#RSAC: CISA outlines bad practices that every organization should avoid

There are a few bad IT practices that are dangerous for any organization and especially for organizations in critical sectors like healthcare.

At RSA Conference 2022, Donald Benack, Deputy Associate Director at the Cybersecurity and Infrastructure Security Agency (CISA), and Joshua Corman, Founder of I am the Cavalry, outlined what the US government considers the three most critical IT malpractices today.

“The uncomfortable truth is that we can’t just say to do best practices,” Corman said.

Corman noted that in healthcare facilities, in particular, there are resource shortages and a chronic lack of IT staff of any type, let alone those focused on security. He defined the healthcare environment as rich in targets but poor in IT security resources.

Corman defined the concept of being “cyber-poor” as being deficient in a few areas. One is a lack of information and awareness, which can be corrected through education. Another is a lack of incentives to ensure that an organization does the things that keep the public safe. In many cases, though, the problem is simply insufficient resources: a lack of staff, skills or money is enough for any organization to be defined as cyber-poor.

CISA’s bad practices list

Benack explained that CISA’s goal in publicly declaring bad IT practices is to provide simple, straightforward advice to any organization that has no cyber expertise on staff, or only limited access to it.

“Bad practices are the equivalent of your doctor telling you not to eat fatty fried foods every day of your life because it’s bad,” Benack said.

The first list of bad practices only has three items, and Benack pointed out that all three things are activities that absolutely must stop.

Bad practices:

  1. Use of unsupported or end-of-life software
  2. Using Known/Fixed/Default Credentials
  3. Using single-factor authentication for remote or administrative access

“All of these practices are not based on theory; they are based on analysis of all incident reports and access to information that CISA has on what is being exploited in the wild,” Benack said.

Aubrey L. Morgan