Thought leadership. Threat analysis. Cybersecurity news and alerts.
Top 3 Worst Cybersecurity Practices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently listed three cybersecurity practices as dangerous practices that can give rise to enhanced damages to technologies accessible from the internet.
Below are the three practices that CISA has deemed as “dangerous” practices. The presence of these bad practices in organizations, CISA said, “is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public.”
1. Use of Unsupported (End-of-Life) Software
Security vulnerabilities in software are but normal. Software vendors, within a specified timeframe, are always on the lookout for these software security vulnerabilities. During this specified period, regular or unscheduled security updates, also known as patches, are released by security vendors to fix known security vulnerabilities.
After the specified timeframe, also known as the software’s end-of-life (EOL), software vendors will stop releasing patches. Attackers love to exploit software that have reached their end of life on the premise that many users still use software that have reached their EOL.
An example of software that has reached its end of life is Windows 7 operating system. On January 14, 2020, Microsoft ended its support for the Windows 7 operating system. Customers who purchased an Extended Security Update (ESU) plan can still receive support or security updates from Microsoft. In this case, the continued use of Windows 7 without ESU is a dangerous practice.
“In 2017, roughly 98 percent of systems infected with WannaCry employed Windows 7 based operating systems,” the Federal Bureau of Investigation (FBI) said in its Private Industry Notification (PDF File). “After Microsoft released a patch in March 2017 for the computer exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.”
2. Use of Known/Fixed/Default Passwords and Credentials
The use of known/fixed/default passwords is another bad practice that’s disastrous in technologies accessible from the internet.
In July 2021, Microsoft Threat Intelligence Center reported that it observed new activity from the NOBELIUM threat actor using tactics such as password spray and brute-force attacks.
In the blog post "Protecting your organization against password spray attacks," Diana Kelley, Microsoft Cybersecurity Field CTO said that adversaries in password spray attacks “acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords.”
The Microsoft Cybersecurity Field CTO, meanwhile, said that brute-force attacks are targeted compared to password spray attacks, with attackers going after specific users and cycles through as many passwords as possible using dictionary words, common passwords, or conducting research to see if they can guess the user’s password, for instance, discovering family names through social media posts.
In July 2021 as well, UK’s National Cyber Security Centre reported that it observed an increase in activity as part of malicious email and password spraying campaigns against a limited number of UK organizations.
3. Use of Single-Factor Authentication
The use of single-factor authentication is another bad practice that’s disastrous in technologies accessible from the internet. Single-factor authentication is the simplest form of authentication. With single-factor authentication, a user matches one credential to verify oneself online. The most common credential is the password to a username.
“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA said. “This dangerous practice is especially egregious in technologies accessible from the Internet.”
Cybersecurity Best Practices
Below are the cybersecurity practices that best counter the above-mentioned bad practices:
"There are over 300 million fraudulent sign-in attempts to our cloud services every day,” Maynes said. “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.”
MFA, however, shouldn’t be your organization’s only defense against malicious actors as there are a handful known ways of bypassing MFA.
. Practice network segmentation. In network segmentation, your organization’s network is sub-divided into sub-networks so that in case of a disaster in one network, the other networks won’t be affected.
Steve E. Driz, I.S.P., ITCP