Deadly Cybersecurity ‘Bad Practices’ – How Many Do You Account for?

According to CISA, as recent events have demonstrated, cyberattacks against critical infrastructure can have a significant impact on critical government and private sector functions. All organizations, especially those supporting designated critical infrastructure or national critical functions (NCFs), should implement an effective cybersecurity program to protect against cyber threats and manage cyber risk in a manner commensurate with the importance of those NCFs to national security, national economic security and/or national public health and safety.

CISA is developing a catalog of “bad practices” that are exceptionally risky, especially in organizations that support critical infrastructure or NCFs. The presence of these “bad practices” in such organizations is very dangerous and increases the risk to the critical infrastructure upon which national security, economic stability, and the life, health and safety of the public depend. Entries in the catalog will be listed one by one as they are added.

Virtually every industry has a set of what practitioners consider “best practices.” Cybersecurity is no exception, with a dizzying array of standards, guidance, and lessons learned. But CISA, DHS’s main agency for domestic cyber defense, has now released the first version of a “bad practices” list. This short list is not complete and is just a starting point, with more entries to follow.

The purpose of these “bad practices” is, though not exclusively, to educate critical infrastructure owners and operators. Of course, this includes the defense industrial base and the many businesses that support its supply chain, from communications equipment and high-tech capabilities to electrical and mechanical components for military hardware such as tanks, planes, and ships.

These entities often perform key functions of the state. National critical functions are organized around four domains – connecting, distributing, managing and supplying – which are considered critical to the continued functioning of the military, government and the wider national economy.

The government considers any attack on, degradation of, or disruption to national critical functions (NCFs) a threat, including a potential threat to the economy and public health. So, in addition to the myriad best practices that CISA regularly publishes, the cybersecurity agency has begun to develop a list of cybersecurity no-nos that need to be spelled out.

On the surface, the list is so obvious that it doesn’t need to be said. But past cyber incidents have shown that these practices are still widely used.

The first “bad practice” listed by CISA is the use of outdated software. This includes versions with known vulnerabilities for which security patches are available but have not been applied, and end-of-life versions where the vendor no longer supports the code with updates or patches.

However, the use of outdated software is widespread, a recent example being the cyber espionage campaign against Microsoft Exchange servers early in 2021. As of March 2, the day Microsoft disclosed the attack, an estimated 400,000 outdated versions of the Exchange software were running globally, according to security firm RiskIQ.

Another example is the “WannaCry” incident in 2017, which affected about 300,000 computers in nearly every sector of the economy worldwide. According to security ratings firm BitSight, 67% of those users had put off upgrading to Windows 7.

For years, security researchers have emphasized the use of outdated software and operating system versions and their associated risks in critical infrastructure areas. The problem is that application software is designed to run on older operating systems, and updating the operating system to a newer version can be time-consuming, difficult, and/or expensive. Patching such operating systems and the software they run is also difficult, as critical infrastructure downtime is considered unacceptable.

But it’s not just special cases like critical infrastructure. A team of researchers recently released the results of an 18-month analysis of 5.6 million websites and found that 95 percent of them rely on outdated software with at least one known vulnerability for which a security patch exists.

While these numbers (400,000, 300,000, or 5.6 million) may seem relatively small to the global IT community, the problem is not the quantity but the lack of a sound excuse for not keeping systems and software up to date. Some critical infrastructure operators may say they have a reason, however plausible that reason may seem to security professionals, lawmakers, regulators and the general public, but the vast majority of network administrators simply don’t.

The second “bad practice” listed by CISA is the use of weak passwords. Weak passwords include those that are too short (the standard guideline is more than 8 characters, but with the increasing computing power available for brute-force cracking, 12 characters is recommended), too easy to guess (e.g. Password123 and those built from dictionary words), or too simple (e.g. those that do not mix random numbers, symbols, and upper- and lower-case letters).

The reason should be known and familiar to most people: short, guessable and/or simple passwords can be cracked easily with freely available tools, and without particularly advanced skills.

The second aspect of poor password hygiene is the reuse of passwords between different accounts. The reason is that if a cyber threat actor cracks or obtains the password for one account, they can access all other accounts sharing the same password at any time.

There are countless cases of account login credentials being stolen and maliciously used. The two poisoning incidents at water plants in the United States at the beginning of this year were both caused by an employee’s TeamViewer account being stolen. Fortunately, the attempted poisoning was discovered in time. Another incident of global concern was the extortion of the Colonial Pipeline oil and gas company, which led to tight oil and gas supplies and caused a high degree of alarm in the US government and the White House. The investigation showed that the initial intrusion into the network came through a forgotten VPN account whose password had been compromised.

Cyber threat actors are also increasingly using an attack method called “password spraying”, in which they try a single common password (such as admin123) against as many accounts as possible.

While the point of cracking is to try many passwords against one account, the goal of spraying is to compromise many accounts that share the same password. Spraying is seen as a way to circumvent the account lockouts that cracking a single account would trigger if proper security measures are in place. Cyber threat actors can attempt to crack or spray any account, but this practice is especially common against web-based logins.
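The distinction drawn above also decides how each pattern shows up in authentication logs: a per-account lockout catches cracking because failures pile up on one account, while spraying spreads one or two failures across many accounts and only becomes visible when failures are correlated per source. The following added example (not from the article or from CISA) runs that correlation over a few constructed failed-login records in a generic log format.

```python
import re
from collections import defaultdict

# Constructed failed-login records in a generic auth-log format (not from the article).
SAMPLE_LOG = """\
2021-05-10T08:01:02Z auth_failed src=203.0.113.7 user=alice
2021-05-10T08:01:03Z auth_failed src=203.0.113.7 user=bob
2021-05-10T08:01:04Z auth_failed src=203.0.113.7 user=carol
2021-05-10T08:01:05Z auth_failed src=203.0.113.7 user=dave
2021-05-10T08:01:06Z auth_failed src=203.0.113.7 user=erin
2021-05-10T08:02:00Z auth_failed src=198.51.100.9 user=admin
2021-05-10T08:02:01Z auth_failed src=198.51.100.9 user=admin
2021-05-10T08:02:02Z auth_failed src=198.51.100.9 user=admin
2021-05-10T08:02:03Z auth_failed src=198.51.100.9 user=admin
2021-05-10T08:02:04Z auth_failed src=198.51.100.9 user=admin
2021-05-10T08:03:00Z auth_failed src=192.0.2.44 user=grace
2021-05-10T08:03:09Z auth_failed src=192.0.2.44 user=grace
"""

LINE_RE = re.compile(r"auth_failed src=(?P<src>\S+) user=(?P<user>\S+)")

def parse_failures(log_text):
    """Return (source, account) pairs for every failed-login line."""
    return [(m["src"], m["user"]) for m in map(LINE_RE.search, log_text.splitlines()) if m]

def classify_failures(events, lockout_threshold=5, spray_accounts=5):
    """Separate the two failure patterns the article contrasts.

    - cracking: one account accumulates >= lockout_threshold failures,
      which a per-account lockout policy would catch;
    - spraying: one source fails against >= spray_accounts distinct accounts
      while each account sees fewer than two failures on average, so the
      per-account lockout never fires and only per-source correlation reveals it.
    """
    per_account = defaultdict(int)
    per_source = defaultdict(list)
    for src, user in events:
        per_account[user] += 1
        per_source[src].append(user)
    cracked_accounts = sorted(u for u, n in per_account.items() if n >= lockout_threshold)
    spraying_sources = sorted(
        src for src, users in per_source.items()
        if len(set(users)) >= spray_accounts and len(users) / len(set(users)) < 2
    )
    return {"cracking_accounts": cracked_accounts, "spraying_sources": spraying_sources}

if __name__ == "__main__":
    print(classify_failures(parse_failures(SAMPLE_LOG)))
```

The thresholds are illustrative; in practice they would be tuned to the lockout policy actually in force and evaluated over a sliding time window rather than the whole log.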

As a best practice, administrators should also have passwords changed every 90 days. However, periodically changing passwords puts users in another dilemma: they need to strike a balance between changing the password and being able to remember it, and are very likely to fall back on a predictable password pattern. At this point, choosing a password manager like KeePass is a viable option. But that brings a new problem in turn, the trouble of putting all your “eggs in one basket”!

CISA’s “bad practices” are neither new nor groundbreaking. Unfortunately, however, research, investigations, and known incidents show that they have to be repeated. Perhaps the conclusion is this: even if an organization doesn’t have the time to acquire the knowledge, or enough money to hire practitioners with expertise in the labyrinth of known cybersecurity best practices, it can at least avoid recklessness, negligence, and stupidity by avoiding these completely preventable “bad practices.”