are known, but not discussed and not written down.
If you don’t want to go cloak-and-dagger, though, it’s a good idea for all access changes (other than removal) to go through an approval process that involves at least one tinfoil hat. Does it slow things down? Yeah, but that’s kind of the point.
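As an added example (not code from the original post), here is one way to encode that approval gate as a policy check: removals pass straight through, anything else needs an out-of-band verification and at least one approver who is neither the requestor nor the helpdesk agent. The action names, the Duo-style "mfa_push" verification label, and the sample requests are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

class Action(Enum):
    RESET_CREDENTIALS = "reset_credentials"
    ADD_TO_GROUP = "add_to_group"
    REMOVE_ACCESS = "remove_access"

# Assumed verification labels. A chat message or a video call proves little about who is
# on the other end; only a push to the requestor's enrolled second factor counts here.
TRUSTED_VERIFICATION = {"mfa_push"}

@dataclass
class AccessRequest:
    requester: str
    action: Action
    target: str
    channel: str                          # how the request arrived, e.g. "slack"
    verification: Optional[str] = None    # how identity was confirmed, if at all
    approvers: List[str] = field(default_factory=list)

def evaluate(req: AccessRequest, helpdesk_agent: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single access change."""
    # Removing access is the one change the post exempts from the approval gate.
    if req.action is Action.REMOVE_ACCESS:
        return True, "removal is exempt from the approval gate"
    if req.verification not in TRUSTED_VERIFICATION:
        return False, f"identity not verified out of band (request arrived via {req.channel})"
    # The "tinfoil hat": an approver independent of both the requestor and the agent acting.
    independent = [a for a in req.approvers if a not in (req.requester, helpdesk_agent)]
    if not independent:
        return False, "no approver independent of requester and helpdesk agent"
    return True, f"verified via {req.verification}, approved by {independent[0]}"

def story_requests() -> List[Tuple[bool, str]]:
    """Constructed sample: the two Slack requests from the anecdote, as the gate sees them."""
    reset = AccessRequest("svp", Action.RESET_CREDENTIALS, "password-vault", "slack")
    owners = AccessRequest("svp", Action.ADD_TO_GROUP, "vault-owners", "slack")
    return [evaluate(r, "helpdesk-agent") for r in (reset, owners)]

if __name__ == "__main__":
    for allowed, reason in story_requests():
        print("ALLOW" if allowed else "DENY ", "-", reason)
```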