The federal Cybersecurity and Infrastructure Security Agency (CISA) released a few cybersecurity “bad practices” this week to assist in decreasing the volume of knowable and preventable cyber mistakes. These bad practices are aimed at educating critical infrastructure owners and operators, as well as the defense industry and the organizations that support the supply chain for national critical functions. Any disruption, compromise, or degradation to these systems creates a national security threat so in addition to the list of best practices that the CISA has published, CISA aims to highlight some of the biggest cyber mistakes made by these entities.

The first bad practice: Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies.

A well-known example of this occurred in 2017 with the WannaCry incident [view related post], which affected about 300,000 computers across the globe and across almost every economic sector.

Why are critical infrastructure organizations not updating software or operating systems? Well, these updates can often be timely, difficult, and costly. Additionally, patching these systems and implementing updates can also result in downtime, which is often viewed as unacceptable.

The second bad practice: Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies.

The reason short, simple, easily guessable passwords can be easily cracked, especially with free, widely available hacking tools. Further, many users recycle passwords; this makes it easier to crack or gain access to a password for one account and then have access to all other accounts that use that same password. Further, hackers often use a method called password spraying where they use a common password (e.g., abc123) to gain access to as many accounts as possible.

While these ‘bad practices’ are not new or unknown, unfortunately, they repeatedly cause minor to major security incidents and breaches.

CISA says that this is only the beginning of its list of “bad practices” and intends to release more of these practices in order to develop a complete catalog of the exceptionally risky practices that are still used all too often.