The bad practices highlighted by CISA include the use of unsupported or end-of-life software, the use of known/fixed/default credentials, and the use of single-factor authentication for remote or administrative access.