Ep 10: CISA Outlines Bad Practices Every Organization Should Avoid
The RSA Convention 2022 wrapped up in early June. At the convention, the US-CISA outlined 3 bad practices that businesses (and people) should avoid to prevent data breaches. The truth is that these bad practices continue to be a problem for everyone, despite the warnings and the ease of protecting against them.
In no particular order, they are:
- Use of unsupported or end-of-life software/hardware
- Use of known/fixed/default credentials
- Use of single-factor authentication for remote or admin access
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in the war against data breaches and ransomware attacks; it’s time to educate.
Welcome to the Human Element podcast. Visit our website at the human element dotnet for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. Welcome to Episode 11 of the Human Element podcast. I’m Scott Gombar, your host, and today we’re going to talk about an article that came out on June 10, or a couple of weeks... well, yeah, about two weeks past the article date. But the information in the article is not really new. I just thought I’d take a moment to highlight how important it is. And this article is on infosecurity-magazine.com. The name of the website is just Infosecurity, but it’s infosecurity-magazine.com. And this is CISA, which is the Cybersecurity and Infrastructure Security Agency in the United States, outlining bad practices every organization should avoid. So I always talk about the Big Four in IT, and that is not patching, or not having a patch program, weak passwords, exposed Remote Desktop Protocol, and then my favorite is phishing. And we talk about all these things because these are the most common ways for attackers to get into an organization or even into a personal computer. This particular article, and apparently, you know, CISA is listing these as the three bad practices that are causing a lot of breaches, data breaches and ransomware attacks, which usually go hand in hand, data breaches and ransomware attacks. So there are a few bad IT practices that are dangerous for any organization, and particularly for organizations in critical industries like health care. So healthcare is a big target; education, legal, financial, those are some of the bigger targets, and critical infrastructure. Those are usually the big targets.
Now critical infrastructure is sort of a separate topic, because they have different systems than all the other ones. Health care, legal, financial, education usually have very similar technology in their environment, whereas critical infrastructure has some other things involved: a lot of IoT devices. Not that the others, not healthcare, definitely has IoT, but more so in critical infrastructure, things that are sometimes vulnerable that they may not realize. But again, this article, CISA’s list of bad practices, and there are three of them, would prevent a lot of the issues that are faced by critical infrastructure. At the RCA Conference 2022... I said RCA, it’s RSA Conference 2022. Donald Benack, Deputy Associate Director at the Cybersecurity and Infrastructure Security Agency, CISA, and Joshua Corman, founder of I Am The Cavalry, outlined what the US government sees as the three most critical bad practices for IT today. Again, so my four are exposed Remote Desktop Protocol, weak passwords, phishing and not having a patching program. So let’s talk about the three that CISA is saying are the bad practices. First, use of unsupported or end-of-life software. This kind of ties in with patching, where there is a tendency for businesses to sometimes not move off of older software. So for example, they may have... I’m dealing with a client now that has Microsoft Office in different forms, in different stages. So they have Microsoft Office 2010, Microsoft Office 2007, and so we’re cleaning it out. We’re getting rid of all these things. Old Microsoft Office is a problem, not only because it means that they haven’t updated, which means there are vulnerabilities that haven’t been addressed, they’re exposed, but also because that means they’re not getting security updates anymore, because those are no longer supported. I did not come across any versions of Windows other than Windows 10. Nothing older than that. So they’re okay there.
But I have seen Windows 7 in other environments, and I’ve had to take it out and either update that machine to Windows 10 or replace the machine. And I have seen other cases of software. So QuickBooks is another example. I see a lot of people with older versions of QuickBooks. I just worked on somebody’s system that had QuickBooks 2014 on it. And, again, I get it, you don’t want to spend the $350 to update QuickBooks Desktop. There are alternatives; you could go to QuickBooks Online. I know they’re not the same, and I know that it’s a big learning curve from one to the other, and I know $300 could be a lot to spend on software. But the risk that you’re taking by not updating, because Intuit is no longer providing updates for that software, is far worse than the $350. And it’s not... they typically support QuickBooks for a few years, so it’s not like you have to do it every year, although I do know some that do update it every year. Older versions of Windows 10. So Windows 10, I don’t know which ones are no longer supported, but I know that 1806, I believe it is, is no longer supported, and I have run into that in the wild. So I have seen laptops and desktops that were running older versions of Windows 10 for various reasons, never updated. Some were issues with the operating system itself, but others were just the end user who never pushed to allow the updates to go through. Typically they happen semi-automatically, depending on settings, but they don’t always work. And you know, that’s what ends up happening. Now you’re unsupported and unprotected because security updates to Microsoft Windows have not been put in. And the same applies to Apple Macintosh devices, to your cell phones, iOS and Android, to Linux devices. All of these systems become vulnerable when security updates are not pushed in, when end of life has been reached. So CentOS 7 is no longer supported. I don’t think it’s supported.
Which I didn’t like, because I like CentOS 7. So now, if you’re not using their newest version of CentOS, which is a rolling version, meaning it updates, they’re no longer going to create new... this is based on what I know, they’re no longer going to create new versions, and you just have to push the updates when they’re available. So that’s the first one, use of unsupported or end-of-life software, which kind of ties in with patching. Essentially, if you haven’t patched, you’re using software that’s outdated. And speaking of which, as I’m recording this, the new Windows updates come out tomorrow. I’m recording this on June 13; this will not be released for about a week and a half, but June 13. So tomorrow the new Windows 10 updates come out, and usually other vendors fall in line with that. Use of known, fixed or default credentials. So this is a big one, and I said passwords was one of my top four, and so this is kind of part of it. First of all, if you’ve been involved in a breach, your account has been compromised. Your information is on the dark web; that means your credentials are on the dark web. That means usernames, email accounts and passwords are on the dark web. And if that information is on the dark web, then it will be used. Not can be used, but it will be used, tested against other accounts. So if you’re, you know, let’s say the parking app, I forget the name of it, but there was a parking app that was compromised last year, and I think it was ParkMobile, and they had their credentials stolen, usernames and passwords. So if you use that same username and password now on your Chase bank account, you’re now at risk, because they’re going to test it. Eventually it will happen, if it hasn’t already.
You know, that could be getting into your social media accounts, email accounts, work accounts, bank accounts, financial accounts, health care accounts. All of these accounts are at risk now because you left that out there and didn’t change the password anywhere else.
The article also says not to reuse known, fixed or default credentials. So reusing account passwords should be included in that. So you should not have the same password across multiple accounts; it should never happen that way. Using a password manager will help you with that issue. So I know it’s difficult; most of us probably have dozens of logins, and you’re not going to remember all of the passwords for all of those accounts unless you use some type of pattern, which is also frowned upon, or you use the same password across all of those accounts. So then, what do you do? Use a password manager, that’s the simple solution. Don’t create a spreadsheet and store it on your computer, or keep it in a Word document, or, I’ve had people say, use a notepad and carry that notepad around with you. Well, what happens if you drop it? Then all those passwords are gone, and somebody else is going to pick it up and use them in whatever application they’re being used in. Fixed passwords. This is more of a programming thing. If you’re using fixed passwords, in other words, you write code and you put the username and password within that code as a fixed password, so it’s there, sort of in plain text. That’s very dangerous, extremely dangerous, and it’s occurred in the past and has been used in attacks in the past. Do not fix a password in an application, in the code. And I’m not by any stretch a coder, but the code should be dynamic, and it should pull from a database when it’s needed. There should not be any fixed passwords in any code anywhere. And then the default passwords. This happens a lot with printers, but also happens with routers and other things. But I cannot tell you... 99% of the time, if I go into a new client and they say, well, they have printer issues, you know, sometimes they have a managed print provider, sometimes they don’t, the printer almost always has the default username and password on it. This is dangerous.
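To make the "fixed password in the code" point concrete, here is an added example (not from the episode, the article, or CISA) showing the weak pattern, a hardened loader that takes the secret at run time and fails closed when it is missing, and a small scanner that flags string literals assigned to credential-like names in source. The function names, the environment variable names `DB_USER`/`DB_PASSWORD`, the regular expression and the sample source lines are all this example's assumptions.

```python
"""Hardcoded ("fixed") credentials: the weak pattern, a hardened loader, and a
simple source scanner. Added example; names, env vars and sample lines are assumed."""
import os
import re
from typing import Dict, List, Optional, Tuple

# --- Weak pattern (constructed sample): the secret is a literal in the code. ---
# Anyone with the source, a repository clone or a build artifact has the secret.
def connect_weak() -> Dict[str, str]:
    return {"user": "admin", "password": "Sup3rS3cret!"}   # hardcoded credential


# --- Hardened pattern: the secret is supplied at run time and never stored in code.
class MissingSecretError(RuntimeError):
    """Raised when a required secret is not provided."""

def load_db_credentials(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Read DB_USER/DB_PASSWORD from the environment (or an injected mapping).
    Fails closed: an absent secret raises instead of falling back to a default."""
    source = os.environ if env is None else env
    user = source.get("DB_USER")
    password = source.get("DB_PASSWORD")
    if not user or not password:
        raise MissingSecretError("DB_USER and DB_PASSWORD must be provided at run time")
    return {"user": user, "password": password}


# --- Detection: flag assignments of string literals to secret-looking names. ---
SECRET_NAME = r"(?:passw(?:or)?d|passwd|secret|api[_-]?key|token)"
HARDCODED_RE = re.compile(
    rf"""(?ix)
    \b\w*{SECRET_NAME}\w*['"]?\s*[:=]\s*   # db_password = / "password": / API_KEY=
    (['"])(?P<value>[^'"]{{4,}})\1         # a quoted literal of 4+ characters
    """)

def find_hardcoded_credentials(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for each line that assigns a quoted
    literal to a credential-like name. Reads from the environment or a vault
    (no quoted literal on the right-hand side) and templated placeholders such
    as "${VAULT_TOKEN}" are not flagged."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = HARDCODED_RE.search(line)
        if m and not m.group("value").startswith("${"):
            findings.append((n, m.group(0).strip()))
    return findings


# Constructed sample source lines, as a scanner would see them in a code base.
SAMPLE_SOURCE = [
    'db_user = "admin"',
    'db_password = "Sup3rS3cret!"',           # flagged: literal secret
    'password = os.environ["DB_PASSWORD"]',   # not flagged: read at run time
    "API_KEY = 'abcd1234efgh'",               # flagged: literal secret
    'token = "${VAULT_TOKEN}"',               # not flagged: placeholder for injection
]

if __name__ == "__main__":
    for line_no, text in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: hardcoded credential: {text}")
    print(load_db_credentials({"DB_USER": "app", "DB_PASSWORD": "from-a-vault"}))
```

The scanner is deliberately simple and will produce some false positives (any `*password*` variable assigned a literal); in practice it is a pre-commit or CI gate that makes a reviewer look, and the hardened loader is what the reviewed code should look like: no default, no fallback, the secret comes from the environment, a secrets manager or, as the episode puts it, a database at the moment it is needed.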
This is a way into your network. This is a way to expose your business to a potential breach. Remove default credentials from any device on your network, or any device, period: routers, printers, all of those things, networking gear. All of them need the default username and password removed immediately. Do not use the default username. Whatever device you have, whatever you’ve purchased and placed in your network, should not have a default username or password. And then the third bad practice is use of single-factor authentication for remote or administrative access. This should be for everything: do not just use single factor, and single factor means username and password. That’s what it is. So when you log into something, you’re just putting in your username and your password. This is very bad practice. Eventually passwords will go away; some sites are starting to move away from it now. Microsoft is moving away from it, other companies are moving away from it, you know, enterprise-type businesses. Eventually that will become the norm, there will be no more passwords. But not including multi-factor authentication... and I would say at bare minimum text, but even that is not secure. I would go as far as an application on your phone that generates codes, a two-factor authentication app like Google, Microsoft or Authy. Or even further, you can use something like a YubiKey. A lot of applications don’t use those yet, although I would imagine, as we continue to move forward, more and more applications will. And so I use a YubiKey for the applications that do work, for example LastPass. And what happens is, when I try to log into LastPass now, instead of asking me to verify a code or send a text message, I have a thumb key, a USB key, that I plug into my computer and touch it with my finger, and that logs me in. That’s the second-factor authentication.
The benefit to that is there’s no way to intercept it; you’d have to physically have access to it in order to intercept it. And so I know where my YubiKey is, because it’s always with me, and you’re not going to get access to it without physically taking it from me. So that’s the two-factor authentication piece. So now you have, so the three again that CISA has said are bad practices: use of unsupported or end-of-life software.
We talked about that, though this doesn’t really happen a lot with Microsoft Windows or Apple Mac anymore. Although it still does happen, it’s not as common. So Windows 10 end of life is October of 2025, so we have a little more than three years, almost three and a half years, before that happens. There are certain versions of Windows 10 that are no longer supported, earlier versions, 18... I don’t know, 1806 or 1809, something like that, is no longer supported, and maybe 1909, I’m not sure if that’s reached end of life off the top of my head. Where this is really becoming a problem is with VPN software and firewalls and things like that. And we see it all the time. You get a list of the top 10 most used vulnerabilities in attacks, and like half of them are three, four or five years old, and they’re usually something like a VPN or a firewall or something like that. Then there’s Microsoft Office; there are a few Microsoft Office ones that are still out there in the wild, and people are using the known vulnerability to attack it. Right now we have the Follina vulnerability, which is, really quickly, a Microsoft vulnerability in Microsoft Word, where if you get a Rich Text Format, RTF, .rtf format document, you could potentially be at risk, because there is still no patch for it as of right now, as of this recording. I think it’ll be released this week, the week of this recording, and it’s already been exploited. So it’s being exploited by Russia and Ukraine, it’s being exploited all around the world to attack people that have not taken mitigation steps. And it does work through phishing; you have to be phished for it to work properly, for the vulnerability to work. So not having that level of "I know what a phishing email looks like and I know how to recognize it", or having zero trust installed and all those things, that’s making it a risky endeavor. But this is a newly discovered zero-day.
And therefore you don’t... it’s reasonable that nobody has a patch yet; there is no patch. However, when you have something that’s three, four, five, six years old that hasn’t been patched yet, or you’re using, you know, a Microsoft Office version that’s been unsupported for many years, so in one case 10 years, then that’s a problem. You know, you’re exposing everything, all your data, all your business, everything. So use of unsupported or end-of-life software; use of known, fixed or default credentials, we’ve talked about that quite a bit, but use unique, strong passwords, meaning 20, I usually do 20 characters or more, uppercase, lowercase, numbers and letters... I’m sorry, yeah, numbers, letters, alphanumeric, special characters as well. At least 20 characters. And just random passwords. There’s no pattern to my passwords at all other than the random. And I never reuse a password. And I always remove default credentials, no matter what it is, no matter what that device is, get rid of the default credentials. I have a desk phone here; I removed the default credentials. And then using only single-factor authentication: if you don’t have a second factor of authentication set up, you’re a walking risk factor right now. And I would tell you, that is probably the quickest fix, and the one that gets ignored, still gets ignored quite a bit in the wild. And again, all of these things, all three of these things. So how does this tie into the human element? Use of unsupported or end-of-life software: trying to save money, or we’re comfortable with it, because we’re familiar with it. There is a big significance between Office 2010 and Office 2022, 22 or 21, I don’t remember which one it is, but the newest version. So there is a big difference. Our use of known, fixed or default credentials, this is just human nature. We want it to be easy. We don’t want to have to have different passwords for everything, or we want it to be easy to remember.
So if I have, you know, my password is password.Facebook, password.LinkedIn, password.Twitter, password.bankaccount, that’s easy for me to remember. We don’t want to do that. That’s bad news. We don’t want things to be complex. In reality, though, using a password manager is easier; using LastPass is so much easier. And then using single-factor authentication: I have talked to people in the financial world, in the legal world, that don’t want to use multi-factor authentication, two-factor authentication, because it’s extra work for them to have to sign in. It’s too much work. Yeah. And sometimes I get frustrated because I’ve got to look for the token, the YubiKey, or I have to look for my phone and unlock my phone and go to the app. Sometimes it’s annoying, but you know what’s more annoying? Being compromised, having my account taken over by someone. So, human nature, human element:
we want things to be easy. We don’t want to have to be disrupted from our normal activities. But I can promise you one thing: a ransomware attack or a data breach will disrupt you from your normal activities, and it is far more damaging than any two-factor authentication or complex password policy or removing unsupported devices from your environment. So until next time, stay secure.
Transcribed by https://otter.ai