The Cybersecurity and Infrastructure Security Agency is working on a catalog of bad cyber practices that pose risks to organizations supporting critical infrastructure and national critical functions (NCFs).
CISA said that using end-of-life or unsupported software, or default, fixed or known passwords and credentials, in support of NCFs and critical infrastructure increases risks to national security, public health and safety, and economic security.
The agency described the first two listed practices as “egregious in internet-accessible technologies.”
“While these practices are dangerous for Critical Infrastructure and NCFs, CISA encourages all organizations to engage in the necessary actions and critical conversations to address Bad Practices,” according to the CISA notice.
The agency’s move comes in response to recent cyberattacks on critical infrastructure.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a recent interview that a new executive order provides the agency with new authorities to counter cyberattacks, including the development of a common playbook for cyber incident response.