Learnings from the Citrix Breach — Five Steps to Protecting Your Organization from Password Spraying

Cyber Risk

/

March 27, 2019

Karen Walsh

Another day, another data breach. On March 6, the FBI contacted international software provider Citrix to let them know that international cyber criminals appeared to have gained access to their internal network. The company provides server, application and desktop virtualization, networking Sofware-as-a-Service, and cloud computing technologies. Rather than using network control weaknesses, the cybercriminals used an infiltration process called password spraying, which can affect any company. The first step to protecting your small or mid-sized business is understanding the attack so that you can keep yourself from being the next newsworthy data breach.

What is Password Spraying?

Password spraying occurs when cybercriminals use passwords leaked from other data breaches to try to obtain access to data and networks. In May 2018, the United Kingdom’s National Cyber Security Centre conducted a research study that indicated 75% of the participant organizations had accounts using passwords listed as part of the top 1,000 most commonly used passwords list. These weak, commonly known passwords place those organizations at risk for a data breach.

How Do Cybercriminals Attack Passwords?

Cybercriminals no longer sit at computers for hours trying to manually log in to each account individually nor do they need to code their own programs. Rather than targeting individuals, they target the weak password. Since most organizations use common combinations of firstname.lastname@organization or firstnameinitial.lastname@organization, a cybercriminal merely needs the formula and organization’s users. Then they use a popular password and try it with all the different user login IDs.

In short, they use publicly available information about the organization and use an educated guess based on people’s poor password hygiene to locate a backdoor to networks and systems.

Why Do Cybercriminals Like Password Spraying?

As more companies migrate to the cloud, their users increasingly rely on password access to a variety of Software-as-a-Service (SaaS) third-party vendor platforms. Since most SaaS login IDs use employee email addresses, cybercriminals can spray mail logins and often find a way to gain access to data.

These SaaS applications store nonpublic personally identifiable information (PII) and other sensitive data. For example, a marketing database may include potential customers’ names and email addresses. A payroll application may incorporate an employee’s name, date of birth, and social security number. All of this information can be sold on the Dark Web.

Additionally, as more cloud services providers (CSPs) continuously monitor their networks, applications, and servers, cybercriminals find themselves stymied. For example, regularly updating software to protect against commonly known security vulnerabilities closes the gate to these locations.  Rather than trying to gain entrance through external methods, cybercriminals choose to compromise internal access.

How Can an SMB Protect Itself from Password Spraying?

Establish a Password Policy

Any strong cybersecurity program incorporates a password policy. At a minimum, your policy should incorporate the following:

  • Minimum length of 10 characters
  • No directly identifiable information
  • Unique password for each account
  • Avoid common dictionary words
  • Use phrases that you can remember
  • Replace letters with unique characters such as: ! @ $
Require Employees to Use a Password Manager

Password managers such as OneLogin, LastPass, and CommonKey create “password vaults” where they can store their passwords. The password manager application encrypts the information both at rest and in transit. Even more importantly, most password managers recognize weak passwords and prompt users to create stronger ones. SMBs can use enterprise solutions that allow their IT administrators to manage details or take away permissions to maintain access control.

Incorporate Multi-Factor Authentication (MFA)

MFA uses a combination of the password (something you know) and either something you have (a smartphone or token) or something you are (biometrics such as fingerprint or face identification). Even if a cybercriminal obtains a login ID and password, multifactor authentication can keep them from gaining entrance to your systems, networks, and software since they won’t be able to meet the second requirement in the access process.

Monitor User Access and Authentication

As part of creating a strong cybersecurity program, you need to make sure that you not only establish policies and procedures but that your employees follow them. Moreover, you need to make sure that as users within the organization move around, you ensure “least privilege necessary” that follows their job function.

For example, you don’t need someone in marketing to have access to payroll. However, if that marketing person moves to human resources, you may want to change the access. They should no longer have marketing SaaS application access when you add SaaS payroll access. To protect yourself from the dangers associated with weak passwords, you need to regularly review data access and use.

Obtain a Cyber Risk Insurance Policy

Cybercriminals are always thinking of the next potential threat methodology. What you do today and the controls you maintain over your environment may be obsolete tomorrow. No matter how well you mitigate and protect against cyber attacks, you need to make sure that you also prepare for the worst -- a data breach.

A cyber risk insurance policy gives you the assurance that in the event of a data breach, you have coverage available for the inevitable costs associated with it, including:

  • Business interruption
  • Disaster recovery
  • Data reconstruction
  • Legal costs

Zeguro Offers End-to-End Protection for SMBs

Zeguro understands small and mid-sized businesses and their cybersecurity struggles. As such, we created an end-to-end security first solution to help them protect information. Start protecting yourself from a data breach today by contacting us for a cyber policy quote.