Preventing Brute Force Attacks and Navigating CMMC AC.2.009 Compliance

Understanding how to prevent brute force attacks by limiting unsuccessful logon attempts, a.k.a. CMMC AC.2.009, is essential for your business.


‘Your account has been locked out. Please see an administrator for assistance.’ 

Most likely, you’ve seen this text or similar before when using too many incorrect passwords. While it can be a pain, it’s essential for your security. 

In this blog, we’ll review the details of CMMC AC.2.009, brute force attacks, and how to keep your business & data protected.

What is CMMC AC.2.009?

By definition, CMMC AC.2.009 requires limiting unsuccessful logon attempts. But, what does that even mean?

In simpler terms, after a user enters a predefined number of incorrect passwords when signing on to their domain account, the account is locked out. Once an account is locked out, the user has to reach out to a network administrator to regain access.
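To make the lockout rule concrete, here is an added example (not code from the original post or from Omnis Technologies) that models the policy in Python: a per-account failure counter with a threshold, an observation window that clears the counter after a quiet period, and a lockout duration during which even the correct password is refused. The threshold and timing values, the account names and the event log are assumptions constructed for the example, since the post gives none.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Policy values are assumptions for this example (the page gives no numbers); they
# mirror the three Windows account-lockout settings named in the comments.
THRESHOLD = 5          # "Account lockout threshold": failures before lockout
WINDOW_SEC = 30 * 60   # "Reset account lockout counter after": quiet time that clears the counter
LOCKOUT_SEC = 30 * 60  # "Account lockout duration": how long the account stays locked

@dataclass
class AccountState:
    failures: int = 0             # failures inside the current observation window
    last_failure_at: float = 0.0
    locked_until: float = 0.0     # 0 means not locked

class LockoutPolicy:
    """Counts failed logons per account and locks the account at the threshold."""
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SEC, lockout=LOCKOUT_SEC):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"       # refused even with the right password
        if password_ok:
            st.failures = 0       # a good logon clears the counter
            return "success"
        if st.failures and now - st.last_failure_at > self.window:
            st.failures = 0       # observation window expired: start counting again
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout
            st.failures = 0
            return "locked"
        return "failure"

def simulate(events: List[Tuple[float, str, bool]]) -> List[str]:
    """Replay (timestamp, user, password_ok) events and return each verdict."""
    policy = LockoutPolicy()
    return [policy.attempt(user, ok, t) for t, user, ok in events]

# Constructed sample log: a rapid guessing run against "alice", and spaced-out
# failures for "bob" that never accumulate inside one observation window.
SAMPLE_EVENTS = [
    (0, "alice", False), (0, "bob", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False),  # 5th failure: alice is locked out
    (5, "alice", False), (6, "alice", True),   # right password, still refused
    (10, "bob", False), (20, "bob", False), (30, "bob", False),
    (1900, "alice", True),                     # lockout expired: logon succeeds
    (2000, "bob", False),                      # window expired: counter restarted
]
```

Calling `simulate(SAMPLE_EVENTS)` shows the two behaviours side by side: alice's fifth failure locks the account and her correct password at t=6 is still refused, while bob's slow failures never reach the threshold within one window.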

The Importance of CMMC AC.2.009

In some cases, you forget your password, enter countless tries, and get locked out. While this can be frustrating, the system has no way other than the password to tell whether the failed attempts are coming from you or from a brute force attack.

What is a Brute Force Attack?

A brute force attack tries large numbers of candidate passwords, often generated from a dictionary, against an account. The attack keeps running through combinations until one of them grants network access. Once access is granted, depending on the account level (admin or standard), confidential data can be accessed and your network can be compromised.

In even simpler terms, the sky's the limit. 

If someone accesses your network through a brute force attack and the compromised user has admin privileges, the hacker can now access or install anything they want. Most likely, the hacker will install malware such as spyware or ransomware.

Pro Tip! If you follow CMMC best practices, day-to-day user accounts shouldn’t have admin privileges, which can potentially prevent this entire situation. For more information on admin privileges & security, check out our recent blog on Complying with CMMC AC.2.008.

How to Prevent a Brute Force Attack

Although the most obvious way to prevent a brute force attack is to follow this guide and set up policies to limit unsuccessful login attempts, there are other alternatives. 

Here are two ways to prevent a brute force attack. 

  1. Creating password complexity requirements
  2. Implementing a password history rule

1. Creating Password Complexity Requirements

Most likely, you’ve created an account that requires a password with a number or special character. This rule is in place mainly to prevent brute force attacks. 

Think of numbers and special characters as a shield against brute force attacks. Including them in your passwords increases the number of combinations an attacker has to try, which makes the attack harder and hopefully keeps the hacker from getting access.

Your network administrator should set password complexity requirements in place to ensure you have a shield and defense against brute force attacks. 

2. Implementing a Password History Rule

In a technology-savvy world, remembering a different password for every account is a nightmare. Although it's easy to choose one password and reuse it across every account you have, doing so sets you up for brute force attacks.

To prevent this in the workplace, your network administrator should set password history requirements. For example, if "ILoveOmnisTech1" was a previous password for this account, you can't use it again.

Protecting Yourself, Your Business & Data

When it comes to your business, IT isn’t a priority and that’s understandable. However, as a decision-maker for your business, your job shouldn’t be to make sure that everyone updates their password. 

But, we get it. What’s the point of hiring an IT professional when I don’t have many IT needs?

Fortunately, outsourced IT has resolved this issue that many business owners face. With Omnis Technologies, we partner with your business to solve your tech issues even on an as-needed basis. 

If you have one-off situations you need help with, are looking for a cybersecurity plan, or want a comprehensive IT solution, Omnis Technologies can do it all. Spend time on what matters the most to your business and don’t waste time changing passwords. 
