A Complete Guide to Brute Force Attacks: Part 2
More about brute force attacks, types, and protecting your businessA business network can easily become compromised by brute force attacks if the right cybersecurity measures are not in place. Hackers and cybercriminals have developed many different types of brute-force attacks to break into business networks and systems.ORAM Cybersecurity Advisors looks at various types of brute force attacks and methods businesses can employ to layer their cybersecurity for the best protection against brute force attacks.Simple Brute Force AttacksA simple brute force attack happens when a cybercriminal attempts to guess a user’s login and credentials manually without the use of software. This may seem tedious, but it can be simple to guess login credentials as they are often an email address that is public. Using multiple username and password combinations, or even personal identification numbers (PIN), bad actors can often stumble upon the correct login credentials.Passwords are often trickier to guess but simple combinations and information available on social media sites can make this an easier process such as a pet’s name or favorite sports team. People still often use weak passwords such as “password123.” Additionally, people have a bad habit of reusing passwords so once one account is cracked, this can make it easier for hackers to get into other accounts.Dictionary AttacksA dictionary attack involves selecting a target and then testing possible passwords against the target’s username. The term “dictionary attack” is rooted in the hacker running through dictionaries and adapting words using special characters and numbers that are common replacements for letters. For example, using a numeral 3 in place of an “e” or using the @ symbol for an “a.” This form of brute force attack tends to be more time-consuming for the hacker and has a lower chance of success compared to more modern forms of attack such as those using software.Hybrid Brute Force AttacksThis type of brute force attack combines a simple brute force attack with a dictionary attack. If a cybercriminal already has a username such as an email address, it’s easier for them to figure out a password with a combination of simple and dictionary brute force attack methods.The attacker using a hybrid brute force attack may begin with a list of potential passwords based on information from a social media platform, experiment with special characters and numbers in place of letters, and then find the correct combination. This attack method often allows attackers to crack simple, commonly used passwords such as “Boston2022” or “P@ssword123!”Credential StuffingBad actors prey on weak password etiquette to perform credential stuffing. Whether they have found username and password combinations on the Dark Web or have stolen them using phishing emails, hackers will test log-in credential combinations on a variety of websites to see if they can gain access to other accounts. Credential stuffing works great against people who have reused usernames and passwords on multiple accounts from bank logins to social media platforms.Reverse Brute Force AttacksIf an attacker already has a known password, they can reverse engineer a brute force attack by then figuring out the username. Passwords are often found when a network breach occurs, which is why it’s imperative to change passwords frequently, making a password manager an important tool in cybersecurity.It’s not hard for a bad actor to use a password to search for a matching login credential using lists of millions of usernames. Weak passwords also make it easy to search for usernames online for a match. This is especially true if the attacker already knows the full name of the password they have in their possession.Use High Encryption RatesTurn to the highest encryption rates available (256-bit) to encrypt system passwords. This limits the odds of a successful brute force attack and makes login credentials that much harder to break.Your business can also employ a virtual private network (VPN). This is ideal for businesses that have remote workers either part-time or full-time. A VPN will encrypt all traffic between the company network and sources outside of the network from personal devices to the cloud.Add SaltAnother security tactic is to salt the hash on passwords. System administrators can strengthen passwords even further by adding random letters and numerals with passwords. This is known as “salting” the hash just as you might add salt to a dish. Salting makes passwords even more complicated and less hackable.Employ Multifactor AuthenticationBy adding authentication to user logins for your business, you’re adding even more security. Multifactor authentication requires users to provide extra proof of their identity when logging in. This may be something as simple as a personal identification number sent to their smartphone or even facial recognition. Unless a hacker has access to a user’s smartphone or face, it’s practically impossible to breach the login even with standard credentials.Limited Login AttemptsSimply limiting the number of login attempts by users reduces the success rate of brute force attacks as well. A potential attacker can be deterred when they can no longer try to log in after two or three failed attempts. This helps prevent simple brute force attacks, dictionary attacks, and hybrid brute force attacks. After meeting the number of login attempts allowed, an account can be locked down completely and the IT department must be contacted to reset and access the account.Using Internet Protocol Blacklists and CAPTCHAPrevent attackers from using computer software and websites to breach your business network by using internet protocol (IP) blacklists and CAPTCHA. A blacklist of IP addresses helps to protect your network and users from known threats. By stopping any traffic from bad IP addresses, your business systems are better protected.Adding a CAPTCHA box to your business’s login process can also prevent cybercriminals that are using computers and software to deploy brute force attacks. A CAPTCHA box may require typing in a text image, checking multiple boxes, or even identifying objects in images in order to log in.Remove Unused AccountsAnother tip for preventing brute force attacks is to remove old or unused user accounts. As soon as someone leaves your business as an employee, be sure to disable their account quickly. Not only will this help prevent brute force attacks, but it can also help prevent insider attacks. This is especially true for disgruntled employees that left on less than ideal terms.Get the Right SoftwareORAM Cybersecurity Advisors also recommends using Fortinet’s FortiWeb as a great option for protecting against brute force attacks. FortiWeb offers a web application firewall (WAF) that shields businesses against advanced attacks that target both known vulnerabilities and zero-day attacks. This helps businesses fight against potential breaches in the ever-changing threat landscape. It also helps stop brute force attacks and ensures businesses remain secure with new features and updates.For assistance securing your business against brute force attacks, training employees in cybersecurity best practices, or shoring up your cybersecurity, contact ORAM Cybersecurity Advisors at (617) 933-5060.