
SANS ISC InfoSec Handlers Diary Blog



Helping the helpdesk help you

Published: 2012-05-03
Last Updated: 2012-05-03 13:43:26 UTC
by Chris Mohan (Version: 1)

What happens when your helpdesk gets a call from a frantic staff member who’s positive his computer is being hacked by Government X this very second?


The IT helpdesk is the face, voice or automated greeting that most staff and customers deal with when they call for help*. Most IT helpdesk staff have run sheets or scripts to walk the caller through common problems or to perform basic tests. With scripts and the frequency of typical requests, helpdesk staff can become very slick and effective, making everyone's lives easier. But what happens when a call comes through that might be a security issue?

Here are some questions to pose to your organisation:

  1. Has there ever been any discussion between the helpdesk and security teams about what should be done when a call is security related?
  2. Is it scalable, in time and workload, to route every possibly security-related call to the security team for an answer?
  3. Should IT helpdesk staff be given scripts for basic security procedures, beyond “Tell them to touch nothing and call me!”?

Each workplace and environment has its own factors affecting how security-related calls are handled, but let’s imagine the security team doesn’t want to field every call that may or may not have anything to do with a security issue. This is where a helpdesk team, with guidance and coaching, can be invaluable in saving time and effort for all parties.

A crucial first step is to define what the helpdesk should do and what it should definitely not do. This sets clear lines of demarcation and prevents the misunderstandings that occur in the heat of the moment, when someone attempting to do what they believe is the right thing ends up causing an awful mess.


On the “do” list are:

- Get a clear description of the problem

- Record standard details on the caller (username, computer details, IP address, location, time of the call and so on)

- Record only the facts: what the caller saw and when, not what they think it means.


On the “should not do” list are:

- Connect to the system and try to fix it themselves

- Offer advice on how to fix the problem

- Jump to unsupported conclusions

- Take any other action that may cause harm or impact.

 

From this point on, both the security and helpdesk teams have ground rules and can work together without causing problems.


Feel free to add any comments, thoughts or suggestions on your experiences, good or bad, on solving this problem.

 

Chris Mohan--- Internet Storm Center Handler on Duty

 

* Help – this covers actual questions on topics the IT helpdesk staff are trained in rather than those random questions such as why isn’t the fridge working. In case you were wondering, the correct answer was the fridge’s fuse had blown. Obvious really...
