When Attackers Come Knocking
Earlier this year, we discovered that an angry ex-employee at one of our customer’s organization tried to guess the CEO’s password more than 300 times. The day he was fired, he went to work trying to crack the CEO’s password. What if he had been able to break in? It would have been devastating for the company. Fortunately, the would-be-attacker was unsuccessful. The sad part is that a simple setting in Windows could have hampered his efforts significantly. The fix takes 10 seconds…
When we audit companies, it has become commonplace to discover attacks like this in progress. Place emphasis on the past two words. This isn’t a coincidence. The reality is that attackers are now constantly attempting to break into organizational accounts, from anywhere in the world, using guessed usernames and passwords. In some cases, the attackers are successful.
What you need to know: An important feature, the account lockout policy, is often overlooked when networks are configured.
Your servers can monitor failed logon attempts. It only takes your IT professionals 10 seconds to configure a policy that tells the servers that if a user enters the wrong password five times within five minutes, then his account is disabled for five minutes before he can attempt to logon again. And all of those numbers are easy to adjust individually; none of them need to be five.
The bad part of an account lockout policy is that, for the users who cannot remember their password, they only get to make a certain number of incorrect guesses at a time. That’s why you might use the number five for the values shown above. Even those basic restrictions can significantly frustrate an attacker. Locking out a user for 30 minutes after three wrong guesses may sound more secure, but it is also much more inconvenient for a forgetful user.
There is a long conversation to have about the pros and cons of setting a lockout policy, but one thing is certain: If an attacker ever gains access to your network through guessing passwords, you will wish that you’d asked your IT professional to configure the account lockout policy.
Please forward this to your friends whose organizations you care about.