The DHS recently issued a warning against the use of common and or easily guessed passwords after several government agencies have been targeted by “password spray” attacks.
In these attacks brute force login attacks, attempt to break into accounts using these simple passwords with the goal of stealing sensitive information and unlike social engineering, these attacks require little more than rudimentary knowledge of the target organization and internet search skills.
An attacker first obtains a list of usernames of as many agency employees as possible which is made easier by the fact that most government email addresses take the form firstname.lastname@example.org, and that most usernames are a formulaic combination of a person’s first name or initial, last name, and perhaps a numeric identifier.
The attacker then launches an automated script that attempts to log in to systems with every possible combination of known usernames and predictable passwords.
Ryan Wilk, vice president of customer success for NuData Security, told SC Media that government agencies should adopt multilayered security technologies that include passive biometrics and behavioral analytics to detect non-human behavior both at the server and the endpoint.
“This allows these types of attacks to be quickly identified and mitigated even as bad actors change their strategy,” Wilk said. “These passive biometrics technologies also help verify that the right user is accessing the environment without requiring additional authentication steps, putting agencies back in control one step ahead of the bad actor.”
These sort of attacks can be prevented with the use of strong passwords, multi-factor authentication, no password reuse, and some sort of authentication verification software