September 30, 2024
The New York State Department of Financial Services (NYDFS) has released urgent guidance for IT and help desk personnel in response to a wave of cybersecurity threats reported for October 2024. The advisory calls for heightened vigilance around social engineering aimed at bypassing security controls through IT and help desk channels.
In this wave of attacks, threat actors phone IT and help desk staff, impersonate an employee, and ask for a password reset or report a problem with multi-factor authentication (MFA) in order to get a credential or MFA factor reissued to a device they control. The technique needs no exploit: it abuses the trust placed in help desk personnel and their role as gatekeepers to sensitive systems, and a single successful reset is often enough to bypass MFA entirely.
To mitigate these risks, NYDFS asks that all IT and help desk staff remain on high alert and follow stringent verification procedures before resetting any credential or granting access to a system. A key element of the guidance is a reminder for organizations to train staff to recognize the signs of social engineering, including urgency, pressure to skip steps, and callers who cannot be reached on a number already on record. Organizations should also revisit their established protocols for verifying the identity of anyone requesting a password change or MFA reset.
For further protective measures, NYDFS points personnel to guidance from the Cybersecurity and Infrastructure Security Agency (CISA), which publishes resources on preventing social engineering and phishing. CISA's documentation describes practices such as requiring a secondary confirmation and verifying the requester through a known channel, for example by calling back a phone number already on file rather than the number the caller supplies, to reduce the chance of falling victim to these schemes.
Key Recommendations from NYDFS
In response to this growing threat, NYDFS has provided several recommendations for regulated entities:
Strengthen Help Desk Verification Procedures: IT and help desk personnel should be trained to enforce multi-layered verification before resetting passwords or MFA settings, for example confirming the requester's identity through a second, independent channel such as a callback to the number on record or confirmation from the employee's manager. Security questions alone are a weak control, because the answers are frequently discoverable from public sources.
Monitor for Unusual Activity: Organizations should deploy tooling that watches for unusual login attempts and device activations. Password changes and MFA re-enrollments initiated through the help desk should be logged and correlated with what follows them, so that a reset quickly followed by a login from an unfamiliar device or a new MFA device registration is flagged for review.
Educate Employees on Social Engineering Risks: Regular cybersecurity training should be mandatory for all employees, emphasizing how to recognize and respond to social engineering attempts. Employees should be encouraged to report any suspicious behavior they encounter.
Limit the Exposure of Personal Information: Companies should review what information is publicly available about their employees online. Reducing the amount of sensitive personal data on company websites, social media, and professional networks can make it harder for attackers to build convincing social engineering narratives.
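The following is an added example, not part of the NYDFS or CISA guidance, of how the two help-desk recommendations above can be turned into detection logic. It runs over a constructed log of help-desk tickets and authentication events (the JSON event format, field names, the list of accepted verification methods, and the per-user known-device baseline are all assumptions made for this illustration) and raises an alert when a reset was not verified through an accepted method, or when a reset is followed within a short window by a new MFA enrollment or a login from a device never seen for that user.

```python
"""Flag suspicious help-desk password/MFA resets (illustrative example).

Two checks, mirroring the guidance above:
  1. A help-desk reset whose ticket does not record an accepted verification
     method (e.g. a callback to the phone number already on file).
  2. A help-desk reset followed within `window` by a new MFA device
     enrollment or a successful login from a device not in the user's
     known-device baseline.
The log layout, field names and accepted methods are assumptions.
"""
import json
from datetime import datetime, timedelta

# Assumption: verification methods the organisation's procedure accepts.
# Caller ID is deliberately absent: it is trivially spoofed.
ACCEPTED_VERIFICATION = {"callback_on_file", "in_person", "manager_confirmed"}

# Constructed sample log (one JSON object per line). Not real data.
SAMPLE_LOG = """\
{"ts":"2024-10-01T09:02:00Z","type":"helpdesk_reset","user":"alice","reset":"password","verified_via":"callback_on_file","ticket":"T-1001"}
{"ts":"2024-10-01T09:10:00Z","type":"login","user":"alice","device":"dev-a1","result":"success"}
{"ts":"2024-10-01T13:15:00Z","type":"helpdesk_reset","user":"bob","reset":"mfa","verified_via":"caller_id","ticket":"T-1002"}
{"ts":"2024-10-01T13:22:00Z","type":"mfa_enroll","user":"bob","device":"mfa-new-9"}
{"ts":"2024-10-01T13:25:00Z","type":"login","user":"bob","device":"dev-new-9","result":"success"}
{"ts":"2024-10-01T15:00:00Z","type":"helpdesk_reset","user":"carol","reset":"password","verified_via":"callback_on_file","ticket":"T-1003"}
{"ts":"2024-10-01T17:30:00Z","type":"login","user":"carol","device":"dev-c7","result":"success"}
"""

# Constructed baseline of login devices previously seen per user.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b2"}, "carol": {"dev-c7"}}


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_devices, window=timedelta(minutes=60)):
    """Return a list of alert dicts for the checks described above."""
    alerts = []
    resets = {}          # user -> help-desk reset events seen so far
    seen = {u: set(d) for u, d in known_devices.items()}

    for ev in events:
        user = ev["user"]
        if ev["type"] == "helpdesk_reset":
            method = ev.get("verified_via")
            if method not in ACCEPTED_VERIFICATION:
                alerts.append({"user": user, "ticket": ev["ticket"],
                               "reason": f"{ev['reset']} reset verified via "
                                         f"{method!r}, not an accepted method"})
            resets.setdefault(user, []).append(ev)
            continue

        # Help-desk resets for this user that are still inside the window.
        recent = [r for r in resets.get(user, []) if ev["ts"] - r["ts"] <= window]
        if not recent:
            if ev["type"] == "login" and ev.get("result") == "success":
                seen.setdefault(user, set()).add(ev["device"])
            continue
        minutes = int((ev["ts"] - recent[-1]["ts"]).total_seconds() // 60)

        if ev["type"] == "mfa_enroll":
            alerts.append({"user": user, "ticket": recent[-1]["ticket"],
                           "reason": f"new MFA device {ev['device']} enrolled "
                                     f"{minutes} min after help-desk reset"})
        elif ev["type"] == "login" and ev.get("result") == "success":
            if ev["device"] not in seen.setdefault(user, set()):
                alerts.append({"user": user, "ticket": recent[-1]["ticket"],
                               "reason": f"login from unseen device {ev['device']} "
                                         f"{minutes} min after help-desk reset"})
            seen[user].add(ev["device"])
    return alerts


def run_sample(window=timedelta(minutes=60)):
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG), KNOWN_DEVICES, window)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['ticket']}] {a['user']}: {a['reason']}")
```

In the sample, alice's reset was verified by a callback and her subsequent login came from a known device, and carol's login from a known device is outside the window, so neither produces an alert; bob's ticket generates three alerts (weak verification, MFA enrollment shortly after the reset, login from an unseen device). The baseline of known devices should come from the identity provider's device records in practice, and the window should be tuned to how long a legitimate user typically takes to log back in after a reset.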