2023/47 Weekly Update from the “City ISAC I4C+” Highlights: [TLP:RED] Guidance – Some projects are intended as sacrifices… / Fax is the new digital threat! / Don't bother reporting breaches, threat actors do it for you now / Big5 NISx project coming back online.
[TLP:WHITE]
** For Back Issues see https://isac4cities.eu/blog **
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
- Weekly [TLP:RED] for Publicly Elected Officials: When you lose a service due to cyber issues – communicate only the service outage and any temporary measures to citizens. There is no need to explain reasons which are “under investigation”.
- Weekly [TLP:RED] for Essential Services Managers: We can design for project slippage to free up funds to make the most of the year-end rush.
- Weekly [TLP:RED] for IT Leaders: Front-load as much of your project costs as possible – the longer you wait to spend, the less likely the money will still be there when you need it.
| Summary |
Hi everyone and hope you are well – three cities and two regions joined on Friday morning to begin reflecting on how having few assets (i.e., in small cities) does not necessarily make life easier compared to having many assets (i.e., whole regions) – we all face similar challenges regarding budgets and funding, for example. The main difference may be in the services we provide to our citizens: a city may not support health services, for example, while a region may not support city-level waste management, and at a national level citizen records may be maintained while stepping back from energy services. While this is a colourful mix, we did agree that the challenges are very similar, and we can learn from each other.
One colleague then shared a small budget nightmare that has arisen: an EU funded project is ending, while the data centre to be funded from it faced incessant delays, so that now the city needs to fund all costs after the end of the EU project – difficult to say the least, and just another example that when you launch projects you should “run like hell” from the beginning and aspire to finish early – of course you will not, but the earlier you can spend the money, the easier in the longer term. Front-load projects massively.
Interesting story then about a significant increase in FAX phishing one member has been seeing. Yes, “fax”… the digital connection is that the faxes contain QR codes to malicious sites… I find this a pretty clever approach since our cyber awareness activities are usually focused directly on the digital media. One colleague nicely appends the following text to their email signature: “In our rapidly digitalizing world, QR codes have become ubiquitous, from restaurant menus to quick links to websites. But behind this apparent simplicity lies a potential danger. Cybercriminals can manipulate QR codes to hide malicious websites or malware. When an unsuspecting user scans the code, they could unintentionally reveal personal information or infect their device. It is therefore essential to remain vigilant. Trust only QR codes from reliable sources. Be alert, your digital security depends on it.” Nice AI generated logo to go along with that (no clue what the copyright is on this):

The above story then got us to sharing notes on our cyber awareness campaigns and how to deal with “serial clickers” who fail every phishing campaign. Yes, they can of course be identified, and remedial activities launched – what if they do not prevent this behaviour in future though? One member suggested putting such colleagues in increasingly restrictive policy groups, i.e., one fail and you get 1 month no Netflix, two fails you get 2 months no Netflix and no YouTube… you get the picture – applications exemplary only of course – I am probably the only one who works for organisations where you can access these, plus Insta, TikTok, etc….
Ah yes, we then somehow got back to the perennial funding challenge and the current year-end behaviours of quickly spending what is left since there is probably no budget carry-over. One member sharing an insight that if projects are delayed, then often the unused funds may be up for re-allocation, and it can be quite helpful to have a list of “quick spends” prepared for immediate action. At the same time, remember that we can influence which projects get budgeted for AND, among us, which projects are able to spend their budget… yes, we can design for project slippage to free up funds to make the most of the year-end rush…
Currently traveling to a regional administration IT conference in eastern Germany and will be facilitating a Larissa format tabletop exercise tomorrow (a recording of such an event can be reviewed HERE) – amazed that the German rail company is operating without significant delays – media coverage always seems to paint the negative picture. Yes, connected to the WLAN here without second thoughts – silly me, since free WLAN is a huge cyber threat… Hope that next week I do not need to rescind the praise! Happy to facilitate for you locally next year as well if you like?
Finally, a nice phishing URL example shared by a member – look at the small example derivative below – difference between the URLs? Absolutely obvious, right?
https://www.examplebank.com versus https://www.examplebаnk.com
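The second URL above swaps the Latin “a” in “bank” for the visually identical Cyrillic “а” (U+0430), which a resolver sees as a completely different, punycode-encoded domain. As an added example (not from the original post or any member), the check below shows what a mail gateway or awareness tool can do with such a link: list every non-ASCII character by Unicode name, show the punycode form, flag letters from mixed scripts, and detect that the host only matches a trusted name once the look-alike letters are mapped back to Latin. The trusted-host list and the small confusables table are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed mini-table of Cyrillic letters that render like Latin ones
# (a hand-picked subset of the Unicode confusables data, for this example only).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def script_of(ch: str) -> str:
    """Coarse script of a letter, derived from its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def skeleton(host: str) -> str:
    """Map the confusable Cyrillic letters onto their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def analyse_host(url: str, trusted_hosts: set[str]) -> dict:
    """Inspect a URL's hostname for homoglyph tricks.

    Reports the punycode form a resolver actually sees, every non-ASCII
    character with its Unicode name, whether letters from several scripts
    are mixed, and whether the host merely looks like a trusted one.
    """
    host = unicodedata.normalize("NFC", urlsplit(url).hostname or "")
    non_ascii = [(i, ch, unicodedata.name(ch, "?"))
                 for i, ch in enumerate(host) if ord(ch) > 0x7F]
    scripts = {script_of(ch) for ch in host if ch.isalpha()}
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:  # label too long or not representable
        punycode = None
    look_alike = skeleton(host) in trusted_hosts and host not in trusted_hosts
    return {"host": host, "punycode": punycode, "non_ascii": non_ascii,
            "mixed_script": len(scripts) > 1, "look_alike_of_trusted": look_alike}

def is_suspicious(url: str, trusted_hosts: set[str]) -> bool:
    """True when the hostname mixes scripts or impersonates a trusted host."""
    r = analyse_host(url, trusted_hosts)
    return r["mixed_script"] or r["look_alike_of_trusted"]

if __name__ == "__main__":
    trusted = {"www.examplebank.com"}  # constructed allow-list
    # Second URL carries the Cyrillic small letter a (U+0430) in "bank".
    for u in ("https://www.examplebank.com", "https://www.exampleb\u0430nk.com"):
        print(u, analyse_host(u, trusted))
```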
Cheers
Oliver
| In the News |
- 12 Bavarian administrations brought down by successful cyber attack on their common provider (https://www.bild.de/regional/muenchen/stuttgart-aktuell/neu-ulm-cyberangriff-legt-gemeinden-in-schwaben-lahm-86205002.bild.html). Especially services for registries, passports, local financial accounts, and graveyards will probably be impacted for a longer period of time. Citizens are being asked to call the administration before going there to check whether the desired services are available. No comment though about how the administrations are planning to handle the increase in calls?
- Hackers weaponize SEC disclosure rules against corporate targets: The ransomware group ALPHV (aka “BlackCat”) has filed a formal complaint with the US Securities and Exchange Commission (SEC), alleging that a recent victim failed to comply with new disclosure regulations. An ALPHV insider told databreaches.net that, on Nov. 7, the group successfully attacked the digital lending service provider MeridianLink, exfiltrating without encrypting its files. Thereafter, aside from one interaction, the prolific threat actor failed to engage the company in negotiations over the stolen data. ALPHV posted that data to its leak site on Wednesday. It also tried out an unprecedented extra extortion tactic, filing a report about its own crime to the SEC, claiming that its victim failed to follow new SEC guidelines for how soon companies have to publicly disclose their breaches. “This is yet another warning to security leaders, who must recognize that disclosure decisions and plans are no longer solely guided by security best practices; federal legal liabilities also play an important role,” says Patrick Tiquet, vice president of security and architecture at Keeper Security. On July 26, the SEC announced new cyber rules for public companies. One standout was a requirement that companies disclose “any cybersecurity incident they determine to be material,” along with a description of “the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” Such a submission “will generally be due four business days after a registrant determines that a cybersecurity incident is material.” When four days passed with no word from MeridianLink, ALPHV submitted information about the breach through the SEC’s official website. More info at Hackers Weaponize SEC Disclosure Rules Against Corporate Targets (darkreading.com)
| City ISAC Services (Member Funded) |
In 2024, we can deliver a handful of tabletop exercises for interested members. This is a three-hour cyber awareness building event at your location for stakeholders across your organisation. The event is conducted in the “Larissa” format and a recording of such an event can be reviewed HERE. The scenario is based on a volunteer from the audience assuming the role of the mayor: it is 7 am on a beautiful summer Saturday morning, there is a major council meeting on Monday at 10 am (public and press will be there), they are at home and log in to their laptop to prepare their presentation, and after logging in the laptop screen displays a ransomware notice. Step by step the scenario is expanded by experienced tabletop facilitators, and more volunteers from the audience are recruited to fill the various roles needed (i.e., Head of IT, Personal Assistants, Lawyers, Chief of Police…). The exercise is suited for a wide variety of roles and results in a greater common awareness of what the cyber threat means and how best to protect ourselves against it. Please contact us as quickly as possible if you are interested – at least two face-to-face events are already in planning for 2024. On Tuesday November 28th we are at a German regional conference of local public administrations, for example.
| Project “DAVID” (Member Funded) |
Conversations to relaunch the project supported by one of the Big 5 have restarted and we are now negotiating possible timeframes. Very exciting to have this coming back to life. As a reminder, there are two work packages planned:
- Work Package 1: NIS 2 Directive Review and Outlook: Conduct an interview-based assessment of NIS2 directive implementation with selected members (6) of I4C+. The results of the interviews will be used to identify weak spots in the directive and to provide a strategic outlook including strategy recommendations for the expected NIS3 directive. Identified gaps shall be summarized in a point of view reflecting the current security posture with respect to NIS2 requirements and potential expectations towards the NIS3.
- Work Package 2: Defence in Depth: To strengthen I4C+ members’ cyber resilience, support in shaping the understanding of joint-cyber security as an integral approach among members. Based on the outcome of the work outlined above, deliver a best practice catalogue including suggestions for a respective toolbox. Furthermore, inputs can be utilized to enhance the overview for the Defence in Depth to close respective gaps.
| Project “MEET” (EU Funded / Beneficiary) |
#sigh… we continue in the “bowels” of EU financial administration processes so nothing specific, other than developing the capability to set-up and manage this side of EU funded projects is a critical enabler for running them later. At first sight therefore no specific “impact”, but significant “capability building”.
| Project “VAUBAN” |
Longer discussions this week with a partner on how simulation can support us in achieving our aspired objectives (see https://isac4cities.eu/our-aspiration-draft), especially when coupled with benchmarking. We agreed that every audience is different and needs a unique approach (i.e., Larissa format versus Bank Robbery) – “tailoring is key” – and noted the apparent fact that (a) joint defence only rises in priority the more we personally experience the impact of a major incident, and that (b) we tend to isolate ourselves when an incident occurs. We need to bring in a stronger cognitive psychology angle to figure out why this is proving so hard to “formalise” – informally it is absolutely in place – maybe good enough?
| Project “Regions4Cyber” |
This is an effort our ISAC is supporting, more focused on regions. Very relevant for cities though, since cities increasingly need to subscribe to regional (and of course national) services. The survey is now available for piloting – please contact us if you are interested in supporting. We will be reaching out specifically to our regional members for piloting in the next few days.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/