The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is creating a catalog of poor security practices that increase risk for organizations, especially those supporting designated critical infrastructure or what it calls National Critical Functions (NCFs).
Security professionals, including the team at CISA, often focus on promoting best practices they should take, wrote CISA Executive Assistant Director Eric Goldstein in a blog post on the news. It's equally important, he continued, that they focus on stopping poor security practices as well.
These risky and dangerous technology practices are "too often accepted because of competing priorities, lack of incentives, or resource limitations that preclude sound risk management decisions but result in untenable risks to our national security, economy, critical infrastructure, and public safety," Goldstein explained.
Putting an end to enterprises' most threatening security risks requires organizations make an effort to stop bad practices. While it's not a substitute for implementing strong security practices, he said, it provides a framework to prioritize the security steps they should be taking.
CISA has created a page where it will list these bad practices as they are added to the catalog.
The first practice on its list is the use of unsupported or end-of-life software in service of critical infrastructure and NCFs, which it says is both dangerous and "significantly elevates risk" to national security, national economic security, and national public health and safety. This practice is particularly egregious in Internet-accessible technologies, officials wrote.
Second is the use of known, fixed, and default passwords and credentials in service of critical infrastructure and NCFs, which it says is also dangerous and increases the risk to national security, national economic security, and national public health and safety. Like the first practice, it's also especially dangerous in Internet-accessible technologies, they report.
CISA notes while these practices are risky for critical infrastructure and NCFs, it advises all organizations to pursue the steps and conversations needed to address and remove bad practices. It also acknowledges its list is focused — while this doesn't include every possible bad practice, lack of inclusion of particular practices doesn't mean that CISA endorses it or believes it has an acceptable level of risk.
"The principle of 'focus on the critical few' is a fundamental element of risk management," Goldstein wrote in his blog post. "Based on the understanding that organizations have limited resources to identify and mitigate all risks it should also be an essential element of every organization's strategic approach to security.
This is the latest in a series of steps CISA has taken in recent months to aid defenders with information and tools. Earlier this year, the agency expanded its portfolio of open source security tools and administration scripts in its open source library. This month, CISA shared intel regarding the rise in the ransomware threats targeting critical infrastructure and increasing the threats to operational technology assets and control systems. Officials have also been consistent in warning security pros of ongoing threats and publishing vulnerability advisories.