By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency
Cybersecurity professionals, including our expert team at CISA, often focus on promoting best practices: the necessary steps that organizations must take to secure their enterprises. It is equally important for organizations to focus on stopping bad practices: risky, dangerous technology practices that are too often accepted because of competing priorities, lack of incentives, or resource limitations that preclude sound risk management decisions but result in untenable risks to our national security, economy, critical infrastructure, and public safety. Leaders at all organizations, and particularly those that support National Critical Functions, should engage in urgent conversations to address technology bad practices.
There is certainly no lack of standards, practices, control catalogs, and guidelines available to improve an organization’s cybersecurity. While this body of guidance is invaluable, the sheer breadth of recommendations can often be daunting for leaders and risk managers. Given the risk facing our nation’s critical infrastructure, as reflected by recent incidents, additional perspective is needed. Putting an end to the most egregious risks requires organizations to make a concerted effort to stop bad practices.
The principle of “focus on the critical few” is a fundamental element of risk management. Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization’s strategic approach to security. Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of “what to do first.”
Check out CISA’s current catalog of Bad Practices, which will be updated over time based on feedback from risk managers and cybersecurity professionals.
CISA’s current catalog of Bad Practices
As recent incidents have demonstrated, cyberattacks against critical infrastructure can have significant impacts on the critical functions of government and the private sector. All organizations, and particularly those supporting designated Critical Infrastructure or National Critical Functions (NCFs), should implement an effective cybersecurity program to protect against cyber threats and manage cyber risk in a manner commensurate with the criticality of those NCFs to national security, national economic security, and/or national public health and safety.
CISA is developing a catalog of Bad Practices that are exceptionally risky, especially in organizations supporting Critical Infrastructure or NCFs. The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and the life, health, and safety of the public. Entries in the catalog will be listed here as they are added.
- Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies.
- Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies.
While these practices are dangerous for Critical Infrastructure and NCFs, CISA encourages all organizations to engage in the necessary actions and critical conversations to address Bad Practices.*
*This list is focused and does not include every possible inadvisable cybersecurity practice. The lack of inclusion of any particular cybersecurity practice does not indicate that CISA endorses such a practice or deems such a practice to present acceptable levels of risk.