CISA Starts Cataloging Bad Practices in Cybersecurity
The agency plans to keep updating the narrow list based on feedback from cybersecurity professionals.

The Cybersecurity and Infrastructure Security Agency released a list of two bad practices Tuesday in an effort to help critical infrastructure providers prioritize their cybersecurity responsibilities.

The bad practices are using unsupported or “end-of-life” software, and using known/fixed/default passwords and credentials, according to a blog post published by CISA Executive Assistant Director Eric Goldstein. He said the list is deliberately focused and that the dangerous practices listed are exceptionally egregious in internet-accessible technologies.

“There is certainly no lack of standards, practices, control catalogs, and guidelines available to improve an organization’s cybersecurity. While this body of guidance is invaluable, the sheer breadth of recommendations can often be daunting for leaders and risk managers,” Goldstein wrote. “The principle of ‘focus on the critical few’ is a fundamental element of risk management. Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization’s strategic approach to security. Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of ‘what to do first.’”

CISA created a web page for cataloging the bad practices, which Goldstein said the agency will keep updating based on feedback from risk managers and cybersecurity professionals.

Reactions to the short catalog were mixed. Victoria Mosby, federal sales engineer at the firm Lookout, highlighted bad practices specific to mobile device management, and Sean Frazier, federal chief security officer at the identity and access management company Okta, said it would be more helpful to address security teams directly and with more detail.

“It’s easy to say, ‘don’t use the same passwords’ or ‘use strong passwords,’ but that puts all the onus on the users and none of the responsibility on the security teams,” Frazier said. “What we should say is, ‘Users need to be part of the security solution and if they must use passwords (almost everybody does), we should provide them with the best practices and the tools to do so, things like multi-factor authentication, password managers and best practice training and phishing exercises. Or better yet, provide them with anti-phishing technologies like secure hardware tokens that are easy to use.’”

But Jim Richberg, public sector field chief information security officer at Fortinet and a former national intelligence manager for cyber at the Office of the Director of National Intelligence, suggested that the list’s brevity is a good thing.

“As long as the catalog remains focused, it could be a tool that can arm CISOs to have a helpful discussion about making changes in their organization,” he said.