Brute-Force Attacks: How Organizations Can Protect Themselves

When you hear the term “brute-force attack,” you may think about a savagely violent person or animal aggressively attacking another being. But if you’re in cybersecurity, you may envision something completely different—although no less frightening. In technology, a brute-force attack is when a hacker uses automated software to hammer an organization’s system with usernames, passwords, or passphrases until it successfully guesses the right combination and gains entry to that system. Such attacks are often the most successful when system passwords are fairly short because a brute-force attack moves quickly and isn’t as effective if there are longer passwords or passphrases to handle.Hackers use brute-force attacks to gain entry to a system illegally so they can steal valuable data from that website, shut it down, or execute another kind of attack. Another tactic is for the hacker to gain access to your system and then wait to use that access later. A recent six-month study by Proofpoint of major cloud service tenants finds that there are “massive” brute-force attacks coming mainly from Nigeria, but also from China, Brazil, South Africa, and the United States. Most of those attacks leveraged IMAP and used compromised network devices such as routers and servers to launch attacks. Unfortunately, the brute-force attacks found success 44 percent of the time. Despite the increasing frequency of such attacks, there are ways that organizations can protect themselves. Among them:

1. Three strikes and you’re out. Systems need to lock out users who have three failed login. A downside is that implementing such a protocol means that one hacker can lock up several accounts, which can lead to a denial of service for users and one big headache for the administrator who must unlock each account.
   
   One way around this may be to use a progressive delay, which locks the account for a certain period, each time longer than the previous one. Such delays take the teeth out of a brute-force attack because it becomes slow and inefficient.
2. Employ CAPTCHA. Are you human? That’s what CAPTCHA (completely automated public Turing test) tries to ensure by requiring the user to type the letters of a distorted image. Be aware that some users don’t have kind words for CAPTCHA and find it difficult to decipher—it takes the average person about 10 seconds to solve a typical CAPTCHA.
3. Require strong passwords. Passwords need to be at least eight letters with both uppercase and lowercase letters, numbers, and at least one special character. Consider password manager tools like LastPass, Dashlane, Roboform and KeePass.
4. Rely on two-factor authentication. Having a password isn’t enough for a two-factor authentication, which also requires something like your cellphone number or a code that is sent to you via SMS. Some companies will allow users to verify a device only once, while others will require authentication every month or every year.

With the increase of brute-force attacks from abroad and at home, it’s clear that companies must get smarter about how they keep the bad guys from coming in the front door—and employ the right security to lock them out.