The recent CrowdStrike incident led to widespread system failures and put a spotlight on the critical need for robust identity verification methods. As organizations grapple with the aftermath, one pressing issue is the management of BitLocker recovery key requests. With systems down and traditional identification methods like knowledge-based factors proving insufficient, IT teams face a unique challenge. How can IT departments confidently confirm that callers are who they claim to be? Providing elevated access with admin credentials or BitLocker keys is a highly sensitive operation that increases security exposure and should only be permitted when callers are securely identified.
The Challenge of Non-Functional Systems
The CrowdStrike incident has rendered many computers non-functional, presenting a significant obstacle for identity verification. Typically, IT departments might use the affected device itself as a part of the verification process—such as sending a verification code to the device or requiring a specific action to be taken on it. However, with systems down, these methods are no longer viable. This situation necessitates alternative approaches to ensure secure and reliable identification.
The Limitations of Knowledge-Based Authentication
Traditionally, knowledge-based authentication (KBA) methods, including passwords and security questions, have been a cornerstone of IT security. However, these methods are increasingly viewed as inadequate. The reasons are multifaceted:
Data Breaches and Information Availability: The prevalence of data breaches has made it easier for attackers to access personal information, including answers to common security questions. Publicly available data and social media profiles further exacerbate this issue, making it relatively easy for attackers to impersonate legitimate users.
Password Weaknesses: Passwords are often weak, reused across multiple platforms, or stored insecurely. These vulnerabilities are well-known and frequently exploited by attackers. Additionally, passwords alone do not provide adequate protection against sophisticated phishing attacks or social engineering tactics.
Given these limitations, relying solely on KBA for verifying requests for BitLocker recovery keys is risky. Organizations need more secure, multi-layered approaches.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a more robust solution that addresses many of the shortcomings of KBA. MFA requires users to provide two or more verification factors from different categories:
Something you know: A password or PIN.
Something you have: A hardware token, a mobile device, or an email account for receiving verification codes.
Something you are: Biometric data, such as fingerprints or facial recognition.
By requiring multiple forms of verification, MFA significantly reduces the risk of unauthorized access. For instance, even if an attacker knows a user's password, they would still need access to the user's mobile device or biometric data to proceed. This layered security approach makes it much harder for attackers to compromise an account.
Call Center Authentication Strategies
When dealing with sensitive information like BitLocker recovery keys, it is crucial to use secure communication channels. This means avoiding insecure methods like standard email or unverified phone calls. Instead, organizations should use encrypted messaging services or secure portals that require user authentication.
An increasingly common strategy is the use of out-of-band authentication methods. In situations where a caller needs to be verified, rather than requesting information via that voice call, the help desk can send a push notification to a registered mobile device. Such push notifications provide a secure way for callers to quickly and easily confirm their identity, as they typically require real-time interaction and physical access to a user’s device, making it difficult for attackers to intercept or spoof the authentication process.
Call-back verification is another effective technique. After receiving a request for a recovery key, IT support can call the user back using a pre-registered phone number. This method adds an extra layer of verification, ensuring that the person making the request is indeed the authorized user. It also provides an opportunity to verify other information, such as recent activities or specific security questions. The downside of call-back verification is that it is extremely time-consuming and is not automatically logged in the IT service management (ITSM) system.
Use of Pre-Registered Verification Information
Organizations should leverage pre-registered information that only the legitimate user would know or have access to. This can include:
Pre-set security questions: These should be unique and not easily guessable based on publicly available information.
Codewords or passphrases: These are agreed upon during account setup and are not used elsewhere, providing an additional layer of security.
Secondary email addresses or phone numbers: These can be used to send verification codes or to confirm the identity of the caller.
It is important to regularly update this information and ensure that users are aware of its importance in the verification process.
Logging and Monitoring
Every request for a BitLocker recovery key should be meticulously logged and monitored. This includes recording the time, date, identity of the requester, and the IT personnel involved. Monitoring these logs helps identify suspicious activities and potential unauthorized attempts to access recovery keys.
Regular audits of these logs are essential. They ensure that all requests are legitimate and comply with security protocols. In the event of a security incident, these logs can provide critical forensic evidence to help identify and mitigate the threat. Logging can be automated with Caller Verify, which logs every verification in the ITSM.
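The out-of-band push flow described under "Call Center Authentication Strategies" and the logging requirements above can be combined in one small help-desk verification service. The following is an added example written for this article, not code from the article's author or from any product it mentions. It assumes a constructed directory of pre-registered users, a hypothetical push-notification channel (the one-time code is returned to the caller of the function only so the demo can simulate the user reading it back), and an in-memory audit log standing in for ITSM ticket records. The recovery key is released only after a fresh, single-use, out-of-band code has been confirmed, and every event (refusal, challenge sent, verification result, key release) is logged with the requester, the agent, the ticket and the time, but never the code or the key itself.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample directory (hypothetical data). A real deployment would read
# pre-registered channels from the identity provider or HR system of record.
REGISTERED_USERS = {
    "alice": {"push_device": "device-alice-01", "callback_phone": "+1-555-0100"},
    "bob": {"push_device": "device-bob-01", "callback_phone": "+1-555-0101"},
}

CODE_TTL_SECONDS = 120   # a code is useless after two minutes
MAX_ATTEMPTS = 3         # lock the challenge after three wrong read-backs


@dataclass
class Challenge:
    user: str
    code_hash: str       # only a hash of the one-time code is kept server-side
    channel: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False
    verified: bool = False


class HelpDeskVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested offline
        self._challenges = {}        # challenge_id -> Challenge
        self.audit_log = []          # one dict per event; stands in for ITSM ticket entries

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self._clock(), "event": event, **fields})

    def start_verification(self, user, agent_id, ticket_id):
        """Send a one-time code out-of-band to the user's registered push device.
        Nothing identifying is requested over the voice call itself."""
        if user not in REGISTERED_USERS:
            self._log("challenge_refused", user=user, agent=agent_id,
                      ticket=ticket_id, reason="unknown_user")
            return None
        code = f"{secrets.randbelow(10**6):06d}"      # six-digit one-time code
        challenge_id = secrets.token_hex(8)
        channel = REGISTERED_USERS[user]["push_device"]
        self._challenges[challenge_id] = Challenge(
            user=user, code_hash=hashlib.sha256(code.encode()).hexdigest(),
            channel=channel, issued_at=self._clock())
        self._log("challenge_sent", user=user, agent=agent_id, ticket=ticket_id,
                  challenge=challenge_id, channel=channel)
        # Hypothetical push delivery would happen here; the code is returned only
        # so a stand-alone run can simulate the user reading it back to the agent.
        return challenge_id, code

    def confirm(self, challenge_id, code_read_back, agent_id, ticket_id):
        """Check the code the caller reads back; single use, time-limited, rate-limited."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.consumed:
            self._log("verify_failed", challenge=challenge_id, agent=agent_id,
                      ticket=ticket_id, reason="no_active_challenge")
            return False
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            ch.consumed = True
            self._log("verify_failed", user=ch.user, challenge=challenge_id,
                      agent=agent_id, ticket=ticket_id, reason="expired")
            return False
        ch.attempts += 1
        given_hash = hashlib.sha256(code_read_back.encode()).hexdigest()
        if hmac.compare_digest(ch.code_hash, given_hash):   # constant-time compare
            ch.consumed = ch.verified = True
            self._log("verify_succeeded", user=ch.user, challenge=challenge_id,
                      agent=agent_id, ticket=ticket_id)
            return True
        reason = "code_mismatch"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.consumed = True
            reason = "too_many_attempts"
        self._log("verify_failed", user=ch.user, challenge=challenge_id,
                  agent=agent_id, ticket=ticket_id, reason=reason)
        return False

    def release_recovery_key(self, challenge_id, agent_id, ticket_id, key_store):
        """Hand out a recovery key only for a successfully verified challenge.
        key_store is a hypothetical user -> key lookup; the key is never logged."""
        ch = self._challenges.get(challenge_id)
        if ch is None or not ch.verified or ch.user not in key_store:
            self._log("key_release_refused", challenge=challenge_id, agent=agent_id,
                      ticket=ticket_id, reason="not_verified")
            return None
        self._log("key_released", user=ch.user, challenge=challenge_id,
                  agent=agent_id, ticket=ticket_id)
        return key_store[ch.user]
```

The audit log records who asked, which agent handled it, which ticket it belongs to and how the attempt ended, which is exactly what the periodic log review described above needs; because the code hash rather than the code is stored and the key value is never written to the log, a leaked log does not weaken the verification itself.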
Training and User Awareness
Finally, training and user awareness are critical components of a comprehensive security strategy. Users should be educated on the importance of securing their accounts and the risks associated with sharing sensitive information. They should also be familiar with the organization's verification processes and know what to expect when requesting a BitLocker recovery key.
Users should be encouraged to use strong, unique passwords and to enable MFA wherever possible. Regular security training sessions can help keep users informed about the latest threats and best practices for protecting their information.
Conclusion: Evolving Security Practices
The CrowdStrike crisis highlights the need for robust and evolving security practices. As threats become more sophisticated, organizations must adopt more advanced methods to verify identities and protect sensitive information. Relying solely on knowledge-based factors like passwords and security questions is no longer sufficient. Instead, a combination of MFA, secure communication channels, call-back verification, and careful logging and monitoring should be used.
By implementing these measures, organizations can protect against unauthorized access to BitLocker recovery keys and other sensitive information. In doing so, they can safeguard their data, maintain their reputation, and ensure the trust of their users, even in the face of significant technical challenges.
To learn more, book a demo with us today.