It has been widely reported that the Colonial Pipeline network was infiltrated using a single stolen password for a VPN service that did not support two-factor authentication. The impact? Fuel shortages and disruption across the US and a $4 million+ ransom paid out.
CISA, the Cybersecurity & Infrastructure Security Agency at the US Department of Homeland Security, pulled together a list of bad practices to highlight to organizations, particularly those supporting critical infrastructure. Some of these ‘classic’ but essential cyber hygiene failings can be addressed before criminals take advantage of them and launch a cyberattack.
While critical infrastructure providers may be more specifically targeted, the majority of attacks are automated, disproportionately impacting small businesses around the globe, particularly those who have not yet adopted good cyber hygiene practices.
So let’s take a look at the CISA list:
- Use of unsupported (or end-of-life) software: The 2017 WannaCry ransomware attack was able to propagate due to a known vulnerability in the Microsoft operating system, which affected end-of-life (XP) machines and those that had not applied a previously released patch (or update). The impact: Over 230,000 computers affected and $4 billion in losses across the globe.
GOOD PRACTICE: SET YOUR SYSTEMS TO AUTO-UPDATE. Refer to the Update Your Defenses toolbox in the GCA Cybersecurity Toolkit for help.
- Use of known/fixed/default passwords: As highlighted earlier, Colonial Pipeline is a case in point. Default passwords are readily available, often in manufacturer literature; see also this list of the 200 most common passwords of 2020.
GOOD PRACTICE: USE UNIQUE LONG COMPLEX PASSWORDS ON EVERY ACCOUNT. Watch the video in our Beyond Simple Passwords toolbox for suggestions on how to create strong passwords.
- Use of single-factor authentication: Relying solely on a password to gain access to a system or account is extremely risky. Once an attacker gets hold of this password (it may be weak, stolen in a data breach, or reused from a compromised account) they will straight away be able to log in as you.
GOOD PRACTICE: USE TWO-FACTOR (2FA) / MULTI-FACTOR AUTHENTICATION (MFA) WHEREVER IT IS AVAILABLE. That way an attacker simply cannot get in with your password alone (but do change it anyway if you know it has been compromised – you can use this tool to check). Refer to Tools for 2FA for help implementing 2FA or MFA.
There are more cyber hygiene good practices covered in the GCA Cybersecurity Toolkit, which includes free tools, additional resources, and training material. The toolkit guides small businesses through six essential cyber hygiene practices from taking an inventory, applying security updates, utilising strong passwords, implementing two-factor authentication, protecting against phishing and malware, and backing up data to protecting email and brand reputation. Research from CIS has shown that implementing basic (essential) cyber hygiene controls provides high levels of protection against the top five types of cyber attack.
Bad habits stop right here: By implementing good cyber hygiene practices today, they will become your good habits of tomorrow! Your business will be more secure AND your customers will thank you for it.