Technology giant Citrix, a Florida-based software company, recently disclosed a security breach after international cyber criminals gained access to their internal network. The FBI, which alerted Citrix to the threat, said hackers attacked the company’s network by using a tactic known as password spraying.
Currently, Citrix is working with numerous cybersecurity firms, as well as the FBI, to ensure their network’s security is iron-clad. And, they’re using the incident to share lessons learned and best practices other organizations should keep in mind in order to protect their own networks.
So, what is password spraying and how can you ensure your organization’s network is protected?
Read this article to learn more about how to identify and detect password spraying, and steps your organization must take to avoid potential attacks.
What is password spraying, and how does it work?
Password spraying, which refers to a type of brute force attack, is a technique that exploits weak passwords.
A traditional brute force attack occurs when a hacker attempts to access an account by merely guessing a password. The result can end in one of two ways:
- The hacker can guess the right password, or;
- They’ll get locked out due to too many bad password attempts
However, during a password spraying attack, hackers avoid the lockout risk by using one password against multiple accounts. This “low-and-slow” method allows hackers to attempt access by using several passwords until finding one that ultimately grants them access.
Indicators you’ve been hacked and typical victim environments
According to a letter Citrix submitted to California’s attorney general, company officials determined that hackers had ‘intermittent access’ to their network from Oct. 13, 2018, to March 8, 2019.
That’s five months of criminal activity before the hackers were even noticed, and eventually discovered, by the FBI.
And, this type of breach is not uncommon.
Verizon’s 2017 Data Breach Investigations Report revealed that weak or stolen passwords were the main culprit for more than 80% of hacking-related breaches.
Is your organization an easy target? Many victims of password spraying share similar characteristics that contribute to easy access, such as:
- No multifactor authentication
- Passwords are easy to guess – think ‘Spring2019’ or ‘Password1234’
- Email is synched – allowing it to be transferred from the cloud and onto a remote device
There are some top indicators that may suggest your organization has been attacked by password spraying, including:
- An unusual spike in attempted logins
- IP address logins from employees that are not consistent with their typical location
- The use of automated tools that originate from a common user-agent string
Impact of password spraying attacks
The impact of a password spraying attack is multifaceted.
After Citrix’s breach, they sent a notice of data breach letter to everyone affected by the cyberattack. In the aforementioned letter to California’s attorney general, Citrix noted that the “Cyber criminals may have accessed and or removed information relating to certain individuals who are current and former employees as well as certain beneficiaries and dependents.”
The type of information that may have been stolen, according to the company, included names, Social Security numbers, and financial information.
There are various potential impacts from a password spraying attack, like:
- Damage to an organization’s reputation
- Distrust of current and former employees as well as anyone else affected
- Financial loss related to restoring and resecuring a system or network
- Loss of sensitive information
- Disruption of day-to-day operations
This type of attack will remain a huge headache for an organization long after the initial breach is detected. For example, Citrix’s investigation is ongoing, and will most likely remain open for quite some time.
5 steps to take to avoid password spraying attacks
The National Cyber Security Centre in the U.K. conducted a research study to assess just how susceptible organizations are to a password spraying attack.
The results were startling. The study concluded that:
- 75% of participating organizations had passwords included in the top 1,000 list
- 81% of participating organizations had passwords included in the top 10,000 list
Even though this study was conducted in the U.K., these attacks are happening globally. To prevent a password spraying attack, organizations must take these five measures:
- If not already in use, two-factor authentication is key to adding an additional layer of security
- To avoid easily guessed passwords, employers must implement and enforce strong password policies
- Create security policies and focus on what sensitive data and information can be accessed and shared remotely
- Offer additional assistance and security awareness training to every employee
- Review current protocols and make any necessary security changes that will help prevent password spraying attacks
Taking these steps will ensure your organization is less susceptible to attacks. If you’re unsure where to start, begin with the implementation of strong passwords.