- Best Practices for Verifying Callers in Call Centers
We talk a lot about caller verification and best practices in this blog, but what does that actually mean for you and your organization? Here are a few guiding principles to think about when setting up verification for your callers:

Don’t use information that can be guessed
Yes, this means no security questions. With social media more popular than ever, it’s easy for fraudsters and bad actors to look up information about your callers and impersonate them. If you’re relying on a caller providing their employee number or their cat’s name, you can’t be sure it’s really your caller. Anyone could have looked up that information online.

Think twice about biometrics
Voice authentication may seem like a simple solution, but not in the new world of AI. Voice authentication is easily phished or faked, whether with AI imitation or a good old-fashioned phishing phone call. Is that really a bad connection, or is someone splicing together a recording of your caller’s voice?

Consider device-based factors
Since knowledge and biometric factors are not secure, what should you use instead? We recommend device-based factors, such as an authenticator app or code. Using an authentication code or prompt sent to a device the user controls is best. You can set this up by having your callers install an authenticator app and use the app to authenticate. For corporate devices, you can increase the security of this method by requiring the device owner to set up a PIN or passcode to access the verification. Can’t use an authenticator app? A TOTP (time-based one-time password) code sent to a phone number or email the user controls can be an OK substitute, though there is a risk of compromise if an attacker takes over the caller’s email or SIM (e.g. via a SIM swap).

Keep it simple
The simpler your verification is, the easier and quicker it will be for callers and call center employees to manage. Surprise and delight your callers by verifying them quickly and easily and helping them move on to the purpose of their call faster. Not only will your callers be more secure, they’ll be happier too!

Don’t go it alone
Call in some expert help to make your call center verification the best it can be. We’re here at TechJutsu to help set you up with caller verification that keeps you secure and your business moving with Caller Verify. Book a Demo to learn more.
- Caller Verify: An Award-Winning Solution
Okta Partner Awards: Celebrating our 2024 Partner Award winners

We are proud to announce that TechJutsu has been nominated for an award in the Okta Elevate Partner Program for our innovative Caller Verify product! This recognition highlights our commitment to delivering top-notch security solutions through a productive and successful partnership with Okta. Caller Verify continues to revolutionize caller authentication for organizations, and this nomination is a testament to the dedication of our team and the trust of our clients. We are proud to be on this journey with Okta and look forward to continuing to drive success together!

Oktane24
- Skating Ahead of Cyber Threats
Canadian Cybersecurity Network

Remember when Wayne Gretzky, "The Great One," famously said he skates to where the puck is going to be, not where it is? Cybersecurity professionals need to embrace this concept. Most of our current security measures are focused on where the puck is now: protecting online and mobile applications. Meanwhile, clever hackers are targeting areas where our defenses are weak: the call center, chatbots, and video calls. These oft-neglected targets are a hat trick of opportunities for fraudsters.

Terrifyingly, many people call their bank's call center and are verified with easy-to-guess security questions whose answers can be found on social media. Or worse yet, verification relies on voice ID that can be easily mimicked by AI-generated voices. We wouldn’t bank with a financial institution that does not have multifactor authentication (MFA) like biometrics or SMS codes protecting its website and mobile banking, but we still accept these outdated and insecure practices when we pick up the phone.

Expecting fraudsters to play nice and only attack us where we have a goalie in place is a losing strategy, since they are finding places where our defensive players aren’t. Today’s fraudsters are scoring against the call center, chatbots, and video calls, all of which have insufficient or sometimes no identity verification in place.

The FBI has released an advisory on a particularly effective game plan being used by a Russian hacker group named "Scattered Spider." This team of hackers has been calling help desks and impersonating real employees whose profiles were found on LinkedIn. The attackers convinced help desk employees to reset passwords and grant access to sensitive systems. Once inside, they accessed critical systems and data, causing significant operational disruptions and millions in financial losses to companies ranging from energy infrastructure to financial institutions and even well-known Vegas resorts. The victims of these attacks had their heads down and were left dazed after a big financial hit.

To meet these rising cybersecurity threats, we need to be aware of those dirty areas and put our defenders where they can break up plays that cost us goals. The help desk staff getting drafted are our team’s enforcers. Ensure they are first-round picks, not beer league irregulars. You get what you pay for in your first line of defense. Enhanced training for help desk employees is crucial, ensuring they can recognize fraudulent calls and understand the importance of thoroughly verifying a caller’s identity.

Budgeting appropriately for technology is as important as making sure you have money for helmets and pads. No team would take the ice without proper protective gear, and no organization should face the digital landscape without investing in robust cybersecurity measures.

Establishing and enforcing standardized procedures for caller verification is essential. Employees should follow the team playbook for every interaction. Help desk teams must be coached to follow the game plan. A key strategy employed by fraudsters is to create a false sense of urgency to coerce help desk agents into breaking the rules. Without any referees to call penalties, the help desk must keep their heads in the game and avoid coughing up the puck, no matter how urgent the request seems.

Business rules can reduce the stick handling you need your help desk to do. These rules can be enforced with technology and ensure callers are who they say they are before high-risk actions are taken. Leveraging technology to aid in identity verification can further bolster defenses, such as advanced call monitoring systems that flag suspicious activity or secure, encrypted communication channels for help desk interactions. Regular audits of help desk interactions can help identify gaps in identity verification processes, reinforcing training and ensuring compliance with established procedures.

Leadership plays a crucial role in fostering a culture of security within an organization. As with coaching, it’s essential for leaders to set priorities. Focusing on cybersecurity and providing the necessary resources and support for robust user authentication processes is critical. This includes investing in technology and training and creating an environment where employees feel empowered to adhere to security protocols, even if it means delaying service to verify identities thoroughly.

As cyber threats continue to evolve, so too must our defenses. The weakest link in security defense is often the human element. By focusing on strengthening identity validation processes for help desk interactions, organizations can significantly reduce their vulnerability to social engineering attacks. It’s a proactive step that requires investment and commitment but can ultimately safeguard against the potentially devastating consequences of a security breach. Implementing hardware tokens or authenticator apps in your MFA strategy can greatly improve your defense for help desk interactions. MFA is the shot-blocker in front of your help desk’s goalie: an additional layer of protection keeping the puck out of your own net.

In the matchup against cybercrime, we need to play the right way. Ensuring that help desk employees are well-equipped to validate identities effectively is not just a best practice; it is a critical component of a comprehensive cybersecurity strategy. By addressing this often-overlooked vulnerability, organizations can build a more resilient defense against the ever-present threat of cyberattacks. Applying compliance frameworks to all vectors of attack can help keep your opponent off the scoreboard.

Ongoing maintenance of your cybersecurity program is like training for the next season. Even if you win the cup this year, there’s no guarantee that you have a dynasty on your hands. Your opponent is continually coming up with new offensive strategies, so you must ensure your team is always prepared. This maintenance includes technology upgrades, ongoing team training, and playbook reviews. There are no Zamboni drivers to clean up the ice, no intermissions, and no off-season breaks. Your organization needs to keep moving and training to stay ahead of the bad guys.

When your cybersecurity practices are robust and protect the security of your employees, customers, and their data, you will be well on your way to the Cybersecurity Hall of Fame! Just a few thoughts from a hockey fan in cybersecurity. To learn more, Book a demo with us today.
- Beyond Passwords: Verifying Callers Amidst the CrowdStrike Crisis
The recent CrowdStrike incident led to widespread system failures and put a spotlight on the critical need for robust identity verification methods. As organizations grapple with the aftermath, one pressing issue is the management of BitLocker recovery key requests. With systems down and traditional identification methods like knowledge-based factors proving insufficient, IT teams face a unique challenge. How can IT departments confidently confirm that callers are who they claim to be? Providing elevated access with admin credentials or BitLocker keys is a highly sensitive operation that increases security exposure and should only be permitted when callers are securely identified.

The Challenge of Non-Functional Systems
The CrowdStrike incident has rendered many computers non-functional, presenting a significant obstacle for identity verification. Typically, IT departments might use the affected device itself as part of the verification process, such as sending a verification code to the device or requiring a specific action to be taken on it. However, with systems down, these methods are no longer viable. This situation necessitates alternative approaches to ensure secure and reliable identification.

The Limitations of Knowledge-Based Authentication
Traditionally, knowledge-based authentication (KBA) methods, including passwords and security questions, have been a cornerstone of IT security. However, these methods are increasingly viewed as inadequate. The reasons are multifaceted:

- Data breaches and information availability: The prevalence of data breaches has made it easier for attackers to access personal information, including answers to common security questions. Publicly available data and social media profiles further exacerbate this issue, making it relatively easy for attackers to impersonate legitimate users.
- Password weaknesses: Passwords are often weak, reused across multiple platforms, or stored insecurely. These vulnerabilities are well-known and frequently exploited by attackers. Additionally, passwords alone do not provide adequate protection against sophisticated phishing attacks or social engineering tactics.

Given these limitations, relying solely on KBA for verifying requests for BitLocker recovery keys is risky. Organizations need more secure, multi-layered approaches.

Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a more robust solution that addresses many of the shortcomings of KBA. MFA requires users to provide two or more verification factors from different categories:

- Something you know: A password or PIN.
- Something you have: A hardware token, a mobile device, or an email account for receiving verification codes.
- Something you are: Biometric data, such as fingerprints or facial recognition.

By requiring multiple forms of verification, MFA significantly reduces the risk of unauthorized access. For instance, even if an attacker knows a user's password, they would still need access to the user's mobile device or biometric data to proceed. This layered security approach makes it much harder for attackers to compromise an account.

Call Center Authentication Strategies
When dealing with sensitive information like BitLocker recovery keys, it is crucial to use secure communication channels. This means avoiding insecure methods like standard email or unverified phone calls. Instead, organizations should use encrypted messaging services or secure portals that require user authentication.

An increasingly common strategy is the use of out-of-band authentication methods. In situations where a caller needs to be verified, rather than requesting information via that voice call, the help desk can send a push notification to a registered mobile device. Such push notifications provide a secure way for callers to quickly and easily confirm their identity, as they typically require real-time interaction and physical access to a user’s device, making it difficult for attackers to intercept or spoof the authentication process.

Call-back verification is another effective technique. After receiving a request for a recovery key, IT support can call the user back using a pre-registered phone number. This method adds an extra layer of verification, ensuring that the person making the request is indeed the authorized user. It also provides an opportunity to verify other information, such as recent activities or specific security questions. The downside of call-back verification is that it is extremely time-consuming and is not automatically logged in the ITSM.

Use of Pre-Registered Verification Information
Organizations should leverage pre-registered information that only the legitimate user would know or have access to. This can include:

- Pre-set security questions: These should be unique and not easily guessable based on publicly available information.
- Codewords or passphrases: These are agreed upon during account setup and are not used elsewhere, providing an additional layer of security.
- Secondary email addresses or phone numbers: These can be used to send verification codes or to confirm the identity of the caller.

It is important to regularly update this information and ensure that users are aware of its importance in the verification process.

Logging and Monitoring
Every request for a BitLocker recovery key should be meticulously logged and monitored. This includes recording the time, date, identity of the requester, and the IT personnel involved. Monitoring these logs helps identify suspicious activities and potential unauthorized attempts to access recovery keys. Regular audits of these logs are essential. They ensure that all requests are legitimate and comply with security protocols. In the event of a security incident, these logs can provide critical forensic evidence to help identify and mitigate the threat. Logging can be automated with Caller Verify, which logs every verification in the ITSM.

Training and User Awareness
Finally, training and user awareness are critical components of a comprehensive security strategy. Users should be educated on the importance of securing their accounts and the risks associated with sharing sensitive information. They should also be familiar with the organization's verification processes and know what to expect when requesting a BitLocker recovery key. Users should be encouraged to use strong, unique passwords and to enable MFA wherever possible. Regular security training sessions can help keep users informed about the latest threats and best practices for protecting their information.

Conclusion: Evolving Security Practices
The CrowdStrike crisis highlights the need for robust and evolving security practices. As threats become more sophisticated, organizations must adopt more advanced methods to verify identities and protect sensitive information. Relying solely on knowledge-based factors like passwords and security questions is no longer sufficient. Instead, a combination of MFA, secure communication channels, call-back verification, and careful logging and monitoring should be used. By implementing these measures, organizations can protect against unauthorized access to BitLocker recovery keys and other sensitive information. In doing so, they can safeguard their data, maintain their reputation, and ensure the trust of their users, even in the face of significant technical challenges. To learn more, Book a demo with us today.
- Social Engineering Attacks Targeting IT Help Desks in the Health Sector
The Health Sector Cybersecurity Coordination Center (HC3) within the Department of Health and Human Services (HHS) is at the forefront of healthcare cybersecurity. In April 2024 HC3 put out an urgent alert titled “Social Engineering Attacks Targeting IT Help Desks in the Health Sector”. The full document can be found here: Help Desk Social Engineering Sector Alert.

The alert outlines examples of some recent, high-profile attacks targeting healthcare IT help desks. Threat actors are employing sophisticated tactics to manipulate help desk agents into providing unauthorized access to corporate resources, posing significant risks to data integrity and organizational security. Amidst these threats, Caller Verify has emerged to bolster security measures. Caller Verify extends Okta Multi-Factor Authentication (MFA) to contact centers and IT help desks for hospitals, providing a robust defense against social engineering attacks. Let's explore how Caller Verify can effectively combat these threats:

Out-of-band Authentication
NIST (the National Institute of Standards and Technology) recommends using out-of-band authentication channels to enhance security during the authentication process. Out-of-band authentication involves verifying a user's identity using a separate communication channel or device from the one being used for the primary transaction or interaction. This approach helps mitigate the risk of attacks, such as man-in-the-middle attacks, by separating authentication data from the main communication channel. Out-of-band methods include:

- sending authentication codes via SMS or email
- sending push notifications to a user's mobile device
- time-based one-time passcodes (TOTP codes) on a mobile device
- dedicated hardware tokens

By leveraging out-of-band authentication for caller verification, organizations can enhance the security of their authentication processes and reduce the risk of unauthorized access and fraud.

Modern Identity Verification
Caller Verify modernizes help desk methods for caller authentication. Instead of relying solely on easily compromised security questions or personal information, Caller Verify can utilize more trustworthy out-of-band authentication factors such as TOTP codes and push notifications. Requiring callers to authenticate themselves via phishing-resistant verification factors significantly reduces the likelihood of unauthorized access by malicious actors.

Real-Time Caller Authentication
With Caller Verify, organizations can authenticate callers in real time, ensuring that only authorized individuals gain access to sensitive systems and data. By verifying the authenticity of callers before granting access, organizations can thwart social engineering attempts, even when threat actors possess partial employee information obtained through public sources or previous data breaches.

Unified Verification Experience
Caller Verify offers a unified verification experience across all communication channels, streamlining the authentication process for both callers and help desk staff. Whether callers reach out via phone, email, or chat, Caller Verify ensures consistent and robust identity verification measures are in place, regardless of the communication medium used.

Mitigation of Social Engineering Tactics
The sophisticated social engineering tactics used in recent breaches are blocked in organizations protected by Caller Verify. By requiring out-of-band authentication, Caller Verify adds layers of security that make it significantly harder for threat actors to succeed in their malicious activities.

Proactive Security Measures
Caller Verify empowers organizations to take proactive security measures against evolving social engineering threats. By providing user awareness training and implementing policies and procedures for enhanced security, organizations can stay ahead of emerging threats and ensure their help desk staff are equipped to identify and thwart social engineering attempts.

In conclusion, Caller Verify emerges as a powerful ally in the fight against social engineering attacks targeting healthcare IT help desks. By fortifying identity verification processes, providing real-time authentication, and offering a unified verification experience, Caller Verify helps organizations mitigate risks and safeguard sensitive data from malicious actors. As organizations continue to prioritize cybersecurity, solutions like Caller Verify play a vital role in enhancing resilience and protecting against evolving threats. To learn more, Book a demo with us today.
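As an added example (not code from TechJutsu or the Caller Verify product) that ties together the out-of-band TOTP factor described here and the per-request logging the CrowdStrike post above calls for: a help-desk verifier that checks an RFC 6238 code with a one-step clock-drift window, refuses a code that has already been redeemed for that user, and writes an audit record for every attempt, allowed or denied. The enrolled secret, user and agent names, and the ITSM line format are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time
from datetime import datetime, timezone

TOTP_STEP = 30     # RFC 6238 default time step, seconds
TOTP_DIGITS = 6    # code length shown by the authenticator app


def totp_at(secret: bytes, unix_time: float) -> tuple[str, int]:
    """RFC 6238 TOTP (HMAC-SHA1) for the step containing unix_time: (code, step)."""
    counter = int(unix_time) // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}", counter


class HelpDeskVerifier:
    """Out-of-band check for a help-desk request plus an audit record per attempt."""

    def __init__(self, enrolled: dict[str, bytes]):
        self.enrolled = enrolled               # user -> authenticator secret (hypothetical store)
        self.last_step: dict[str, int] = {}    # user -> last accepted step (replay guard)
        self.audit_log: list[dict] = []

    def verify(self, user: str, code: str, agent: str, action: str,
               now=None, window: int = 1) -> dict:
        now = time.time() if now is None else now
        code = code.replace(" ", "").strip()   # agents often type "287 082"
        allowed, reason = False, "not_enrolled"
        secret = self.enrolled.get(user)
        if secret is not None:
            reason = "code_mismatch"
            # Try the current step first, then +/- window steps for clock drift.
            for drift in sorted(range(-window, window + 1), key=abs):
                expected, step = totp_at(secret, now + drift * TOTP_STEP)
                if hmac.compare_digest(expected, code):
                    if step <= self.last_step.get(user, -1):
                        reason = "replay"      # code already redeemed for this user
                    else:
                        self.last_step[user] = step
                        allowed, reason = True, "totp_ok"
                    break
        record = {
            "ts": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),
            "user": user, "agent": agent, "action": action,
            "channel": "totp_out_of_band", "allowed": allowed, "reason": reason,
        }
        self.audit_log.append(record)          # every attempt is recorded, denials included
        return record

    def audit_lines(self) -> list[str]:
        """One line per attempt, ready to attach to the ITSM ticket."""
        return [f"{r['ts']} user={r['user']} agent={r['agent']} action={r['action']} "
                f"result={'ALLOW' if r['allowed'] else 'DENY'} reason={r['reason']}"
                for r in self.audit_log]

if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret stands in for a real enrollment.
    desk = HelpDeskVerifier({"alice": b"12345678901234567890"})
    desk.verify("alice", "287082", "agent-07", "bitlocker_recovery_key", now=59)
    desk.verify("alice", "287082", "agent-07", "bitlocker_recovery_key", now=70)
    print("\n".join(desk.audit_lines()))
```

The second call in the demo is refused as a replay even though the code is still inside the drift window, which is the case a help desk hits when a caller reads the same code twice.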