Everyone makes mistakes once in a while. Maybe not all the time, but who hasn’t reused a password or ignored a software update? Every time someone ignores security best practices, though, your risk grows. The Cybersecurity and Infrastructure Security Agency (CISA) recognizes these risks and has released a Bad Practices page on its website. What does that mean for businesses (or those in the business of protecting digital assets)?

“All organizations, and particularly those supporting designated Critical Infrastructure or National Critical Functions (NCF) should implement an effective cybersecurity program to protect against cyber threats and manage cyber risk in a manner commensurate with the criticality of those NCFs to national security, national economic security, and/or national public health and safety,” the website states.

As of this writing, CISA has named just two bad practices, and it is still building the list. What the CISA guidelines are missing, however, are next steps. How can you avoid these bad practices? Here’s some guidance on how to take action.

CISA Advice: Avoid Older Software

First, don’t use unsupported or end-of-life software. This is extra important if your business is in critical infrastructure and NCF.

Threat actors can easily exploit such software. After all, they know defenders probably won’t be able to patch any vulnerabilities they find. Running software beyond its use-by date leads to malware and ransomware attacks and puts data and other important assets at risk of compromise or theft. Other tips include:

  • When possible, use managed service providers who handle software updates and offer software upgrades when software has reached its end-of-life cycle
  • Work with vendors that offer software support, even for a fee, for a limited time until you are able to fully upgrade to the new software version
  • When purchasing software, ask about its lifecycle so you can budget for upgrades
  • Conduct regular audits of software and devices
  • Upgrade to hardware that supports current software. Too often, people use older software because legacy systems can’t handle the upgrade. Better to spend money on new devices than on fines for a data breach caused by an end-of-life exploit.
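The audit step above is the one most often skipped, so here is an added example (not from the article or from CISA) of what a minimal end-of-life audit looks like in code. It reads an inventory export, compares each product and version against a support-end table, and sorts hosts into unsupported, expiring (within a budget-planning window), supported, and unknown. The product names, support-end dates, hostnames and CSV layout are all constructed for illustration; in practice the table would come from your vendors' published lifecycle pages and the inventory from your asset management system.

```python
import csv
import io
from datetime import date

# Constructed support-end table: hypothetical products and dates, for illustration only.
SUPPORT_END = {
    ("exampleos", "7"): date(2020, 1, 14),
    ("exampleos", "10"): date(2025, 10, 14),
    ("widgetdb", "5.6"): date(2021, 2, 1),
    ("widgetdb", "8.0"): date(2026, 4, 30),
    ("legacyapp", "2"): date(2023, 9, 1),
}

# Constructed inventory export (placeholder hostnames) in the CSV shape an asset tool might emit.
INVENTORY_CSV = """host,product,version
web01,exampleos,10
web02,exampleos,7
db01,widgetdb,5.6
db02,widgetdb,8.0
app01,legacyapp,2
iot01,sensorfw,1.3
"""


def load_inventory(text):
    """Parse the CSV export into a list of {host, product, version} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row, today, warn_days=180):
    """Return the support status of one inventory row as of `today`.

    'unknown' means the product/version is not in the lifecycle table, which is
    itself a finding: you cannot budget for an upgrade you have no date for.
    """
    end = SUPPORT_END.get((row["product"], row["version"]))
    if end is None:
        return "unknown"
    if end < today:
        return "unsupported"
    if (end - today).days <= warn_days:
        return "expiring"
    return "supported"


def audit(text, today, warn_days=180):
    """Group hosts by status so unsupported and unknown assets can be actioned first."""
    report = {"unsupported": [], "expiring": [], "supported": [], "unknown": []}
    for row in load_inventory(text):
        report[classify(row, today, warn_days)].append(row["host"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY_CSV, date(2023, 6, 1)).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

The `warn_days` window is what turns the "ask about its lifecycle so you can budget for upgrades" advice into something actionable: anything in the expiring bucket goes into next quarter's plan before it becomes an unsupported finding.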

Don’t Reuse Passwords

The second bad practice CISA identifies is the use of known, fixed or default passwords and credentials.

More and more, attackers are turning to credential stuffing to enter networks, most often by reusing passwords compromised elsewhere. To counteract this bad habit, keep up to date on the following suggestions from the CISA guidelines:

  • Change the default or fixed password on new devices right away. These passwords aren’t secure because they often follow a pattern set by the business that threat actors can easily figure out. IoT devices are at the greatest risk of using a default or fixed password, and more threat actors enter networks through compromised IoT.
  • Deploy an identity management platform. It is difficult to detect compromised credentials because the threat actor uses real IDs to get into the system. Identity management tools scan for strange login behaviors.
  • Closely monitor who has access to accounts and limit privileges as much as possible
  • Require employees to use unique passwords for each account
  • Use multifactor authentication everywhere
  • Don’t allow users to store passwords or credentials in browsers or on other devices, like smartphone apps
  • Consider using secure login options that don’t include passwords
  • Encourage users to log out of software where possible when they’re done working and to log off devices, or put them in sleep mode with a password to wake them
  • Avoid entering passwords in public locations, such as over public Wi-Fi in coffee shops and hotels
  • Never share a password, including default passwords, with anyone. In an emergency, the admin will be able to get access.
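The list mentions that identity management tools scan for strange login behaviors. As an added example (not from the article or from any CISA guidance), the following shows the simplest version of that scan: a credential-stuffing detector that flags a source address failing logins against many distinct accounts in a short window, and then lists any account that subsequently succeeded from that source, since those are the ones to reset first. The log format, addresses, usernames and thresholds are constructed for illustration; real authentication logs will need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one authentication attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: 203.0.113.5 sprays six accounts and lands on 'erin';
# 198.51.100.7 is a normal user mistyping their own password twice.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2023-06-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2023-06-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2023-06-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2023-06-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2023-06-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2023-06-01T10:00:07Z src=203.0.113.5 user=erin result=OK
2023-06-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2023-06-01T10:01:05Z src=198.51.100.7 user=alice result=FAIL
2023-06-01T10:01:10Z src=198.51.100.7 user=alice result=OK
this line is deliberately malformed and is skipped
"""


def parse(text):
    """Turn log text into (timestamp, src, user, result) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {src: distinct_accounts} for sources that failed against >= min_accounts
    distinct users inside any `window`-long span. A single user failing repeatedly
    (a forgotten password) never trips this, which keeps the alert rate low."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        best = 0
        for i, (start, _) in enumerate(fails):
            # Sliding window anchored at each failure; count distinct accounts within it.
            users = {u for ts, u in fails[i:] if ts - start <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            alerts[src] = best
    return alerts


def compromised_accounts(events, alerts):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    return {user for _, src, user, result in events if result == "OK" and src in alerts}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    flagged = detect_stuffing(evts)
    print("flagged sources:", flagged)
    print("likely compromised:", compromised_accounts(evts, flagged))
```

Two design points worth noting: the detector keys on distinct accounts rather than raw failure counts, because that is the signature of stuffing (many accounts, few tries each) as opposed to a locked-out user; and the follow-up step matters as much as the alert, because a stuffing run that ends in a success means a real credential has already been accepted.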

A list of only two bad practices may not seem like much, especially when they address some of the most commonly known threat vectors. However, CISA’s efforts show the need for even elementary security best practices and for everyone to take cybersecurity seriously.
