Organizations often focus on promoting best practices, CISA says, but stopping poor security practices is equally important.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is creating a catalog of poor security practices that increase risk for organizations, especially those supporting designated critical infrastructure or what it calls National Critical Functions (NCFs).
Security professionals, including the team at CISA, often focus on promoting the best practices organizations should adopt, CISA Executive Assistant Director Eric Goldstein wrote in a blog post announcing the catalog. It is equally important, he continued, to focus on stopping poor security practices.
These risky and dangerous technology practices are “too often accepted because of competing priorities, lack of incentives, or resource limitations that preclude sound risk management decisions but result in untenable risks to our national security, economy, critical infrastructure, and public safety,” Goldstein explained.
Putting an end to the most threatening security risks requires that organizations make a deliberate effort to stop bad practices. While the catalog is not a substitute for implementing strong security practices, he said, it provides a framework for prioritizing the security steps organizations should take.
CISA has created a page where it will list these bad practices as they are added to the catalog.
The first practice on the list is the use of unsupported or end-of-life software in service of critical infrastructure and NCFs, which CISA says is dangerous and "significantly elevates risk" to national security, national economic security, and national public health and safety. The practice is especially egregious in Internet-accessible technologies, officials wrote.
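A practical way to act on this first catalog entry is to check an asset inventory against known end-of-life dates and surface Internet-facing hits first, since those are the ones CISA singles out. The following Python is an added example, not code from CISA or from the article; the product names, versions, host names and EOL dates are constructed placeholders, not vendor data, and assets whose support status cannot be determined are flagged as well because an unknown status cannot be attested to.

```python
from dataclasses import dataclass
from datetime import date

# Constructed end-of-life table: product -> {major.minor branch: EOL date}.
# Illustrative placeholders only; in practice this would come from vendor
# lifecycle pages or a maintained feed such as endoflife.date.
EOL_TABLE = {
    "exampleos": {"1.0": date(2020, 1, 1), "2.0": date(2026, 6, 30)},
    "examplehttpd": {"3.4": date(2021, 12, 31), "3.5": date(2027, 3, 1)},
}


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


# Constructed inventory, the kind of data a CMDB or scanner export would give.
INVENTORY = [
    Asset("web-01", "examplehttpd", "3.4.12", internet_facing=True),
    Asset("db-01", "exampleos", "1.0.3", internet_facing=False),
    Asset("app-02", "exampleos", "2.0.1", internet_facing=True),
    Asset("edge-03", "legacyvpn", "9.1", internet_facing=True),  # no lifecycle data
]


def branch_of(version: str) -> str:
    """Reduce a full version string to the major.minor branch the EOL table is keyed on."""
    return ".".join(version.split(".")[:2])


def find_unsupported(inventory, eol_table, today=None):
    """Return (asset, reason) pairs for assets that are past EOL or have no support data.

    Internet-facing assets are listed first, then ordered by host name, so the
    most exposed problems are at the top of the report.
    """
    today = today or date.today()
    findings = []
    for asset in inventory:
        branches = eol_table.get(asset.product.lower())
        if branches is None:
            findings.append((asset, "no lifecycle data for product"))
            continue
        eol = branches.get(branch_of(asset.version))
        if eol is None:
            findings.append((asset, "no lifecycle data for this branch"))
        elif eol <= today:
            findings.append((asset, f"end of life since {eol.isoformat()}"))
    findings.sort(key=lambda f: (not f[0].internet_facing, f[0].host))
    return findings


if __name__ == "__main__":
    for asset, reason in find_unsupported(INVENTORY, EOL_TABLE):
        exposure = "INTERNET-FACING" if asset.internet_facing else "internal"
        print(f"{exposure:15} {asset.host:8} {asset.product} {asset.version}: {reason}")
```

The check keys on the major.minor branch rather than the exact patch level because vendors usually publish lifecycle dates per branch; a version still receiving patches on a supported branch is not flagged.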