CISA Names 3 ‘Exceptionally Dangerous’ Behaviors to Avoid

October 12, 2021
| |
4 min read

In terms of database security, any bad practice is dangerous. Still, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently deemed some behavior as “exceptionally risky.” Are your teams engaged in these high-risk practices? What can you do to mitigate the risk of a data breach?

As per CISA, “The presence of these Bad Practices in organizations that support Critical Infrastructure… is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability and life, health and safety of the public.”

Even for those outside of national cybersecurity, these behaviors should be top of mind for any vulnerability assessment. While they may seem simple, each one involves complex cyber crime that cannot be ignored.

CISA Risky Behavior 1: Single-Factor Authentication

Single-factor authentication means a username and password grant user access with nothing else required. According to CISA, this is an all-too-common high-risk practice. Microsoft revealed its cloud services see about 300 million fraudulent sign-in attempts every day. Even eight-character passwords — with a mix of numbers, upper and lowercase letters and special characters — are cracked with relative ease.

The good news is that multifactor authentication (MFA) can stop 100% of bot attacks and 99% of bulk phishing attacks.

One common MFA method is a username and password, plus a message, link or code sent by text message. The second factor may also be a pin code, personal trivia (such as mother’s maiden name), a USB key fob or biometrics.

MFA Challenges

Still, there are some problems with MFA. Let’s say text messaging is the second factor. What happens if someone loses their smartphone or has it stolen? They lose access.

With SIM swapping, attackers trick, coerce or bribe phone company employees to transfer phone numbers to their own SIM cards. They can even generate fake SIM cards that mimic existing numbers. Also, by scanning wireless provider websites, attackers can find old phone numbers that have been abandoned.

Princeton researchers noticed that phone companies offer new numbers in blocks. Recycled numbers, however, appear in non-consecutive blocks. Attackers can match recycled numbers against directories on the dark web. Then, using numbers linked to online accounts, attackers can reset the passwords.

Due to more refined authentication threats, data security teams are turning to more advanced Identity and Access Management. This includes using context-based insight (such as device IDs, behavioral biometrics and location data) which leaves less room for risky authentication.

CISA Exceptionally Risky Behavior 2: Default Passwords and Credentials

If everybody and their cousin knows your username and password, you have a big problem. Some even have credentials written on a Post-it stuck to their monitor. These can be easily leaked. Plus, known, fixed or default credentials are simple to crack, CISA warns.

One way around this is to get rid of shared accounts. Also, run your passwords through strength evaluation, which ensures all passwords are unique and complex enough for threat deterrence. In the end, this category is a subset of the single-factor authentication risk basket.

CISA Exceptionally Risky Behavior 3: Unsupported or End-of-Life (EOL) Software

Upon finding outdated software or operating systems, threat actors can exploit existing data protection vulnerabilities. Since old software doesn’t get updated, the application security becomes patchless. CISA has been warning about this for years.

End-of-life (EOL) software is well-known terrain for threat actors. Sadly, it appears the well-known WannaCry ransomware attack on Microsoft Windows in 2017 still often flew under the radar. How do we know this? What else explains the fact that WannaCry attacks increased 53% from January 2021 to March 2021?

Microsoft had already released patches to close these doors. Still, much of WannaCry’s spread was from groups that did not apply the patches. Or they were using even older end-of-life Windows systems.

Some ways to mitigate unsupported this type of risk include:

  • Buy extended support – This is not the least expensive option, but consider the cost of a data breach. Extended support may not be possible for every system.
  • Isolate the risk – Separate standalone machines from your network and/or prohibit public internet access. Or isolate on a separate network with tight inbound and outbound traffic firewalls.
  • Limit user access – Audit who needs access and remove the software from devices that do not. If possible, consider setting some devices aside for only EOL software use.
  • Stay informed – Some vendors and original software providers may offer patches for common openings. Stay on the lookout for these while you implement long-term fixes.
  • Plan to upgrade – Out-of-date software carries security, operational, regulatory and compatibility issues. In the end, you need to formulate a replacement plan.

Avoid Dangerous Behavior

The CISA list isn’t long. End-of-life software issues always lead to a software upgrade or replacement. This leaves identity and access oversight as the most dangerous practice.

Static authentication often makes things too easy for threat actors or too cumbersome for users. As a solution, adaptive access strategies use artificial intelligence (AI) to build contextual authentication insights.

AI can determine the level of trust or risk tied to each user in any given context. When paired with access policy rules, this allows security to base access on level of trust. In low-risk cases, you can grant streamlined or even passwordless access. Meanwhile, advanced MFA can challenge high-risk users and protect access to critical infrastructure.

Adaptive access represents an emerging security trend. It’s no longer enough to set it and forget it. To stay ahead of threat actors, security context evaluation is critical.

Remember, avoiding dangerous behavior is a team effort. For cybersecurity training and cyber awareness training, make sure to educate your employees. For example, remind them that phishing attacks can occur via email, Voice over Internet Protocol, text and social media. So keep spreading the word, and be safe out there.

NewsCred System
NewsCred System is a contributor for SecurityIntelligence.