The Cybersecurity and Infrastructure Security Agency (CISA) has started a “Bad Practices” list and they’re beginning the list with two things that you need to stop doing right now. Stop using unsupported software and stop using weak passwords on accounts.
Why should you listen to the CISA if your organization isn’t involved with the nation’s critical infrastructure? Because your organization (no matter the size) is a target for cyber criminals and they’re using these vulnerabilities to break into IT networks every day. Avoiding these two practices would allow you to shut off these cyber entry points for bad guys and reduce the chance that you’ll have unwanted intruders in your network.
CISA List Helps to Determine Priorities
In publishing their list, the CISA wants everyone to know that while the “Bad Practice” list will grow, you shouldn’t rely on it to inform your entire cybersecurity strategy. What the list can do, however, is to help determine priorities when it comes to strengthening your security stance, especially if you haven’t been giving cyber risks the attention they require.
There’s a lot that goes into creating a security strategy and a long list of tactics that you can include. Here’s why these two practices are leading the “Bad Practice” list:
#1 on the Bad Practice List: Don’t Use Unsupported Software
Why is Unsupported Software a Vulnerability?
If you’re using a software application that is no longer receiving security patches from the manufacturer, then you can be certain that there are vulnerabilities that a cyber criminal can exploit. This includes the operating systems of your computers, servers, and other devices.
The way that cyber criminals find these vulnerabilities is by using scanning software that knows what to look for. They troll the internet and when they find a hole, they sneak into that device to unload malware, or use it as an entrance to a network.
If the computer or network doesn’t have Threat Detection and Response (TDR) tools that can spot and stop an intruder before they get too far, the intruder can lurk around for months without being discovered, reading your emails, looking at your files, and gathering info that can be used to get to a bigger target.
What You Need to Do
Stop thinking that just because it still works that it’s okay to use old software. Stop using old hardware that can’t support modern software.
The road to cost savings doesn’t come from running everything until it breaks. On the contrary, you’ll save money in the long run by creating an IT environment that locks the doors to a cyber attack, and allows your people can be more productive at the same time.
ACTION ITEM: Audit all of your software including operating systems. If you find anything that is out-of-support, replace it immediately. For software that’s in support, keep up with updates and apply patches when they’re available. Whenever possible, put updates on automatic.
#2 on the Bad Practice List: Don’t Use Weak Password Management
Why is Weak Password Management a Vulnerability?
The CISA considers a weak password to be one that’s known, fixed or default. “Known” ultimately means that the password is known to someone other than you. It could be known due to a previous compromise or it could be a credential that’s shared across an organization. For passwords to work, you need to have the power to change them, so if you have a password that can’t be changed or that you’ve left at default then it creates a vulnerability.
Cyber criminals have many ways to find passwords. They may try sending you a phishing email that tempts you to click on a link or download an attachment that puts malware on your device that will collect your usernames and passwords. The phish might even take you to a lookalike site and you put in your username and password yourself.
Another way to steal passwords is with brute force attacks that shoot out multiple attempts to try possible passwords that are aggregated from stolen password data bases, or guesses that replicate often used letter, number and character combinations.
Whether through the power of Artificial Intelligence, or Social Engineering, cyber criminals know that it’s a lot easier for them to get the keys to your network through your accounts than to try to take down your technical security layers.
What You Need to Do
Stop thinking that passwords don’t matter. Realize that some people are going to complain that improving identity management is going to be inconvenient for them.
Educate employees on the risks inherent in weak password management and how to create strong passwords. Provide ongoing cybersecurity awareness training to teach employees how to recognize and respond to potential cyber attacks.
ACTION ITEM: Find out what your organization is doing now for identity management. Ask if there are any devices connected to your network that have default, shared or fixed passwords and take action to secure the devices or replace with something that can be secured.
Whenever possible, automate password changes and enforce rules that require the creation of strong passwords. Better yet, implement Multi-Factor Authentication (MFA) across the board to add another layer of security to identity management practices.
Stop Bad Practices to Create Good Practices
The CISA Bad Practice List doesn’t contain any new game changing security tactics but if you follow their advice and STOP these practices, it can be a game changer by allowing you to avoid becoming the victim of a cyber attack.
Ready to Up Your Security Game?
At XPERTECHS, we provide consulting and services that enable strong cyber risk management. That means that we’re bringing clients best practices, tools and tactics that create a sound security strategy. If that’s not what you’re getting from your internal IT department or outsourced IT support provider, we invite you to get in touch, and explore what technical strength and strategy can bring to your organization.