2024/29 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Use In-House training to configure solutions / Is your outsourced SOC secure? “Go Look See” / Collaboration platforms can provide unauthorized network access / Upgrading inside the perimeter the hidden cost of new security solutions / Four cities piloting CIS18 benchmarking platform
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials: Budgets for cyber should be a fixed percentage of all department budgets.
- Weekly [TLP:RED] for Essential Services Managers: Citizen development / business purchase can be a good solution. The best argument for it is no resources and no funding…
- Weekly [TLP:RED] for IT Leaders: To optimize config of security software, use training budget to get in-house training on installed solution by the solution provider (not the solution vendor).
| Summary |
Hi everyone, I hope you are doing well. Eight cities and two regions joining from Bulgaria, Croatia, Estonia, Germany, Ireland, Italy, and Spain, on Friday morning (seems summer is over and colleagues are back at work) to first reflect on the impact of climate change on cyber security? Not sure how we got there, but there is a link in respect to how physical security seems to lighten up when it gets hot (i.e., server room doors propped open to support air circulation) or the question of rising electricity costs to keep server rooms cool.
Physical security questions then had a member share that they are changing their SIEM/SOC provider and that provider has their SOC in Rumania – is this the new “hot” location for SOCs at lowest cost? Another member moved their SOC to Poland a few years ago and another has theirs in the Czech Republic – what is the future “migration route” of SOCs? Assuming you are staying in the EU (which is highly recommended for GDPR reasons).
The above SOC discussion then reminded us to also “go look see” any SOC to make sure that at least the physical security implemented meets some minimum standards. Remember that you probably are giving the SOC administrative access on a variety of your systems and that they should be as physically secure as possible (their IT environment itself as well of course). You may be quite surprised about the difference in standards across different countries!
Another subject of discussion was security product vendors not configuring their solutions as agreed and even then, how many misconfigurations actually occur when it comes to embedding such solutions into your environment (i.e., due to the presence of legacy systems). Once member implementing Darktrace at the moment and recognizing that a lot of on-prem assets need to be patched to enable the solution to reach through the whole network for example. Another nice example of “hidden costs” that only become visible when actually implementing something – a good contingency is usually about 30% of cost, although that then needs to be set aside separately from the actual purchase order.
Ah yes, another interesting story about how clever users are in circumventing security is how some collaboration platforms allow us to not only share screens, but also share control of those screens. Not unusual in some organisations for staff to use this to give third parties access to internal software solutions they are logged into with their own credentials. Seems whatever loop-holes we close, there is another clever user finding a way around 😊
Finally, we shared a few thoughts about the “bouquet” of security solutions needed for Defence in Depth when we decide to go “best of breed” versus focusing on a single platform solution. We have had this discussion multiple times before, and, if you remember, ran a survey last year where a handful of cities and regions shared the solutions they use. Overall “best of breed” (within affordability constraints) dominates as an approach, with the common missing piece being a defined security architecture to align with. In the end, if you are looking at specific solutions, do reach out to the community to find colleagues who have actual experience with the tools and can give you the “real story”.
I liked the Australian Aboriginal dot art image of cyber security that CoPilot created for us last week, so I thought I would ask for a similar image of a SCO. AI came up with a further pretty cool, idea…
By the way, check out https://support.microsoft.com/en-us/topic/learn-about-copilot-prompts-f6c3b467-f07c-4db1-ae54-ffac96184dd5 to learn about how to best prompt CoPilot for a good answer.
Cheers,
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat about why access security to SOCs is important. The AI responded as per below:
“Access security is crucial for Security Operations Centers (SOCs) for several reasons:
1. **Protection of Sensitive Information**: SOCs handle highly sensitive data, including threat intelligence, incident reports, and security logs. Ensuring that only authorized personnel can access this information helps prevent data breaches and unauthorized disclosures³.
2. **Regulatory Compliance**: Many industries are subject to strict data protection regulations. Proper access control helps organizations comply with these regulations, avoiding legal penalties and maintaining trust with customers and stakeholders³.
3. **Mitigation of Insider Threats**: By implementing robust access controls, SOCs can reduce the risk of insider threats. This includes both malicious insiders and accidental breaches caused by employees who may not have the necessary security training³.
4. **Operational Efficiency**: Effective access management ensures that SOC personnel can quickly access the tools and information they need to respond to incidents. This improves the overall efficiency and effectiveness of the SOC¹.
5. **Incident Response**: In the event of a security incident, having strict access controls in place ensures that only authorized individuals can handle and investigate the incident, reducing the risk of further compromise².
Source: Conversation with Copilot, 06/09/2024
(1) Role of Authentication & Access Management in SOC | CND – EC-Council. https://www.eccouncil.org/cybersecurity-exchange/security-operation-center/role-of-authentication-access-management-in-soc/.
(2) What is a Security Operations Center (SOC)? Its Role and Impact. https://nordlayer.com/learn/soc/what-is-soc/.
(3) 9 Key Benefits of Security Operations Center (SOC) in 2024. https://radiantsecurity.ai/learn/soc-benefits/.”
| In the News |
- Nothing special this week.
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered.Please do review and consider reaching out to include such in your activities and budgets.
Quick update that four cities from Bulgaria, Estonia, Ireland and Italy are now trialling the Enablor benchmarking platform and in a next step we will work to compare results in a conversation. It is in this conversation that the greatest value of the effort can be found, and we will seek to include other administrations that are already using the approach in their daily work. Please reach out if you are interested in joining this pilot.
Continuing to shape a way to augment city / region resources to perform supplier NIS2 cyber security evaluations and remediations. The aim to identify liabilities triggered by NIS2 and robustly mitigate such. The ENISA Excel control sheet for “Minimum Security Measures for Operators of Essentials Services” at https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new/minimum-security-measures-for-operators-of-essentials-services will be the basis (the updated version for NIS2 is expected end of October) and augmented for rating and remediation measures – one region and one city currently interested – will of course need to be local language and the identity will need to be the administration. One region and one city are currently exploring this in more detail.
| Project |
You might remember that our City ISAC is a founding member of the EU Council of ISACs where we have many EU ISAC members from sectors like health, energy, finance, water, energy etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, have an opportunity to run a 120 minute tabletop with many ISACs in the room plus a wide range of ENISA representatives in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help. The context will be “The City of Fantasia operates, subscribes to and manages services for its 600k citizens in the sectors of: Public Administration (Operate), Energy (Manage), Transport (Manage), Healthcare (Manage), Drinking Water (Manage), Wastewater (Manage), Emergency Services (Manage), Digital Infrastructure (Subscribe), and ICT Service Management (Subscribe). The City has a regional airport, an industrial harbour and three major industrial production sites (chemicals, automotive, and battery).” -> then a professional actor appears with a thunder run strategy to make citizen life very uncomfortable! We´ve decided to change our exercise name for this as well 😊
We have now debriefed ENISA on our planned storyboard (see template below) and received some very positive response. We are also discussing how to perhaps fund a “roadshow” of this simulation across multiple public administrations in the EU. Below the current storyboard template that will be populated during the simulation.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/