Using unsupported software, allowing the use of default usernames and passwords and using single-factor authentication for remote or administrative access to systems are all dangerous behaviours when it comes to cybersecurity and should be avoided by all organisations – but particularly those supporting critical infrastructure.
The warning comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which is developing a catalogue of "exceptionally risky" behaviours that can put critical infrastructure at extra risk of falling victim to cyberattacks.
Use of single-factor authentication – where users only need to enter a username and password – is the latest risky behaviour to be added to the list, with CISA warning that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure "is dangerous and significantly elevates risk to national security".
Multi-factor authentication is widely reported to block the overwhelming majority (over 99%) of automated account-compromise attempts, because a stolen or guessed password alone is no longer enough to log in. For critical infrastructure that makes it particularly important to apply on remote and administrative access, where a compromised account can be used to tamper with cyber-physical systems.
Alongside single-factor authentication as a bad practice is the use of known, fixed or default passwords, which CISA describes as "dangerous". Default passwords are published in vendor documentation and bundled into attack tooling, so an attacker does not need to guess them at all; simple passwords fall quickly to dictionary or brute-force attacks.
CISA also warns against using passwords that are known to have appeared in previous breaches. Leaked credential lists are replayed against other systems (credential stuffing), so a breached password gives cyber criminals a ready-made way into a network.
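The two password checks above can be enforced at provisioning or password-change time. The following is an added example, not CISA's tooling or anything from the article: it rejects credentials that match a constructed default-credential list, and checks the password against breach data using the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" range API, in which only the first five hex characters of the SHA-1 hash are sent and the matching hash suffixes are compared locally. The default-credential list, the embedded range responses and their counts are all constructed for this example so it runs offline; the live lookup function and its User-Agent string are included for reference and are assumptions about how a deployment would wire it up.

```python
"""Reject default and previously-breached passwords before they reach a system.

Added example (not CISA's or the article's code). The breach check follows the
k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" range API: only
the first five hex characters of the SHA-1 hash leave the client, and the
returned suffixes are compared locally. The sample data below is constructed
so the module runs offline.
"""
import hashlib
import urllib.request

# Constructed sample of vendor default credentials (username, password).
# A real deployment would load a fuller list for the assets it manages.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
}

# Constructed stand-in for two range responses. Each line is the 35-character
# remainder of a SHA-1 hash and a count of breach appearances. The hashes are
# the real SHA-1 values of "password" and "123456"; the counts and the filler
# line are illustrative, not real HIBP figures.
CONSTRUCTED_RANGE_RESPONSES = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
    ),
    # SHA-1("123456") = 7C4A8D09CA3762AF61E59520943DC26494F8941B
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\r\n",
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix: str) -> str:
    """Offline range lookup over the constructed responses above."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range endpoint.

    Only the 5-character prefix leaves the machine. The User-Agent value is
    an assumption for this example; the service requires one to be set.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "bad-practice-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup=constructed_range_lookup) -> int:
    """Number of breach records containing the password (0 if unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is a known vendor/default login."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def check_credential(username: str, password: str,
                     range_lookup=constructed_range_lookup) -> list:
    """Findings that should block this credential; empty list means acceptable."""
    findings = []
    if is_default_credential(username, password):
        findings.append("default credential")
    seen = breach_count(password, range_lookup)
    if seen:
        findings.append(f"password seen in {seen} breach records")
    return findings


if __name__ == "__main__":
    samples = [("admin", "admin"), ("ops", "123456"), ("ops", "admin")]
    for user, pw in samples:
        print(f"{user}/{pw!r}: {check_credential(user, pw) or 'ok'}")
```

To run it against live data, pass `range_lookup=hibp_range_lookup` to `check_credential`; the hash prefix is the only thing transmitted, so the check can be applied even to passwords for high-value accounts without disclosing them.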
The third bad practice listed by CISA is the use of unsupported or end-of-life software in critical infrastructure. Once a product stops receiving security updates, every vulnerability discovered after that point stays open indefinitely, and cyber criminals can exploit it knowing that no patch will ever be issued.
"The presence of these bad practices in organizations that support critical infrastructure...is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public," CISA said.
CISA's list of dangerous bad practices is designed as advice for organisations involved in running or supporting critical infrastructure – but it's also useful advice for businesses because avoiding the use of single-factor authentication, default passwords and unsupported software will also help protect them from falling victim to cyberattacks.