Breaking Down CISA’s “Bad Practices” Guidance

Many cyberattacks are a product of easily preventable mistakes.

The Cybersecurity and Infrastructure Security Agency (CISA) has sought to remedy this paradigm with a long-running list of best practices that’s offered organizations frameworks for important cybersecurity functions such as training, risk management, and incident response.

Now, to raise awareness and put an end to certain avoidable security pitfalls, CISA has released a new catalog of cybersecurity “bad practices” that organizations should avoid at all costs.

Since CISA is primarily concerned with combatting national security threats, the list primarily targets government organizations such as critical infrastructure operators, organizations that support the supply chain for national functions and the defense industry. Thus, it is based on common mistakes made by those entities in particular.

That being said, the bad practices listed so far are universal, ones that any organization should be aware of if they are currently dealing with any kind of cyber threat. To be included, a practice must be “exceptionally risky, especially in organizations supporting critical infrastructure and NCFs [National Critical Functions]” and must increase “risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public.”

So far, the non-comprehensive list contains only two bad practices, though CISA intends to update the list over time. For now, let’s take a look at the first two, both of which CISA describes as “especially egregious in internet-accessible technologies.”

Use of Unsupported or End-of-Life Software

This one may seem obvious, but updates to security software are often overlooked. Like most software or hardware, there comes a time in a cybersecurity tool’s life where the producer stops updating, marketing, or selling it. At that point, it’s a matter of time before it becomes useless and starts diluting the effectiveness of every aspect of your security program, impeding your ability to defend against, identify and mitigate the damage of security incidents. Likewise, some software may not be compatible with others, so it’s important to not only collect all the pieces but ensure you have a plan for them to work in tandem with each other.

What can go wrong? A prime example of this is the 2007 WannaCry ransomware incident, a ransomware cryptoworm that targeted Microsoft users and used a leaked hacking tool developed by the National Security Agency. Hackers got their hands on the tool and launched the ransomware campaign. Microsoft pushed a patch to their operating system that would defend against the ransomware, but many users – both individuals and organizations – failed to install the update in time, causing them to fall victim to the attack. Some estimated that the total economic losses from the attack were close to $4 billion.

It’s tempting to put off updating software; the hassle, time, cost and disruption that comes with upgrades can seem overwhelming– especially if installing and implementing the new technology will result in downtime that leaves your organization disarmed.

Unfortunately, the reasons and inconveniences don’t matter: outdated software will fail to work as effectively. To quell any doubts you may have, keep an open line of communication with any software providers to see why changes are being made and what you can do to best employ the software.

Use of Known, Fixed or Default Passwords and Credentials

This one resonates on the individual level too – making your password “123456” is just not a good idea.

On the surface, a password that is the name of your organization followed by a random set of numbers may seem hard to crack. It would take hackers hours of guessing to come up with the correct combination, right? Of course, there is a wide range of complex hacking software that can run through countless passwords in seconds. To ensure maximum security, your password should be something a robot, let alone a human, couldn’t crack.

Using a fixed password for multiple purposes falls in the same category. If the password to your organization’s databases is the same as the password to its financial accounts, unwanted access to your organization’s systems will spread like a parasite once attackers get their hands on one set of credentials.

Make the message clear to your employees as well. When choosing a password for their email, Slack or any other confidential records, force them to set the bar high when it comes to complexity. For the same reason, make them change their passwords frequently for maximum security.

In fact, relying on credentials for security might be outdated anyways. Multi-factor authentication is a much more secure way to build a wall between attackers and your sensitive information.

Stay tuned for more updates on CISA’s “bad practices.”