Brute Force Attack

17/04/2017

What actually is a Brute-force attack, and how can I protect my CRM system against it?

A Brute-force attack is the simplest way to try to gain access to a system without authorization, but it is effective: given enough time, the attacker has the mathematical certainty of finding a way in.

Definition

A Brute-force attack has the following characteristics:

  • it tries every possible password;
  • the time needed to break the system depends on the length and complexity of the chosen password;
  • a system is usually considered safe if it forces users to adopt long and complicated passwords.

How it works

A Brute-force attack consists of an enormous, sustained repetition of attempts to find the right combination of user name and password.
It is usually conducted by bots, automated programs that replicate human logins.

As in every battle, some factors help the attacker while others help the defender; let’s focus on the first ones in order to strengthen the protections:

Admin user

If the CRM administrator uses “admin” as the username, half of the attacker’s job is already done, because they only have to try all the possible passwords of any length and any character set.

CRM URL

If your CRM system location is predictable, like:

  • crm.yourcompanyname.com
  • www.yourcompanyname.com/crm

then the attacker knows where to intervene and how to point their automatic bots.

In case the attacker is a former colleague or employee, the CRM URL is obviously known. Changing the URL is “overkill”: think of the disruption caused to colleagues who would have to save the new link in their browsers or apps.

But don’t worry; there are easier solutions.

Protection in Passwords

One classic way to protect your system is to oblige your employees to use a strong password. You can easily set the password requirements in the Password Management panel of the admin page: https://support.sugarcrm.com/Documentation/Sugar_Versions/6.5/Ent/Administration_Guide/Password_Management/index.html

Please note that some of the settings shown at the previous link are only available in the paid SugarCRM editions. You can always achieve the same result with custom development.

Think different

Instead of wasting precious energy fighting potential threats and trusting procedures to ensure that employees adopt strong passwords and/or renew them often, you can introduce an automatic barrier that bans any potential intruder as soon as they exceed the maximum number of allowed attempts.
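The barrier described above, as an added example that is not CRM Defender’s code nor part of the original article: failed logins are counted per source IP and per targeted username inside a sliding window, and a source that exceeds the limit is refused until the ban expires. The thresholds (5 failures in 300 seconds, 900-second ban) and the login records are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Constructed login records (ts in seconds, source IP, username, success): made up here, not from the article or CRM Defender.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", "admin", False),
    (2, "203.0.113.7", "admin", False),
    (4, "203.0.113.7", "admin", False),
    (6, "203.0.113.7", "admin", False),
    (8, "203.0.113.7", "admin", False),     # fifth failure inside the window: ban
    (10, "203.0.113.7", "admin", True),     # right password, but the source is already banned
    (15, "198.51.100.4", "alice", True),    # a legitimate user logs in normally
    (100, "192.0.2.9", "admin", False),     # new IP, same "admin" target: still blocked
    (920, "203.0.113.7", "admin", False),   # ban expired, counting starts again
]

class LoginGuard:
    def __init__(self, max_failures=5, window=300, ban_time=900):
        self.max_failures, self.window, self.ban_time = max_failures, window, ban_time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.banned_until = {}              # key -> time at which the ban expires
    def is_banned(self, ts, key):
        until = self.banned_until.get(key)
        if until is not None and ts < until:
            return True
        self.banned_until.pop(key, None)    # an expired ban is forgotten
        return False
    def process(self, ts, ip, username, success):
        # Tracking the username too catches an attacker who rotates IPs against "admin".
        keys = (f"ip:{ip}", f"user:{username}")
        if any(self.is_banned(ts, k) for k in keys):
            return "blocked"                # refused before the password is even checked
        if success:
            for k in keys:
                self.failures.pop(k, None)  # a genuine login clears the counters
            return "ok"
        verdict = "failed"
        for k in keys:
            recent = self.failures[k]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()            # drop failures older than the window
            if len(recent) >= self.max_failures:
                self.banned_until[k] = ts + self.ban_time
                recent.clear()
                verdict = "banned"
        return verdict

def run(attempts, **settings):
    guard = LoginGuard(**settings)
    return [guard.process(*attempt) for attempt in attempts]
```

In a real deployment the "blocked" verdict would be handed to the web server (for instance as a deny rule), so the CRM never sees the request.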

With a solution like CRM Defender there will be no way to hijack your system, because the Web Server itself, duly instructed by CRM Defender, will block intruders.

Contact us

Feel free to contact us for commercial or technical questions.

    Copyright All Rights Reserved 2021 CRM Defender - Lion Solution Srls