To gain root access at this company, all an intruder had to do was ask nicely
Briefly

"During one pentesting assignment, Dixon tried to find out how easy it would be to steal someone's account using social engineering. The answer: barely an inconvenience. Dixon telephoned IT security and pretended that he was the head of security who had lost his password. When they asked him challenge questions, he said he had forgotten the answers to those also. Then he gave them the password he wanted to use over the phone and they did a reset for him. After that, he was able to get into the network and do whatever he wanted there."
"There's so much that's obviously wrong here that it's hard to know where to begin with our lesson-taking. The IT support agents should not have taken Dixon's word that he was the security manager, especially after he failed challenge questions, and should have denied his request to reset the password. They were probably thinking 'this guy is an executive and we don't want to piss him off' rather than 'we have procedures that everyone must follow.'"
"The other problem here is that the IT department entered Dixon's suggested password for him over the phone. First of all, the IT department should have sent a password reset to the real employee's ema"
A penetration tester evaluated how easily social engineering could be used to steal an account. He called IT security and claimed to be the head of security who had lost his password. When asked challenge questions, he said he forgot the answers. He then provided the password he wanted to use, and IT performed a password reset. After the reset, he gained access to the network and could perform actions of his choosing. The failures included accepting the caller’s identity without verification, granting a reset despite failed challenge questions, and entering the caller-supplied password instead of following secure reset procedures.
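The three failures listed above map onto three controls a helpdesk reset workflow can enforce mechanically. The following is an added example written for this summary, not code from The Register or the company described; the directory entries, identities and e-mail addresses are constructed, and the rule set (no caller-chosen passwords, no reset after a failed challenge, no phone resets for privileged accounts) is an assumed policy.

```python
"""Hypothetical helpdesk password-reset policy check (added example)."""
from dataclasses import dataclass
from typing import List, Optional
import secrets

# Constructed directory: known identities, their registered contact, and whether the account is privileged.
DIRECTORY = {
    "head_of_security": {"email": "hos@example.com", "privileged": True},
    "jdoe": {"email": "jdoe@example.com", "privileged": False},
}

@dataclass
class ResetRequest:
    claimed_identity: str
    channel: str                                  # "phone" or "portal"
    challenge_results: List[bool]                 # one entry per challenge question asked
    caller_supplied_password: Optional[str] = None

@dataclass
class Decision:
    allowed: bool
    reason: str
    deliver_to: Optional[str] = None              # registered contact from the directory, never the caller
    temp_token: Optional[str] = None              # one-time credential generated by the system

def evaluate_reset(req: ResetRequest, directory=DIRECTORY) -> Decision:
    """Return a Decision applying the controls the incident above shows were missing."""
    entry = directory.get(req.claimed_identity)
    if entry is None:
        return Decision(False, "unknown identity")
    # Control 1: the caller never chooses the new secret; a reset always issues a fresh token.
    if req.caller_supplied_password is not None:
        return Decision(False, "caller-supplied passwords are never accepted")
    # Control 2: a failed or refused challenge ends the request; executive status is not an override.
    if not req.challenge_results or not all(req.challenge_results):
        return Decision(False, "challenge questions failed; escalate to out-of-band verification")
    # Control 3: privileged accounts are not reset over the phone at all.
    if entry["privileged"] and req.channel == "phone":
        return Decision(False, "privileged account: no phone resets, use callback or in-person verification")
    # All checks passed: generate a random one-time token and route it to the registered contact only.
    return Decision(True, "verified", entry["email"], secrets.token_urlsafe(16))
```

Run against the scenario in the summary (claimed executive, failed challenges, caller-chosen password, by phone), the request is refused at the first control; a legitimate portal request for an unprivileged user receives a token sent to the directory address, not read back to the caller.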
Read at theregister