The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added single-factor authentication to the short list of "exceptionally risky" cybersecurity practices that could expose critical infrastructure as well as government and the private sector entities to devastating cyberattacks.
Single-factor authentication is a method of signing in users to websites and remote systems by using only one way of verifying their identity, typically a combination of username and password. It's considered to be of low-security, since it heavily relies on "matching one factor — such as a password — to a username to gain access to a system."
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
But with weak, reused, and common passwords posing a grave threat and emerging a lucrative attack vector, the use of single-factor authentication can lead to unnecessary risk of compromise and increase the possibility of account takeover by cybercriminals.
With the latest development, the list of bad practices now encompasses —
- Use of unsupported (or end-of-life) software
- Use of known/fixed/default passwords and credentials, and
- Use of single-factor authentication for remote or administrative access to systems
"Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions," CISA said.
"The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public," the agency noted.
Furthermore, CISA is considering adding a number of other practices to the catalog, including —
- Using weak cryptographic functions or key sizes
- Flat network topologies
- Mingling of IT and OT networks
- Everyone's an administrator (lack of least privilege)
- Utilization of previously compromised systems without sanitization
- Transmission of sensitive, unencrypted / unauthenticated traffic over uncontrolled networks, and
- Poor physical controls