Brute Force
Category: Security Misconfiguration
Severity: High
Description
A brute force attack can take many forms, but it primarily consists of an attacker choosing a set of predetermined values, making requests to a server with those values, and analysing the responses. For efficiency, an attacker may use a dictionary attack (with or without mutations) or a traditional brute-force attack over given character classes (e.g. alphanumeric, special characters, case-sensitive or case-insensitive). Given the method, the number of tries, the efficiency of the attacking system and the estimated efficiency of the attacked system, the attacker can estimate approximately how long it will take to submit all of the chosen values.
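The behaviour described above is visible on the server side as a burst of failed logins from one source, which is what a detection rule looks for. The following is an added example written for this page (not code from the page or from OWASP): a small parser for a constructed authentication log format plus a sliding-window rule that flags any source producing a threshold number of failures within a time window. The log line layout, the addresses and the usernames are all invented sample data; the thresholds are hypothetical defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not from the page). One authentication event
# per line: timestamp, source address, target username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z auth src=198.51.100.7 user=dave result=FAIL
2024-05-01T10:00:03Z auth src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:05Z auth src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:07Z auth src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:08Z auth src=198.51.100.7 user=dave result=OK
2024-05-01T10:00:09Z auth src=203.0.113.5 user=carol result=FAIL
this line is not an auth record and is skipped
2024-05-01T10:00:30Z auth src=203.0.113.5 user=carol result=FAIL
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one event line; return (timestamp, src, user, result) or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"]


def find_bursts(lines, window_seconds=60, threshold=5):
    """Return one alert per source that produced >= threshold failed logins within window_seconds.

    A sliding window of recent failures is kept per source, so the check is
    amortised O(1) per event and works on a live stream as well as on a file.
    """
    history = defaultdict(deque)   # src -> deque of (timestamp, user) for recent failures
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, user, result = rec
        if result != "FAIL":
            continue
        window = history[src]
        window.append((ts, user))
        # drop failures older than the window, measured from the newest event
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "failures": len(window),
                "users": sorted({u for _, u in window}),
                "first": window[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['failures']} failed logins against {alert['users']} "
              f"between {alert['first']} and {alert['last']}")
```

Keying the window on the source rather than on the username is deliberate: it also catches the variant in which one source tries a few guesses against many different accounts, which a per-account failure counter never reaches its threshold on. In practice both views are kept.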
Impact
Identity theft
Stealing someone's identity to access their accounts, such as bank accounts or credit cards, which enables the attacker to purchase goods using those details. In addition, information such as social security numbers can be sold for use in other cyber attacks.
Loss of data
Loss of confidentiality when data is stolen, which can destroy a company's reputation. There may also be reputational damage from a leak of sensitive customer information, leading to public distrust and dissatisfaction with the business.
Downtime
This refers to system outages in which websites or computer networks cannot be accessed because of a cyber attack. It is costly to the business in lost revenue, reduced customer satisfaction and damage to its image.
Remediation
Account lockout
You can lock accounts after several failed login attempts and then have an administrator unlock them.
Progressive delays
You can lock accounts out for a limited time after failed login attempts, with each further failed attempt making the delay longer.
Captcha
Tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can complete these tasks easily, while automated brute force tools cannot.
Requiring strong passwords
You can force users to define long and complex passwords. You should also enforce periodic password changes.
Two-factor authentication
You can use multiple factors to authenticate identity and grant access to accounts.
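The account lockout and progressive delay controls above are simple to state but easy to get subtly wrong, so here is an added example written for this page (not code from the page or from OWASP) that implements both as one policy: the wait after each consecutive failure doubles up to a cap, reaching a failure limit locks the account for a fixed period, and a successful login or an administrator unlock clears the state. All policy values are hypothetical defaults; the clock is passed in explicitly so the behaviour is testable without sleeping.

```python
from dataclasses import dataclass


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    next_allowed: float = 0.0  # epoch seconds before which attempts are refused


class LoginThrottle:
    """Progressive delay plus temporary lockout for one login endpoint.

    Hypothetical defaults, not from the page: the wait after the n-th
    consecutive failure is base_delay * 2**(n-1) seconds, capped at max_delay;
    reaching max_failures locks the account for lockout_seconds, or until an
    administrator unlocks it. A successful login clears the account's state.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, max_failures=5, lockout_seconds=900.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._accounts = {}

    def check(self, username, now):
        """Return (allowed, seconds_to_wait) without changing any state."""
        state = self._accounts.get(username)
        if state is None or now >= state.next_allowed:
            return True, 0.0
        return False, state.next_allowed - now

    def record_failure(self, username, now):
        """Register a failed attempt and return the delay imposed before the next one."""
        state = self._accounts.setdefault(username, _AccountState())
        state.failures += 1
        if state.failures >= self.max_failures:
            delay = self.lockout_seconds
        else:
            delay = min(self.base_delay * 2 ** (state.failures - 1), self.max_delay)
        state.next_allowed = now + delay
        return delay

    def record_success(self, username):
        """A correct login resets the failure counter and any pending delay."""
        self._accounts.pop(username, None)

    def admin_unlock(self, username):
        """Manual unlock, the administrator action described in the remediation."""
        self._accounts.pop(username, None)

    def attempt(self, username, verify, now):
        """Drive one login attempt. Returns (status, seconds_to_wait).

        `verify` is a zero-argument callable that checks the submitted credentials.
        It is only called when the account is not throttled, so a locked account
        refuses even the correct password and the response reveals nothing about
        whether the guess was right while the lock is in force.
        """
        allowed, wait = self.check(username, now)
        if not allowed:
            return "throttled", wait
        if verify():
            self.record_success(username)
            return "ok", 0.0
        return "failed", self.record_failure(username, now)


if __name__ == "__main__":
    # Simulated sequence of wrong guesses against one account, each one made as
    # soon as the previous delay has expired.
    throttle = LoginThrottle()
    clock = 0.0
    for i in range(6):
        status, wait = throttle.attempt("alice", lambda: False, clock)
        print(f"t={clock:>7.1f}s attempt {i + 1}: {status}, next allowed in {wait:.0f}s")
        clock += wait
```

Two design points worth noting: the delay is enforced on the server by refusing the attempt outright rather than by sleeping in the request handler, since a sleeping handler ties up a worker per guess and becomes a denial-of-service lever; and the credential check is skipped entirely while throttled, so the lock does not leak a different response for a correct guess.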
https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks