The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the use of single-factor authentication for remote or administrative access to its “Bad Practices” list of exceptionally risky cybersecurity practices.
Single-factor authentication is a common, low-security method of authentication that requires matching only one factor, such as a password to a username, to gain access to a system.
CISA advises all organizations to avoid single-factor authentication. For organizations that support critical infrastructure, this method is especially dangerous.
Recent incidents have shown that cyberattacks against critical infrastructure can have significant impacts on national security, economic stability, and the life, health, and safety of the public, all of which depend on critical functions of the government and private sector.
The first bad practice on CISA’s list is the use of unsupported (end-of-life) software in the services of critical infrastructure organizations.
An example of this is the 2017 WannaCry incident, a global ransomware attack that spread through computers running Microsoft Windows.
About 300,000 computers around the globe and across almost every economic sector were impacted. Users’ files were held hostage and a Bitcoin ransom was demanded for their return.
For some organizations, updates can be time-consuming, difficult, and costly. Patching systems and implementing updates can result in downtime, which some critical infrastructure organizations cannot afford.
The second bad practice is the use of known/fixed/default passwords and credentials. “[Default passwords are] dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” says CISA in a blog post.
Easily guessable passwords are quickly cracked. Attackers can use a password-spraying technique, trying a few common passwords against many accounts, to gain access to as many accounts as possible, causing anything from minor security incidents to major breaches.
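A defender-side illustration of the spraying pattern described above (one source trying a few passwords across many accounts), added here as an example that is not from the article or from CISA: a small detector that parses constructed sshd-style log lines, flags source addresses whose failures span many distinct accounts within a time window, and lists accounts that subsequently accepted a login from a flagged address. The log format, thresholds, usernames and IP addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style, not real data): one address fails
# once each against five accounts then succeeds; another hammers one account.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01T10:00:03 sshd[102]: Failed password for bob from 203.0.113.7
2024-03-01T10:00:05 sshd[103]: Failed password for carol from 203.0.113.7
2024-03-01T10:00:07 sshd[104]: Failed password for dave from 203.0.113.7
2024-03-01T10:00:09 sshd[105]: Failed password for erin from 203.0.113.7
2024-03-01T10:00:11 sshd[106]: Accepted password for erin from 203.0.113.7
2024-03-01T10:05:00 sshd[107]: Failed password for alice from 198.51.100.4
2024-03-01T10:05:02 sshd[108]: Failed password for alice from 198.51.100.4
2024-03-01T10:05:04 sshd[109]: Failed password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse(log_text):
    """Return (timestamp, result, user, ip) tuples for lines matching the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map each source IP whose failed logins touch at least min_users distinct
    accounts within any window to those accounts. Repeated failures against a
    single account (classic brute force) do not trigger this rule."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts

def likely_compromised(events, alerts):
    """Accounts that accepted a login from an IP already flagged for spraying."""
    hits = defaultdict(set)
    for ts, result, user, ip in events:
        if result == "Accepted" and ip in alerts:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}
```

Accounts returned by `likely_compromised` are the ones to reset and review first; enforcing a second factor on remote and administrative access is what removes the payoff from this pattern.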
CISA says this is only the beginning of the list of bad practices and intends to release more to develop a complete catalog to educate critical infrastructure owners and operators, as well as the defense industry and the organizations that support the supply chain for national critical functions.
CISA’s addition to the bad practice list can be applied to every organization — not just those organizations who provide critical infrastructure. Cybersecurity should be a risk management priority at every organization.