The Human Firewall

I once received a low grade in a customer’s survey, though I was later vindicated when I demonstrated that the incident was simply the result of a properly functioning human firewall.

What Happened

The user stated she’d forgotten her user name and her password seemed to be locked. Users for this application frequently locked their accounts due to forgotten simplified sign-on passwords, using special characters in the password that the website didn’t permit or use of the wrong password. Users sometimes called with access problems due to using the wrong user ID for the website, which differed from other standard company apps. So issues with the user ID or password were common – but not both. This was the first red flag.
The second red flag was the phone number on my caller ID. The customer said she had called on a personal cell phone at a remote site. I said I’d look at the user account and call her back. There were repeated login failures on the user’s account, so there had been access attempts. I then called the user’s desk phone and work cell phone, and there was no answer. Phishing starts with an email or phone call. I was trying to reach the customer through known contact methods, and it had failed. The user called me back from the same personal cell phone number, stating she still could not get in.
I told the user her login attempts had failed, but she could reset the password if she could reach a Directory Services site on the network, answer the security questions and reset it. She said she didn’t know how to access that, could I just give her the user ID and reset the password? I told her I could not help her, notified an information security professional, and closed the ticket the first level support person had created for the user. I emailed the user’s work account to inform her that there had been multiple login failures on her account, a suspicious phone call, and information security was working on it.
The user returned to site the next day and called me from her desk. She had actually been at site, having forgotten all of her login credentials after a long, stressful day. When she called from her work station, I was able to tell her the correct user ID to use. Then she was stepped through the process of resetting her password on a website on the corporate network. After answering the security questions, she was able to reset it. Yet I received my first bad customer review in ages.
While infuriating for the customer, the help desk manager gave me a pass. The human firewall was working correctly.

Lessons I’ve Learned as a Human Firewall

• Investing in human resources security is a good use of time and money. Train staff to recognize signs of phishing – whether via email or phone calls. A recent IIE article pointed out that help desks are a likely target.
• Set moderate to high levels of password security for all applications. And ensure that the same password isn’t used for logging into the network as the most commonly used applications.
• Use caution when setting up Simplified Sign On. With SSO, when someone has that one password, they can access almost anything else.
• Don’t overlook the information provided by automated support systems. When customers access online support, ensure that it doesn’t reveal information hackers and intelligence analysts would value.
• Don’t neglect the human side of the physical firewall. Ensure that those maintaining routers and firewalls have the necessary expertise and training to support them.
• Keep administrative account credentials and passwords separate from general user account credentials and passwords. And change administrative passwords regularly.
• Require staffers to log off of remote desktops like Citrix regularly, especially on shared computers.
• Develop additional means to verify off site employees, when the standard verification method is “call them back on their work phones”.
• Encourage staff to report the suspicious, even when there is a good excuse.
• Train employees not to give in to angry customers because they are angry. Legitimate requests may be delayed, but one inconvenienced customer is far better than a compromised IT network.
• Teach users to have patience for security measures. The inconvenience of security questions, dual factor authentication and regular password changes should be understood as the cost of security.