The Cybersecurity and Infrastructure Security Agency (CISA) published a plea to the organizations designated “Critical Infrastructure or National Critical Function (NCF).” CISA called for organizations and government to up their cybersecurity game. Now.
While the plea was pointed at government and private sector NCF entities, the message is applicable to the nation, and especially to Facility Security Officers (FSOs) supporting NISPOM and DCID classified engagements. CISA didn’t put too fine a point on its messaging regarding the Bad Practices:
“The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public.”
Looking into the three Bad Practices one by one:
1. End of Life
“Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”
When software or hardware is declared end-of-life, the provider is clearly stating that there will be no further support, and therefore any vulnerabilities found after that date will remain unresolved. You are on your own when it comes to mitigating any security issues, and no entity wants to be in that position.
2. Use of default/fixed passwords
“Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”
There are two obvious instances where this practice is prevalent. The first is when new software or equipment is introduced into a system and the vendor’s configuration is left in place: for example, the router ships with a userid of ADMIN and a password of PASSWORD, and the expectation is that you will change them upon install. The second is less obvious, and that is robotic process automation (RPA), which is finding its way into more and more entities. An RPA is a business process which has been automated, often using hard-coded credentials. Rajan Koo, chief customer officer at DTEX Systems, was quoted recently in the CSO Online piece “Device identity: The overlooked insider threat,” describing how a CFO fell victim to a phishing scam and the criminal adversary gained access to and control over a variety of RPAs, all of which had hard-coded credentials.
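The two failure modes above (vendor defaults left in place, and RPA definitions with credentials embedded as literals) are both visible in configuration files, which makes them easy to catch before deployment. The scanner below is an added example written for this article, not a CISA tool or any vendor’s product. It walks an INI-style configuration, pairs each username with the password that follows it, and reports literal secrets and known default pairs while ignoring values that point at a vault or environment variable. The sample configuration, the default-credential list and the vault reference syntax (`${VAULT:...}`) are all constructed for illustration.

```python
import re

# Constructed sample: an RPA bot configuration and a router section,
# written for this example (not taken from any real product).
SAMPLE_RPA_CONFIG = """\
[erp_bot]
username = svc_rpa_finance
password = Summer2021!
api_token = ${VAULT:erp/api_token}

[router]
username = admin
password = password
"""

# Keys that carry identity or secret material in key=value / key: value lines.
CREDENTIAL_LINE = re.compile(
    r"^\s*(?P<key>username|user|password|passwd|pwd|secret|api_key|api_token|token)"
    r"\s*[=:]\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)
USER_KEYS = {"username", "user"}

# Constructed list of vendor default (username, password) pairs for illustration.
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}

# Values that reference a secret store instead of embedding a literal secret.
# The ${VAULT:...} form is an assumed convention for this example.
INDIRECTION = re.compile(r"^\$\{.*\}$|^\$[A-Za-z_][A-Za-z0-9_]*$|^(vault|env):", re.IGNORECASE)


def scan_config(text):
    """Return findings as (line_no, section, category, message) tuples.

    category is "default-credential" when a username/password pair matches a
    known vendor default, or "hardcoded-secret" when a secret key holds a
    literal value rather than a reference to a secret store.
    """
    findings = []
    section = None
    last_user = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            last_user = None  # usernames do not carry across sections
            continue
        m = CREDENTIAL_LINE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        value = m.group("value").strip().strip("\"'")
        if key in USER_KEYS:
            last_user = value
            continue
        if INDIRECTION.match(value):
            continue  # fetched from a vault/env at run time, not a literal
        pair = ((last_user or "").lower(), value.lower())
        if pair in DEFAULT_PAIRS:
            findings.append((line_no, section, "default-credential",
                             f"{key} for user {last_user!r} is a vendor default"))
        else:
            findings.append((line_no, section, "hardcoded-secret",
                             f"{key} is stored as a literal in the config"))
    return findings


if __name__ == "__main__":
    for line_no, section, category, message in scan_config(SAMPLE_RPA_CONFIG):
        print(f"line {line_no} [{section}] {category}: {message}")
```

Run as a pre-deployment check over every bot and device configuration that is under version control; the `api_token` line passes because it is resolved from a vault at run time, which is the pattern the hard-coded RPA credentials in the article should be moved to.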
3. Single-factor authentication
“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”
There should be 100% adoption of multi-factor authentication. It is a no-brainer and takes only moments to set up. Multiple options are available: software-based authenticators, numeric (one-time code) authenticators, or hardware token based systems. No process, RPAs included, should be able to operate on single-factor authentication.
FSO/CISO: get resourced
“2021 has become a game changer. Ransomware and supply chain attacks have forced enterprises to up their game. The difference between enterprises who recover gracefully with minimal damage and duration and those who truly have a business-down situation are because of basic, hygiene issues,” says Dave Klein, Director, Cyber Evangelist at Cymulate. He continued that these Bad Practices identified by CISA are “low hanging fruit as far as resolvability: simple/default passwords, lack of multi-factor authentication, lack of patch discipline, outdated remote access policies, poor least privilege control etc.”
For those who say “I can’t afford to update,” the reality is that you can’t afford not to update. Yes, budget constraints affect the ability to upgrade software/hardware in a timely manner, and choices on where to spend OPEX are a reality. Klein noted, “What I directly relate these failures to are when the business/boardroom side of the enterprise and the cybersecurity side have not operationalized the value of cybersecurity in a business/risk sense. This is a two way issue. It is a business/boardroom level that doesn’t see the value and it is cybersecurity professionals not appropriately visualizing and explaining risk to those non-security types in a manner they can understand and thus assign additional resources to it.”
Klein is spot-on. FSOs and CISOs should use the CISA admonishment to free up resources from the C-suite, so that no end-of-life hardware or software remains in service, appropriate oversight of RPAs and software is in place, and universal implementation of multi-factor authentication is the norm.
More Bad Practices to follow
The above list of “bad practices” appears to be only the beginning as CISA noted they are now building a “catalog of Bad Practices that are exceptionally risky.”
FSOs, in conjunction with their CISOs, should get ahead of the game, engage in their own cataloging of poor cyber hygiene within their own environment, and highlight the above admonishment from CISA to their employee base. It is not hyperbole to say that the weakest link is the individual or entity that doesn’t engage in basic cyber hygiene, given the onslaught of both criminal and nation state targeting of government employees and contractors within the U.S. defense and intelligence sectors.