The Three Bad Practices That Leave People Vulnerable To Hacks, Explained By U.S. Security Agency

The internet can be deceiving.

On the surface, things may look friendly and harmless. Things can be colorful and interactive. The web can certainly entertain anyone who visits it. But what lies behind the code can be quite the opposite.

With the world connected digitally, information can be accessed regardless of where people are. But accessing that information requires a few things.

For example, people need a device that can connect to the internet. That device must also have the software needed to browse the web. And while browsing the web, some activities and information are locked behind a secure login page, so people must first enter their credentials before accessing them.

Most people who are already familiar with the internet should find the process very straightforward.

But what those people may not know is that there are risky practices that can make them easy targets for cybercriminals.


The Cybersecurity and Infrastructure Security Agency (CISA) is a standalone U.S. federal agency.

It operates under the Department of Homeland Security (DHS), continuing the work of the National Protection and Programs Directorate (NPPD).

The agency was established in November 2018, when President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law.

And here, CISA warns that there are some things people often do that can leave networks exposed to hackers.

These "exceptionally risky" behaviors should be avoided at all costs. But CISA's advice is aimed mainly at those who support critical infrastructure.

"[...] cyberattacks against critical infrastructure can have significant impacts on the critical functions of government and the private sector. All organizations, and particularly those supporting designated Critical Infrastructure or National Critical Functions (NCF) should implement an effective cybersecurity program to protect against cyber threats and manage cyber risk in a manner commensurate with the criticality of those NCFs to national security, national economic security, and/or national public health and safety," wrote CISA.

CISA said that the presence of the following three bad practices in organizations “is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public."

While CISA's list of dangerous bad practices is designed as advice for organizations running or supporting critical infrastructure, the list should also be useful for businesses.


1. Using Unsupported Software

Bugs and other vulnerabilities are often found in software. That's normal, as long as the software vendor is still patching the weaknesses as soon as they are found.

It is only during that time that the software is supported through regular or unscheduled security updates. Past that time, the software has reached its end of life (EOL).

What this means is that the software will no longer be supported.

So if a bug is found, the vendor will not patch it. Hackers benefit here, because users of that EOL software will be the most vulnerable to their attacks.

2. Using Default Usernames and Passwords

Using known, fixed, or default passwords is another bad practice that only translates to disaster.

CISA describes this as "dangerous," because hackers tend to target those kinds of passwords first, before trying other methods in their brute-force attacks.

CISA also warns against the use of passwords that are known to have been breached previously, as they too provide hackers with a simple means of gaining access to networks.

3. Using Single-Factor Authentication

The third dangerous practice is using single-factor authentication. This is the simplest form of authentication, where a person uses only one credential to verify their identity online. The most common credential is the password paired with a username.

“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA said.

“This dangerous practice is especially egregious in technologies accessible from the internet.”
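As an added illustration of the second and third bad practices (this is example code, not part of the article or of CISA's guidance): a single-factor login check beside a hardened version that refuses default or previously breached passwords at enrollment and requires a time-based one-time code (RFC 6238 TOTP) as a second factor. The credential lists are constructed for the example, and the TOTP secret is whatever the caller enrolls.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample data (not from the article): credential pairs an attacker
# tries first, and passwords that appeared in earlier breaches.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def password_is_acceptable(username: str, password: str) -> bool:
    """Bad practice 2: refuse default credential pairs and known-breached passwords."""
    return (username, password) not in DEFAULT_CREDENTIALS and password not in BREACHED_PASSWORDS


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256; a fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step, digits)


def enroll(username: str, password: str, totp_secret: bytes, users: dict) -> bool:
    """Create an account only if the password passes the default/breached check."""
    if not password_is_acceptable(username, password):
        return False
    users[username] = {"pw": hash_password(password), "totp": totp_secret}
    return True


def login_single_factor(username: str, password: str, users: dict) -> bool:
    """Bad practice 3: one credential decides everything."""
    rec = users.get(username)
    if rec is None:
        return False
    salt, digest = rec["pw"]
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def login_two_factor(username: str, password: str, code: str, users: dict, at: int, step: int = 30) -> bool:
    """Hardened form: password AND a TOTP code, accepting one step either side of 'at' for clock drift."""
    if not login_single_factor(username, password, users):
        return False
    secret = users[username]["totp"]
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code) for d in (-1, 0, 1))
```

The HOTP/TOTP routines reproduce the RFC 4226 and RFC 6238 test vectors, so the second factor can be checked against any standard authenticator app.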