In terms of database security, any bad practice is dangerous. Still, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently deemed some behavior as “exceptionally risky.” Are your teams engaged in these high-risk practices? What can you do to mitigate the risk of a data breach?

As per CISA, “The presence of these Bad Practices in organizations that support Critical Infrastructure… is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability and life, health and safety of the public.”

Even for those outside of national cybersecurity, these behaviors should be top of mind for any vulnerability assessment. While they may seem simple, each one involves complex cyber crime that cannot be ignored.

CISA Risky Behavior 1: Single-Factor Authentication

Single-factor authentication means a username and password grant user access with nothing else required. According to CISA, this is an all-too-common high-risk practice. Microsoft revealed its cloud services see about 300 million fraudulent sign-in attempts every day. Even eight-character passwords — with a mix of numbers, upper and lowercase letters and special characters — are cracked with relative ease.

The good news is that multifactor authentication (MFA) can stop 100% of bot attacks and 99% of bulk phishing attacks.

One common MFA method is a username and password, plus a message, link or code sent by text message. The second factor may also be a PIN code, personal trivia (such as a mother’s maiden name), a USB key fob or biometrics.

MFA Challenges

Still, there are some problems with MFA. Let’s say text messaging is the second factor. What happens if someone loses their smartphone or has it stolen? They lose access.

With SIM swapping, attackers trick, coerce or bribe phone company employees to transfer phone numbers to their own SIM cards. They can even generate fake SIM cards that mimic existing numbers. Also, by scanning wireless provider websites, attackers can find old phone numbers that have been abandoned.

Princeton researchers noticed that phone companies offer new numbers in blocks. Recycled numbers, however, appear in non-consecutive blocks. Attackers can match recycled numbers against directories on the dark web. Then, using numbers linked to online accounts, attackers can reset the passwords.

Due to more refined authentication threats, data security teams are turning to more advanced Identity and Access Management. This includes using context-based insight (such as device IDs, behavioral biometrics and location data) which leaves less room for risky authentication.

CISA Exceptionally Risky Behavior 2: Default Passwords and Credentials

If everybody and their cousin knows your username and password, you have a big problem. Some even have credentials written on a Post-it stuck to their monitor. These can be easily leaked. Plus, known, fixed or default credentials are simple to crack, CISA warns.

One way around this is to get rid of shared accounts. Also, run your passwords through strength evaluation, which ensures all passwords are unique and complex enough for threat deterrence. In the end, this category is a subset of the single-factor authentication risk basket.
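One way to put the advice above into practice is an audit of the account inventory for the three problems this section names: default credentials, shared passwords and weak passwords. This is an added example, not from the original article; the default-credential list, the account inventory and the complexity rule are constructed for illustration.

```python
"""Audit an account inventory for default, shared and weak credentials.
Added example; the default list, inventory and policy are constructed."""
import re
from collections import defaultdict

# Constructed vendor defaults. Extend with the defaults of your own devices.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}
DEFAULT_PASSWORDS = {"password", "admin", "123456", "changeme", "welcome1"}

# Constructed inventory: (account, service, password).
ACCOUNTS = [
    ("admin", "router", "admin"),             # vendor default
    ("svc_backup", "nas", "Backup2021!!"),    # same password as next account
    ("svc_backup2", "nas", "Backup2021!!"),
    ("jdoe", "vpn", "Tr0ub4dor&3-horse"),     # long and mixed: passes
    ("ops", "jumpbox", "welcome1"),           # well-known default
    ("guest", "wiki", "Summer2021"),          # too short for the policy
]

def complexity_ok(pw, min_len=12):
    """Constructed policy: at least min_len chars and 3 of 4 character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3

def audit(accounts):
    """Return (subject, finding) pairs; shared-password findings come last."""
    findings = []
    by_password = defaultdict(list)
    for user, service, pw in accounts:
        subject = f"{user}@{service}"
        by_password[pw].append(subject)
        if (user, pw) in DEFAULT_CREDENTIALS or pw.lower() in DEFAULT_PASSWORDS:
            findings.append((subject, "default credential"))
        elif not complexity_ok(pw):
            findings.append((subject, "weak password"))
    # The same password on several accounts is a shared account in disguise.
    for owners in by_password.values():
        if len(owners) > 1:
            findings.append((",".join(owners), "shared password"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(ACCOUNTS):
        print(f"{finding:18} {subject}")
```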

CISA Exceptionally Risky Behavior 3: Unsupported or End-of-Life (EOL) Software

Upon finding outdated software or operating systems, threat actors can exploit known data protection vulnerabilities. Since old software no longer receives updates, those vulnerabilities stay unpatched. CISA has been warning about this for years.

End-of-life (EOL) software is well-known terrain for threat actors. Sadly, the lesson of the well-known 2017 WannaCry ransomware attack on Microsoft Windows still seems to go unheeded. How do we know this? What else explains the fact that WannaCry attacks increased 53% from January 2021 to March 2021?

Microsoft had already released patches to close these doors. Still, much of WannaCry’s spread was from groups that did not apply the patches. Or they were using even older end-of-life Windows systems.

Some ways to mitigate this type of risk include:

  • Buy extended support – This is not the least expensive option, but consider the cost of a data breach. Extended support may not be possible for every system.
  • Isolate the risk – Separate standalone machines from your network and/or prohibit public internet access. Or isolate on a separate network with tight inbound and outbound traffic firewalls.
  • Limit user access – Audit who needs access and remove the software from devices that do not. If possible, consider setting some devices aside for only EOL software use.
  • Stay informed – Some vendors and original software providers may offer patches for common openings. Stay on the lookout for these while you implement long-term fixes.
  • Plan to upgrade – Out-of-date software carries security, operational, regulatory and compatibility issues. In the end, you need to formulate a replacement plan.

Avoid Dangerous Behavior

The CISA list isn’t long. End-of-life software issues always lead to a software upgrade or replacement. This leaves identity and access oversight as the most dangerous practice.

Static authentication often makes things too easy for threat actors or too cumbersome for users. As a solution, adaptive access strategies use artificial intelligence (AI) to build contextual authentication insights.

AI can determine the level of trust or risk tied to each user in any given context. When paired with access policy rules, this allows security to base access on level of trust. In low-risk cases, you can grant streamlined or even passwordless access. Meanwhile, advanced MFA can challenge high-risk users and protect access to critical infrastructure.
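The adaptive access idea described above, scoring each sign-in from context signals (device ID, location, behavioral biometrics) and mapping the trust level to an access decision, as an added example that is not part of the original article or any particular product. The signal weights, thresholds and sample sign-ins are constructed assumptions; a real deployment would tune them from its own data.

```python
"""Adaptive access decision from contextual risk signals.
Added example; weights, thresholds and sample sign-ins are constructed."""
from dataclasses import dataclass

@dataclass
class SignIn:
    user: str
    device_known: bool        # device ID previously enrolled for this user
    country: str              # geolocated from the source address
    home_country: str         # country the user normally signs in from
    typing_anomaly: float     # 0.0 matches behavioral profile, 1.0 very unusual
    failed_attempts: int      # recent failed sign-ins for this account
    critical_resource: bool   # target is a critical-infrastructure system

def risk_score(s: SignIn) -> int:
    """Constructed additive model: higher score means lower trust."""
    score = 0
    if not s.device_known:
        score += 30
    if s.country != s.home_country:
        score += 25
    score += int(40 * s.typing_anomaly)
    score += min(s.failed_attempts, 5) * 5
    if s.critical_resource:
        score += 15
    return score

def decide(s: SignIn) -> str:
    """Map trust level to policy: streamlined, MFA challenge, or step-up/block."""
    score = risk_score(s)
    if score >= 60:
        return "step_up_or_block"
    if score >= 20 or s.critical_resource:
        # Critical infrastructure never gets passwordless access, even when low risk.
        return "require_mfa"
    return "allow_passwordless"

# Constructed sample sign-ins.
SAMPLES = {
    "alice": SignIn("alice", True, "US", "US", 0.1, 0, False),
    "bob":   SignIn("bob", True, "US", "US", 0.0, 0, True),
    "carol": SignIn("carol", False, "RO", "US", 0.8, 3, True),
    "dave":  SignIn("dave", False, "US", "US", 0.2, 0, False),
}

if __name__ == "__main__":
    for name, attempt in SAMPLES.items():
        print(f"{name:6} score={risk_score(attempt):3} -> {decide(attempt)}")
```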

Adaptive access represents an emerging security trend. It’s no longer enough to set it and forget it. To stay ahead of threat actors, security context evaluation is critical.

Remember, avoiding dangerous behavior is a team effort. For cybersecurity training and cyber awareness training, make sure to educate your employees. For example, remind them that phishing attacks can occur via email, Voice over Internet Protocol, text and social media. So keep spreading the word, and be safe out there.
