The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security has published a catalog of bad practices in cybersecurity: practices that are both commonplace and exceptionally risky. Until they are eradicated, organizations that follow them remain vulnerable to attack.
Improving critical infrastructure cybersecurity is a major focus of the U.S. government following the recent SolarWinds Orion supply chain attack, and the ransomware attacks on Colonial Pipeline and JBS. Following the attacks, President Biden signed a Cybersecurity Executive Order to improve the cybersecurity posture of federal agencies and critical infrastructure operators. This week, the National Institute of Standards and Technology published a definition of “Critical Software” that must be safeguarded, which was one of the first requirements of the Cybersecurity Executive Order.
The eradication of cybersecurity bad practices is one of the most important steps to take to improve security. In a recent blog post, CISA Executive Assistant Director (EAD) Eric Goldstein explained that exceptionally risky bad practices in cybersecurity are especially dangerous for any individual, company, or organization that supports critical infrastructure or national critical functions.
While many resources already detail cybersecurity best practices, CISA felt an additional perspective was needed to help eradicate some of the most serious risks, given the recent attacks in which threat actors exploited basic security failures.
“Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization’s strategic approach to security,” said Goldstein. “Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of ‘what to do first.’”
The catalog currently lists only two bad practices, but CISA will expand it with further entries over the coming weeks.
First on the list is the continued use of unsupported software that has reached end-of-life. Software developers give plenty of notice when a product is approaching end of life and will no longer receive support, including security patches. Continued use of unsupported software is exceptionally dangerous and greatly increases the risk of a successful cyberattack, especially in critical infrastructure, where a compromise has implications for national security, economic stability, and the life, health, and safety of the public.
Second is the use of known, fixed, and default passwords, which CISA says is “especially egregious in internet-accessible technologies.” Organizations need to implement password policies that require users to set complex, unique passwords for each account. However, creating and enforcing such a policy is only part of the story.
End users must be taught best practices and given the tools that let them be part of the security solution. For instance, end users should receive regular security awareness training and be taught how to create strong passwords, and they should be provided with a password manager that automatically generates strong, complex passwords for each account. With a password manager, it is easy for users to set strong, unique passwords that resist brute-force attacks. Without such a solution, shortcuts such as password reuse are invariably taken, and they greatly increase risk.