The Cybersecurity and Infrastructure Security Agency (CISA), the nation’s cyber central, is developing a catalog of cybersecurity “don'ts” for organizations to lower their threat profile.
While it's rare to see a federal agency publish a list of actions organizations should not take, CISA's catalog is aptly dubbed “Bad Practices,” and it is tailored to organizations supporting critical infrastructure or national critical functions. CISA describes the practices it lists as “exceptionally risky.” Single-factor authentication was newly added to the catalog on August 31, 2021.
Not by coincidence, MSP-focused software companies have been shifting to multi-factor and two-factor authentication (MFA and 2FA) requirements. The push is designed to harden MSP software platforms, particularly RMM (remote monitoring and management) and remote access software, which attackers increasingly target for supply chain ransomware attacks.
So what other security slip-ups are cause for concern? CISA offers this list:
- Use of unsupported or end-of-life software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
- Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
- The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
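The three catalog entries above map directly onto checks an asset inventory can run. Below is an added example, not code from the article or from CISA, of a small Python audit that flags each of the three bad practices for an asset and raises the severity when the asset is reachable from the Internet, mirroring the catalog's "especially egregious" qualifier. The product names, end-of-life dates, default-credential pairs and asset records are all constructed placeholders, not real vendor data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed placeholder data; a real audit would pull EOL dates from the
# vendor lifecycle pages and default credentials from an internal list.
EOL_DATES = {
    "LegacyOS 2008": date(2020, 1, 14),   # hypothetical product, already EOL
    "RMM Agent 4": date(2021, 6, 30),     # hypothetical product, already EOL
    "RMM Agent 5": date(2024, 12, 31),    # hypothetical product, still supported
}
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}


@dataclass
class Asset:
    """One entry from a (constructed) asset inventory."""
    name: str
    software: str
    internet_facing: bool
    username: str
    password: str
    remote_or_admin_access: bool
    mfa_enabled: bool


def audit_asset(asset: Asset, today: date = date(2021, 9, 1)) -> dict:
    """Return the CISA bad practices present on an asset plus a severity.

    Severity is "critical" when any finding is on an Internet-facing asset,
    "high" when findings exist on an internal asset, and "none" otherwise.
    """
    findings = []

    # Bad practice 1: unsupported / end-of-life software.
    eol = EOL_DATES.get(asset.software)
    if eol is not None and today > eol:
        findings.append(f"end-of-life software ({asset.software}, EOL {eol})")

    # Bad practice 2: known / fixed / default credentials.
    if (asset.username, asset.password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append(f"default credentials ({asset.username})")

    # Bad practice 3: single-factor auth on remote or administrative access.
    if asset.remote_or_admin_access and not asset.mfa_enabled:
        findings.append("single-factor authentication on remote/admin access")

    if not findings:
        severity = "none"
    elif asset.internet_facing:
        severity = "critical"
    else:
        severity = "high"

    return {"asset": asset.name, "findings": findings, "severity": severity}


def audit_inventory(assets: list[Asset]) -> list[dict]:
    """Audit every asset and return only those with findings, worst first."""
    order = {"critical": 0, "high": 1}
    results = [audit_asset(a) for a in assets]
    flagged = [r for r in results if r["findings"]]
    return sorted(flagged, key=lambda r: order[r["severity"]])


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = [
    Asset("edge-rmm-01", "RMM Agent 4", True, "admin", "admin", True, False),
    Asset("jump-host-02", "RMM Agent 5", False, "ops", "s3cr3t-unique", True, False),
    Asset("file-srv-03", "RMM Agent 5", False, "svc", "s3cr3t-unique", False, True),
]

if __name__ == "__main__":
    for result in audit_inventory(SAMPLE_INVENTORY):
        print(result["severity"].upper(), result["asset"])
        for finding in result["findings"]:
            print("  -", finding)
```

The audit treats Internet exposure as a severity multiplier rather than a finding of its own, which matches how the catalog phrases each entry: the practice is the problem, and exposure makes it worse.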
The list of bad practices is a moving target, which means CISA will add to it again as it sees fit. It also does not include every “inadvisable cybersecurity practice” imaginable, CISA said. In other words, the absence of a practice from the catalog does not mean CISA endorses it or considers it an acceptable level of risk.
“The presence of these Bad Practices in organizations that support Critical Infrastructure or is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health and safety of the public,” CISA said.