Brute-Force Attacks – a Growing Cyberthreat
“If at first you don’t succeed…” must be the motto of brute-force attackers. Determined to steal valuable data, they try, try again to find out passwords and encryption keys and break into computer systems.
They succeed pretty often, too. Some studies report that they’re responsible for 5 percent of confirmed break-ins.
Brute-force attacks target computer systems of all sizes, from those of large organizations to those of individuals. Let’s look at the methods attackers use and what we can do to protect against brute-force attacks.
How they work
The concept is simple. To open an encrypted file or break into a system, a brute-force attack tries all possible combinations of characters or numerals that might constitute a username and password. The means of attack are usually applications and scripts that run at speeds no manual operation could match. A “dictionary” approach draws its guesses from a word list; a mathematical approach enumerates combinations with an algorithm.
What makes these attacks so formidable is their sheer persistence, and their speed. Computers get faster by the day, and the attacks get faster with them. They bombard any number of devices and services exposed to the Internet, and because they try everything and never quit, they can be effective even against strongly encrypted systems.
These attacks exploit common user habits, too. For example, since many users reuse the same user ID and password across many systems, a brute-force attacker who guesses those credentials once can use them against all of those systems.
Systems on the Internet can resist these attacks effectively through measures such as CAPTCHA, which stops an automated attack after only a few failed attempts. But hackers who get hold of an encrypted file offline have all the time they need to break the encryption.
What to do
Organizations need to address brute-force attacks in their security policies. Here are some sound policies:
- Limit the number of attempts permitted on a given password.
- Enforce delays between successive attempts.
- Lock accounts out after unsuccessful logon attempts.
- When attacks come from a specific IP address, prevent that IP from making more than a predetermined number of password attempts against any account on your site.
Tools such as Fail2ban and DenyHosts can protect servers by automating some of these rules.
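As an added illustration of the four policies above (not code from this article, and not Fail2ban or DenyHosts code), the following Python throttle enforces a per-account attempt limit, a delay that grows with each consecutive failure, an account lockout, and a per-IP cap across all accounts. The thresholds, the IP addresses and the login events are constructed for the demo; a real deployment would tune the limits to its own traffic and persist the counters in shared storage.

```python
"""Login-attempt throttle: a constructed example of the policies described
above. Not Fail2ban code; thresholds below are illustrative assumptions."""
from collections import defaultdict

MAX_ACCOUNT_FAILURES = 5   # failures before the account is locked (assumed)
LOCKOUT_SECONDS = 900      # account lockout length, 15 minutes (assumed)
MAX_IP_FAILURES = 20       # failures from one IP across all accounts (assumed)
IP_BAN_SECONDS = 3600      # per-IP ban length (assumed)
BASE_DELAY = 1.0           # seconds; doubles after each consecutive failure


class LoginThrottle:
    def __init__(self):
        self.account_failures = defaultdict(int)
        self.account_locked_until = {}
        self.account_next_allowed = defaultdict(float)
        self.ip_failures = defaultdict(int)
        self.ip_banned_until = {}

    def check(self, user, ip, now):
        """Return (allowed, reason). Call this BEFORE verifying the password,
        so a blocked attempt costs no password check and leaks no result."""
        if self.ip_banned_until.get(ip, 0) > now:
            return False, "ip_banned"
        if self.account_locked_until.get(user, 0) > now:
            return False, "account_locked"
        if self.account_next_allowed[user] > now:
            return False, "too_fast"
        return True, "ok"

    def record(self, user, ip, success, now):
        """Update counters after the password check has run."""
        if success:
            self.account_failures[user] = 0
            self.account_next_allowed[user] = 0.0
            return
        self.account_failures[user] += 1
        self.ip_failures[ip] += 1
        n = self.account_failures[user]
        # Enforced delay between successive attempts: 1s, 2s, 4s, 8s, ...
        self.account_next_allowed[user] = now + BASE_DELAY * 2 ** (n - 1)
        if n >= MAX_ACCOUNT_FAILURES:
            self.account_locked_until[user] = now + LOCKOUT_SECONDS
        # Per-IP cap: one source may not keep guessing against other accounts
        if self.ip_failures[ip] >= MAX_IP_FAILURES:
            self.ip_banned_until[ip] = now + IP_BAN_SECONDS


def replay(events, throttle=None):
    """Run (time, user, ip, password_correct) tuples through the throttle and
    return one outcome label per attempt."""
    t = throttle or LoginThrottle()
    outcomes = []
    for now, user, ip, correct in events:
        allowed, reason = t.check(user, ip, now)
        if not allowed:
            outcomes.append(reason)      # password is never evaluated
            continue
        t.record(user, ip, correct, now)
        outcomes.append("success" if correct else "failed")
    return outcomes


# Constructed scenario 1: one source (203.0.113.5, a documentation address)
# hammers the account "alice"; the real owner (198.51.100.7) logs in later.
ATTACK_EVENTS = [
    (0.0, "alice", "203.0.113.5", False),
    (0.1, "alice", "203.0.113.5", False),
    (1.0, "alice", "203.0.113.5", False),
    (1.5, "alice", "203.0.113.5", False),
    (3.0, "alice", "203.0.113.5", False),
    (7.0, "alice", "203.0.113.5", False),
    (15.0, "alice", "203.0.113.5", False),
    (16.0, "alice", "203.0.113.5", False),
    (20.0, "alice", "198.51.100.7", True),    # owner, but account is locked
    (916.0, "alice", "198.51.100.7", True),   # lockout has expired
]

# Constructed scenario 2: one source tries a single guess against 21 accounts;
# the per-account rules never trigger, the per-IP cap does.
SPRAY_EVENTS = [(i * 0.5, f"user{i:02d}", "203.0.113.5", False) for i in range(21)]

if __name__ == "__main__":
    print(replay(ATTACK_EVENTS))
    print(replay(SPRAY_EVENTS))
```

The first scenario also shows the trade-off of account lockout: the legitimate owner is refused at t=20 because the attacker tripped the lock, so lockouts should be short or paired with a second factor rather than made indefinite. The per-IP cap in the second scenario is what catches one source spraying a guess across many accounts, which the per-account counters alone would never notice.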
Individual users can help defend against brute-force attacks:
- Avoid using common or “typical” passwords.
- Use strong passwords, long and complex enough to slow down or stop brute-force algorithms.
- Keep your encrypted data safe where attackers can’t get access to it and try brute-force attacks against it at their leisure.
Applications such as LastPass make it easy to generate strong, unique passwords for every site, as well as to store encrypted data.
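To make the “long and complex enough” advice concrete, here is an added Python strength estimator (not from the article, and not LastPass code) that rejects passwords on a common-password list, then computes the worst-case keyspace an exhaustive attack must cover and the years needed to exhaust it at an assumed guess rate. The common-password list and both guess rates are constructed assumptions for illustration.

```python
"""Password strength estimator: a constructed example, not the article's code.
The word list and guess rates are illustrative assumptions."""
import math
import string

# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Assumed guess rates in guesses per second (illustrative, not measured).
ONLINE_RATE = 10.0     # a throttled login endpoint
OFFLINE_RATE = 1e10    # attacker holding a file protected by a fast hash


def is_common(pw):
    """Flag list entries and the 'typical' variant of appending digits or
    punctuation to one (e.g. a list word followed by '!1')."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS


def charset_size(pw):
    """Size of the alphabet an exhaustive search must assume, from the
    character classes actually present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 ASCII symbols
    if " " in pw:
        size += 1
    return size


def assess(pw, rate=OFFLINE_RATE):
    """Return the worst-case search effort: bits of keyspace and the years an
    attacker guessing at `rate` needs to exhaust it. Common passwords score 0."""
    if is_common(pw):
        return {"common": True, "bits": 0.0, "years_to_exhaust": 0.0}
    keyspace = charset_size(pw) ** len(pw)
    bits = math.log2(keyspace)
    years = keyspace / rate / (365 * 24 * 3600)
    return {"common": False, "bits": round(bits, 1), "years_to_exhaust": years}


if __name__ == "__main__":
    for candidate in ("Password!1", "Tr0ub4d&r", "correct horse battery staple"):
        print(candidate, assess(candidate), assess(candidate, rate=ONLINE_RATE))
```

Two things the numbers show: a nine-character mixed password that an offline attacker could exhaust in a couple of years would take billions of years against a throttled online endpoint, which is why the organizational policies above matter so much, and a four-word passphrase made only of lower-case letters and spaces has far more keyspace than the short complex one, which is why length beats special characters. The estimate is a ceiling: a real attacker orders guesses by likelihood rather than trying every combination, so treat it as a comparison between candidates, not a guarantee.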
Individuals and organizations should anticipate brute-force attacks when planning data protection strategies, creating encryption algorithms, and devising passwords. Using the right tools and enforcing secure policies will help mitigate and prevent these threats.