Another year and another batch of grey hairs for network security engineers tasked with keeping their organization's data safe and secure. For this article, we're going to narrow our focus to two specific types of attacks in cyber security: Password Spraying and Ransomware.
I wrote a blog about combating password spray attacks last year and the description still holds true. The attacks are an attempt to learn end-users' credentials, but they have the side-effect of potentially acting as a Denial of Service if they are overly aggressive and trigger your Account Lockout protections.
One of the main reasons I wanted to write about this topic is because it is on the rise. We are hearing from an increasing number of our customers that they or organizations they know are regularly receiving these cyber security attacks. Dealing with the symptoms by continually unlocking accounts still results in lost productivity for end-users and your help desk and does not tackle the root cause.
The prior blog posting listed numerous ways to mitigate this type of cyber security attack, including:
- Multi-factor authentication will help ensure attackers cannot fully authenticate if a password is learned, but it does not prevent the Denial of Service aspect of this attack.
- Rate limiting – This is how PortalGuard's IP Lockout feature works to dynamically detect and block back-end login requests from Office 365 servers.
- Image-based CAPTCHA can be used to prevent spraying against "front-end" logins, but try not to rely on text-based CAPTCHA systems, which are starting to show vulnerabilities to automated solvers. A recent PortalGuard version added support for this on its main logon screen.
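Rate limiting only works if you can tell a spray apart from ordinary failed logins. The following is an added example, not code from the original post or from PortalGuard: it reads a constructed, made-up login-failure log and flags any source IP that fails against many distinct accounts inside a short window (the spray signature), as opposed to one account failing many times (plain brute force). The log format, IP addresses, usernames and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system), one event per line:
# "<ISO timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2019-02-04T09:00:01 203.0.113.7 alice FAIL
2019-02-04T09:00:03 203.0.113.7 bob FAIL
2019-02-04T09:00:05 203.0.113.7 carol FAIL
2019-02-04T09:00:07 203.0.113.7 dave FAIL
2019-02-04T09:00:09 203.0.113.7 erin FAIL
2019-02-04T09:00:11 203.0.113.7 frank FAIL
2019-02-04T09:01:00 198.51.100.2 alice FAIL
2019-02-04T09:01:30 198.51.100.2 alice FAIL
2019-02-04T09:02:00 198.51.100.2 alice OK
"""

def parse(lines):
    """Turn raw log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_sprayers(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set_of_users} for every IP whose failures hit at least
    `min_users` distinct accounts within any `window`-sized span.
    A single user failing repeatedly from one IP is NOT flagged here; that is
    the brute-force case the account-lockout policy already covers."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()                     # oldest first
        start = 0
        for end in range(len(attempts)):    # sliding window over failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            # keep the largest set of distinct accounts seen in one window
            if len(users) >= min_users and len(users) > len(flagged.get(ip, ())):
                flagged[ip] = users
    return flagged
```

The flagged set is also the list of accounts whose lockout counters that IP is driving up, which is the Denial of Service side-effect described above; blocking the source IP stops both the credential guessing and the lockouts.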
Ransomware is an especially insidious attack that requires running a program on the targeted machines. This program searches for specific file types, encrypts them using a randomly generated key, then sends that key back to the attacker. Talk about using technology for illicit purposes! The attacker then demands a specific amount of money in order to return the encryption key which, in theory, allows the victim to decrypt and recover their data. Adding to the heartburn, the ransomware may be poorly written and leave the data corrupt even after payment, and there is no guarantee that the cyber security attack won't recur in the future.
According to Barkly, ransomware attacks actually diminished in the first half of 2018. Counter to this, CPO Magazine cites a report from Datto that claims these attacks are becoming more prevalent, and Beazley concurs, especially in the healthcare industry. Regardless of the trend, these remain very serious attacks which occur across verticals. Last year saw high profile private companies like PGA of America, local government agencies such as the City of Atlanta and large health care agencies have highly publicized infections. Do not sleep on this attack, as it is easy for hackers to reproduce and compromised systems, especially servers, can cripple your infrastructure.
Protections include regular off-site backups, regular software updates, multiple tiers of network Intrusion Detection and Prevention systems and anti-virus software. For backups, this includes individual files, SQL databases and file servers, and the backups must then be kept offline to prevent the ransomware from propagating to them.
Again, there is no shortage of cyber security attacks being carried out against your own infrastructure, much less the internet at large. As long as attackers can achieve their goals of making money or sowing discord, they will continue to innovate and perpetrate. Security models will continue to evolve with those threats to help keep organizations and their data safe enough until the next iterations of attacks arrive.