The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added single-factor authentication to the short list of “exceptionally dangerous” cybersecurity practices that could expose critical infrastructure, as well as government and private sector entities, to devastating cyberattacks.
Single-factor authentication is a method of signing in users to websites and remote systems by using only one way of verifying their identity, typically a combination of username and password. It is considered to be of low security, since it relies heavily on “matching one factor — such as a password — to a username to gain access to a system.”
But with weak, reused, and common passwords posing a grave threat and emerging as a lucrative attack vector, the use of single-factor authentication can lead to unnecessary risk of compromise and increase the possibility of account takeover by cybercriminals.
With the latest development, the list of bad practices now encompasses:
- Use of unsupported (or end-of-life) software
- Use of known/fixed/default passwords and credentials, and
- Use of single-factor authentication for remote or administrative access to systems
“Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions,” CISA said.
“The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public,” the agency noted.
Additionally, CISA is considering adding a number of other practices to the catalog, including:
- Using weak cryptographic functions or key sizes
- Flat network topologies
- Mingling of IT and OT networks
- Everyone’s an administrator (lack of least privilege)
- Utilization of previously compromised systems without sanitization
- Transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks, and
- Poor physical controls