Do Not Use Single-Factor Authentication on Internet-Exposed Systems, CISA Warns – E Hacking News
The US Cybersecurity and Infrastructure Security Agency (CISA) this week added single-factor authentication (SFA) to a very short list of “exceptionally risky” cybersecurity practices that expose government organizations and private-sector entities to attack by threat actors.
According to CISA, SFA (a low-security authentication method that requires users to provide only a username and a password) is “dangerous and significantly elevates risk to national security” when used for remote or administrative access to systems supporting the operation of critical infrastructure.
“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA explained.
Cybercriminals can readily gain access to systems protected only by single-factor authentication, because passwords are easily stolen or guessed through techniques such as phishing, keylogging, network sniffing, social engineering, malware, brute-force attacks, and credential dumping.
CISA advised organizations to switch to multi-factor authentication (MFA), which makes a successful attack much harder or even impossible for threat actors to pull off. Alongside single-factor authentication, the catalog lists the use of end-of-life (or out-of-support) software and of default (or known) credentials as bad practices that CISA describes as “dangerous”.
According to joint research conducted by Google, New York University, and the University of California San Diego, MFA can prevent 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks.
“Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” Alex Weinert, Microsoft Director of Identity Security said.
CISA has also opened a GitHub Bad Practices discussions page so that IT professionals and administrators can provide feedback and share their expertise on mitigating the risks of cyber-attacks.
Furthermore, CISA is considering adding a number of other practices to the catalog, including:
• using weak cryptographic functions or key sizes
• flat network topologies
• mingling of IT and OT networks
• everyone’s an administrator (lack of least privilege)
• utilization of previously compromised systems without sanitization
• transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks
• poor physical controls
“Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions. CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices,” CISA added.