In cybersecurity, we all tend to focus on those covetable “best practices.” But what’s on the other side? The U.S. Cybersecurity and Infrastructure Security Agency (CISA) got the ball rolling by publishing some cybersecurity “bad practices,” especially those that relate to protecting critical infrastructure or national critical functions. Provided below are the three practices listed by CISA as of October 5, 2021, plus our take.
- Use of unsupported (also known as “end-of-life”) software: The risk inherent in this practice is that unsupported software no longer receives updates, at least not on a regular basis. Without a consistent update mechanism, users will have no means of patching a growing list of software vulnerabilities uncovered by researchers or exploited by attackers. They’ll therefore be in a position where they’re exposed to multiple known attack vectors that might not ever receive a fix.
- Use of known or default passwords and credentials: Most devices ship out with default passwords, but users don’t always change those credentials once they’ve deployed them on their networks. That’s an issue, as many devices’ default passwords are published online either in publicly available documentation or on dark web marketplaces. Attackers can use those resources to compromise a device for the purpose of stealing a user’s data, gaining access to the user’s network, or performing other malicious activity.
- Use of single-factor authentication: Data breaches of users’ account credentials are a common occurrence these days. Such events make plenty of credentials available to attackers, empowering them to launch credential stuffing attack campaigns. In the absence of an additional factor of authentication, those malicious actors can successfully authenticate themselves on one or more of a victim’s accounts and abuse that access to conduct identity theft or credit card fraud.
CISA stated that it will continue to add entries into its catalog of bad practices over time.
Expanding on CISA’s Cybersecurity Bad Practices List
Despite CISA’s assurance, we still thought the list looked a little short as it currently stands. So, we caught up with Joe Partlow, CTO of ReliaQuest, to get his take on what we see among our customer base and in the industry as “worst practices.” We also asked him about the impact those “worst practices” can have on organizations who follow them as well as how organizations can optimize their security operations so that they can avoid them.
Our conversation with Joe is replicated below.
What is our take on the CISA list?
Unfortunately, most of the time, these critical infrastructure organizations are at the mercy of their vendors to support newer security controls like multifactor authentication. The lack of budget, maintenance windows, or other resources to upgrade these legacy systems is a factor in using old software/hardware or rotating passwords.
Why do you think CISA focused in on these bad practices in particular?
This list of bad practices encapsulates some of the most common ones we see in environments such as these due to the above reasons. They are also some of the most effective controls against malware or ransomware spreading in an environment.
What would we add?
Some of the other effective controls I would add are advanced endpoint detection, ensuring offline backups are kept up to date, and effective monitoring and alerting of potentially malicious events or misconfigurations. All these controls also have challenges getting implemented in critical infrastructure environments, however.
What kinds of bad practices do we see in our customer base (or the industry) here at ReliaQuest?
Most of the bad practices we see are related to over-privileged users or accounts as well as incomplete monitoring or alerting on events. Poor patching, asset control, vulnerability management, or backup strategies are also a common contributor.
What kinds of risks are associated with these bad practices?
All these bad practices could lead to increased downtime, loss of sensitive data or intellectual property, or in the case of critical infrastructure loss of life-saving support services and utilities.
What’s behind these bad practices? Why are they the problem that they are?
Most of the reasons for these bad practices are a lack of budget or available time to upgrade the systems or make them redundant. There’s also the reality that some vendors are not always supporting the necessary modern security controls in their devices or applications (mostly due to cost and/or recertification time).
What security controls can organizations use to address those bad practices?
Best practice items that can help reduce risks such as ransomware spread include:
- Enabling advanced logging for all systems (including cloud assets)
- Creating a watchlist for high-value accounts and hosts
- Removing administrative access for accounts that don’t need it
- Enabling MFA and strong passwords on all accounts
- Enabling and testing offsite backups
- Verifying with legal & leadership necessary cyber insurance policy coverage
- Implementing effective network segmentation
- Installing advanced endpoint protection on all hosts
What challenges might they face along the way?
Budget to add redundant systems or pay for necessary upgrades is one of the most common reasons along with the inability to take systems down for the necessary maintenance to be performed. Also, executive buy-in is important to prioritize implementing secure devices and applications throughout the organization
How does ReliaQuest GreyMatter help companies overcome those challenges and implement those controls?
GreyMatter helps overcome these challenges by providing a holistic platform to not only provide incident response and detection for any potential incidents but also to proactively threat hunt and automate any remediation actions.