CISA Releases “Bad Practices” with Hope of Decreasing Cyber Blunders

Robinson+Cole Data Privacy + Security Insider

The federal Cybersecurity and Infrastructure Security Agency (CISA) released the first entries in a catalog of cybersecurity “bad practices” this week, with the goal of reducing the number of knowable and preventable cyber mistakes. The bad practices are aimed at critical infrastructure owners and operators, the defense industrial base, and the organizations that support the supply chain for national critical functions. Any disruption, compromise, or degradation of these systems is a national security threat, so in addition to the best practices CISA has already published, the agency is now calling out the biggest mistakes these entities still make.

The first bad practice: Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies.

A well-known example occurred in 2017 with the WannaCry incident, which affected about 300,000 computers across the globe and in almost every economic sector. WannaCry spread through an SMB vulnerability for which Microsoft had issued a patch (MS17-010) two months earlier; the systems it hit were unpatched or, in many cases, running end-of-life versions of Windows that no longer received routine updates.

Why are critical infrastructure organizations not updating software or operating systems? These updates are often time-consuming, difficult, and costly. Patching and upgrading these systems also typically requires downtime, which operators of systems that must run continuously often view as unacceptable.

The second bad practice: Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies.

The reason is that short, simple, easily guessable passwords can be cracked quickly with free, widely available tools. Many users also reuse passwords, so compromising the password for one account gives an attacker access to every other account protected by the same password. Attackers further rely on a method called password spraying, in which they try a single common password (e.g., abc123) against as many accounts as possible; because each account sees only one or two attempts, this stays under the per-account lockout thresholds that stop traditional brute-force guessing.

While these “bad practices” are neither new nor unknown, they continue to cause security incidents and breaches ranging from minor to major.

CISA says that this is only the beginning of its list of “bad practices” and intends to release more of these practices in order to develop a complete catalog of the exceptionally risky practices that are still used all too often.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
