How to prevent brute force webmail attacks

EXPERT RESPONSE FROM: Sherri Davidoff, featured expert

QUESTION POSED ON: 23 April 2009
Why is the brute-force of webmail accounts a popular hacking technique? How is it done, and what can be done to prevent it on an enterprise level?

Great question. Brute forcing Web-based email accounts is popular because it's so easy. There are a number of publicly available brute-force password-guessing tools, which require minimal skill to use, including ones like "Brutus." You give Brutus a list of words (a "dictionary") to use as usernames or passwords, and it will try every possible combination until one works. Some tools will also try permutations on each password (e.g. "fluffy8", "fluffy9", etc.). The program is simple enough that a teenager could use it to point, click and break, or brute force, into webmail accounts.

The good news is that there are effective ways to foil enterprise Web-based email attacks. Probably the most straightforward strategy is to use two-factor authentication. It is often said that there are three forms of authentication:

  1. Something you have (e.g. a debit card)
  2. Something you know (e.g. a password)
  3. Something you are (e.g. your fingerprint)

Password-protected Web email is an example of single-factor authentication (something you know). Since passwords are often remotely guessed or stolen, this is a fairly low-security method for restricting access.

For Web-based email, I recommend using at least two-factor authentication, such as RSA Security Inc.'s hardware SecurID token. These tokens fit in the palm of your hand, and they display a different password for every login. The password is never repeated, and the odds of guessing it at the right time are extremely small. The user generally also types in a personal PIN, combining the hardware token (something you have) with the PIN (something you know). There are also many other ways to implement two-factor authentication, such as software-based authenticators or cell phone-based systems.

You can also reduce the risk of brute-force webmail attacks by limiting login attempts (e.g. three failed logins in one minute results in a 15-minute lockout). This dramatically limits an attacker's number of guesses. Make sure you have a strong password policy so passwords are difficult to guess, and test accounts regularly. Finally, if you have a password reset system, ensure the answers to questions are not easily attainable from public records or social networking sites.

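To show what the lockout policy in the answer actually buys, here is an added example (not code from the expert response) that implements "three failed logins in one minute results in a 15-minute lockout" as a per-account sliding window, then runs a Brutus-style dictionary with digit permutations against it. The user store, the word list and the one-guess-per-second attacker are all constructed for the demo; `LoginThrottle`, `login` and `simulate_attack` are names chosen here, not any product's API.

```python
import hashlib
import hmac
from collections import deque


class LoginThrottle:
    """Per-account sliding-window failure counter with a hard lockout.

    Defaults match the policy in the answer: three failures within one
    minute lock the account for fifteen minutes."""

    def __init__(self, max_failures: int = 3, window: int = 60, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # username -> deque of failure timestamps (epoch s)
        self._locked_until = {}  # username -> epoch second at which the lock expires

    def is_locked(self, username: str, now: float) -> bool:
        return now < self._locked_until.get(username, 0)

    def record_failure(self, username: str, now: float) -> None:
        recent = self._failures.setdefault(username, deque())
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            recent.clear()

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


# Constructed user store. Real systems store a salted, deliberately slow hash
# (bcrypt, scrypt, PBKDF2); plain SHA-256 keeps this offline demo fast.
USERS = {"alice": hashlib.sha256(b"fluffy9").hexdigest()}


def login(throttle: LoginThrottle, username: str, password: str, now: float) -> str:
    """Returns 'locked', 'denied' or 'ok'. A locked account never has the
    password evaluated, so attempts made during the lock teach the attacker nothing."""
    if throttle.is_locked(username, now):
        return "locked"
    stored = USERS.get(username)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    if stored is not None and hmac.compare_digest(stored, candidate):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "denied"


def dictionary_with_permutations(words, suffixes=range(10)):
    """Brutus-style candidate list: each base word, then word + one digit."""
    for word in words:
        yield word
        for s in suffixes:
            yield f"{word}{s}"


# Constructed word list: 50 filler words, then "fluffy", so the real password
# "fluffy9" sits at index 560 (50 * 11 + 10).
WORDLIST = list(dictionary_with_permutations([f"word{i}" for i in range(50)] + ["fluffy"]))


def simulate_attack(throttle, username, guesses, seconds, interval=1):
    """Attacker submits one guess every `interval` seconds for `seconds` seconds.
    Returns (number of passwords actually evaluated, time of success or None)."""
    pending = iter(guesses)
    guess = next(pending, None)
    evaluated = 0
    for now in range(0, seconds, interval):
        if guess is None:
            break
        result = login(throttle, username, guess, now)
        if result == "locked":
            continue  # rejected unevaluated; the attacker retries the same guess later
        evaluated += 1
        if result == "ok":
            return evaluated, now
        guess = next(pending, None)
    return evaluated, None


if __name__ == "__main__":
    print("no throttle:", simulate_attack(LoginThrottle(max_failures=10 ** 9), "alice", WORDLIST, 3600))
    print("3-in-60s, 15-min lockout:", simulate_attack(LoginThrottle(), "alice", WORDLIST, 3600))
    # The same lock also shuts out the real user while the attacker keeps hammering.
    t = LoginThrottle()
    for now in (0, 1, 2):
        login(t, "alice", "wrong", now)
    print("alice, correct password, during lock:", login(t, "alice", "fluffy9", 3))
```

Over one hour the unthrottled attacker evaluates 561 guesses and recovers the password at second 560; with the lockout only 12 guesses are ever evaluated (four 3-attempt bursts fifteen minutes apart), so a word list that would have worked in under ten minutes now needs days. Two caveats for production use: a lock keyed on the username alone does nothing against an attacker spraying one common password across many accounts, since each account sees a single failure, so throttle by source address as well; and, as the last line of the demo shows, anyone who knows a username can lock that user out, which is why many sites pair the policy with progressive delays or a CAPTCHA instead of a flat 15-minute lock.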



Copyright 2003 - 2009, TechTarget