#RSAC: CISA Outlines Bad Practices Every Organization Should Avoid

There are a few bad IT practices that are dangerous for any organization and particularly for organizations in critical industries like healthcare.

At the RSA Conference 2022, Donald Benack, deputy associate director at the Cybersecurity and Infrastructure Security Agency (CISA), and Joshua Corman, founder of I am the Cavalry, outlined what the US Government sees as the three most critical bad practices for IT today.

“The uncomfortable truth is that we cannot just say do best practices,” Corman said.

Corman noted that in healthcare settings, in particular, there are resource shortages and a chronic lack of IT staff of any type, let alone those focused on security. He defined the healthcare environment as target-rich but resource-poor regarding IT security.

The concept of being ‘cyber-poor’ was defined by Corman as being deficient in a few areas. One area is insufficient information and awareness, which can be fixed with education. Another is insufficient incentives to make sure an organization is doing the things that keep the public safe. But in many cases, it’s insufficient resources: a lack of staff, skills or money is enough for any organization to be classed as cyber-poor.

CISA’s Bad Practices

Benack explained that CISA’s goal of publicly declaring what the bad practices are for IT is about providing simple, direct guidance to any organization with no cyber expertise on staff or limited access to cyber expertise.

“The bad practices are the equivalent of your doctor telling you not to eat fried fatty foods every single day of your life because that’s bad,” Benack said.

The initial list of bad practices has only three items, and Benack emphasized that all three are activities that absolutely must stop.

The Bad Practices:

  1. Use of unsupported or end-of-life software
  2. Use of known / fixed / default credentials
  3. Use of single-factor authentication for remote or administrative access

“All of these practices are not based on theory; they’re based on analysis of all the incident reports and access to information CISA has around what’s being exploited in the wild,” Benack said.
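The three bad practices are concrete enough to audit for. The script below is an added example, not code from the article, from CISA or from the speakers: it walks a constructed asset inventory and emits a finding for each of the three practices. The support catalog, the default-credential list and the inventory are all placeholders constructed for the example (no real vendor data), and an asset whose product/version has no support record is treated as unsupported until verified, which is a conservative assumption chosen here rather than anything the talk specified.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date

# --- Constructed reference data (placeholders, not real vendor catalogs) ---

# (product, version) -> vendor end-of-support date. Anything absent is
# treated as unsupported until someone verifies it (conservative default).
EOL_DATES = {
    ("ExampleOS", "1.0"): date(2020, 1, 1),
    ("ExampleOS", "2.0"): date(2030, 1, 1),
    ("ExampleDB", "9"): date(2021, 6, 30),
}


def sha256_hex(secret: str) -> str:
    """Hash helper so the audit compares hashes, never cleartext passwords."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Known/fixed/default credentials as (username, sha256(password)) pairs.
# The passwords here are constructed placeholders, not real vendor defaults.
DEFAULT_CREDENTIALS = {
    ("admin", sha256_hex("placeholder-default-1")),
    ("root", sha256_hex("placeholder-default-2")),
}


@dataclass
class Account:
    username: str
    password_hash: str          # sha256 hex of the configured password
    is_admin: bool
    remote_access: bool         # reachable from off-site (VPN/RDP/SSH/web)
    mfa_enabled: bool


@dataclass
class Asset:
    name: str
    product: str
    version: str
    accounts: list[Account] = field(default_factory=list)


def audit_asset(asset, today, eol_dates=EOL_DATES, default_creds=DEFAULT_CREDENTIALS):
    """Return (code, asset_name, message) findings for one asset.

    BP1 = unsupported/end-of-life software
    BP2 = known/fixed/default credentials
    BP3 = single-factor auth on remote or administrative access
    """
    findings = []

    eol = eol_dates.get((asset.product, asset.version))
    if eol is None:
        findings.append(("BP1", asset.name,
                         f"{asset.product} {asset.version} has no support record; treat as unsupported"))
    elif eol <= today:
        findings.append(("BP1", asset.name,
                         f"{asset.product} {asset.version} reached end of support on {eol.isoformat()}"))

    for acct in asset.accounts:
        if (acct.username, acct.password_hash) in default_creds:
            findings.append(("BP2", asset.name,
                             f"account '{acct.username}' still uses a known default credential"))
        if (acct.remote_access or acct.is_admin) and not acct.mfa_enabled:
            scope = "remote" if acct.remote_access else "administrative"
            findings.append(("BP3", asset.name,
                             f"account '{acct.username}' has {scope} access without MFA"))
    return findings


def audit_inventory(assets, today):
    findings = []
    for asset in assets:
        findings.extend(audit_asset(asset, today))
    return findings


def summarize(findings):
    """Count findings per bad-practice code."""
    counts = {"BP1": 0, "BP2": 0, "BP3": 0}
    for code, _, _ in findings:
        counts[code] += 1
    return counts


def run_sample_audit(today=date(2022, 6, 10)):
    """Constructed three-asset inventory that exercises all three checks."""
    inventory = [
        Asset("pacs-01", "ExampleOS", "1.0", [
            Account("admin", sha256_hex("placeholder-default-1"), True, True, False),
        ]),
        Asset("web-02", "ExampleOS", "2.0", [
            Account("svc_deploy", sha256_hex("constructed-rotated-secret"), False, True, True),
            Account("ops", sha256_hex("constructed-unique-secret"), True, False, False),
        ]),
        Asset("legacy-db", "ExampleDB", "8"),
    ]
    return audit_inventory(inventory, today)


if __name__ == "__main__":
    results = run_sample_audit()
    for code, name, msg in results:
        print(f"[{code}] {name}: {msg}")
    print(summarize(results))
```

Running the sample inventory yields five findings: the imaging host trips all three checks at once (end-of-life OS, a default admin credential, and remote admin access without MFA), the supported web host has only a local admin account lacking MFA, and the database with no catalog entry is flagged for verification. Replacing the placeholder catalogs with a real support-lifecycle feed and the organization's own credential-hash baseline is what turns this into a usable control.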
