2024/35 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Signing up with biggest ransomware providers? / Even security providers are only human #sigh / Managing physical access controls to IT rooms is critical / Upcoming webinar: Collaborate, Share and develop your security with ISAC Baseline on Tuesday 5 November 2 pm – 3 pm CET / Join our national / regional cyber assessment project! / Project “PHALANX” – 2024 Multi-ISAC Tabletop at ENISA completed
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 4): Usually you are not permitted to pay a ransom. Others (like insurance companies) may however be able to do this unofficially for you. Ransoms are paid more often than you might imagine.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 4): You can control the interval of password changes for staff to be shorter than any central policies – stay safe by implementing a departmental policy for changing them every three months.
- Weekly [TLP:RED] for IT Leaders (Repeat # 4): Often we cannot prevent users from installing insecure software from the Internet. We can however ignore fixing technical issues preventing them from working…
| Summary |
Hi everyone, I hope you are doing well. Five cities / regions joined from Belgium, Bulgaria, Estonia, Ireland, and Italy on Friday morning, plus one colleague from our bench-learning partner I-Trust sharing some of the 2024 Cyber Resilience study results in Denmark – 80 of 93 public administrations responding with over 2000 comments about policy and products etc. – stay tuned for a special offer for our ISAC members!
Lots of great stories were shared this week and I will try to share the key details – lots more juicy insights were shared during the meeting of course 😊
One member shared how they are moving many services to the cloud services of the biggest ransomware actor on the market (company name starts with “M”…) … lol… no way back of course and hey, lots of good capability becomes available of course. Remember also that every Euro spent on the solution will need 2-3 more to secure it.
Next story up was about how another colleague was using the above-mentioned provider for file storage / sharing, with unfortunately lots of data being inappropriately shared outside of the organisation – DLP becomes an essential additional activity. A common situation: if you introduce new core capabilities, you will also need to add multiple new security controls to ensure appropriate use of them.
Ah yes, we also shared the picture of an IT Server Room I recently saw at a respected cyber organisation – open door with normal door keys in the locks #sigh… leadership by example? Not sure how they do key management – which is an art in and of itself. How do you manage your physical keys?
Good story then about a colleague being asked to move a network rack out of a meeting room because a high official was going to visit and the rack was too loud… of course it would have been easier to move to another meeting room, but who said logic was a daily strength in our organisations? Rack was moved (and cleaned up in the process of course). Cyber relevance? Well, not sure, but maybe racks should not be in public rooms?
Next up a recent issue at a member where the security monitoring software identified some potentially malicious user behaviour (PowerShell routine to change multiple passwords) – good – but then ended up sending an info email with a relevant admin password in plaintext – #sigh… The provider apologized – manual error apparently, but hey, we need to hold ALL of our providers to account in any case. I still like the solution a colleague shared recently – in-house solution that triggers a password reset every time an external party logs in, maybe something to think about internally as well?
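Two lessons sit in that story: the detection (a burst of password resets driven from PowerShell) was right, and the alert hygiene (a secret copied into an e-mail) was wrong. The Python below is an added illustration of both and is not the member's monitoring product, the provider's code, or the colleague's in-house tool. It runs over a constructed sample of Windows Security event 4688 (process creation) records reduced to timestamp, subject account and command line; the field layout, the threshold and the alert wording are assumptions made for the example. Command lines only appear in 4688 when "Include command line in process creation events" is enabled via Group Policy.

```python
"""Detect a burst of Set-ADAccountPassword calls per subject and build an
alert text with the new password values stripped before anything is mailed.

Added example for this newsletter; field names, threshold and wording are
assumptions, and the events below are constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4688 events: (timestamp, subject account, command line).
SAMPLE_EVENTS = [
    ("2024-10-18T08:01:05", "CORP\\svc-vendor",
     'powershell.exe -Command "Set-ADAccountPassword -Identity admin1 '
     "-NewPassword (ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force)\""),
    ("2024-10-18T08:01:09", "CORP\\svc-vendor",
     'powershell.exe -Command "Set-ADAccountPassword -Identity admin2 '
     "-NewPassword (ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force)\""),
    ("2024-10-18T08:01:14", "CORP\\svc-vendor",
     'powershell.exe -Command "Set-ADAccountPassword -Identity backup-op '
     "-NewPassword (ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force)\""),
    ("2024-10-18T09:30:00", "CORP\\helpdesk1",
     'powershell.exe -Command "Set-ADAccountPassword -Identity jdoe -Reset '
     "-NewPassword (ConvertTo-SecureString 'Tmp-1234' -AsPlainText -Force)\""),
    ("2024-10-18T09:31:00", "CORP\\helpdesk1",
     'powershell.exe -Command "Get-ADUser jdoe"'),
]

# The cmdlet we care about, capturing the target account.
RESET_CMDLET = re.compile(r"Set-ADAccountPassword\s+-Identity\s+(\S+)", re.IGNORECASE)

# Places where the new password appears on the command line. Group 1 keeps the
# parameter visible for the analyst; the value itself is replaced.
SECRET_PATTERNS = [
    # ConvertTo-SecureString 'value' / "value"
    re.compile(r"(ConvertTo-SecureString\s+)(['\"]).*?\2", re.IGNORECASE),
    # -NewPassword value  (bare value, not a parenthesised expression)
    re.compile(r"(-NewPassword\s+)(?!\()\S+", re.IGNORECASE),
]


def redact(cmdline: str) -> str:
    """Return the command line with password values replaced by <REDACTED>."""
    out = cmdline
    for pat in SECRET_PATTERNS:
        out = pat.sub(lambda m: m.group(1) + "<REDACTED>", out)
    return out


def build_alert(subject: str, first_seen: datetime, resets: list) -> str:
    """Render one alert; every command line passes through redact() first."""
    lines = [f"Mass password reset by {subject} starting {first_seen.isoformat()}:"]
    for ts, target, cmdline in resets:
        lines.append(f"  {ts.time()} target={target} cmd={redact(cmdline)}")
    return "\n".join(lines)


def detect_reset_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one subject resets >= threshold distinct accounts within window.

    Returns a list of alert strings, one per offending subject."""
    per_subject = defaultdict(list)  # subject -> [(ts, target, cmdline)]
    for ts, subject, cmdline in events:
        m = RESET_CMDLET.search(cmdline)
        if m:
            per_subject[subject].append((datetime.fromisoformat(ts), m.group(1), cmdline))

    alerts = []
    for subject, resets in per_subject.items():
        resets.sort(key=lambda r: r[0])
        for i, (start, _, _) in enumerate(resets):
            in_window = [r for r in resets[i:] if r[0] - start <= window]
            if len({r[1] for r in in_window}) >= threshold:
                alerts.append(build_alert(subject, start, in_window))
                break  # one alert per subject is enough for the analyst
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the sample, `svc-vendor` trips the rule (three distinct targets in nine seconds) while the single helpdesk reset does not, and the alert text contains the cmdlet and the target accounts but not `Winter2024!`. The point of keeping `redact()` as a separate function is that it can be applied to every outbound notification path, not just this rule, so a manual error in one template cannot leak a credential again.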
Cheers,
Oliver
Insights from AI
Controlling the many physical access tools (i.e., keys) to sensitive server rooms is critical of course. I was curious about the opinion of Microsoft Copilot about how best to do this. The AI responded as per below:
“Managing physical keys to IT server rooms is crucial for maintaining security and preventing unauthorized access. Here are some best practices:
Use Key Control Systems: Implement electronic key control systems that automatically create an audit trail [1]. This helps track key usage and ensures accountability [1].
Decentralize Administration: Avoid having a single person in charge of all keys [2]. Instead, distribute key management responsibilities among multiple trusted individuals [2].
Reduce Key Ownership: Minimize the number of people who have access to keys [2]. Only essential personnel should have access to the server room keys [2].
Increase Monitored Access: Use keycard systems or biometric access controls to monitor and restrict access [3]. These systems can log entry and exit times, providing an audit trail [3].
Adopt RFID Technology: RFID tags can enhance security by allowing for real-time tracking of keys and providing instant alerts if keys are taken to unauthorized areas [2].
Set Key Curfews: Establish specific times when keys can be used [2]. This helps prevent unauthorized access during off-hours [2].
Environmental Monitoring: Use sensors to monitor environmental conditions in the server room, such as temperature and humidity, to ensure the safety of the equipment [3].
By following these practices, you can significantly enhance the security of your IT server room. Do you have any specific concerns or additional questions about key management?
[1] blog.keytrak.com
[2] www.deister.com
[3] dzone.com”
| In the News |
- Join our upcoming webinar on Benchlearning: Learn how ISAC Baseline can help your city enhance its cybersecurity and collaborate in a community of peers across Europe. Register for our webinar on November 5th and see how compliance work with NIS2 requirements is effectively supported by Benchmarking and a Solution Library with shared security practices using the Benchlearning principle. Registration is here: https://events.teams.microsoft.com/event/a826eed1-27ff-4804-ad3f-d1bfe0803de5@ab59e806-3337-45df-8257-2bc61793098b
- Good online recording from law firm Venable on NIS2 from Center for Cybersecurity Policy and Law https://www.youtube.com/watch?v=vDANTxTBAEs
- Municipality of Sorso in Italy hit by ransomware attack https://www.unionesarda.it/news-sardegna/sassari-provincia/attacco-hacker-al-comune-di-sorso-sistema-informatico-in-tilt-chiesto-un-riscatto-per-il-ripristino-n4zd4imy
- Cyber threats escalating beyond ability to defend, new NCSC head warns https://www.infosecurity-magazine.com/news/cyber-threats-defend-ncsc-head/?utm_campaign=DAM&utm_medium=email&_hsenc=p2ANqtz-8X3FDzY4sPsVaKe9XXVoLceTaQi-eguqCtrW-lcyk6pqrTgzf0gdkObQP31elqmHtRGfLlna7PPj0fraN1_1_211abufRIukdY-FTPjeIAeRaCvVk&_hsmi=329426418&utm_content=329426418&utm_source=hs_email
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
The ISAC Baseline now has its first fully participating administration. The ISAC Baseline offers the following questionnaires for the organization’s status assessment and benchmark against other participants:
- EU cyber awareness survey (ISAC specific awareness survey for relevant roles)
- CIS18 cyber essentials (IG1)
- NIS2 questionnaire
- CIS18 full questionnaire (IG3)
- When accessible, the ISAC Baseline will include ENISA’s Minimum Requirements for operators of essential services
All questions are mapped to relevant requirements and best practice standards, meaning comparable requirements across standards are mapped to the same questions, making it easy for compliance officers and cybersecurity managers to evaluate compliance: “One assessment, comply with many”.
All questions are also mapped to the NIST CSF security functions, so that security performance can be analysed and the maturity of organizations evaluated using the NIST CSF tiers.
The Benchmark is available to all participants and selected peers; change processes are supported by Benchlearning, which allows participants to share experience on best practice solutions and processes.
We are currently working on proposals for regional / national implementation and we will work with Local Government Administration Associations to jointly identify funding opportunities – stay tuned and please contact me if you would like to pilot.
| Project “PHALANX” – 2024 Multi-ISAC Tabletop |
We have just concluded the 2024 EU ISACs Summit, hosted by European Union Agency for Cybersecurity (ENISA) in Athens. The event brought together representatives from 16 ISACs across Europe to exchange insights on their latest activities, key milestones, and the challenges ahead. Together, we engaged in meaningful discussions on enhancing cybersecurity collaboration and improving the sharing of threat intelligence to strengthen Europe’s cybersecurity ecosystem. See https://www.linkedin.com/posts/adamczykmonika_enisa-isacs-euisacssummit2024-activity-7252989569300594690-C9Uu?utm_source=share&utm_medium=member_desktop
We held our multi-ISAC tabletop, although unfortunately only 1 hour or so was available due to other overruns. The tabletop was well received, and I will be discussing with ENISA how we can perhaps elevate that to a joint product since they are working on an online tabletop format / solution at the moment (Responsible: Fanouris Fanourakis). ENISA can then help market the solution through the European Committee of the Regions (https://cor.europa.eu/en), which reaches about 100k public administrations. I will be making a suggestion to them for funding a few of these as pilots in the next year. Note that we might run this tabletop at the next MCE Annual conference as well. Many good discussions on how ISACs can help each other, but it was also clear that we need to practice this to understand the specific best ways of doing this.
We also spent some extra time with a policy officer there and they offered to help understand how we can shape a successful proposal for existing calls and / or help the ECCC define new calls that are focused on the needs of public administrations. This is all critical information to understand how we can successfully apply for ECCC funding programs.
Overall, we had the opportunity to personally get to know and spend time with key officials at ENISA who are responsible for a variety of activities related to public administrations. They are open to more intensive collaboration and are extremely interested in our ISAC as the only representative of public administrations at this time.
Below an image of the Multi-ISAC / ENISA team participating.

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/