Holding the Line Against Brute-Force Attacks

Viruses, Trojans, malware, spyware — the types of nefarious digital attacks are too numerous to list. Companies know they need robust protection against both web-based and offline threats, but in the midst of concerns about sophisticated hackers, the simple—yet highly effective—brute-force attack may be overlooked.

Et tu, Brute?

Brute-force attacks don’t bother with complicated hacking or decryption techniques. Instead, these website attacks rely on the sheer force of numbers, trying to gain system entry by running through a list of random password combinations. One common type of brute-force attack is the so-called “dictionary attack,” which, according to Search Security, skips numbers and symbols in favor of common words — which are often used as employee passwords.

A Brief History of Brute Force

In the 1990s, RSA Security issued a series of challenges to hackers to highlight the vulnerability of the Data Encryption Standard (DES). When the DES was first deployed in the 1970s, the 56-bit key length was more than a match for available computing technology, but by 1995, networked computers were powerful enough to try every possible DES key. In 1997, the DES was cracked by the DES Challenge (DESCHALL) project in 81 days by trying 7 billion keys per second.

In 2012, Ars Technica reported on a 25-GPU cluster that was able to run 350 billion password guesses per second, which meant that in less than six hours, the cluster was able to try every possible 8-digit Windows passcode used by businesses.

Brute-force attacks continue to evolve, as The Next Web reports. The WordPress content-management system recently came under attack, with content-delivery network CloudFlare defending against more than 60 million attacks in one hour.

According to CloudFlare co-founder and CEO Matthew Prince, while the first decade of the new millennium was largely concerned with the vulnerability of Windows PCs, the second decade is going to be all about the insecurity of server software. Many attacks now focus more on distributed denial of service (DDoS), using inherent server vulnerabilities to handicap access.

Who’s at Risk for Brute-Force Attacks?

Organizations of all sizes may be susceptible to these kinds of website attacks. Nothing — no industry, no type of business, no operating system — is naturally immune to brute-force attacks. The most basic risk of a brute-force attack is an attacker gaining system entry and then stealing or deleting crucial company data.

According to How-to Geek, web-based services, such as email or social media accounts, have better protection from these attacks because they’ll often require users to answer CAPTCHA image questions, which neutralizes brute-force threats. If an attacker has obtained encrypted files from your network, however, they may be able to masquerade as a local device and convince web services to accept more password attempts.

How to Defend Against Brute-Force Attacks

There are several ways a company can limit the effects of brute-force attacks. First, consider blocking IP addresses that attempt multiple failed logins. Second, don’t use predictable failure behavior. Text strings such as “bad password” or “failed login” let hackers know they need to keep trying; automated brute-force systems in particular can be fooled by a false “success” result that leads only to another layer of password protection.

Finally — and perhaps most importantly — companies need to address passwords. Instead of using a single-word entry system, consider a multiple-word scenario. The concept, described in a recent XKCD comic, shows that a random set of numbers, letters and symbols has approximately 28 bits of entropy and can be cracked by brute force in three days with 1,000 guesses per second. A random four-word phrase, meanwhile, is not only easier for employees to remember but also has 44 bits of entropy, requiring approximately 550 years to crack.
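The first two defenses described above, blocking an IP address after repeated failed logins and keeping the failure response uninformative, can be sketched as follows. This is an added example, not code from the article; the thresholds, the LoginThrottle class, the message text and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed: failures allowed inside the window
WINDOW_SECONDS = 300    # assumed: sliding window length
BLOCK_SECONDS = 900     # assumed: how long an IP stays blocked
GENERIC_ERROR = "Sign-in failed."   # identical text for every kind of failure

class LoginThrottle:
    """Counts failed logins per source IP in a sliding time window."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        expires = self.blocked_until.get(ip)
        if expires is not None and now >= expires:
            del self.blocked_until[ip]       # the block has lapsed
            return False
        return expires is not None

    def record(self, ip, success, now):
        """Return the response the login handler should send for this attempt."""
        if self.is_blocked(ip, now):
            return GENERIC_ERROR             # same text as a wrong password
        if success:
            return "ok"                      # failures age out by time, not on success
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # forget failures outside the window
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
        return GENERIC_ERROR

# Constructed sample events: (time in seconds, source IP, password correct?)
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", False) for t in range(0, 50, 10)]        # five rapid failures
    + [(60, "203.0.113.7", True)]                                # arrives while blocked
    + [(70, "198.51.100.4", False), (90, "198.51.100.4", True)]  # ordinary user typo
    + [(1000, "203.0.113.7", True)]                              # after the block expires
)

def replay(events):
    throttle = LoginThrottle()
    return [throttle.record(ip, ok, t) for t, ip, ok in events]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because a blocked address receives the same message as a wrong password, a guessing tool cannot tell from the response when it has been cut off, and a correct guess made during the block is still rejected.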

Brute force remains a popular attack vector, but while hardware speed increases the success rate of these attacks, taking simple steps to block IP addresses, change default behavior and educate employees can help keep company walls intact.
