HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CISA Updates List of Cybersecurity Bad Practices to Eradicate

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of cybersecurity bad practices that must be eradicated.

Cyber threat actors often conduct highly sophisticated attacks to gain access to internal networks and sensitive data, but sophisticated tactics, techniques, and procedures are frequently not required. The Bad Practices Catalog was created in July 2021 to raise awareness of some of the most egregious cybersecurity errors, ones that leave the door wide open to hackers.

There have been many lists published on cybersecurity best practices to follow, and while it is vital that those practices are followed, it is critical that these bad practices are eradicated, especially at organizations that support critical infrastructure or national critical functions (NCFs). These bad practices significantly increase risk to the critical infrastructure relied upon for national security, economic stability, and the life, health, and safety of the public.

When the Bad Practices Catalog was first published, two entries were added. First on the list is the continued use of software that has reached end-of-life and is no longer supported by the software developer. Without support, patches are no longer issued to correct vulnerabilities, which can be easily exploited by cyber actors to gain access to internal networks.

Second, and equally egregious, is the failure to change default credentials and passwords that are known to have been compromised in data breaches or have otherwise been disclosed.
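The check a defender would want for this second bad practice is one that runs at provisioning or password-change time: reject credential pairs that match a vendor default, and reject any password whose hash appears in a breached-password corpus. The following is an added example in Python, not code from the article or from CISA. The default-credential pairs and the breached-hash set are constructed stand-ins for real feeds; the lookup uses the same 5-character SHA-1 prefix range query that Have I Been Pwned's Pwned Passwords service uses, so the full hash of the candidate password never has to leave the client.

```python
import hashlib

# Constructed sample data standing in for a vendor default-credential list;
# not taken from the article.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
}


def _sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format breached-password corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breached-password corpus, stored as hashes only (a real corpus is
# distributed the same way; plaintexts are never kept).
BREACHED_SHA1 = {_sha1_upper(p) for p in ("123456", "password", "qwerty", "letmein")}


def breached_suffixes_for_prefix(prefix: str) -> set:
    """Simulates a k-anonymity range query: given the first 5 hex characters of a
    SHA-1, return the remaining 35 characters of every breached hash that shares
    the prefix. The client then compares its own suffix locally."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_known_compromised(password: str) -> bool:
    """True if the password's hash is in the breached corpus."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breached_suffixes_for_prefix(prefix)


def is_default_credential(username: str, password: str) -> bool:
    """True if the username/password pair is a known vendor default."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def credential_findings(username: str, password: str) -> list:
    """Return the bad-practice findings for a credential pair; an empty list
    means the pair passed both checks."""
    findings = []
    if is_default_credential(username, password):
        findings.append("default-credential")
    if is_known_compromised(password):
        findings.append("known-compromised")
    return findings


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("alice", "password"), ("alice", "vN3#xq8!Ls2Tbwd9")]:
        print(user, credential_findings(user, pw))
```

In production the `BREACHED_SHA1` set is replaced by a call to the range endpoint of a breached-password service, and the findings list feeds an enforcement decision (block the password, or flag the account for rotation) rather than a print.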

The latest addition is the use of single-factor authentication for remote or administrative access to systems. Single-factor authentication secures an account with a username and password alone. While this provides a degree of security, it is not sufficient to resist the brute-force tactics of hackers. Any Internet-facing system must be protected with multi-factor authentication, which requires an additional authentication factor to be provided, in addition to a password, before access to the account or system is granted.

One study conducted by Google, in conjunction with the University of California San Diego and New York University, showed that multi-factor authentication blocks 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks. Microsoft Director of Identity Security Alex Weinert explained in a July 2019 blog post that multi-factor authentication will block 99.9% of attacks on accounts.

CISA considers these practices to be exceptionally risky, especially when they apply to software and technologies that are accessible over the Internet. While it is common knowledge that these practices are dangerous, they are still highly prevalent and commonly allow hackers to gain access to internal networks to steal sensitive data and conduct ransomware attacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.