CISA Publishes Catalog of Poor Security Practices

Published: 23/11/2024   Category: security


Organizations often focus on promoting best practices, CISA says, but stopping poor security practices is equally important.



The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is creating a catalog of poor security practices that increase risk for organizations, especially those supporting designated critical infrastructure or what it calls National Critical Functions (NCFs).
"Security professionals, including the team at CISA, often focus on promoting best practices they should take," wrote CISA Executive Assistant Director Eric Goldstein in a blog post on the news. "It's equally important," he continued, that they focus on stopping poor security practices as well.
"These risky and dangerous technology practices are too often accepted because of competing priorities, lack of incentives, or resource limitations that preclude sound risk management decisions but result in untenable risks to our national security, economy, critical infrastructure, and public safety," Goldstein explained.
Putting an end to enterprises' most threatening security risks requires that organizations make an effort to stop bad practices. While it's not a substitute for implementing strong security practices, he said, it provides a framework to prioritize the security steps they should be taking.
CISA has created a page where it will list these bad practices as they are added to the catalog.
The first practice on its list is the use of unsupported or end-of-life software in service of critical infrastructure and NCFs, which it says is both dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This practice is particularly egregious in Internet-accessible technologies, officials wrote.
Second is the use of known, fixed, and default passwords and credentials in service of critical infrastructure and NCFs, which it says is also dangerous and increases the risk to national security, national economic security, and national public health and safety. Like the first practice, it's also especially dangerous in Internet-accessible technologies, they report.
CISA notes that while these practices are risky for critical infrastructure and NCFs, it advises all organizations to pursue the steps and conversations needed to address and remove bad practices. It also acknowledges that its list is focused: while it doesn't include every possible bad practice, the absence of a particular practice doesn't mean that CISA endorses it or believes it has an acceptable level of risk.
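One way to turn the two catalog entries above into a repeatable inventory check, added here as an illustration and not anything CISA published: the asset records, the AUDIT_DATE and the credential-state labels are constructed, and an asset that is Internet-accessible is escalated to "critical" in line with the article's emphasis.

```python
from dataclasses import dataclass
from datetime import date

# Constructed asset records (not from the article), shaped like a normalised
# inventory export. "eol" is the vendor end-of-support date or None when no
# end-of-life has been announced; "credential" records how the admin
# credential was provisioned on the asset.
INVENTORY = [
    {"asset": "vpn-gw-01", "product": "ExampleOS", "version": "7",
     "eol": "2020-06-30", "internet_exposed": True, "credential": "vendor-default"},
    {"asset": "hmi-plant-3", "product": "ExampleHMI", "version": "2.1",
     "eol": None, "internet_exposed": False, "credential": "vendor-default"},
    {"asset": "web-02", "product": "ExampleWeb", "version": "9",
     "eol": "2026-01-01", "internet_exposed": True, "credential": "unique"},
]

# Constructed audit date, matching the article's publication date.
AUDIT_DATE = date(2024, 11, 23)

# Credential states that fall under the catalog's second entry
# (known, fixed or default credentials). Labels are constructed.
BAD_CREDENTIAL_STATES = {"vendor-default", "shared-fixed", "documented-known"}


@dataclass(frozen=True)
class Finding:
    asset: str
    practice: str   # "BP1" unsupported/EOL software, "BP2" known/fixed/default credentials
    severity: str   # "high", escalated to "critical" when the asset is Internet-accessible


def evaluate(record: dict, today: date) -> list[Finding]:
    """Return the bad-practice findings for one inventory record."""
    severity = "critical" if record["internet_exposed"] else "high"
    findings = []
    eol = record.get("eol")
    if eol is not None and date.fromisoformat(eol) <= today:
        findings.append(Finding(record["asset"], "BP1", severity))
    if record["credential"] in BAD_CREDENTIAL_STATES:
        findings.append(Finding(record["asset"], "BP2", severity))
    return findings


def audit(inventory: list[dict], today: date) -> list[Finding]:
    """Evaluate every record; critical findings first so the 'critical few' lead the list."""
    findings = [f for record in inventory for f in evaluate(record, today)]
    findings.sort(key=lambda f: (f.severity != "critical", f.asset, f.practice))
    return findings


def run_audit() -> list[Finding]:
    return audit(INVENTORY, AUDIT_DATE)
```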
"The principle of focus on the critical few is a fundamental element of risk management," Goldstein wrote in his blog post. Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization's strategic approach to security.
This is the latest in a series of steps CISA has taken in recent months to aid defenders with information and tools. Earlier this year, the agency expanded its portfolio of open source security tools and administration scripts in its open source library. This month, CISA shared intel regarding the rise in ransomware threats targeting critical infrastructure and increasing the threats to operational technology assets and control systems. Officials have also been consistent in warning security pros of ongoing threats and publishing vulnerability advisories.
