The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of cybersecurity bad practices that should be avoided. The Bad Practices Catalog was first published in July 2021 and, upon its launch, only included two entries. A third has now been added to the list.
The list includes practices that CISA advises against because they are exceptionally risky. The entries on the list may seem like obvious security errors to cybersecurity professionals; however, these mistakes occur at many organizations and are frequently exploited by cyber threat actors to gain access to internal networks.
All government organizations and private sector companies must ensure that these issues are addressed, but these practices are deemed exceptionally dangerous for any organization that supports critical infrastructure or national critical functions (NCFs), because they increase risk to the critical infrastructure relied upon for national security, economic stability, and the life, health, and safety of the public.
There are many lists of cybersecurity best practices, and while they are useful for helping organizations improve security, it is equally important to ensure that bad practices are eliminated.
The first bad practice to be listed is the continued use of software after it has reached end of life and support for the software has been withdrawn. This practice is especially egregious for software and technologies that are accessible over the Internet. The second bad practice is the use of default or known passwords and credentials, and again, this is especially egregious for any systems that can be accessed over the Internet.
CISA has now added the use of single-factor authentication for remote or administrative access to systems to the list. It is especially important to ensure that two-factor (2FA) or multi-factor authentication (MFA) is implemented on all systems that are accessible over the Internet.
Single-factor authentication is the use of a username and password alone to provide access to a system. While this method can prevent unauthorized individuals from gaining access to a system, passwords are vulnerable to brute-force and phishing attacks, can be captured by malware such as keyloggers installed on a system, or can be obtained by other methods such as packet sniffing. With 2FA or MFA, an additional authentication factor is required before access to a system is granted. 2FA and MFA are not infallible, but they make it much harder for attackers to gain access to systems.
Alex Weinert, Microsoft Director of Identity Security, explained in a July 2019 blog post that studies have shown MFA will block in excess of 99.9% of attacks, and a study published by Google, New York University, and the University of California San Diego showed that MFA will block 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks.