Sun Sep 05 2021
CISA rules SFA as ‘bad practice’ for critical infrastructure
CISA, the US Cybersecurity and Infrastructure Security Agency, has been urging all US agencies to stop using single-factor authentication (SFA) for any remote access, as it exposes US infrastructure to the risk of systems being compromised by cyber actors.
Because of that, CISA announced last week that it was adding SFA to its official catalogue of ‘bad practices’, the ones it considers exceptionally risky, especially for any US organisations that support critical infrastructure or national critical functions (NCFs).
As recent incidents have demonstrated, cyberattacks against critical infrastructure can have significant impacts on the critical functions of government and the private sector. Organisations must consider implementing an effective cyber security programme to protect against cyber threats.
Single-factor authentication is a low-security method of authentication that requires only one factor (a password, for instance) to match a username in order to gain access to a system.
Multi-factor authentication (MFA) requires two or more factors tied to the same username: for instance, logging in with a username and password and then responding to a text message on a mobile phone to confirm the log-in (there are obviously more advanced methods, including facial recognition).
MFA can be broken down into…
A 2019 joint study by Google, New York University and the University of California, San Diego clearly demonstrated the risk of SFA: it found that simply adding a recovery telephone number to a Google account blocked 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks.
Other outdated cyber security practices on CISA’s ‘bad practice’ list include the continued use of end-of-life software and the use of default passwords (think Password1).