We at Citrix are attuned to the challenges faced by organizations who seek to ensure their systems balance user experience, productivity, and security. We maintain a Worldwide Customer Success team that advises customers how to implement, manage, expand, and support their environments to create a seamless experience while also protecting against rapidly evolving cyber threats.

In the wake of our own recent cyber event and the increasing prevalence of password spraying attacks against a wide range of entities, we will be launching a new series of technical articles from our leading experts that will cover security best practices that we advise our customers adopt to make their Citrix deployments as secure as possible. As part of this, we will share real world examples, lessons learned, and enablement webinars tackling our customers’ most pressing needs.

As the first in a series of Customer Success Insights, this blog will detail security improvements that can be used to combat password spraying. The cybersecurity industry, law enforcement, and organizations worldwide have seen a tremendous increase in password spraying attacks recently, as the growing volume of stolen credential stores circulating the internet allow criminals to more easily enter networks by guessing passwords. So, for starters, all should familiarize themselves with recent pronouncements around password security and authentication from the Federal Bureau of Investigation and U.S. Department of Homeland Security.

What Is Password Spraying?

Password spraying is a technique in which cyber criminals use passwords from previous breaches, or generated password lists, to attempt access to an environment. Slowly testing against many user accounts, from a variety of source networks, these attacks are hard to identify since many do not trigger threshold alarms.

How Do You Protect Yourself from Password Spraying?

Multi-factor authentication (MFA) and user education are the most traditional, and in many cases, the most effective deterrents. We will focus on these two protections in this article, but there are additional protections that can be layered in to provide added security. Increased audit, analytics, and defining a secure digital perimeter also help detect and protect against attacks.

The weakest link determines the ultimate strength of your security system. Often, this link is your users’ passwords. As a result, our most common security recommendation is to enforce MFA for all external entry points. In the Citrix world, this means enabling MFA on Citrix Gateway to protect entry points like StoreFront and Citrix Workspace. MFA protects from password spraying since the attacker requires a secondary authentication factor beyond what is available in the leaked password databases. Protecting your company at the boundary is paramount. Therefore, we see many customers implement MFA externally as a mandated requirement.

Enabling MFA on Citrix Networking appliances is straightforward. This functionality has existed in our products for quite some time, but capabilities have expanded in recent years. Most customers leverage an external second-factor authentication server through a RADIUS connection as described here. This allows for hardware or software-based tokens to be leveraged, seamlessly into the login process. Recently, Time-based One-Time Password (TOTP) functionality was added to Citrix Networking Appliances. Customers that do not have a second-factor token system deployed can now accomplish MFA with QR codes and software authenticator applications. Citrix Networking appliances also have nFactor capabilities, where we can configure any number of authentication factors and customize the user login experience. Many customers also leverage SAML to leverage external identity providers, and may introduce Federated Authentication Service (FAS) to enable single sign-on from an external identity provider.

Regardless of your chosen path, enabling MFA for external entry points can enhance your organization’s security posture.

User Education

As passwords are the key to unlocking your environment, your end users play a key role in ensuring their passwords deter rather than enable criminals. However, some users don’t fully understand, or aren’t aware of, security policies and best practices around password development. Therefore, user education is an important step in fortifying your systems’ password security. Too often we rely on password length and complexity requirements to enforce our password policy. What looks like a complex password scheme leads to a simple password that is trivial for a computer to crack. In addition, some organizations go further by periodically testing users’ passwords against known vulnerable passwords and discouraging users from using repeatable, easy patterns.

In Closing

Security safeguards and attacks against them are continually evolving. In light of new attack methods we’ve seen in recent months, multi-factor authentication and user education around passwords have become two important steps that every organization can take to help deter cyber criminals from gaining entry to their environment.