According to new research from cybersecurity and antivirus protection firm, ESET, remote working has brought with it a sharp global increase in ‘brute-force’ attacks on small businesses. But what is a brute force attack? Why are they on the rise? And what can you do to protect your business?
What is a ‘brute-force’ attack?
Cybersecurity terms rarely do what they say on the tin, but a ‘brute force’ attack is precisely what it sounds like. Brute force attacks break into systems by trying millions of possible passwords or ciphertexts in the hope of guessing correctly.
Once upon a time, this was a time-consuming (and incredibly tedious) manual task. Think: hacker sitting in a darkened room, deep into the early hours with nothing but extra-strong coffee for company. However, new technology has made our hacker’s job much easier.
Most modern brute force attacks use automated software or a bot that can run billions of combinations of numbers, letters and symbols repeatedly. Statistically, eventually, the combination will be correct and crack the code, granting hackers access to whatever they’re looking for.
The five most common types of brute-force attack
Brute force attacks typically take one of five approaches.
1. Simple brute-force attacks
The old school approach. Hackers attempt to logically guess your details, without the aid of software or a bot. This approach is only useful for cracking simple passwords or attacking victims the hacker knows.
2. Dictionary attacks
In this form of attack, a hacker picks a target then runs possible passwords against their username. It’s called a dictionary attack because some hackers will quite literally run through an entire unabridged dictionary, adding special characters in as they go. As you can imagine, this approach is incredibly slow work without the help of an automated program.
3. Hybrid attacks
As the name suggests, hybrid attacks combine approaches one and two. Cybercriminals use this tactic to figure out passwords that mix common words with random characters. For example, ‘padlock1234!’ or ‘opensea3me456’.
4. Reverse brute-force attacks
A reverse attack starts with a known password rather than a username. Once they have a password, hackers will trawl millions of usernames until they find a match. This form of attack is becoming more frequent and often starts with a password sourced from existing leaks of user data.
5. Credential stuffing
Many of us use the same password across multiple websites. We know it’s bad practice, but human memory only extends so far. Unfortunately, hackers also know this and use credential stuffing to take advantage. Once they have the password/username combination for one site, they’ll try it on anything else they can think of including your online banking, social media and email.
What’s in it for cybercriminals?
Brute-force attacks are high-effort, low reward most of the time. Until recently, many cybersecurity experts were predicting attacks of this kind would only become rarer due to their lack of sophistication and the effort involved. So what’s in it for cybercriminals?
Sensitive data – This one’s pretty simple. A successful brute-force attack can unlock a treasure trove of data. Most companies store everything from employees’ personal and bank account details to tax information and confidential corporate data – all of which can be sold on for profit or used to steal employees’ identities.
Ransomware – Brute force attacks are perfect for installing ransomware on company systems. Again, the core motivation here is profit. Once the hacker is in and has installed their malware, they can threaten to release sensitive data or cripple internal systems until you pay a ransom.
Hijacking your website and devices – There tend to be two reasons why criminals are interested in hijacking a business’s website or devices. The first is computing power. All that malicious activity takes a lot of computing power, often more than hackers have at their disposal. So, one way around it is to infect an army of unsuspecting devices with malware to form a ‘botnet’ network to power it. This army can then be used to run everything from phishing scams to more brute-force attacks.
The second reason is advertising. With access to your website, cybercriminals can cover it in spam ads to generate profits from clicks or reroute traffic to their own site.
Why are brute-force attacks becoming more common?
As we tackled in a recent blog, the shift to remote working during the COVID-19 pandemic has brought with it extra cybersecurity risks. Many employees are working on unsecured or poorly secured home networks and devices. Businesses just haven’t had time to develop clear cybersecurity and password policies in all the COVID-related disruption. And, as research has shown, many employees think they can get away with riskier behaviour while working from home.
All of these factors combine to produce a hackers dream. Employees are simply more vulnerable to attack working from home, putting their employers at risk too.
How can your business protect itself?
Brute-force attacks are on the rise, but being breached needn’t be inevitable. Fortunately, attacks of this kind are quite easy to protect your business against, provided you follow a few simple principles.
Maintain good password hygiene – Making every password in your business as hard to crack as possible will protect you from all but the most sophisticated brute-force attacks. Create complex passwords, change them regularly, and use two-factor authentication and encryption for an extra layer of protection.
Ensure your policies are clear – Many businesses are guilty of assuming staff know what bad practice looks like, without providing any guidance. This leaves too much to chance. Instead, provide your employees with clear, easy-to-follow security policies for both remote and office working.
Create a personal vs professional divide – We all use work devices to browse the news or check our bank balance from time to time. Or use our own laptop for work. The problem is, the more sites you visit and the more entry points into corporate systems and applications, the higher the risk of a breach. Encourage your people to keep work devices for work and personal devices for everything else.
Give employees the right security – The most brilliant security policy in the world won’t save your organisation if employees are using outdated software or security tools. Check your employees are regularly installing software updates and patches and all equip all corporate devices with the latest security capabilities.
Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.