Photo by sebastiaan stam on Unsplash. When food producers change the food labels from to , it changes the meanings for consumers. use-by-date the best-before-date Not only did I find that confusing, but the concept of “Best Before” is only indicating the food quality instead of food safety. : The product is no longer at its optimal quality . Best Before Date (quality) : The Product is no longer safe for consumption . Use By Date (safety) Best Practices are like the best-before date — if you do not follow them, your security posture will not be in its optimal state. However, if you exercise bad practices — your environment will no longer be cyber-safe. Cybersecurity is about the quality of work, yes. But, — that’s why we should adopt the concept of “use-by” date instead of “best-before” in cybersecurity. safety should be our top priority recognizes these risks and has released a . The Cybersecurity and Infrastructure Security Agency (CISA) Bad Practices page But, what does that mean for businesses (or those in the business of protecting digital assets)? As of this writing, . the CISA listed just three bad practices Here’s some guidance on how to take action. How can you avoid these bad practices? Bad Practice #1: Using Older Software First, don’t use unsupported or end-of-life software. This is extra important if your business is in critical infrastructure and NCF. Threat actors can easily exploit these. After all, they know defenders probably won’t be able to patch any vulnerabilities they find. Running software beyond its use-by date leads to malware and ransomware attacks and puts data and other critical assets at risk of compromise or theft. Other tips include: When possible, use managed service providers who handle software updates and offer software upgrades when software has reached its end-of-life cycle. Work with vendors that offer software support, even for a fee, for a limited time until you can fully upgrade to the new software version. When purchasing software, ask about its lifecycle so you can budget for upgrades. Conduct regular audits of software and devices. Upgrade hardware that supports current software. Too often, people use older software because legacy systems can’t handle the upgrade. Better to spend money on new devices than on penalties for a data breach caused by an end-of-life exploit. Bad Practice #2: Reusing Passwords The second bad practice CISA discusses is using known, fixed, or default passwords and credentials. As a result, attackers are turning to credential stuffing to enter the network. Unfortunately, they do this most often through password hacking. To counteract this harmful habit, keep up-to-date on the following suggestions from the CISA guidelines: Change the default or fixed password on new devices. Unfortunately, these passwords aren’t secure because they often follow a pattern set by the business that threat actors can quickly figure out. As a result, IoT devices are at the most significant risk of using a default or fixed password, and more threat actors enter networks through compromised IoT. Consider using secure login options that don’t include passwords (password-less authentication). Deploy an identity management platform. It is challenging to detect compromised credentials because the threat actor uses real IDs to get into the system. Identity management tools scan for strange login behaviors. Require employees to use unique passwords for each account. Don’t allow users to store passwords or credentials in browsers or other devices, like smartphone apps. Encourage users to log out of software where possible when they’re done working and to log off devices, or put them in sleep mode with a password to wake them. Avoid entering passwords in public locations, such as Wi-Fi in coffee shops and hotels. Never share a password, including default passwords, with anyone. Then, in an emergency, the admin will be able to get access. Bad Practice #3: Using Single-Factor Authentication for Remote or Administrative Access CISA’s focuses on implementing strong authentication and highlights the risks of using traditional single authentication methods such as a username combined with a password, especially when accessing critical systems, like pipeline applications or companies’ databases. Capacity Enhancement Guide Single-factor authentication is a common low-security method of authentication. It only requires matching one factor — such as a password — to a username to access a system. However, when combining this bad practice with the second one (weak/ default password), gaining access to a critical system would be too easy. Below are the general recommendations: Monitor closely who has access to accounts, particularly for privileged accounts. 2-factors/ multi-factor authentication should be in place. That includes login for OS, SaaS application, and in-house application. Implement separation of duty or split knowledge on NCF. Review privileged accounts permission regularly. Final Words: Still Missing the “How” Only two bad practices may not go far, primarily when addressing the most commonly known threat vectors. However, CISA’s efforts show the need for even elementary security best practices and everyone to take cybersecurity seriously. Unfortunately, simply listing all the bad practices publicly do nothing but a checklist. Companies and organizations who find the bad practices were sadly working in their environment would need some guidance on getting rid of them. Adding the “How” in the bad practices — by advising on not doing such behavior or replacing it with better alternatives would be a perfect match for this guide. Reference: https://www.cisa.gov/BadPractices Also published here. Thank you for reading. May InfoSec is with you🖖.

Keep

Understanding Pegasus: How to Trace the Untraceable

How to Keep Yourself from Becoming a Victim of Flytrap Malware

2021 - HackerNoon Contributor of the Year - CULTURE

Support Me on Coil

2021 - HackerNoon Contributor of the Year - PERSONAL-DATA

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Beginners Guide

Nominated for 2022 - HackerNoon Contributor of the Year - Containers

Nominated for 2022 - HackerNoon Contributor of the Year - Data Privacy

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

Avoid Stranger Danger: 
Review the new CISA Cybersecurity Guides

Avoid Stranger Danger: Review the new CISA Cybersecurity Guides

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

10 Reasons Why Less Is More in Your init/deinit Methods

10 Best Practices for Every React Developer

10 Best Practices for Using Kubernetes Network Policies

12 Essential Coding Standards for Quality Web Development

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

10 Reasons Why Less Is More in Your init/deinit Methods

10 Best Practices for Every React Developer

10 Best Practices for Using Kubernetes Network Policies

12 Essential Coding Standards for Quality Web Development

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps