
CISA Bad Practices

AV Krishnan
2 min read · Sep 20, 2021

CISA (the Cybersecurity and Infrastructure Security Agency) is America's premier risk advisor for all things related to cybersecurity. It was set up in November 2018. Its primary role is to improve cybersecurity across all government assets and to protect them from hostile individuals and states.

CISA has been developing a catalog of bad security practices that could harm organizations. It is primarily aimed at organizations engaged in ensuring national security, but the Bad Practices contain sensible advice that applies equally to individuals and non-government organizations. Hence the catalog merits a closer look.

The list currently contains three Bad Practices. It is expected to be updated periodically:

1. The use of unsupported (or end-of-life) software is dangerous.

Vulnerabilities in software are found over time and fixed. Unsupported software, however, no longer receives fixes, so any vulnerability discovered in it stays exploitable. Unsupported software might also not work on newer systems, which could cause business disruptions. Continued use of unsupported software can force you to delay upgrades elsewhere in your system: you may have to defer moving to a later, more secure version of an operating system because your outdated application will not run on the new OS. This makes you more vulnerable.

2. The use of known/fixed/default passwords and credentials is dangerous.

Many systems come with default passwords (many modems and routers, for instance), and anyone who knows the default can log in. Default passwords should be replaced with strong passwords during first setup or use. Lists of weak and frequently used passwords are freely available on the web and are well known to attackers. Reused passwords are problematic: if a poorly designed authentication system reveals the password, every other system where that password is reused falls with it. Establishing strong and unique passwords is necessary to secure any asset.
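The checks this section calls for, written as an added example that is not part of the original post or of CISA's catalog: reject passwords that match a known default or common password, enforce a minimum length, flag a password already fingerprinted on another system (reuse), and audit a device inventory for accounts still on their factory default. The default-password list, device inventory, and fingerprint store are constructed sample data, not a real feed.

```python
import hashlib

# Constructed sample of vendor defaults and commonly used passwords.
# A real deployment would load a maintained list (vendor default lists,
# breach corpora) instead of this hard-coded set.
KNOWN_WEAK = frozenset({
    "admin", "password", "123456", "12345678", "letmein",
    "qwerty", "admin123", "root", "changeme", "default",
})


def fingerprint(password: str) -> str:
    """SHA-256 of the password, used only to detect reuse across systems
    without storing the plaintext. (Login verification itself should use a
    slow, salted KDF; this fingerprint is for the reuse check only.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, used_elsewhere=frozenset(), min_length: int = 12):
    """Return the list of reasons a candidate password is unacceptable.

    An empty list means the password passed every check.
    `used_elsewhere` is a set of fingerprints of passwords already in use
    on other systems (constructed by the caller).
    """
    problems = []
    if password.lower() in KNOWN_WEAK:
        problems.append("matches a known default or commonly used password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if fingerprint(password) in used_elsewhere:
        problems.append("already used on another system (reuse)")
    return problems


def find_default_credentials(inventory):
    """Return the names of inventory entries whose current password is a
    known default, i.e. devices that were never re-secured after setup.

    `inventory` is an iterable of (device_name, current_password) pairs.
    """
    return [name for name, pw in inventory if pw.lower() in KNOWN_WEAK]


if __name__ == "__main__":
    # Constructed example inventory: two routers still on factory defaults.
    devices = [
        ("branch-router-1", "admin"),
        ("branch-router-2", "Xk9#vL2pQ7mR!t"),
        ("dsl-modem", "password"),
    ]
    print("Devices on default credentials:", find_default_credentials(devices))
    print("Problems with 'admin':", check_password("admin"))
    print("Problems with a long unique passphrase:",
          check_password("correct horse battery staple!"))
```

Running the script as-is prints the two devices still on their defaults and the reasons the weak candidate is rejected; `check_password` returning an empty list is the only "accept" outcome, so callers should treat any non-empty result as a refusal.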

3. The use of single-factor authentication for remote or administrative access to systems is dangerous.

A traditional single-factor authentication (SFA) system relies on a single authentication method, usually a combination of a user id and a password. A password is relatively easy to crack because humans tend to create passwords that are easy to remember, and people also tend to reuse passwords across systems. 2FA (two-factor authentication) or MFA (multi-factor authentication) is recommended instead. These require two or more authentication methods in tandem before granting access, and they are much harder to attack.
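To make the second factor concrete, here is an added example (not code from the original post or from CISA) of a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226) implemented with Python's standard library, plus a `login` function that refuses access unless both the password and the current TOTP code are correct. The user record, the PBKDF2 parameters, and the `window` of one time step either side are assumptions of this example; the 20-byte key `12345678901234567890` is the RFC test-vector key, included so the output can be checked against the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC_TEST_KEY = b"12345678901234567890"  # key from the RFC 4226/6238 test vectors


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, submitted: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side
    (tolerates small clock drift). Comparison is constant-time."""
    now = int(time.time()) if at is None else int(at)
    counter = now // step
    return any(
        hmac.compare_digest(hotp(key, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def new_totp_secret() -> str:
    """Fresh 160-bit secret, base32 so it can go into an authenticator app."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 iteration count is an assumption of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_user(password: str, totp_secret: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_key": base64.b32decode(totp_secret)}


def login(user: dict, password: str, code: str, at=None) -> bool:
    """Two-factor check: both factors are always evaluated so a failure in
    one does not short-circuit and leak which factor was wrong."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_key"], code, at=at)
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed demo user; in practice the secret is provisioned once via QR code.
    secret = new_totp_secret()
    user = make_user("correct horse battery staple!", secret)
    code = totp(base64.b32decode(secret))
    print("password + current code accepted:", login(user, "correct horse battery staple!", code))
    print("password alone (wrong code) accepted:", login(user, "correct horse battery staple!", "000000"))
```

The `at` parameter exists so the functions can be exercised against fixed times (and the RFC vectors) without touching the clock; a server would leave it as `None`. The deliberate evaluation of both factors in `login` is the defensive point: an attacker holding only a reused or leaked password still fails, and the response time does not reveal which factor was rejected.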

To see the Bad Practices on the CISA page:

https://www.cisa.gov/BadPractices



Written by AV Krishnan

I am an Electrical Engineer (from IIT Kharagpur) and a software developer by passion. I try to distill and impart whatever I know with utmost clarity.
