Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

CISA: Don’t use single-factor auth on Internet-exposed systems

CISA: Don’t use single-factor auth on Internet-exposed systems

Single-factor authentication (SFA) has been added today by the US Cybersecurity and Infrastructure Security Agency (CISA) to a very short list of cybersecurity bad practices it advises against.

CISA’s Bad Practices catalog includes practices the federal agency has deemed “exceptionally risky” and not to be used by organizations in the government and the private sector as it exposes them to an unnecessary risk of having their systems compromised by threat actors.

They are exceptionally dangerous for orgs that support Critical Infrastructure or National Critical Functions (NCFs) responsible for national security and economic stability, as well as the public’s safety.

Also Read: A Review of PDPC Undertakings July 2021 Cases

Furthermore, these dangerous practices are “especially egregious” on Internet-exposed systems that threat actors could target and compromise remotely.

Orgs advised to switch to multi-factor authentication

As the federal cybersecurity agency said, SFA (a low-security authentication method that only requires users to provide a username and a password) is “exceptionally risky” when used for remote authentication or logging into an account with administrative permissions.

“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA says.

Attackers can quickly gain access to systems protected using this low-security method given that passwords can be easily stolen or guessed via various techniques (e.g., phishing, keylogging, network sniffing, social engineering, malware, brute-force attacks, credential dumping).

To top it all off, admins sharing the same password and password reuse also increases the risk of attackers compromising SFA-protected systems.

Switching to multi-factor authentication (MFA) makes it a lot harder or even impossible for threat actors to pull off a successful attack.

joint study by Google, New York University, and University of California San Diego found that using MFA can block up to 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks.

Microsoft Director of Identity Security Alex Weinert also said that “your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

The only two other entries on the Bad Practices list are the use of end-of-life (or out-of-support) software and default (or known) credentials.

Admins and IT pros asked to help 

CISA has also opened a GitHub Bad Practices discussions page to allow IT professionals and admins to provide feedback and share their expertise on defending against them.

Additional cybersecurity bad practices the agency is potentially considering to add to the list include:

  • using weak cryptographic functions or key sizes
  • flat network topologies
  • mingling of IT and OT networks
  • everyone’s an administrator (lack of least privilege)
  • utilization of previously compromised systems without sanitization
  • transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks
  • poor physical controls

“Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions,” CISA added.

“CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices.”

Also Read: Got A Notice of Data Breach? Don’t Panic!



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us