WASHINGTON: CISA, bucking the usual, has started a list of cybersecurity “bad practices” in hopes of decreasing the number of knowable and preventable cyber blunders.

Practically every profession has a set of what practitioners consider “best practices.” Cybersecurity is no different, with a dizzying array of standards, guidance, and lessons learned. But CISA, DHS’s lead agency for domestic cyber defense, has published a first set of bad practices. The agency says the initial list is incomplete and just a starting point, with more to follow.

The bad practices are aimed especially at — though not limited to — educating critical infrastructure owners and operators. This includes, of course, the defense industrial base and many who support its supply chain — from communications equipment and high-tech capabilities to electrical and mechanical components for military hardware, such as tanks, planes, and ships.

These entities often fulfill national critical functions. NCFs are organized around four areas — connections, distribution, management, and supply — that, together, are viewed as crucial to the continued functioning of the military, government, and broader national economy.

The government considers any compromise, degradation, or disruption of NCFs to pose a national security threat — including potentially to the economy and public health. So, in addition to the myriad best practices that CISA often publishes, the cybersecurity agency has started developing a list of what should be clear cybersecurity no-noes.

On the surface, the list appears to be so obvious as to obviate the need to say it. But past cyber incidents indicate these practices are still widely used.

The first of CISA’s bad practices is using outdated software: versions with known vulnerabilities for which security patches are readily available, or end-of-life versions that the vendor no longer supports with any code updates, patches included.

Yet the use of outdated software is prevalent, most recently illustrated by the Microsoft Exchange server cyberespionage campaign earlier this year. As previously reported, there were an estimated 400,000 instances of outdated Exchange software running globally as of Mar. 2 — the day Microsoft disclosed the campaign — according to security firm RiskIQ.

Another example is the 2017 WannaCry incident, which affected an estimated 300,000 computers globally across nearly every economic sector. Of those, 67 percent had delayed updating to Windows 7, according to security ratings company BitSight.

The use — and associated risks — of outdated software and operating system versions within critical infrastructure sectors have been highlighted by security researchers for years. The issue is that software designed to run on older OSes can be time-consuming, difficult, and/or costly to port to newer OS versions. It can also be challenging to patch such OSes and the software they run because critical infrastructure downtime is viewed as unacceptable.

But it’s not just special cases, such as critical infrastructure. One group of researchers recently published the results of an analysis of 5.6 million websites over 18 months and found 95 percent of sites rely on outdated software for which at least one known vulnerability — and an associated security patch — exists.

While these numbers — 300,000 or 400,000 or 5.6 million — may appear to be relatively small in the global IT universe, the point is less about the quantity and more about the absence of legitimate excuses for not updating systems and software. Some critical infrastructure operators may argue they have a rationale — however specious that reasoning may appear to security professionals, lawmakers, regulators, and the general public — but the vast majority of web administrators simply do not.

The second bad practice is using weak passwords. Weak passwords include those that are too short (eight characters or more is standard guidance [e.g., by Microsoft], but with increasing compute power for brute-force cracking, no fewer than 12 characters is recommended), too easily guessable (e.g., Password123 and those that use dictionary words), and too simple (e.g., those that do not employ a mix of randomized numbers, symbols, and uppercase and lowercase letters).

The reason should be known and familiar to most: Short, guessable, and/or simple passwords can be easily cracked with free hacking tools readily available to even the lowest-skilled script kiddie.

What difference do password length and complexity make? Consider that every character added to a password significantly increases the time and computing power required to crack it. Adding complexity requires even more time and computing power.

It’s possible to quantify the differences. To illustrate the point, security ratings company Web of Trust provides a breakdown, including the following:

  • Eight-character password with no complexity (e.g., all lowercase letters) takes about four hours and seven minutes to crack.
  • Eight-character password with at least one capital letter and one number increases the time to crack to six months.
  • 12-character password with no complexity takes about two centuries and one decade to crack.
  • 12-character password with symbols, numbers, and uppercase and lowercase letters takes about 15,368 millennia and three centuries to crack.
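The table above only holds for one guessing rate, and it does not say which. Working backward from its first row (26^8 lowercase passwords exhausted in about four hours) implies roughly 14 million guesses per second, which is in the range of an online or slow-hash attack; offline cracking of a fast unsalted hash on a modern GPU runs several orders of magnitude faster. The following Python is an added example, not code from the article or from Web of Trust: it computes keyspace and worst-case exhaustion time for the article's four cases at a chosen rate, and applies the three weak-password criteria (length, guessability, character mix) from the preceding paragraphs. The implied rate is derived from the table; `GPU_RATE`, the common-password deny list, and the password samples are assumptions constructed for the example.

```python
import string

# Character-class sizes: 26 + 26 + 10 letters/digits plus 33 printable ASCII
# punctuation symbols gives the usual 95-character printable set.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Guess rates. IMPLIED_RATE is backed out of the article's table: 26^8
# lowercase passwords exhausted in 4 h 7 min (about 1.4e7 guesses/s).
# GPU_RATE is an assumed round-number stand-in for offline cracking of a
# fast unsalted hash (NTLM, MD5) on a single modern GPU, not a measurement.
IMPLIED_RATE = 26 ** 8 / (4 * 3600 + 7 * 60)
GPU_RATE = 1e11

# Constructed deny list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "admin123", "qwerty",
                    "letmein", "welcome1"}


def char_classes(password: str) -> dict:
    """Which of the four classes the password actually uses."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers the password."""
    used = char_classes(password)
    return (LOWER * used["lower"] + UPPER * used["upper"]
            + DIGITS * used["digit"] + SYMBOLS * used["symbol"])


def keyspace(length: int, charset: int) -> int:
    return charset ** length


def crack_seconds(length: int, charset: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the keyspace; the average is half this."""
    return keyspace(length, charset) / guesses_per_second


def humanize(seconds: float) -> str:
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(rate: float) -> dict:
    """The article's four cases (8/12 chars, lowercase vs mixed) at `rate`."""
    cases = {
        "8 chars, lowercase only": (8, LOWER),
        "8 chars, + one upper and one digit": (8, LOWER + UPPER + DIGITS),
        "12 chars, lowercase only": (12, LOWER),
        "12 chars, all four classes": (12, LOWER + UPPER + DIGITS + SYMBOLS),
    }
    return {label: humanize(crack_seconds(n, cs, rate))
            for label, (n, cs) in cases.items()}


def is_weak(password: str, denylist=COMMON_PASSWORDS) -> list:
    """Return the reasons a password fails the article's three criteria.

    An empty list means it passes: at least 12 characters, not on the
    common-password list, and at least three character classes."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() in denylist:
        reasons.append("on common-password list")
    if sum(char_classes(password).values()) < 3:
        reasons.append("fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for rate, label in ((IMPLIED_RATE, "rate implied by the table"),
                        (GPU_RATE, "assumed single-GPU offline rate")):
        print(f"--- {label}: {rate:.3g} guesses/s")
        for case, t in crack_time_table(rate).items():
            print(f"{case:40} {t}")
    for pw in ("Password123", "xK9#mQ2!vL7pR"):
        print(pw, "->", is_weak(pw) or "passes")
```

At the implied rate the function reproduces the table's rows to within rounding (4.1 hours, about 180 days, about 215 years); at the assumed GPU rate the eight-character lowercase case falls to a couple of seconds, which is the caveat a practitioner should attach to any such table. Note also that exhaustion time is a ceiling: dictionary and rule-based attacks find human-chosen passwords like Password123 long before the keyspace is exhausted, which is why the deny-list check matters as much as the length check.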

A second facet to poor password hygiene is recycling passwords across accounts. The reason is that, should cyber actors crack or obtain a password for one account, then they would have ready access to all other accounts that share the same password.

Cyber actors also increasingly use an attack method called password spraying, wherein they use a common password (e.g., admin123) to gain access to as many accounts as possible.

While online brute-forcing (loosely called cracking) throws many passwords at a single account, spraying tries one or a few passwords against many accounts. Spraying is a way around account lockouts, which per-account brute-forcing trips if a lockout policy is in place; because each account sees only one or two failures, a spray also looks like ordinary user error unless failures are correlated across accounts and sources. Cyber actors can brute-force or spray any account, but the practice is particularly prevalent on web-based account logins.
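The distinction matters for detection: per-account lockout counters catch brute-forcing but are blind to spraying, so the defender has to pivot on the source and on the number of distinct accounts failing in a window. The following Python is an added example, not from the article or from CISA, that runs that logic over a constructed authentication log. The log format (`timestamp src=... user=... result=OK|FAIL`), the thresholds, the RFC 5737 documentation addresses and the user names are all assumptions made for the example; map the parser to whatever your IdP or web server actually emits.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log line shape for this example (not any real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.5 brute-forces one account and gets in;
# 198.51.100.9 sprays one guess across six accounts and gets in on the last;
# 192.0.2.7 is a user who mistyped twice. Addresses are documentation ranges.
SAMPLE_LOG = """\
2021-06-24T10:00:01Z src=203.0.113.5 user=bob result=FAIL
2021-06-24T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2021-06-24T10:00:04Z src=203.0.113.5 user=bob result=FAIL
2021-06-24T10:00:06Z src=203.0.113.5 user=bob result=FAIL
2021-06-24T10:00:07Z src=203.0.113.5 user=bob result=FAIL
2021-06-24T10:00:09Z src=203.0.113.5 user=bob result=OK
2021-06-24T10:05:00Z src=198.51.100.9 user=alice result=FAIL
2021-06-24T10:05:02Z src=198.51.100.9 user=bob result=FAIL
2021-06-24T10:05:04Z src=198.51.100.9 user=carol result=FAIL
2021-06-24T10:05:06Z src=198.51.100.9 user=dave result=FAIL
2021-06-24T10:05:08Z src=198.51.100.9 user=erin result=FAIL
2021-06-24T10:05:10Z src=198.51.100.9 user=frank result=OK
2021-06-24T10:09:30Z src=192.0.2.7 user=alice result=FAIL
2021-06-24T10:09:45Z src=192.0.2.7 user=alice result=FAIL
2021-06-24T10:10:02Z src=192.0.2.7 user=alice result=OK
"""


def parse(log_text):
    """Yield (timestamp, src, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["src"], m["user"], m["result"]


def classify_sources(log_text, window=timedelta(minutes=10), min_failures=5,
                     spray_min_users=5, brute_min_per_user=5):
    """Per source IP: 'brute_force', 'spray' or 'benign', with evidence."""
    events = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        events[src].append((ts, user, result))

    report = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        verdict, j = "benign", 0
        for i in range(len(fails)):
            # Slide the window start forward so fails[j:i+1] spans <= window.
            while fails[i][0] - fails[j][0] > window:
                j += 1
            chunk = fails[j:i + 1]
            if len(chunk) < min_failures:
                continue
            per_user = Counter(u for _, u in chunk)
            # Many accounts, at most a couple of guesses each: spraying.
            if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
                verdict = "spray"
            # Many guesses piled onto one account: brute force.
            elif max(per_user.values()) >= brute_min_per_user and verdict != "spray":
                verdict = "brute_force"
        # A success after the failures is the event that needs a responder.
        success_after = verdict != "benign" and any(
            r == "OK" and any(ft <= ts for ft, _ in fails) for ts, _, r in evs
        )
        report[src] = {
            "verdict": verdict,
            "failures": len(fails),
            "distinct_users": len({u for _, u in fails}),
            "success_after_failures": success_after,
        }
    return report


def accounts_failing_in_window(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Source-agnostic view: the most distinct accounts with a failure inside
    any one window. A spray that rotates source IPs still shows up here."""
    fails = sorted((ts, u) for ts, _, u, r in parse(log_text) if r == "FAIL")
    worst, j = 0, 0
    for i in range(len(fails)):
        while fails[i][0] - fails[j][0] > window:
            j += 1
        worst = max(worst, len({u for _, u in fails[j:i + 1]}))
    return worst, worst >= min_accounts


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
    print("distinct accounts failing in one window:", accounts_failing_in_window(SAMPLE_LOG))
```

The per-source rule catches both attackers in the sample while leaving the mistyping user alone; the source-agnostic count is the second leg, since real sprays are run from rotating or residential proxies precisely to stay under any per-IP threshold. Tune the thresholds to a baseline of your own failure rates, and treat a success that follows a flagged run, not the failures themselves, as the high-priority alert.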

Many organizations still require administrators and end users to change passwords every 90 days, though current NIST guidance (SP 800-63B) discourages forced periodic rotation in favor of changing a password when there is evidence it has been compromised and screening new passwords against known-breached lists. Whenever possible, use multi-factor authentication.

CISA’s bad practices are not new nor groundbreaking. Yet unfortunately — based on studies, surveys, and known incidents — they bear repeating. Perhaps the takeaway is this: Even if an organization doesn’t have the time to gain knowledge of or the money to hire practitioners with expertise in the labyrinth of known cybersecurity best practices, at least avoid being imprudent, negligent, and senseless. Shun these entirely preventable bad practices.