The Cybersecurity and Infrastructure Security Agency (CISA) recently adopted a new tactic to improve the nation’s cyber defenses: rather than focus on what organizations should be doing to protect themselves, CISA’s new catalog of bad practices puts the spotlight on the worst security practices. The list currently contains three entries:
- Use of unsupported, end-of-life software that is no longer receiving security updates.
- Use of known, fixed or default passwords and credentials, which are easy to compromise using basic hacking methods.
- Use of single-factor authentication for remote or administrative access, leaving these two high-risk access types vulnerable to malicious actors using cracked or stolen credentials.
These practices are particularly dangerous in internet-accessible systems.
This list is expected to grow in response to feedback from cybersecurity experts. However, in an article introducing the new catalog, CISA Executive Assistant Director Eric Goldstein explains that keeping the list short and focused is intentional. Under the principle of “focus on the critical few,” highlighting the most dangerous practices helps organizations prioritize their cybersecurity efforts – if your organization isn’t sure where to begin improving your cybersecurity, start by closing these critical holes in your defense.
Other Practices to Avoid
As CISA looks for more bad practices to expand its list, there’s no shortage of potential candidates. Here are some other practices your organization can clean up to improve its cyber hygiene:
- Not applying updates in a timely manner: Security updates address known, exploitable vulnerabilities. The risk to your organization grows the longer these updates are delayed. Updates should be scheduled as part of a patch management strategy to ensure timely implementation.
- Providing too much access: In failing to follow the principle of least privilege, organizations are putting themselves at unnecessary risk when they grant broad or privileged access to users, devices or applications that don’t require it.
- Poor security awareness: Workforces that aren’t educated about cybersecurity risks often engage in a wide range of dangerous user practices from clicking links in suspicious, unsolicited emails to using and re-using weak passwords.
- Not maintaining reliable data backups and recovery options: Organizations that lack a predefined plan for backing up and recovering data may find their core business operations crippled in the event of a ransomware attack.
Is your organization guilty of bad cybersecurity practices? MBL Technologies provides an array of cybersecurity services, including security assessments and vulnerability management. We can help you identify dangerous practices in your organization and replace them with effective, sustainable solutions.