2023/45 Weekly Update from the “City ISAC I4C+” Highlights: [TLP:RED] Guidance – Ask for the Mouse / Let us disable our own DNS / Logs are critical – Get them! / IT Asset Management is like Washing your Hands… / Hire Service Managers not IT Professionals
[TLP:WHITE]
** For Back Issues see https://isac4cities.eu/blog **
Weekly [TLP:RED] – Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
- Weekly [TLP:RED] for Publicly Elected Officials: Test new solutions yourself (with the assistance of an expert) – never let others do that for you.
- Weekly [TLP:RED] for Essential Services Managers: Reduce your costs by making sure only IT buys IT services – an informal conversation with Finance can help identify whether non-IT staff are buying third-party IT services at your cost.
- Weekly [TLP:RED] for IT Leaders: It usually pays off more to hire good service / supplier managers without IT skills than to ask IT professionals to do that for us.
Summary
Hi everyone and hope you are well – two cities and one region joining this morning with the conversation starting around how one member lost their DNS as a consequence of updating their own IP blacklist… You might think that having third-parties do this for us solves this threat, however experiences show that they are prone to making the same errors. The best solution is of course to review that list carefully before making the updates, yet that is time-consuming and requires a very knowledgeable reviewer that is deeply familiar with the actual local administration infrastructure.
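Part of the review step described above can be automated before anything is pushed to the firewall. The following is an added example, not something shared by the member or produced by the ISAC: it checks a proposed blocklist update against an inventory of addresses that must stay reachable. The inventory, the sample feed (documentation IP ranges) and the function names are assumptions.

```python
import ipaddress

# Constructed inventory of addresses that must never be blocked
# (documentation ranges; replace with your own critical services).
PROTECTED = {
    "dns-primary": "192.0.2.53",
    "dns-secondary": "198.51.100.53",
    "mail-gateway": "203.0.113.0/28",
}

# Constructed proposed blocklist update, one IP or CIDR per line.
PROPOSED = """\
# feed pulled 2023-11 (constructed sample)
198.51.100.0/24
203.0.113.200
192.0.2.530
203.0.113.8/30
"""

def review_blocklist(text, protected):
    """Return (conflicts, rejects) for a proposed blocklist update.

    conflicts: (line_no, entry, asset) where the entry overlaps a protected asset.
    rejects:   (line_no, entry) for lines that do not parse as an IP or CIDR.
    """
    assets = {name: ipaddress.ip_network(value, strict=False)
              for name, value in protected.items()}
    conflicts, rejects = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejects.append((line_no, entry))  # malformed: never apply blindly
            continue
        for name, asset in assets.items():
            # Only compare networks of the same IP version.
            if net.version == asset.version and net.overlaps(asset):
                conflicts.append((line_no, entry, name))
    return conflicts, rejects

def safe_to_apply(text, protected):
    """True only if every line parses and none touches a protected asset."""
    conflicts, rejects = review_blocklist(text, protected)
    return not conflicts and not rejects
```

A check like this only covers the assets someone has listed, so it depends on the inventory being complete and does not replace the knowledgeable reviewer.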
The above then sort of got us to the whole resourcing challenge we all face, and that over the decades we have developed into service / supplier managers while actually still recruiting based on IT skills. I am slowly coming to the conclusion that it is better to hire a good service / supplier manager without IT skills than to hire an IT professional and ask them to do the job. Make sure they are working in the IT department though.
Logging was the next topic up and we agreed that the suppliers seem to neglect this significantly (and then offer it at significant additional cost). Give it a try – ask your supplier to provide a log of all activities they have performed on the systems enabling your essential business services – the answer will be sobering. A good way to shape this conversation is to base it on compliance with data retention requirements and / or EU GDPR regulation.
AI of course also popped up as a theme and we reflected that from a cyber security point of view it will lead / is leading to a massive growth in the scale of attacks against known vulnerabilities. Even more emphasis must be placed on resolving at least the critical vulnerabilities. The basis for this is obviously knowing what IT assets you have on your estate in the first place.
Really – if we do not fully know what IT assets we have, then we will never be able to secure all of our assets and known vulnerabilities will rapidly spread. This is a really basic expectation and yes, we all agreed it is excruciatingly difficult to do this – but without it we will always have doors and windows open welcoming the threat actors. Yes, it is boring, painful etc…. but maybe it is like getting used to saying “Please” / “Thank you” / “Hello” / “Goodbye” and / or washing your hands after going to the bathroom? JFDI…
Finally, we agreed that the IT world is definitely way behind the curve when it comes to delivering to specifications (unless we micro-manage – if we had the resources). We need to take the mindset of good civil engineers (build to last) in the hope that we can slowly get to solutions that are built properly and which then, by default, can be secured properly…
Ah yes, finally finally…. Whenever you receive a demonstration of a solution by a vendor, ask to take control of the mouse and play around yourself – it is possible to build a simulation of a solution in PowerPoint for example….
Cheers
Oliver
UPDATES
In the News:
- Massive Ransomware Attack in DE on municipalities: https://therecord.media/massive-cyberattack-hinders-services-in-germany
- Hackers use Citrix Bleed flaw in attacks on govt networks worldwide: https://www.bleepingcomputer.com/news/security/hackers-use-citrix-bleed-flaw-in-attacks-on-govt-networks-worldwide/
- Okta Hack Blamed on Employee Using Personal Google Account on Company Laptop: https://www.securityweek.com/okta-hack-blamed-on-employee-using-personal-google-account-on-company-laptop/
City ISAC Services (Member Funded): We are finalising our list of services and pricing model for 2024. Primary commercial services are listed below and please contact us if you are interested:
- Risk (Opportunities & Threats) Register and Management
- Benchmarking Cyber Solutions for Defence in Depth
- Vulnerability Analysis (i.e., Penetration Testing and Dark Web Monitoring)
- Cyber Awareness Building I – Shared Holistic View
- Joint Cyber Awareness Building II – Tabletop Exercise
- Benchmarking Compliance (CIS18 & GDPR)
- Joint Defence Exercises (VAUBAN) – Technical Tabletop
- Shared Resources
- Distributed Security Operations Centre
- Cyber Tender Preparation
- General Advisory Services
Project “DAVID” (Member Funded): No updates.
Project “MEET” (EU Funded / Beneficiary): No updates.
Project “VAUBAN”: No updates.
Project “Regions4Cyber”: No updates.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/