2024/10 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: No user account should be called “Administrator” / Informal official requests are important / XP is “gone” – Hurrah! / Who takes responsibility for going off-grid? / Health ISAC collaborates during cyber incident

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Let your CEO/CIO decide whether to go “off-grid” in the case of a cyber incident – this makes them responsible for it.
  • Weekly [TLP:RED] for Essential Services Managers: NIS2 may declare your services as critical – make sure IT and leadership prioritise investment accordingly.
  • Weekly [TLP:RED] for IT Leaders: When you are managing a breach, many third-party individuals will visit your facilities – you should have a way of informally verifying their identities through official channels.

Summary

Hi everyone and hope you are well – three cities joined again on Friday morning and we again explored a wide range of topics, with some valuable insights shared. I found particularly interesting the story of one member who installed a brand-new server only to have the supplier provide massively outdated images, which then led to over 1,000 alerts on the monitoring software… the server image was from 2016 it seems, and fortunately the server was installed in its own segment as quarantine as part of taking it live. Another proof that suppliers either have little knowledge of security or are trying to save money – in this case the administration covered the update costs etc. (if I remember the story correctly).

We then moved on to the perennial discussion between business and IT on who should determine which IT services are “business critical” (which is the first filter in many (security) investment prioritisation processes). “Unfortunately” IT usually understands the individual business processes best (hey, we map them into the IT capabilities and enable the business process, right?). It doesn't help that there actually seems to be a situation where IT staff have significantly longer tenure than business managers and hence are often better qualified to make these decisions. Remember also that we have NIS2 driving the classification in any case nowadays – maybe worth mapping the NIS2 business critical definitions against how IT is handling this?

This theme of business criticality then got us into discussions around the upcoming VAUBAN exercise and the fundamental question – what will happen when you disable a port / IP etc.? There will of course be surprises, but even if we ignore the explosion of business-driven micro-services, we will definitely miss “stuff”… Courage to disable is needed 😊

Congratulations to one member who turned off their last XP solution this week! Now moving on to Win7 and continuing to discover all types of services that are not really on the radar screen – have you thought about (red) fuel payment services for vehicles at local administration stations, for example? Or building heating, utility billing etc. systems? Remember that every entry point into our networks needs to be secured.

We then explored various monitoring solutions being used and looked at some real-life examples. Members are all using multiple tools in parallel, e.g., https://grafana.com/, https://www.nagios.org/ and https://www.elastic.co/. That then led to the observation that administrative user accounts are best named with common names and should definitely NOT include any words suggesting it might be an elevated account (e.g., “administrator”).
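As an added example that is not from the newsletter or any member's tooling, a small Python audit of the naming rule just described: it takes a constructed list of accounts with their group memberships (the privileged group names and the list of revealing name fragments are assumptions) and flags privileged accounts whose names advertise their role, while not tripping on neutral names that merely contain such letters.

```python
import re
from dataclasses import dataclass

# Name fragments that advertise elevated rights (assumed list; extend to local conventions).
REVEALING_PREFIXES = ("adm", "root", "sysop", "superuser", "privileged", "elevated")

# Groups that confer elevated rights (assumed; adjust to the directory in use).
PRIVILEGED_GROUPS = frozenset({"Administrators", "Domain Admins", "Enterprise Admins", "sudo", "wheel"})


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset


def is_privileged(account: Account) -> bool:
    """An account counts as privileged if it belongs to any elevated group."""
    return bool(account.groups & PRIVILEGED_GROUPS)


def name_reveals_privilege(name: str) -> bool:
    """Split the name on separators and test each token as a whole-word prefix,
    so 'svc_admin' and 'mfalk-adm' are caught but the surname 'grootveld' is not."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t]
    return any(t.startswith(p) for t in tokens for p in REVEALING_PREFIXES)


def audit(accounts):
    """Return (name, finding) pairs for accounts whose name leaks or misstates their role."""
    findings = []
    for acct in accounts:
        if not name_reveals_privilege(acct.name):
            continue
        if is_privileged(acct):
            findings.append((acct.name, "privileged account name advertises its role; rename to a neutral name"))
        else:
            findings.append((acct.name, "name suggests privilege but account is not privileged; rename to avoid confusion"))
    return findings


# Constructed sample data, not taken from any real directory.
SAMPLE_ACCOUNTS = [
    Account("Administrator", frozenset({"Administrators"})),
    Account("svc_backup_admin", frozenset({"Domain Admins"})),
    Account("mfalk-adm", frozenset({"Domain Admins"})),
    Account("grootveld", frozenset({"Domain Admins"})),  # neutral surname; contains 'root' but is not flagged
    Account("helpdesk_admin", frozenset({"Domain Users"})),
    Account("jsmith", frozenset({"Domain Users"})),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```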

Finally, we reflected on who actually takes responsibility for going “off-grid” in the case of a cyber incident (i.e., disconnecting from the internet). Different situations it seems, with some CIOs picking this up while others defer to their mayors. We are all senior enough to make that decision; however, it can make a lot of sense to shift responsibility for the ramifications – make sure you plan this through in advance. Being “off-grid” is not as peaceful as we might think – join the VAUBAN exercise on April 8th to learn more.

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about whether open source software contains malicious code. The AI suggested:

**Open source software** (OSS) is a fascinating realm where collaboration, transparency, and community-driven development intersect. Let’s delve into the security aspects of open source software:

1. **The Power of Open Source**:

   – **Definition**: Open source software refers to software that can be freely used, modified, and distributed by anyone.

   – **Ubiquity**: It plays a pivotal role in accelerating development across various fields, including critical infrastructure, federal government systems, and organizations worldwide¹.

   – **Our Role**: As one of the largest users of open source software, the government has a responsibility to contribute to its security.

2. **Secure Coding Matters**:

   – **Vulnerabilities**: Recent incidents like the **Log4shell** vulnerability underscore the importance of secure coding in open source projects.

   – **Secure by Design**: Incorporating secure coding practices during development is crucial. We advocate for this approach.

   – **CISA’s Roadmap**: Our roadmap focuses on securing the open source ecosystem. Key goals include working with the community, understanding software prevalence, reducing risks for the federal government, and strengthening the broader ecosystem.

   – **Memory Safe Coding**: We encourage the adoption of memory-safe coding practices.

   – **Resources for Developers**: We’re developing resources to help open source developers understand secure coding¹.

3. **Government Stewardship**:

   – **DHS Policy**: The Department of Homeland Security (DHS) has a default-to-open-source policy. It encourages contributions from DHS employees and contractors to open source projects we rely on.

   – **Leveraging Workforce**: By tapping into the DHS workforce, we aim to enhance the software we depend on.

4. **Individual and Corporate Contributions**:

   – **Individuals**: If you’re interested in contributing to open source, there are excellent guides available.

   – **Companies**: Consider establishing an open source program office to coordinate usage and ensure developers contribute back to project security and sustainability.

In summary, while open source methodology doesn’t guarantee security, it provides greater insight and control. Secure coding remains paramount, and collaborative efforts benefit us all²³⁴.

Source: Conversation with Bing, 15/03/2024

(1) Open Source Software Must Start with Secure Code | CISA. https://www.cisa.gov/news-events/news/open-source-software-must-start-secure-code.

(2) The impact of open source on cybersecurity | Infosec. https://resources.infosecinstitute.com/topics/industry-insights/open-source-cybersecurity/.

(3) Is Open Source More Secure Than Closed Source? – DevOps.com. https://devops.com/is-open-source-more-secure-than-closed-source/.

(4) What is Open Source Security? – Check Point Software. https://www.checkpoint.com/cyber-hub/cloud-security/what-is-open-source-security/.

In the News

City ISAC Services (Member Funded)

Annual assembly of our hosting association Major Cities Europe next week – this should give formal approval to our collaboration agreements and enable the official launch of our services.

Project “DAVID” (Member Funded)

No update. Waiting for the final MOU from our Big 5 partner and will publish details as soon as that is formally signed. Two work packages being planned:

  • Work Package 1: NIS2 Directive Review and Outlook: Conduct an interview-based assessment of NIS2 directive implementation with selected members (6) of I4C+. The results of the interviews will be used to identify weak spots in the directive and to provide a strategic outlook including strategy recommendations for the expected NIS3 directive. Identified gaps shall be summarized in a point of view reflecting the current security posture with respect to NIS2 requirements and potential expectations towards NIS3. However, it is important to note that the outcome should not be used as a gap analysis of the assessor’s current security posture.
  • Work Package 2: Defence in Depth: To strengthen I4C+ members’ cyber resilience, shape the understanding of joint cyber security as an integral approach among members. Based on the outcome of the work outlined above, deliver a best practice catalogue including suggestions for a respective toolbox. Furthermore, inputs can be utilized to enhance the overview for Defence in Depth to close respective gaps. Collected raw data will be given to the I4C+ for further analysis.

Project “VAUBAN” – 2024 “Battle for the Golden Ticket” Monday 8 April 2024 from 2 pm to 4 pm CET.

Everyone should have received the invitation via separate email by now. Please feel free to forward in your networks. Please reach out if you are interested in actively supporting the event. See also https://isac4cities.eu/join-the-battle-for-the-golden-ticket-webinar-about-managing-it-security-april-8-2-to-4-pm-cet.

Project “Regions4Cyber”

ECSO has launched its Cyber Resilient Regions Community: As a follow-up from the “Regions contributing to cybersecurity sovereignty” webinar ECSO hosted on the 26th of June 2023, ECSO has now opened a dedicated community for regions that wish to cooperate at the European level to increase their cybersecurity resilience – the Cyber Resilient Regions Community (CRR). This community is a closed and safe space for local and regional authorities’ (LRAs) CISOs or similar roles, managing directors and other cybersecurity/security or IT specialists to engage in cooperation, best practice exchange, networking, and capacity building to address their cybersecurity resilience. This community is run together with ECSO partners Regione Toscana, Major Cities of Europe (https://majorcities.eu/) and ISAC4Cities (https://isac4cities.eu/). For more information on the community and its governance please let me know.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe. Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
