Light Dark
October 12, 2021 By NewsCred System 4 min read
Data Protection
Risk Management
Security Services

In terms of database security, any bad practice is dangerous. Still, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently deemed some behavior as “exceptionally risky.” Are your teams engaged in these high-risk practices? What can you do to mitigate the risk of a data breach?

As per CISA, “The presence of these Bad Practices in organizations that support Critical Infrastructure… is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability and life, health and safety of the public.”

Even for those outside of national cybersecurity, these behaviors should be top of mind for any vulnerability assessment. While they may seem simple, each one involves complex cyber crime that cannot be ignored.

CISA Risky Behavior 1: Single-Factor Authentication

Single-factor authentication means a username and password grant user access with nothing else required. According to CISA, this is an all-too-common high-risk practice. Microsoft revealed its cloud services see about 300 million fraudulent sign-in attempts every day. Even eight-character passwords — with a mix of numbers, upper and lowercase letters and special characters — are cracked with relative ease.

The good news is that multifactor authentication (MFA) can stop 100% of bot attacks and 99% of bulk phishing attacks.

One common MFA method is a username and password, plus a message, link or code sent by text message. The second factor may also be a pin code, personal trivia (such as mother’s maiden name), a USB key fob or biometrics.

MFA Challenges

Still, there are some problems with MFA. Let’s say text messaging is the second factor. What happens if someone loses their smartphone or has it stolen? They lose access.

With SIM swapping, attackers trick, coerce or bribe phone company employees to transfer phone numbers to their own SIM cards. They can even generate fake SIM cards that mimic existing numbers. Also, by scanning wireless provider websites, attackers can find old phone numbers that have been abandoned.

Princeton researchers noticed that phone companies offer new numbers in blocks. Recycled numbers, however, appear in non-consecutive blocks. Attackers can match recycled numbers against directories on the dark web. Then, using numbers linked to online accounts, attackers can reset the passwords.

Due to more refined authentication threats, data security teams are turning to more advanced Identity and Access Management. This includes using context-based insight (such as device IDs, behavioral biometrics and location data) which leaves less room for risky authentication.

CISA Exceptionally Risky Behavior 2: Default Passwords and Credentials

If everybody and their cousin knows your username and password, you have a big problem. Some even have credentials written on a Post-it stuck to their monitor. These can be easily leaked. Plus, known, fixed or default credentials are simple to crack, CISA warns.

One way around this is to get rid of shared accounts. Also, run your passwords through strength evaluation, which ensures all passwords are unique and complex enough for threat deterrence. In the end, this category is a subset of the single-factor authentication risk basket.

CISA Exceptionally Risky Behavior 3: Unsupported or End-of-Life (EOL) Software

Upon finding outdated software or operating systems, threat actors can exploit existing data protection vulnerabilities. Since old software doesn’t get updated, the application security becomes patchless. CISA has been warning about this for years.

End-of-life (EOL) software is well-known terrain for threat actors. Sadly, it appears the well-known WannaCry ransomware attack on Microsoft Windows in 2017 still often flew under the radar. How do we know this? What else explains the fact that WannaCry attacks increased 53% from January 2021 to March 2021?

Microsoft had already released patches to close these doors. Still, much of WannaCry’s spread was from groups that did not apply the patches. Or they were using even older end-of-life Windows systems.

Some ways to mitigate unsupported this type of risk include:

  • Buy extended support – This is not the least expensive option, but consider the cost of a data breach. Extended support may not be possible for every system.
  • Isolate the risk – Separate standalone machines from your network and/or prohibit public internet access. Or isolate on a separate network with tight inbound and outbound traffic firewalls.
  • Limit user access – Audit who needs access and remove the software from devices that do not. If possible, consider setting some devices aside for only EOL software use.
  • Stay informed – Some vendors and original software providers may offer patches for common openings. Stay on the lookout for these while you implement long-term fixes.
  • Plan to upgrade – Out-of-date software carries security, operational, regulatory and compatibility issues. In the end, you need to formulate a replacement plan.

Avoid Dangerous Behavior

The CISA list isn’t long. End-of-life software issues always lead to a software upgrade or replacement. This leaves identity and access oversight as the most dangerous practice.

Static authentication often makes things too easy for threat actors or too cumbersome for users. As a solution, adaptive access strategies use artificial intelligence (AI) to build contextual authentication insights.

AI can determine the level of trust or risk tied to each user in any given context. When paired with access policy rules, this allows security to base access on level of trust. In low-risk cases, you can grant streamlined or even passwordless access. Meanwhile, advanced MFA can challenge high-risk users and protect access to critical infrastructure.

Adaptive access represents an emerging security trend. It’s no longer enough to set it and forget it. To stay ahead of threat actors, security context evaluation is critical.

Remember, avoiding dangerous behavior is a team effort. For cybersecurity training and cyber awareness training, make sure to educate your employees. For example, remind them that phishing attacks can occur via email, Voice over Internet Protocol, text and social media. So keep spreading the word, and be safe out there.

 |  |  |  |  |  |  | 
NewsCred System

More from Data Protection
January 27, 2025

How secure are green data centers? Consider these 5 trends

4 min read - As organizations increasingly measure environmental impact towards their sustainability goals, many are focusing on their data centers.KPMG found that the majority of the top 100 companies measure and report on their sustainability efforts. Because data centers consume a large amount of energy, Gartner predicts that by 2027, three in four organizations will have implemented a data center sustainability program, which often includes implementing a green data center.“Responsibilities for sustainability are increasingly being passed down from CIOs to infrastructure and operations…

January 21, 2025

Why maintaining data cleanliness is essential to cybersecurity

3 min read - Data, in all its shapes and forms, is one of the most critical assets a business possesses. Not only does it provide organizations with critical information regarding their systems and processes, but it also fuels growth and enables better decision-making on all levels.However, like any other piece of company equipment, data can degrade over time and become less valuable if organizations aren’t careful. What’s even more dangerous is that neglecting data hygiene can expose organizations to a number of security…

January 3, 2025

Router reality check: 86% of default passwords have never been changed

4 min read - Misconfigurations remain a popular compromise point — and routers are leading the way.According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using "admin" and "password" as credentials?It's time for a router reality check.Rising router risksRouters…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature