Are you on the DHS CISA cybersecurity naughty list?

By: Matthew Karnas, Director of Cybersecurity Practices, VMD Corp

Process is the crucial DevSecOps enabler

Published on Sep 13, 2021

CISA has introduced a website where they list its top cybersecurity bad practices, https://www.cisa.gov/BadPractices. With these bad practices, CISA targets organizations that support Critical Infrastructure or National Critical Functions (NCF), but why wouldn’t all organizations follow these guidelines? At the moment, there are only three items listed as bad practices:

• Use of unsupported (or end-of-life) software
• Use of known/fixed/default passwords and credentials
• Use of single-factor authentication for remote or administrative access to systems

CISA has also opened up the discussion to interested parties on their GitHub, so feel free to comment and vote for what should be the 4th item on their list.

How do you know if your organization is following these bad practices? If you are unable to answer these questions with confidence, you might be on the naughty list.

• What is the number of end-of-life software, OS, or hardware in your infrastructure that supports your Agency’s critical mission? Same question but for software, OS, or hardware that will be end-of-life in the next six months.
• How many systems and devices are using privileged non-human and human accounts that have not been rotated in over 90 days?
• What percentage of critical systems do not have multi-factor enabled for administrative access, both from system front-end and infrastructure back-end? What percentage of that is for internet-facing systems?