When food producers change the food labels from use-by-date to the best-before-date, it changes the meanings for consumers.
Not only did I find that confusing, but the concept of “Best Before” only indicates food quality, not food safety.
Best Before Date: The product is no longer at its optimal quality (quality).
Use By Date: The Product is no longer safe for consumption (safety).
Best Practices are like the best-before date — if you do not follow them, your security posture will not be in its optimal state.
However, if you exercise bad practices — your environment will no longer be cyber-safe. Cybersecurity is about the quality of work, yes. But safety should be our top priority — that’s why we should adopt the concept of a “use-by” date instead of a “best-before” date in cybersecurity.
The Cybersecurity and Infrastructure Security Agency (CISA) recognizes these risks and has released a Bad Practices page.
But, what does that mean for businesses (or those in the business of protecting digital assets)?
As of this writing, the CISA listed just three bad practices.
How can you avoid these bad practices? Here’s some guidance on how to take action.
First, don’t use unsupported or end-of-life software. This is extra important if your business is in critical infrastructure or supports National Critical Functions (NCF).
Threat actors can easily exploit such software. After all, they know defenders probably won’t be able to patch any vulnerabilities they find.
Running software beyond its use-by date leads to malware and ransomware attacks and puts data and other critical assets at risk of compromise or theft. Other tips include:
The second bad practice CISA discusses is using known, fixed, or default passwords and credentials. As a result, attackers are turning to credential stuffing to enter the network.
Unfortunately, they do this most often through password hacking. To counteract this harmful habit, keep up-to-date on the following suggestions from the CISA guidelines:
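The credential-stuffing pattern described above (one source cycling through many account names, most of them well-known default accounts, with mostly failed logins) is easy to spot in authentication logs. The following is an added example, not code from the article or from CISA; the sshd-style log lines and the IP addresses are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article): one source sprays
# well-known default account names and finally gets in as "admin".
SAMPLE_LOG = """\
Jan 10 09:00:01 vpn sshd[101]: Failed password for admin from 203.0.113.5 port 50001 ssh2
Jan 10 09:00:02 vpn sshd[102]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jan 10 09:00:03 vpn sshd[103]: Failed password for invalid user cisco from 203.0.113.5 port 50003 ssh2
Jan 10 09:00:04 vpn sshd[104]: Failed password for invalid user pi from 203.0.113.5 port 50004 ssh2
Jan 10 09:00:05 vpn sshd[105]: Failed password for invalid user ubnt from 203.0.113.5 port 50005 ssh2
Jan 10 09:00:06 vpn sshd[106]: Accepted password for admin from 203.0.113.5 port 50006 ssh2
Jan 10 09:01:00 vpn sshd[107]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 09:01:05 vpn sshd[108]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for user" and "Failed password for invalid user X".
LINE_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")


def detect_credential_stuffing(log_text, min_users=4, min_fail_ratio=0.6):
    """Return {source_ip: summary} for sources that tried many distinct
    usernames with a high failure ratio (assumed thresholds), and list any
    account that the same source eventually logged into successfully."""
    stats = defaultdict(lambda: {"users": set(), "failed": 0, "accepted": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        outcome, user, ip = m.groups()
        stats[ip]["users"].add(user)
        if outcome == "Failed":
            stats[ip]["failed"] += 1
        else:
            stats[ip]["accepted"].append(user)

    findings = {}
    for ip, s in stats.items():
        attempts = s["failed"] + len(s["accepted"])
        ratio = s["failed"] / attempts
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": attempts,
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(set(s["accepted"])),  # accounts to reset first
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

A single legitimate user who mistypes a password once (198.51.100.7 above) is not flagged, because the rule requires many distinct usernames from the same source, not just failures.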
CISA’s Capacity Enhancement Guide focuses on implementing strong authentication and highlights the risks of using traditional single authentication methods such as a username combined with a password, especially when accessing critical systems, like pipeline applications or companies’ databases.
Single-factor authentication is a common low-security method of authentication. It only requires matching one factor — such as a password — to a username to access a system.
However, when this bad practice is combined with the second one (weak or default passwords), gaining access to a critical system becomes far too easy.
Below are the general recommendations:
A list of only two bad practices may not go far, especially when it comes to addressing the most commonly known threat vectors.
However, CISA’s efforts show that even elementary security best practices are still needed, and that everyone must take cybersecurity seriously.
Unfortunately, simply publishing a list of bad practices produces nothing more than a checklist. Companies and organizations that discover these bad practices are present in their own environments need guidance on how to get rid of them.
Adding the “How” to each bad practice, with advice on how to stop the behavior or replace it with better alternatives, would be a perfect complement to this guide.
Reference: https://www.cisa.gov/BadPractices
Thank you for reading. May InfoSec be with you 🖖.