2024/14 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Cyber Security Skills Webinar held with over 60 participants / Benchmarking at least avoids being the worst / User Training and Penetration Testing is overrated / AI becoming best in class to identify & exploit vulnerabilities / Multi-ISAC Tabletop with ENISA on the way / Upcoming webinar of “Accelerating NIS2 Compliance with Benchmarking and AI Support” Monday, 27th May 2024

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognised by the European Union Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information. These are summaries only, and the “key” is in the actual stories shared privately. The stories are based on personal, sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This “stuff” may look obvious; the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Use benchmarking to demonstrate you are not the worst administration in your region.
  • Weekly [TLP:RED] for Essential Services Managers: Ensure all staff with admin rights on your applications receive regular cyber awareness training and use unique complex passwords on each application.
  • Weekly [TLP:RED] for IT Leaders: Buy software towards the end of the supplier financial year to get the best rebates.
Summary

Hi everyone, I hope you are well. Three cities joined on Friday morning, and we realised we have a month with many public holidays ahead of us, nicely timed this year to allow for a few bridge days and a bit of a break as spring approaches.

We started off with an update on an emerging national ISAC that one of our colleagues is helping to build, and it was interesting to learn that it is being driven as a “special interest group” of the national association of municipalities. The first service it offers municipalities is penetration testing, with the predictably miserable outcomes, which led us to the question of whether these tests have any value in the first place, since threat actors are not legally or ethically restrained like the testers we engage. A real threat actor is willing to “break stuff” while breaching an organisation, which gives them very different attack vectors.

The potentially low value of penetration testing then got us asking ourselves whether user security and awareness training really makes a difference anyway. Remember that it only takes one user to click a malicious link for a payload to be deployed. Yes, of course we should inform users of the threat, but we cannot delegate our own responsibility to put defence in depth in place to protect the users from themselves, since there will always be a weak point. AI generated a small image for me on this theme.

Considering that the users truly are the “Davids” in this conflict, we then learned more about a remote browser isolation project one colleague's administration is putting in place. Cost constraints are keeping it to a pilot for now, and one of the biggest headaches is the reliance on DNS reputation and manually maintained categories. On the costing side, again confirmation that for every €1 spent on user software capability you will spend at least €3 on securing it. Worth exploring though, and if you have Microsoft Enterprise licences do look at Windows Defender Application Guard.

On the cost side, pricing for security licences continues to grow massively, and we feel that this is driven not only by the availability of national funding and recovery plans but also by vendors increasingly being bought out by investment groups that then simply raise prices to “milk the cow”. One important approach here is to put first-tier suppliers in place that then manage the provision of any additional services we might need: let them identify and integrate the right vendors.

Note that we have also been asked to help organise a German regional IT conference (the one we ran the tabletop at last year), and there also seems to be an opportunity to run a multi-ISAC tabletop at ENISA in October. This may be a huge step forward towards our own Locked Shields aspiration. Will keep everyone updated.

Cheers

Oliver

Insights from Chatbots

I was curious about Bing Chat's opinion on how AI can help identify software vulnerabilities. The AI responded as below:

“AI can significantly aid in identifying software vulnerabilities through various methods:

1. **Automated Vulnerability Discovery**: AI can analyze complex software programs to identify mistakes that could lead to vulnerabilities. This process is well-suited for automation because it involves repetitive, large-scale tasks¹.

2. **Machine Learning Models**: GitHub, for instance, uses machine learning in its code scanning feature to identify security vulnerabilities in code. While this can sometimes result in false positives, it can greatly accelerate the vulnerability identification process when paired with manual analysis².

3. **Pattern Recognition**: AI can recognize patterns in code that resemble known vulnerabilities. This helps developers spot potential weaknesses before deployment³.

4. **Static Analysis with AI**: AI-driven static code analysis tools scan source code files to identify security vulnerabilities, such as SQL injection, cross-site scripting (XSS), or buffer overflows³.

5. **Proactive Vulnerability Management**: AI-driven solutions can automate the process of continuous monitoring and rapid identification of flaws, which may go unnoticed by human analysts⁴.

AI’s role in cybersecurity is expanding, and its ability to assist in vulnerability identification is becoming increasingly sophisticated and integral to maintaining secure software systems.

Source: Conversation with Bing, 19/04/2024

(1) theNET | Can AI find vulnerabilities? | Cloudflare. https://www.cloudflare.com/the-net/ai-vulnerabilities/.

(2) Leveraging machine learning to find security vulnerabilities. https://github.blog/2022-02-17-leveraging-machine-learning-find-security-vulnerabilities/.

(3) Enhancing Cybersecurity with AI: Simulation and Vulnerability Analysis. https://www.signitysolutions.com/tech-insights/enhancing-cybersecurity-with-ai.

(4) AI-Driven Solutions for Proactive Vulnerability Management. https://itsecuritywire.com/featured/ai-driven-solutions-for-proactive-vulnerability-management/.”
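The pattern recognition and static analysis the chatbot describes in points 3 and 4, together with the false-positive caveat in point 2, can be made concrete with a small worked example. What follows is an added illustration, not code from this newsletter, from Bing or from any of the cited sources: a plain AST-based rule set (no machine learning involved) that looks for `execute()` calls whose SQL text is assembled from runtime data, run against a constructed Python sample. The sink names, the sample code and the two rule variants are assumptions made for the illustration.

```python
"""Pattern-based static analysis for SQL injection sinks (toy illustration).

Constructed example, not from the newsletter or the sources it quotes. It walks
the Python AST of a code sample, finds calls to methods named execute() or
executemany() and inspects how the first argument (the query text) is built.
A naive rule flags anything that is not a plain string literal; a refined rule
additionally requires that runtime data (a variable, call, attribute or index)
reaches the query text, which removes the false positive on constant-only
concatenation.
"""
import ast

# Constructed sample under analysis. The comments give the line numbers the
# analysers report (the first line of the sample is line 1).
SAMPLE = '''\
def lookup(cur, name, uid):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # 2: concat with variable
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")              # 3: f-string with variable
    cur.execute("SELECT * FROM users WHERE id = %s" % uid)            # 4: %-formatting
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))           # 5: parameterised, safe
    cur.execute("SELECT * FROM users " + "WHERE active = 1")          # 6: constant concat
'''

# Assumed sink names; a real tool would carry a much longer list per driver/ORM.
SINK_NAMES = {"execute", "executemany"}


def _is_sink(call: ast.Call) -> bool:
    """True for method calls such as cur.execute(...) or conn.executemany(...)."""
    func = call.func
    return isinstance(func, ast.Attribute) and func.attr in SINK_NAMES


def _sink_calls(source: str) -> list:
    """All sink calls in the source that pass at least one argument, in line order."""
    tree = ast.parse(source)
    calls = [n for n in ast.walk(tree)
             if isinstance(n, ast.Call) and _is_sink(n) and n.args]
    return sorted(calls, key=lambda c: c.lineno)


def _shape(expr: ast.AST) -> str:
    """Classify how the query expression is built."""
    if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
        return "literal"
    if isinstance(expr, ast.JoinedStr):
        return "f-string"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Add):
        return "concatenation"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Mod):
        return "%-formatting"
    return "other"


def _has_runtime_data(expr: ast.AST) -> bool:
    """True if any leaf of the expression is not a literal (variable, call, attribute, index)."""
    return any(isinstance(n, (ast.Name, ast.Call, ast.Attribute, ast.Subscript))
               for n in ast.walk(expr))


def naive_findings(source: str) -> list[tuple[int, str]]:
    """Rule 1: flag every sink whose query text is not a plain string literal."""
    return [(call.lineno, _shape(call.args[0]))
            for call in _sink_calls(source)
            if _shape(call.args[0]) != "literal"]


def refined_findings(source: str) -> list[tuple[int, str]]:
    """Rule 2: as rule 1, but only when runtime data flows into the query text."""
    return [(call.lineno, _shape(call.args[0]))
            for call in _sink_calls(source)
            if _shape(call.args[0]) != "literal" and _has_runtime_data(call.args[0])]


def false_positives(source: str) -> list[int]:
    """Lines the naive rule reports that the refined rule clears."""
    refined = {line for line, _ in refined_findings(source)}
    return [line for line, _ in naive_findings(source) if line not in refined]


if __name__ == "__main__":
    for line, shape in refined_findings(SAMPLE):
        print(f"line {line}: possible SQL injection ({shape})")
    print("naive-only findings (false positives):", false_positives(SAMPLE))
```

The naive rule reports line 6, where two string literals are concatenated, alongside the three genuine injection sinks on lines 2 to 4; the refined rule clears line 6 because no variable reaches the query text, and neither rule touches the parameterised query on line 5. That gap, and the manual review still needed for the cases a simple data-flow check cannot settle, is the false-positive trade-off the chatbot mentions under point 2.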

In the News
City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review them and consider reaching out to include them in your activities and budgets.

We continue planning our next webinar in collaboration with I-Trust, with the draft title “Accelerating NIS2 Compliance with Benchmarking and AI Support”, potentially scheduled for 15:00-16:30 CET on Monday, 27th May 2024; once confirmed we will let you know. The webinar focuses on helping local and regional public administrations accelerate their journey to NIS2 compliance with the help of generally available AI solutions such as Microsoft Copilot, in combination with expert assessment questions that also allow for benchmarking across local and regional public administrations throughout the European Union. The webinar will be an open debate building on a presentation of the Enablor benchmarking platform from I-Trust and how it is used in practice by a public administration on its path to NIS2 compliance, a demonstration of how Microsoft Copilot can be used to effectively explore the assessment questions, and an open panel discussion with the presenters and the audience. The webinar will help public administrations master the growing challenge of achieving NIS2 compliance through benchmarking, simple AI and peer-to-peer knowledge sharing.

I-Trust is an official CIS Controls Supporter and provides a wide range of best practice recommendations for cyber security. See https://i-trust.dk/en/. Enablor is a community solution based on experiences from more than 1,500 local administrations, where the platform is used to strengthen (cyber) security alongside the increasing digitalisation of organisations. Community in this context means that content is targeted to the sector and that benchmarking and sharing experiences help organisations work with security requirements in a targeted way. Perhaps most importantly, the system takes over many of the resource-intensive tasks so that organisations can work purposefully; convenience is a key word.

Project “VAUBAN” – 2024 Multi-ISAC Tabletop

You might remember that our City ISAC is a founding member of the EU Council of ISACs, which brings together many EU ISACs from sectors such as health, energy, finance and water. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October, and we, the City ISAC, may have an opportunity to run a 90-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. Stay tuned for updates as we perhaps move towards a wide-ranging hybrid face-to-face / virtual tabletop with a similar setup (but a different scenario) to the recent purely virtual one.

Project “Regions4Cyber”

We held the webinar “Skills for cybersecurity: from basic cyber hygiene to advanced capabilities. A challenge for citizens, businesses and Public Administrations” on 22nd April, 14:30-16:00. This webinar was organised in the framework of the European Year of Skills and had over 40 participants. The session, focused on cybersecurity skills, looked at challenges and opportunities and at the involvement of a broad EU audience. The webinar was an open debate with presentations from ECSO on its Road2Cyber Platform, followed by regional initiatives from the Tuscany and Brittany regions showing how the territories are advancing at different levels, from basic cyber hygiene to advanced skills. We then proceeded to an open panel discussion with the presenters and the audience. The Cyber Resilient Regions Community (CRR) initiative aims to build a European community of Local and Regional Authorities (LRAs) that have a desire to increase their digital resilience. It engages LRAs' Chief Information Security Officers (CISOs) and related roles, and IT or security specialists with cybersecurity responsibilities, in a community that aims to increase LRAs' cybersecurity resilience. Surveys, events and chats with experts and peers are among the activities promoted within the CRR initiative. Contact us for further information.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
