2023/40 Weekly Update from the “City ISAC I4C+” Highlights: [TLP:RED] Guidance – Ransomware is often paid / MFA – JFDI! / You control how often passwords are changed / Have colleagues call your partner during incidents / Top 10 cybersecurity misconfigurations / No call next week

[TLP:WHITE]

** For Back Issues see https://isac4cities.eu/blog **

** IMPORTANT – No Call Next Week on Friday 13 October **

Weekly [TLP:RED] – Please contact us directly for more information – these are summaries only and the “key” is in the actual stories. They are based on honest comments by peers in private conversations and they would probably never acknowledge the statement officially:

  • Weekly [TLP:RED] for Publicly Elected Officials: Usually you are not permitted to pay ransomware. Others (like insurance companies) may however be able to do this unofficially for you. Ransomware is paid more often than you might imagine.
  • Weekly [TLP:RED] for Essential Services Managers: You can control the interval of password changes for staff to be shorter than any central policies – stay safe by implementing a departmental policy for changing them every three months.
  • Weekly [TLP:RED] for IT Leaders: Often we cannot prevent users from installing insecure software from the Internet. We can however ignore fixing technical issues preventing them from working…

Summary

Hi everyone and hope you are well – three cities and three regions stopped by on Friday morning, starting by sharing weekend plans which ranged from aggression reduction on the tennis field, through small tourist trips and beach walking, to horse riding and moderating a child's birthday party. Yes, IT/security “people” do have private lives as well – ok, we do seem to spend strange hours in data centres etc. as well, which prompted one colleague to mention that it can sometimes help to have their colleagues call their partners to confirm that they are on the job (i.e., at 11 pm on a Saturday night when battling a security breach).

One region close to the city of a member was recently impacted by ransomware in the water supply space – water supply was not impacted, however the complete administrative space seemed to be down, and rumours are that the ransom was paid – something that happens a lot more than we admit.

One member then shared experiences of piloting a dark web monitoring tool and besides seeing the actual results we reflected that pricing for such services is not insignificant and does not avoid the need for internal expert resources to interpret the results within the context of the organisation. This is something our emerging dark web monitoring offer is specifically intended to address – stay tuned. By the way, the primary product sold on the dark web is usernames and passwords – the shorter the interval of password changes, the less chance that when they are bought on the dark web, they will still be valid.

Finally, we agreed on the growing importance of MFA (hardware or software tokens) and that we really need to review the relevant coverage. One member shared the story of a breach that could have been easily prevented with MFA – it really is a “no-brainer” and although MFA is not invincible, it is a major hurdle. If you are interested in the MFA policy for the Azure admin and CLI access of one member – they were kind enough to share – just let me know and I will connect you. MFA – JFDI!

Cheers

Oliver

PS: Check out the “Free Cyber Action Plan”: “Answer a few simple questions to get a free personalised action plan that lists what you or your organisation can do right now to protect against cyber-attack.” See https://www.ncsc.gov.uk/cyberaware/actionplan.

UPDATES

In the News: NSA and CISA reveal top 10 cybersecurity misconfigurations: From Dark Reading (10.05.2023) The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a plea to network defenders to fix easy misconfiguration errors that allow threat actors to launch successful cyberattacks against their organizations. Red and blue teams, as well as incident response teams from both agencies, identified these as the top 10 most common network misconfigurations:

  • Default configurations of software and applications
  • Improper separation of user/administrator privilege
  • Insufficient internal network monitoring
  • Lack of network segmentation
  • Poor patch management
  • Bypass of system access controls
  • Weak or misconfigured multifactor authentication (MFA) methods
  • Insufficient access control lists (ACLs) on network shares and services
  • Poor credential hygiene
  • Unrestricted code execution

The agencies added that software providers need to immediately adopt principles of secure-by-design to prevent these and other misconfigurations. See https://www.darkreading.com/vulnerabilities-threats/10-routine-security-gaffes-the-feds-are-begging-you-to-fix?utm_campaign=DAM&utm_medium=email&_hsmi=277302115&_hsenc=p2ANqtz-8AmWdKZwejQSOmDVYCnhheJ49gCgP31r83zhPvAFsU0WF1QrdxDtzID0VizgatkXHQvicUzZR7mQadGtPajf3FI6wGSki_Xt1PDi7zmdKH72JQlGQ&utm_content=277302115&utm_source=hs_email.

City ISAC Services (Member Funded): Our secure collaboration space at https://cloud.isacs.eu/ and the MISP platform at https://misp.isacs.eu/ have been reactivated in preparation for Project “MEET”. If you would like to use these platforms please let me know and we can discuss access.

Project “DAVID” (Member Funded): As we finish the launch of our Dark Web Monitoring service, we begin to shape the EDR aligned Distributed SOC service with our friends at https://naorisprotocol.com/. Our friends at https://cs-aware.com/ will help map the critical IT assets supporting essential services, and then the Naoris solution can be deployed via SCCM for rapid, robust and cost-effective protection. More soon.

Project “MEET” (EU Funded / Beneficiary): No updates from the coordinator on signing of the financial grant with the commission.

Project “VAUBAN”: No updates. Remember if you would like us to run a tabletop exercise in your administration, we are happy to support.

Project “Regions4Cyber”: No updates.

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/

This email and any attachments are confidential to the intended recipient(s) and may also be privileged. If you are not the intended recipient, please delete it from your system and notify the sender. You should not copy it or use it for any purpose nor disclose or distribute its contents to any other person. The data contained in, or attached to, this email, may contain confidential information. If you have received it in error you should notify the sender immediately by reply e-mail, delete the message from your system and contact +49 (0) 1709053671 if you need assistance.

To unsubscribe please send an email to info@isac4cities.eu