Is Your Business Vulnerable to Password Spraying?
April 16, 2018
Password security has always been one of the most important aspects of good cyber hygiene for enterprises. However, passwords, regardless of length or complexity, are not sufficient as a security measure on their own; multi-factor authentication should always be used alongside them.
US-CERT recently released a threat alert regarding an increase in brute force attacks using a technique called password spraying. In a traditional brute force attack, a malicious actor tries many passwords against a single username in an attempt to gain access to a system. An account lockout policy, which locks the account after a set number of failed login attempts, is an effective countermeasure against traditional brute force attacks.
Password spraying is a brute force technique that circumvents account lockout by trying only a few of the most common passwords against many user accounts. Each account sees only a handful of failed attempts, well below the lockout threshold, while the attacker hunts for the one person who is still using a default or easy-to-guess password.
Attackers commonly direct this technique at single sign-on (SSO), cloud-based and email applications that use federated authentication protocols, because the volume of legitimate traffic to those services helps mask the malicious login attempts.
Typically, attackers carry out password spraying in environments that lack multi-factor authentication (MFA), allow easy-to-guess passwords, use inbox synchronization (which lets mail be pulled from the cloud to remote devices and, where it relies on legacy protocols, can sidestep MFA), or use single sign-on with a federated authentication method.
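To make the difference between the two attack patterns concrete, here is an added example (not code from the original post or from US-CERT) that simulates a simple account-lockout policy and a spray detector over constructed authentication log lines. The lockout threshold, detection window, log format, IP addresses and account names are all assumptions made for the example: a traditional brute force against one account trips the lockout, while a spray of three passwords across twenty accounts never does, yet stands out immediately when failures are grouped by source rather than by account.

```python
# Added example, not code from the original post: a toy lockout policy and a
# password-spray detector run over constructed authentication log lines.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # assumed policy: lock after 5 consecutive failures
WINDOW = timedelta(minutes=30)   # assumed detection window
MIN_DISTINCT_USERS = 10          # assumed: one source failing against 10+ accounts
USERS = [f"user{i:02d}" for i in range(1, 21)]  # constructed account names


def build_sample_log():
    """Constructed log lines of the form 'ISO-timestamp,source_ip,username,result'."""
    t0 = datetime(2018, 4, 16, 9, 0, 0)
    lines = []
    # 1) Traditional brute force: one account, many passwords, from 203.0.113.5
    for i in range(8):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()},203.0.113.5,user01,FAIL")
    # 2) Password spray: three common passwords tried against all 20 accounts,
    #    one round every five minutes, from 198.51.100.7; user07 falls on round 3
    for round_no in range(3):
        for j, user in enumerate(USERS):
            ts = t0 + timedelta(minutes=5 * round_no, seconds=j)
            result = "SUCCESS" if (round_no == 2 and user == "user07") else "FAIL"
            lines.append(f"{ts.isoformat()},198.51.100.7,{user},{result}")
    # 3) Benign noise: a user mistypes twice, then logs in, from 192.0.2.10
    for k, result in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        ts = t0 + timedelta(minutes=1, seconds=k)
        lines.append(f"{ts.isoformat()},192.0.2.10,user03,{result}")
    return lines


def parse(lines):
    """Parse log lines into (timestamp, source_ip, username, result) tuples, in time order."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a per-account consecutive-failure lockout policy would lock."""
    streak = defaultdict(int)
    locked = set()
    for _, _, user, result in events:
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= threshold:
                locked.add(user)
        else:
            streak[user] = 0
    return locked


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 threshold=LOCKOUT_THRESHOLD):
    """Flag sources that fail against many distinct accounts within one window
    while keeping every individual account below the lockout threshold."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in fails_by_ip.items():
        for i, (start, _) in enumerate(fails):       # slide a window over this source's failures
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) < threshold:
                alerts[ip] = {"distinct_users": len(per_user),
                              "max_fails_per_user": max(per_user.values())}
                break
    return alerts


def spray_successes(events, alerts):
    """Accounts that logged in successfully from a flagged source: likely compromised."""
    return sorted({user for _, ip, user, result in events
                   if result == "SUCCESS" and ip in alerts})


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("locked by policy:", locked_accounts(ev))
    hits = detect_spray(ev)
    print("spray sources:", hits)
    print("accounts to reset:", spray_successes(ev, hits))
```

The lockout policy only catches the single-account brute force (user01), while the spraying source is flagged because it failed against all twenty accounts with at most three attempts each, and the one successful login from that source points at the account that needs a password reset and an MFA check. In a real deployment the grouping key would also include the user agent and target application, since federated and cloud logins from shared egress addresses will otherwise generate false positives.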
Successful password spraying can have severe consequences for an organization. Beyond financial and reputational losses, attackers may gain access to proprietary information or disrupt normal operations, causing significant damage.
So what can enterprises do to tackle this issue? Here are our recommendations:
- Require a password change whenever an account is suspected of compromise, especially for corporate accounts; note that NIST SP 800-63B advises against forcing rotation on a fixed schedule (such as every 60 days), since that pushes users toward predictable variations of the same password
- Set password policies that block easy-to-guess passwords, for example by screening new passwords against lists of common and previously breached passwords
- Enable multi-factor authentication (MFA) for all web-based applications, and disable legacy protocols that cannot enforce it. If MFA is already in place, review the current configuration thoroughly to ensure it is still enforced everywhere
- Ensure password policies align with NIST guidelines (NIST SP 800-63B)
- Monitor authentication logs for failed logins spread across many accounts from a single source, which is the signature of a spray rather than of a mistyped password
- Set up mandatory specialized security awareness training for all employees, from the boardroom to the break room
We believe that protection against attacks like password spraying relies heavily on implementing, and maintaining, good cyber hygiene.
To learn more about the importance of cyber hygiene, please read our latest 2018 Cybersecurity Conversations For The C-Suite Report here.