How to protect the company from a brute force attack
A brute force attack is a way of obtaining login details by systematically trying all combinations of characters, and it is often carried out by scripts or bots that target a selected login page. Brute force is therefore a common method of data breach, and is something that both companies and individual users need to protect themselves against.
Find out more about what a brute force attack actually is and how it is carried out, as well as how to protect yourselves against them!
How is a brute force attack carried out?
In a brute force attack, an attacker sets up a computer to try different passwords until it finds one that works. There is no intellectual strategy behind the attack, just different combinations of characters being tested until a correct combination is discovered. You could compare it to a thief trying to break into a combination lock on a safe by trying every possible combination of digits until the safe opens.
The most common aims of brute force attacks are to crack passwords and encryption keys, which can be part of a company’s API or remote logins (such as SSH). The consequence of a successful attack can be disastrous, resulting in business secrets leaking out, important data disappearing or the attacker posing as users to send phishing links or to spread false content under your name.
One far too common scenario is when a password database with encrypted passwords is breached, an event that often causes major headlines when it becomes public knowledge. With a leaked password database in hand, the attacker will often use computers with high processing capacity that can make millions of guesses per second. It is then only a matter of time and processing power before a password is cracked and the data breach is complete.
How do you protect yourself from a brute force attack?
Brute force attacks usually depend on weak passwords and sloppy network administration. Luckily there are many ways of enhancing your IT security in order to reduce vulnerabilities and the risk of attacks. If you take steps such as using strong passwords, only permitting a limited number of login attempts and enabling MFA, you move one step nearer to preventing brute force attacks. Here are five tips on how to protect yourselves!
- Use MFA (multi-factor authentication)
With multi-factor authentication, you apply an extra layer of protection to your login. MFA is an effective way of stopping breaches by adding further identification requirements to the login, such as a code that is sent to your mobile number. MFA also means that even if an attacker has obtained your password, the login will still not succeed.
- Limit the number of login attempts
One way of preventing successful brute force attacks is to limit the number of login attempts within a specific time frame, or to make each successive login attempt take longer and longer. If there are no limits on how many guesses may be made against one account, the consequence is not only that the attacker will find the correct password more quickly, but also that the attack affects performance on the servers. If the attacks are on an extremely large scale, this can result in an overload that affects entire IT environments.
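Both variants of this tip, a cap on failures per time window and a delay that grows with every failure, can be combined in one small per-account throttle. The code below is an added example, not Nordlo's code; the limits (5 failures per 15 minutes, delay doubling from 1 second up to 5 minutes) are assumed values for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (constructed for this example, not from the article).
MAX_FAILURES = 5        # failures allowed per account within WINDOW_SECONDS
WINDOW_SECONDS = 900    # 15-minute sliding window
BASE_DELAY = 1.0        # seconds of enforced wait after the first failure
MAX_DELAY = 300.0       # cap on the growing back-off delay


class LoginThrottle:
    """Per-account throttle: hard cap per window plus exponential back-off."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of failures
        self._next_allowed = {}              # account -> earliest next attempt

    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check(self, account, now=None):
        """Return (allowed, wait_seconds); call before verifying a password."""
        now = time.time() if now is None else now
        self._prune(account, now)
        if len(self._failures[account]) >= MAX_FAILURES:
            # Window is full: the oldest failure must age out first.
            return False, WINDOW_SECONDS - (now - self._failures[account][0])
        wait = self._next_allowed.get(account, 0.0) - now
        if wait > 0:
            return False, wait
        return True, 0.0

    def record_failure(self, account, now=None):
        """Register a failed attempt and return the delay now imposed."""
        now = time.time() if now is None else now
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        # Delay doubles with each failure in the window: 1, 2, 4, 8, ... seconds.
        delay = min(BASE_DELAY * 2 ** (len(q) - 1), MAX_DELAY)
        self._next_allowed[account] = now + delay
        return delay

    def record_success(self, account):
        """A correct login clears the account's failure history."""
        self._failures.pop(account, None)
        self._next_allowed.pop(account, None)
```

A second instance keyed by client address instead of account catches attempts that are spread thinly across many accounts.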
- Choose passwords that are difficult to guess
If the password is so simple that it can easily be guessed, it does not matter how good the rest of your protection is. The password must therefore be hard enough to guess that the other protective mechanisms get a chance to come into play. Make sure that you choose a password that contains many characters and combines upper and lower case letters, digits and special characters.
Also use unique passwords for different logins. If an attacker finds a password that works for one service, they can try to reuse the same login and password on many other popular services. The drawback of having a lot of different and advanced passwords is that it becomes impossible to keep track of them. A password manager is strongly recommended to make this easier.
- Combine passwords with additional mechanisms
Captcha is a technology used to make sure that there really is a person sitting behind the screen. There are many different variants of captcha, one example being four pictures, where the user has to select all of the pictures containing boats, or a variant where you have to enter the characters displayed. As it is a picture (and not characters), it is harder for basic computer-based attacks to get past this control.
- Choose an advanced password encryption solution
In the best of all worlds, no outsider should ever be able to access a password file, but a large part of IT security is about working proactively and being prepared for the worst. If the password file does leak, everything depends on how strong the encryption is and how hard it is to crack. You should therefore make sure you prioritise an advanced password encryption solution.
Do you want us to help you review the security level in your IT environment today?
Apart from activating the right password policy and MFA, it is every bit as important to make sure that you educate the organisation about the importance of password strength and general information security habits. Even employees with a strong password can become a victim if security is not a strong part of the culture.
We would be happy to meet you to tell you more about how Nordlo can help your business by creating good protection for your IT environment and strengthening your culture when it comes to IT security. By taking a look at how your company is working at present, and which technology and tools you are using, we can put forward tangible, customised suggestions for the security solutions that are right for you and your needs.