CISA_Logo

CISA adds single-factor authentication to its catalog of 'Bad Practices'

Earlier this year, in June, the US Cybersecurity and Infrastructure Security Agency (CISA) launched a new project called "Bad Practices" that consisted of a catalog of non-recommended cybersecurity practices, techniques, and configurations.

The initial list only included two entries, but in an update today, CISA officials added a new "bad practice" to their list—namely, the use of single-factor authentication for remote or administrative access systems.

"Single-factor authentication is a common low-security method of authentication," the agency said in a press release today. "It only requires matching one factor—such as a password—to a username to gain access to a system."

Instead, CISA recommended that organizations check its guide for implementing strong authentication [PDF], where multi-factor authentication is the recommended method of securing not only internet-connected accounts but also accounts of any kind.

CISA Bad Practices catalog

Currently, the CISA Bad Practices catalog includes the following entries:

  1. Use of unsupported (or end-of-life) software.
  2. Use of known/fixed/default passwords and credentials.
  3. Use of single-factor authentication for remote or administrative access to systems.

Other bad practices CISA officials are currently considering adding to their catalog include the likes of:

  • Using weak cryptographic functions or key sizes.
  • Flat network topologies.
  • Mingling of IT and OT networks.
  • Everyone's an administrator (lack of least privilege).
  • Utilization of previously compromised systems without sanitization.
  • Transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks.
  • Poor physical controls.

Security experts can also recommend other "bad practices" via this GitHub page.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Tags
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.