CISA Advises Users to Not Use Single-factor Authentication on Internet-exposed Systems
Single-factor Authentication Was Added by CISA to a List of Cybersecurity Bad Practices.
The Bad Practices catalog is a collection of practices that are considered to be “exceptionally risky” by the US Cybersecurity and Infrastructure Security Agency (CISA).
The practices listed in the document are ones that organizations in both government and the private sector should avoid, because they expose those organizations to unnecessary risk.
Besides single-factor authentication, the catalog currently holds only two other entries: use of end-of-life (or out-of-support) software, and use of default (or known) credentials.
CISA is developing a catalog of Bad Practices that are exceptionally risky, especially in organizations supporting Critical Infrastructure or NCFs. The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public. Entries in the catalog will be listed here as they are added.
Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
These practices are considered to be exceptionally dangerous for organizations that support Critical Infrastructure or National Critical Functions (NCFs) responsible for national security and economic stability, as well as the public’s safety, and they could be “especially egregious” when discussing Internet-exposed systems that can be targeted and compromised by malicious actors.
CISA Advises Organizations to Switch to Multi-factor Authentication
Single-factor authentication (SFA), the authentication method that only requires users to provide a username and a password, is considered to be “exceptionally risky” when used for remote authentication or for logging into an account with administrative permissions.
Attackers can easily gain access to systems protected only by this method, since passwords are readily stolen or guessed through techniques such as phishing, keylogging, network sniffing, social engineering, malware, brute-force attacks, and credential dumping.
What to Do?
CISA advises organizations to switch to multi-factor authentication (MFA). Requiring a second factor makes it considerably harder for threat actors to turn a stolen or guessed password into access.
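One way a defender can operationalize the three catalog entries is an inventory audit that flags each exposed service against them. The script below is an added example, not CISA's code or part of the article; the asset records and field names are constructed assumptions, and the rules follow the catalog's own scoping (SFA only counts for remote or administrative access, and any finding on an Internet-exposed system is rated "egregious").

```python
from datetime import date

# Constructed sample inventory (assumed schema, not from the article):
# one record per service that the organization operates.
ASSETS = [
    {"name": "vpn-gw", "internet_exposed": True, "access": "remote",
     "auth_factors": 1, "support_ends": "2026-12-31", "default_creds": False},
    {"name": "admin-portal", "internet_exposed": True, "access": "admin",
     "auth_factors": 2, "support_ends": "2021-06-30", "default_creds": False},
    {"name": "plc-hmi", "internet_exposed": True, "access": "admin",
     "auth_factors": 1, "support_ends": "2027-01-01", "default_creds": True},
    {"name": "intranet-wiki", "internet_exposed": False, "access": "user",
     "auth_factors": 1, "support_ends": "2027-01-01", "default_creds": False},
]

# Catalog entry names used as finding tags.
SFA, EOL, DEFAULT_CREDS = "single-factor-auth", "end-of-life-software", "default-credentials"


def audit(assets, today=None):
    """Return (asset name, catalog entry, severity) for every bad practice found."""
    today = today or date.today()
    findings = []
    for a in assets:
        tags = []
        # SFA is a catalog entry only for remote or administrative access.
        if a["auth_factors"] < 2 and a["access"] in ("remote", "admin"):
            tags.append(SFA)
        # Software past its vendor support date is end-of-life.
        if date.fromisoformat(a["support_ends"]) < today:
            tags.append(EOL)
        # Known/fixed/default credentials, regardless of how the service is reached.
        if a["default_creds"]:
            tags.append(DEFAULT_CREDS)
        # The catalog calls each practice "especially egregious" when Internet-accessible.
        severity = "egregious" if a["internet_exposed"] else "high"
        findings.extend((a["name"], t, severity) for t in tags)
    return findings


def summarize(findings):
    """Count findings per catalog entry, e.g. for a dashboard or ticket queue."""
    counts = {}
    for _, tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for name, tag, severity in audit(ASSETS, today=date(2022, 1, 1)):
        print(f"{severity:9} {name:14} {tag}")
```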
CISA has also opened a GitHub Bad Practices discussions page so that IT professionals and administrators can provide feedback and share their expertise on defending against these practices.
According to the journalists at BleepingComputer, additional cybersecurity bad practices that CISA might add to the list include:
- using weak cryptographic functions or key sizes
- flat network topologies
- mingling of IT and OT networks
- everyone’s an administrator (lack of least privilege)
- utilization of previously compromised systems without sanitization
- transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks
- poor physical controls
Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions. CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices.