Last year, the United States Computer Emergency Readiness Team (US-CERT) issued an alert that hackers were targeting organizations in the United States with a massive wave of attacks based on successful guesses of common passwords.
These password-spray attacks seek to identify accounts at targeted organizations that use common or simple passwords, and then use those accounts to steal sensitive information. Nine Iranian nationals were indicted last year in New York for hacks of U.S. universities, companies and government agencies using this method.
In a password-spray attack, the attacker does not need advance knowledge of a user’s password. Unlike social engineering, in which the attacker tricks a user into revealing his or her password, spray attacks rely on the fact that, unless prevented, users will choose easy-to-remember passwords.
Password-spray attacks require only rudimentary knowledge of the target organization and simple internet research skills.
What Is a Password-Spray Attack?
The attacker begins by gathering the usernames of as many agency employees as possible. This work is made easier by the fact that most government email addresses take the form email@example.com, and that most usernames are a formulaic combination of a person’s first name or initial, last name, and perhaps a numeric identifier. The attacker uses this knowledge to create a list of as many usernames as possible.
Next, the attacker obtains a list of commonly used passwords. These include passwords that on the surface meet the agency’s password complexity requirements, but are still quite predictable. “Passw0rD2019!” for example, might beat the complexity filters but is still easy to guess.
With these lists in hand, the attacker launches an automated script that attempts to log in to systems with every possible combination of known usernames and predictable passwords. To succeed, the attacker needs to find only one account with a password on the list, providing an entry point to the system.
This kind of attack isn’t the only way that passwords can be used to breach an account. Attackers know that users commonly reuse the same strong passwords across multiple accounts. Password dump files from large-scale data breaches are easily found on the dark web; attackers can search for account names with a .gov email address, and then attempt to log in to agency systems using a password discovered in an external breach.
With this in mind, here are four strategies that agencies should follow to protect themselves from password-based attacks.
Agencies Should Implement Multifactor Authentication
The best way to protect against any password-based attack is to supplement basic password authentication with a second authentication factor. This approach, known as multifactor authentication, requires the use of either an object in the possession of the user or a physical characteristic of the user to confirm his or her identity.
In an online system, the easiest way to implement multifactor authentication is through either a smartphone or an authentication key fob carried by the user. When attempting to enter the system, the user first provides a password and then authenticates his or her identity by entering the passcode texted to the phone or generated by the key fob.
[Figure: Percentage of State Department high-value devices protected by multifactor authentication in 2018. Source: Sens. Ron Wyden, Edward Markey, Jeanne Shaheen, Cory Gardner and Rand Paul, Letter to Secretary of State Mike Pompeo, Sept. 11, 2018]
Multifactor authentication completely defeats password-spray attacks by requiring possession of a preregistered device. A spray attack might stumble across a valid username/password combination, but that information is useless without access to the user’s smartphone or authentication token.
Improve Password Policies
Most agencies already have strong password policies that require the use of complex, lengthy passwords. Many also prohibit the use of dictionary words.
Agencies can further strengthen these policies by prohibiting the use of any passwords that appear on a list of commonly used passwords. This technique isn’t 100 percent effective, but it does slow down password-spray attacks.
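A banned-password check only slows spray attacks if it normalizes candidates before comparing them, so that “Passw0rD2019!” is recognized as a dressed-up “password”. The example below is added here and is not from the article; the base-word list and substitution table are constructed for illustration.

```python
import re

# Constructed banned base-word list; a real deployment loads a much larger,
# regularly refreshed list built from known spray and breach corpora.
BANNED_BASE_WORDS = {"password", "welcome", "summer", "winter", "letmein", "agency"}

# Substitutions that let a predictable word pass a naive complexity filter.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a candidate to the base word it was built from: lowercase, drop
    leading/trailing digits and symbols (the usual "2019!" suffix), then undo
    leet substitutions inside the word."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET_MAP)


def is_banned(password, banned=BANNED_BASE_WORDS):
    """True if the normalized candidate is, or contains, a banned base word.
    Runs alongside, not instead of, the agency's length and complexity rules."""
    base = normalize(password)
    return any(word in base for word in banned)


if __name__ == "__main__":
    for candidate in ("Passw0rD2019!", "P@$$w0rd", "Tr0ub4dor&3"):
        print(candidate, "->", normalize(candidate), "banned" if is_banned(candidate) else "ok")
```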
Educate Federal Employees About Password Reuse
Password reuse is one of the gravest threats to systems that depend on password authentication. Agencies can implement extremely strong password policies, but those policies are only effective if users don’t compromise their passwords in other ways.
There are no technical controls to prevent a user from using the same password for their agency account and their personal email account or website login. The only way to mitigate this threat is to educate employees about the perils of reusing passwords and to encourage the use of secure password managers, which maintain unique passwords across many different accounts.
Monitor Agency Authentication Systems
Password-spray attacks are not subtle. They are noisy, brute-force attacks that should be immediately apparent to anyone watching agency authentication systems. Unfortunately, these systems often go unmonitored, allowing attacks to continue for hours or days before analysts notice and block the source of the attack.
Agencies should create automated alerts that immediately notify cybersecurity professionals of an increased rate of password authentication failures. Security information and event management systems may also block future authentication attempts from IP addresses that exceed a predefined threshold.
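The signature that distinguishes a spray from ordinary failed logins is one source producing a few failures each against many different accounts in a short window. The detector below is an added example, not code from the article or from any SIEM product; the log format and the sample lines are constructed, and the window and account thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-05-01T09:00:01Z 203.0.113.7 asmith FAIL
2019-05-01T09:00:02Z 203.0.113.7 bjones FAIL
2019-05-01T09:00:03Z 203.0.113.7 cwu FAIL
2019-05-01T09:00:04Z 203.0.113.7 dlee FAIL
2019-05-01T09:00:05Z 203.0.113.7 epatel FAIL
2019-05-01T09:00:06Z 203.0.113.7 fgarcia SUCCESS
2019-05-01T09:00:07Z 203.0.113.7 gkim FAIL
2019-05-01T09:10:00Z 198.51.100.4 asmith FAIL
2019-05-01T09:10:05Z 198.51.100.4 asmith SUCCESS
2019-05-01T10:30:00Z 203.0.113.7 hchen FAIL
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted usernames} for every source whose failures
    within any sliding `window` touch at least `min_users` distinct accounts.
    A single user failing repeatedly (a mistyped password) does not trigger."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, outcome = parse_line(line)
        if outcome == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users and len(users) > len(best):
                best = users
        if best:
            flagged[ip] = sorted(best)
    return flagged


def successes_from_flagged(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: the first
    accounts to investigate and force a password reset on."""
    hits = {user for line in log_text.splitlines()
            for _, ip, user, outcome in [parse_line(line)]
            if ip in flagged and outcome == "SUCCESS"}
    return sorted(hits)
```

In a SIEM the flagged source list feeds the blocking rule the article describes, and the success list drives the incident response follow-up.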
Password-spray attacks are dangerous and threaten to compromise the security of any agency that depends only on passwords to secure its authentication systems. Agency leaders seeking to mitigate this threat should expedite the adoption of multifactor authentication technology, improve their password policies, educate their workforce and actively monitor their authentication systems.