CISA Emphasizes Urgency of Avoiding 'Bad' Security Practices
Agency Warns of Impact on National Security
Failure to take very basic security steps - such as avoiding using end-of-life software and default passwords - can create serious national security risks, the Cybersecurity and Infrastructure Security Agency stresses.
CISA has just begun developing a catalog of "bad practices" that should be avoided. It's a move designed to help organizations set security priorities.
CISA Executive Assistant Director Eric Goldstein notes these bad cyber practices are "exceptionally risky for any organization and especially dangerous for those supporting designated critical infrastructure or national critical functions."
Goldstein recommends "urgent conversations" to address technology bad practices, given "the risks facing our nation's critical infrastructure."
CISA acting Director Brandon Wales will speak at Information Security Media Group's upcoming Virtual Cybersecurity Summit: Government on the bad practices catalog initiative and other topics.
Practices to Avoid
In its first iteration of the catalog, CISA lists two bad practices to avoid:
- Use of unsupported - or end-of-life - software: This is "dangerous and significantly elevates risk to national security, national economic security and national public health and safety," CISA stresses. That's because products at the end of their life cycle generally cannot receive security updates and technical support.
- Use of known/fixed/default passwords and credentials: This practice creates risks, in particular, for internet-accessible devices, the agency notes. Cybercriminals can easily obtain standard login details, making network devices exceedingly vulnerable to takeover.
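The two practices above are simple to state but easy to lose track of across a large inventory. The script below is an added example, not CISA's or any vendor's code, of how a defender might check an asset list for both at once: software past its end-of-life date (or with no support date on record) and accounts still carrying a vendor default credential, with internet-facing assets ranked first. The asset records, end-of-life dates, default-credential list and assessment date are all constructed for illustration.

```python
"""Added example: a small inventory audit for the two CISA 'bad practices'
named above. All asset records, EOL dates and default credentials here are
constructed for illustration and are not from CISA or any vendor."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample of vendor default (username, password) pairs. A real
# audit would build this from the organization's own vendor documentation and
# would compare hashes or test logins rather than keep plaintext passwords.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}


@dataclass
class Asset:
    name: str
    product: str
    version: str
    eol_date: Optional[date]          # None means the support status is unknown
    internet_facing: bool
    credential: Tuple[str, str]       # (username, password) as configured


@dataclass
class Finding:
    asset: str
    practice: str                     # "eol-software" or "default-credentials"
    severity: str                     # "critical", "high" or "review"
    detail: str


def audit_eol(asset: Asset, today: date) -> Optional[Finding]:
    """Flag unsupported software: past its EOL date, or with no known support date."""
    if asset.eol_date is None:
        return Finding(asset.name, "eol-software", "review",
                       f"{asset.product} {asset.version}: no end-of-life date on record")
    if asset.eol_date <= today:
        severity = "critical" if asset.internet_facing else "high"
        return Finding(asset.name, "eol-software", severity,
                       f"{asset.product} {asset.version} unsupported since "
                       f"{asset.eol_date.isoformat()}")
    return None


def audit_credentials(asset: Asset) -> Optional[Finding]:
    """Flag a known vendor default credential; internet exposure makes it critical."""
    username, password = asset.credential
    if (username, password) in DEFAULT_CREDENTIALS:
        severity = "critical" if asset.internet_facing else "high"
        return Finding(asset.name, "default-credentials", severity,
                       f"account '{username}' still uses a vendor default password")
    return None


SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}


def audit_inventory(assets: List[Asset], today: date) -> List[Finding]:
    """Run both checks over every asset and return findings worst first,
    so the 'critical few' sit at the top of the list."""
    findings = []
    for asset in assets:
        for finding in (audit_eol(asset, today), audit_credentials(asset)):
            if finding is not None:
                findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))
    return findings


# Constructed inventory: hypothetical hosts, products and credentials.
SAMPLE_INVENTORY = [
    Asset("edge-router-1", "ExampleOS", "7.2", date(2020, 1, 31), True, ("admin", "admin")),
    Asset("file-server-2", "ExampleServer", "2012", date(2023, 10, 10), False, ("svc_backup", "Tq9!vR2#xL")),
    Asset("hmi-panel-3", "ExamplePanel", "1.0", None, False, ("root", "root")),
    Asset("web-app-4", "ExampleWeb", "5.1", date(2027, 6, 30), True, ("deploy", "Wn4$kP8@zM")),
]


def run_sample_audit() -> List[Finding]:
    """Audit the constructed inventory as of a fixed, constructed assessment date."""
    return audit_inventory(SAMPLE_INVENTORY, date(2024, 1, 1))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity:8}] {f.asset}: {f.practice} - {f.detail}")
```

Two design points: an asset with no end-of-life date on record is reported for review rather than silently treated as supported, since an unknown support status is itself a gap in the inventory; and severity is driven by internet exposure, matching the agency's note that default credentials are most dangerous on internet-accessible devices.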
After it collects additional feedback from risk managers and cybersecurity professionals, CISA will expand its list of bad practices in the catalog.
Calling the bad practices list a helpful "rubric for prioritization," Goldstein adds: "The principle of 'focus on the critical few' is a fundamental element of risk management. Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization's strategic approach to security."
The continued use of outdated and unsupported hardware is a long-standing cybersecurity problem, says Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center.
"End-of-life and old software often lacks the ability to be patched, leaving known vulnerabilities for attackers to exploit," he says. "Hard-coded passwords, or the inability to handle complex or secure passwords, is a significant risk in both the private and public sectors."
Kron, a security awareness advocate for the security firm KnowBe4, adds that the bad practices catalog from CISA "makes for good overall guidance for improvements in cyber hygiene. There is power in the government setting the example for the private sector by bringing light to these bad practices."
Frank Downs, a former U.S. National Security Agency offensive analyst, offers a similar perspective.
"This collection of practices can act as a single point of truth for the field … a universal touchstone that can provide a baseline for all organizations. As such, it will provide that opportunity to all federal organizations, which, previously, followed disparate and different practices," says Downs, director of proactive services for the security firm BlueVoyant.
This week, CISA also released a Ransomware Readiness Assessment audit tool to help organizations size up their ability to defend against and recover from attacks, expanding the agency's broader Cyber Security Evaluation Tool (see: CISA Tool Helps Measure Readiness to Thwart Ransomware).
NIST Takes Action
Meanwhile, the National Institute of Standards and Technology recently began fulfilling some of the requirements laid out in President Joe Biden's executive order on cybersecurity by defining "critical software" that government agencies must carefully evaluate before acquisition and implementation (see: NIST Releases 'Critical Software' Definition for US Agencies).
Under the order, federal agencies must develop new ways to evaluate critical software as well as embrace modern approaches to security, such as "zero trust" and using multifactor authentication and encryption.
CISA will publish a list of products that fall under the "critical software" definition, and then it will create new security rules for how government agencies buy and deploy software for use within federal networks.
Biden's executive order is an effort to curtail supply chain attacks along the lines of the SolarWinds incident.
"CISA is applying the lessons learned from the recent large incidents using a focus on supply chain security, procurement and third-party security management, as these were 'nominally' the cause of these incidents," says Mike Hamilton, former vice chair for the Department of Homeland Security State, Local, Tribal, and Territorial Government Coordinating Council. "Implementation of the president's executive order on cybersecurity creates this focus for CISA, which is working with NIST on standards. The application of these standards, and how the private sector will react, are still to be determined."