The Cybersecurity and Infrastructure Security Agency (CISA) is developing a catalog of bad practices in cybersecurity to help critical infrastructure providers prioritize their cybersecurity responsibilities. The agency plans to keep updating the narrow list based on feedback from cybersecurity professionals.
Recent incidents have demonstrated that cyberattacks against critical infrastructure significantly impact the vital functions of government and the private sector. Organizations, particularly those designated as national critical functions (NCF), need to implement effective cybersecurity programs to protect against cyber threats and manage cyber risks. The presence of bad practices in an organization that supports NCFs is hazardous, CISA said, because any disruption, corruption, or dysfunction to its systems would cause a debilitating effect on security, national economic security, national public health, and national public safety.
Currently, the bad practices catalog only includes two such practices, but CISA plans to expand the list based on further feedback.
In the first bad practice, CISA states that the use of unsupported (end-of-life) software in service of NCFs is dangerous and significantly elevates risk. In the second bad practice, CISA emphasizes that using fixed or default passwords and credentials in service of NCFs is hazardous and significantly raises the risk to the organization and its operations. Both practices are especially dangerous in internet-accessible technologies.
CISA also encourages all organizations beyond NCFs to take the necessary actions and hold the critical conversations needed to address these harmful practices. There is no lack of standards, procedures, control catalogs, and guidelines available to improve an organization's cybersecurity, the agency said. But putting an end to the most egregious risks requires organizations to make a concerted effort.
However, CISA emphasized in the catalog that addressing bad practices is not a substitute for implementing best practices. Still, the bad practice guide provides a rubric for prioritization and a helpful answer to the question of “what to do first.”