Using unsupported software, allowing the use of default usernames and passwords and using single-factor authentication for remote or administrative access to systems are all dangerous behaviours when it comes to cybersecurity and should be avoided by all organisations – but particularly those supporting critical infrastructure. 


The warning comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which is developing a catalogue of “exceptionally risky” behaviours that put critical infrastructure at extra risk of falling victim to cyber attacks.

Use of single-factor authentication — where users only need to enter a username and password — is the latest risky behaviour to be added to the list, with CISA warning that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure “is dangerous and significantly elevates risk to national security”. 


Using multi-factor authentication can help disrupt over 99 percent of cyber attacks. For critical infrastructure, it’s therefore particularly important to have it applied in order to help prevent cyber criminals from tampering with cyber-physical systems. 

Alongside single-factor authentication as a bad practice is the use of known, fixed or default passwords, which CISA describes as “dangerous”. Default or simple passwords benefit cyber criminals because they are far easier to guess, which makes account compromise much more likely.

CISA also warns against the use of passwords which are known to have been breached previously, as that means they also provide cyber criminals with a simple means of gaining access to networks. 

The third bad practice listed by CISA is the use of unsupported or end-of-life software in critical infrastructure. Software or operating systems that no longer receive security updates will never be patched against newly discovered vulnerabilities, leaving cyber criminals free to exploit them.
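The three bad practices above can be checked for mechanically. The following audit function is an added example, not CISA's tooling or code from the article; the default-credential pairs, breached-password hashes, end-of-life dates and account records are all constructed for illustration. As breached-password lists are normally distributed as hashes, the check compares SHA-1 digests rather than plaintext, and it is meant to run at password-set time when the candidate password is available.

```python
import hashlib
from datetime import date

# Constructed sample data for this example (not from CISA or the article).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}

# Breached-password feeds are usually shipped as SHA-1 hashes, so the audit
# never has to keep a plaintext list of leaked passwords around.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("123456", "Summer2021!", "letmein")}

# Vendor end-of-support dates: placeholder product names and dates.
END_OF_LIFE = {"ExampleOS 7": date(2020, 1, 14), "ExampleOS 10": date(2030, 1, 1)}


def password_is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breached-hash set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def audit_account(account: dict, today: date = date(2021, 9, 1)) -> list:
    """Return the CISA bad practices an account record exhibits.

    `account` is a constructed record with keys: username, password (the
    candidate being set), admin, remote, mfa and host_os.
    """
    findings = []
    user, pw = account["username"], account["password"]
    if (user, pw) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if password_is_breached(pw):
        findings.append("breached-password")
    # Single-factor authentication is the flagged practice specifically for
    # remote or administrative access, so only those accounts are reported.
    if (account.get("remote") or account.get("admin")) and not account.get("mfa"):
        findings.append("single-factor-privileged-access")
    eol = END_OF_LIFE.get(account.get("host_os", ""))
    if eol is not None and eol <= today:
        findings.append("unsupported-software")
    return findings


if __name__ == "__main__":
    sample = {"username": "admin", "password": "admin", "admin": True,
              "mfa": False, "host_os": "ExampleOS 7"}
    print(audit_account(sample))
```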

“The presence of these bad practices in organizations that support critical infrastructure…is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public,” CISA said.

CISA’s list of dangerous bad practices is designed as advice for organisations involved in running or supporting critical infrastructure, but it is also useful advice for businesses in general: avoiding single-factor authentication, default passwords and unsupported software will also help protect them from falling victim to cyber attacks.