2015-08-12

Here’s the hypothetical scenario: It’s a normal business day. Then partway through, right after lunch, your internal wiki stops responding.  That wiki is housed here at Contegix.  You are also seeing emails and texts from other employees indicating it’s not just you; they cannot reach the site either.  So you pick up the phone and call Contegix to let us know about the problem.  We are polite on the phone, but refuse to give you any information!  We keep requesting you submit an email or log in to the portal, and still will not give out information over the phone.  No verification of up or down; we won’t even tell you WHO is an authorized contact so you can have a ticket submitted.  We even offer to create the ticket for you, but still won’t tell you what’s happening beyond that.  What gives!?!?  Read on to find out!

Now before I go any further, let me point out one very important thing:  In the above situation, if something under our control is down, we are not just going to ignore the issue until a ticket is placed.  We WILL be looking into the problem and working on a solution regardless of what we do or do not tell you over the phone.  Now, that being said, let me explain why we have these security policies and why they are beneficial to you.

Every day security researchers release more information about the latest exploits, the latest hacks, and things people dealing with computers and the internet should be worried about. The subjects that are rarely mentioned are the other types of “hacks” that don’t involve the latest hacker script, virus, or exploit.  They involve an age-old method of gaining access and intelligence on people and organizations, called social engineering.

Many people are well aware of common online scams such as the email from the “Prince in Nairobi” who is just dying to give you millions and millions of dollars as soon as you send him some of your money first, and are prepared to avoid and ignore those types of scams.  What most people are not prepared for are the scams that start when your phone rings.  These types of social engineering scams are becoming more commonplace because human nature is easy to exploit, and most people are not on their guard over the phone like they would be when reading a new email.  While everyone may have seen a few phishing emails before, not everyone has encountered a social engineering call.

The basic gist of it is, someone calls up and pretends to be one of our customers or a vendor. They claim to not be anywhere near their email, but really need some sensitive information, “So, can you just give it to me over the phone, you know, as a favor?”  They ask for things like who the authorized contacts actually are, the names and IPs of servers homed here, proper usernames (“what was Jimmy’s email addy again”). Sometimes, they’ll try for a password reset or to add themselves as an authorized contact. Even, “Could you just reboot this one thing (core server critical to the infrastructure…)?”  They could also play the role of the super-duper-mad customer for XYZ reason, demanding things NOW or they’ll drop the contract and sue everyone and their children’s children!!!!!!  Basically, they are hoping that we will just take care of the customer issue without pushback to avoid confrontation.

What both of the above approaches use against us is human nature, and what both of the above methods lack is any way to verify the identity of the person on the other end of the phone. This malicious combination of factors has been used often to victimize people all over the world. This is why we will not just “take the word” of an anonymous voice on the other end of the line.  Because Contegix security policies require you to either submit an email or log in to our portal before we take action on your environment, we avoid these social engineering style attacks almost completely.  While the bad guy (or girl) may have grabbed your personal information off your corporate website to try to talk their way past our technicians, they likely do NOT have your email or Contegix support portal username/password.

So, before we would make any changes on your environment at all, we require somebody to notify us via a ticket, which means either emailing us or logging into the portal.  This is meant to do two primary things: First, confirm your identity as somebody who is authorized to make requests and changes to your environment housed here at Contegix.

Second, it also provides one other very tangible benefit in today’s online culture: A full written audit of what happened, who requested what, at what time, and what was done about it.  So 3 weeks later, when upper management is requesting clarification on why XYZ happened, you will have that entire ticket to reference, versus trying to remember details from a phone conversation that happened long ago.  This record also comes in handy for recurring problems; we can backtrack to the notes taken the last time XYZ happened and try to spot the trend.

How can you increase security even further?
1.) Maintain your Authorized Contacts:  Regularly review and update your authorized contacts listing.  Our portal system allows granular permissions inside your own organization.  At least one person in your organization has full access to the account and can make changes as needed in our portal system.  Make sure you are regularly checking the portal listing of authorized contacts so you can remove any employees who have been let go, retired, fired, etc., add new employees, correct/update contact information, and change permissions for employees who have changed positions.  You know your employees and the permissions they will need much better than we would, which is why we recommend you be the one to add/remove/modify the designated authorized contacts.
2.) Start any problem, idea, or question you have for us with a ticket:  We will be happy to schedule a follow-up phone call to discuss things further if necessary, but start out with a ticket.  Regardless of the issue, we will require the ticket either way so this will result in faster turn-around time.  Along with that, if a structured phone conference is needed it will be much easier for us to schedule this out ahead of time, so we can ensure you have the correct people at the meeting.  If you are calling in out of the blue, you won’t be able to get the information you want (due to no ticket), and you likely won’t be able to talk to the person you want to, as they were not expecting your call and/or may not be available.

Another benefit of using emails/portal to keep tickets updated (vs. phone calls):  We work 24/7, 365 here.  We have 3 different shifts of engineers who work together to keep this data center humming along.  If the details on what’s happening are all contained within the ticket, we can continue working on your issue across all shifts.

3.) Password management and complexity:  Make sure your email passwords (and portal passwords) are complex, and do not involve names or birthdates of your family or close acquaintances.  If possible, change them on a regular basis (e.g. quarterly).  Don’t use the same password on all of the various sites you visit.  If one site gets hacked, the attackers will have access to EVERYTHING using that password.  A good idea is to utilize some type of password manager.  This would allow you to come up with super-complex passwords for all your various accounts, and have the password manager remember all of those.  Then you are just responsible for memorizing the complex password you use for the password manager’s master password.

I hope this post was helpful in understanding why our security measures are so important. We certainly do not intend to come across as rude, nor do we wish to make requesting service a pain. We are merely looking out for the best interest of your company’s privacy and infrastructure.
