2024/11 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: No call next (Good) Friday / Sneaker Interfaces are Important in Emergencies / Beacons of Gondor are also Important / Security by Obscurity is Integral / Reaching 26 cities and 11 regions in 18 EU countries now

** Note no call next Friday 29 March due to Public Holidays (Good Friday) **

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Good relationships with the leaders of your police and fire services departments are crucial for making a crisis centre work.
  • Weekly [TLP:RED] for Essential Services Managers: Make sure you can operate key processes without an Internet connection, save key transactional data on USB drives and are able to transfer that via USB to another PC/laptop at your regional administration. “Sneaker Interfaces” must work.
  • Weekly [TLP:RED] for IT Leaders: Expect that securing a solution will cost up to 3x the cost of the solution itself.
Summary

Hi everyone and hope you are well – two cities and two regions joined on Friday morning and we again explored a wide range of topics from generative AI to why we should not drink car battery fluid…

One colleague was a little tired after getting home at 2 am after supporting an emergency civil exercise as a paramedic – deep appreciation to him and all others who are socially engaged to help our world be a bit of a better place. Voluntary associations are a fascinating space and our ISAC is an attempt to re-create such of course – unfortunately the great behaviours in such associations are a truly emergent phenomenon and excruciatingly difficult to recreate due to their emergent nature (especially virtually). That then got us to a story on how Cisco once set up its global user support community based on volunteer “nerds” that just wanted to help others – the effort was a great success, though it took significant funding by Cisco to get that up and running / maintain it.

From volunteer support communities we moved to the embedded “Co-Pilot AI” in Microsoft Edge and how that might be stepping in to support such communities. Thinking about it, I see the biggest challenge as moving AI from a reactive behaviour to the proactive creative behaviour we see in volunteer communities. I have not yet been contacted by an AI saying “I have an idea…” We should get used to using services like Co-Pilot of course, at least to inform ourselves about subjects and get a “second opinion”, but do remember not to enter any sensitive information.

After the call I was also thinking about the various partners we work with (i.e., for security benchmarking and deep web monitoring) and that the challenge is less the intelligence we gather, and more the implementation of the needed actions. It is sort of like the alert notification “overload” we suffer from continuously – what is really important and what should be prioritised?

In any case, as our preparations continue for the VAUBAN exercise, I stumbled across the below picture that shows the “Warning Beacons of Gondor” from the movie “The Lord of the Rings”. For those of you who have seen this, it is about the chain of communication that is needed to solicit support in a disaster situation and mirrors our thinking of cities/regions spreading warnings about incidents to trigger supportive collaboration.

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about cyber security by obscurity. The AI responded:

**Cybersecurity by obscurity** involves concealing information or system details intentionally to enhance security. In this approach, critical data or system components are not openly disclosed, and only those who know where to look can find them. It’s akin to hiding a needle in a haystack, making it challenging for potential attackers to locate vulnerabilities.

Here are some key points about **security by obscurity**:

1. **Definition**:

   – **Security by obscurity** refers to processes and methods that intentionally hide data or system details.

   – Examples include using non-indexed links to share data on the internet or obscuring specific aspects of a system’s design.

2. **Contextualization**:

   – In the digital realm, we encounter various security layers, such as network security, application security, and data security.

   – **Cryptography** plays a crucial role in digital security, protecting sensitive data and creating secure passwords or signatures.

   – While **security by obscurity** is often seen as a bad practice in cryptography (where security should rely on the strength of algorithms and keys), it can be useful in other contexts.

3. **Benefits and Risks**:

   – **Benefits**: When used alongside other security methods, obscurity can add an extra layer of protection. For instance, hidden system details can deter casual attackers.

   – **Risks**: Relying solely on obscurity is discouraged. It should complement robust security practices rather than serve as the sole defense.

Remember, while obscurity can be a useful tool, a comprehensive security strategy should incorporate transparent methods and strong cryptographic principles¹²³.

Source: Conversation with Bing, 20/03/2024

(1) Understanding Security by Obscurity | Baeldung on Computer Science. https://www.baeldung.com/cs/security-by-obscurity.

(2) Security Through Obscurity (STO): History, Criticism & Risks. https://www.okta.com/identity-101/security-through-obscurity/.

(3) Security Through Obscurity – Techopedia. https://www.techopedia.com/definition/21985/security-through-obscurity-sto.  

In the News
City ISAC Services (Member Funded)

The annual assembly of our hosting association Major Cities Europe has confirmed that we can proceed to formalise collaboration agreements and thus enable the official launch of our services. More news coming shortly.

Project “DAVID” (Member Funded)

No update. #Sigh… still waiting for the final MOU from our Big 5 partner and will publish details as soon as that is formally signed. Two work packages being planned:

  • Work Package 1: NIS 2 Directive Review and Outlook: Conduct an interview-based assessment of NIS2 directive implementation with selected members (6) of I4C+. The results of the interviews will be used to identify weak spots in the directive and to provide a strategic outlook including strategy recommendations for the expected NIS3 directive. Identified gaps shall be summarized in a point of view reflecting the current security posture with respect to NIS2 requirements and potential expectations towards the NIS3. However, it is important to note that the outcome should not be used as a gap analysis of the assessor’s current security posture.
  • Work Package 2: Defence in Depth: To strengthen I4C+ members’ cyber resilience, shape the understanding of joint-cyber security as an integral approach among members. Based on the outcome of the work outlined above, deliver a best practice catalogue including suggestions for a respective toolbox. Furthermore, inputs can be utilized to enhance the overview for the Defence in Depth to close respective gaps. Collected raw data will be given to the I4C+ for further analysis.
Project “VAUBAN” – 2024 “Battle for the Golden Ticket” Monday 8 April 2024 from 2 pm to 4 pm CET.

Final preparations of the playbook are underway and we are also fielding a lot of registration requests. Everyone should have received the invitation via separate email by now. In addition, the link to connect is https://giorgioprister.my.webex.com/giorgioprister.my/j.php?MTID=mbca8b515933715492e1ffef143d855d8. Please feel free to forward in your networks. Please reach out if you are interested in actively supporting the event. See also https://isac4cities.eu/join-the-battle-for-the-golden-ticket-webinar-about-managing-it-security-april-8-2-to-4-pm-cet.

Project “Regions4Cyber”

No updates – currently working to gain survey feedback and organise the follow-up webinar workshop. Remember that ECSO launched its Cyber Resilient Regions Community on the 26th of June 2023: ECSO has now opened a dedicated community for Regions that wish to cooperate at the European level to increase their cybersecurity resilience – The Cyber Resilient Regions Community (CRR). This community is a closed and safe space for Local and Regional Authorities (LRAs): CISOs or similar roles, Managing Directors and other cybersecurity/security or IT specialists can engage in cooperation, best practice exchange, networking, and capacity building to address their cybersecurity resilience. This community is run together with ECSO partners Regione Toscana, Major Cities of Europe (https://majorcities.eu/) and ISAC4Cities (https://isac4cities.eu/). For more information on the community and its governance please let me know.

 

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
