2024/41 Weekly Update from the MCE SIG NEW: NO CALLS 27 Dec & 3 Jan / Weekly Quick Survey – I4C+ CIS 18 Unauthorised Assets / Survey Results HIRING4CYBER – We have a problem… / Benchlearning – good to know who is using what / 100% Outsourcing and allowing 100% vendor control?
** For Back Issues see https://isac4cities.eu/blog **
No calls on 27 December and 3 January – Christmas Break!
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 10): When you lose a service due to cyber issues – communicate only the service outage and any temporary measures to citizens. There is no need to explain reasons which are “under investigation”.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 10): We can design for project slippage to free up funds to make the most of the year-end rush.
- Weekly [TLP:RED] for IT Leaders (Repeat # 10): Front-load as much of your project costs as possible – the longer you wait to spend, the less likely the money will still be there when you need it.
| Summary |
Hi everyone, I hope you are doing well. Belgium, Croatia, and Italy joining this Friday morning and overall, it has been a busy week.
Main conversation topic was how the continued pressure to move to cloud solutions, especially in SAAS form, is increasingly disrupting our own security mechanisms (i.e., email throttling) as key security mechanisms are being picked up by the third parties. Third parties of course serving many customers on the cloud platforms and we are getting “vanilla flavour” solutions that, in comparison to what we have built over the decades, are less secure, less controllable and less customized. Unfortunately, we cannot prevent most of this happening and we guess need to live with the new conditions unfolding ever faster. There was an interesting point made on (Total) Cost (of Ownership) in that long term service contracts with these third parties can offer a lot of opportunities as well (i.e., easier resourcing for activities) so that maybe in the end the situation is not getting “worse”, but just “different”. I learned many years ago that no-one minds changing, it is BEING CHANGED that we object to…
Another theme was reflecting on how we go about solution purchasing and how we consult with peers on their experiences with such solutions. Very much a conversation between colleagues facilitated by the various networks and events we are involved in. We are then usually also guided by national marketplaces of course, however in the end it is an event triggered process (i.e., a subscription coming up from renewal that requires tendering). The big players always developing to close the loopholes we find (i.e., refurbed licenses from outside the EU) and there seems to be a general move to SAAS annual named user structures – boding ill for the future as licensing costs continue to rise exponentially. This got us to the context of one colleague whose regional administration has IT 100% outsourced and only has a small team of vendor managers – no more internal experts -> instead of whining about this direction of travel, let us think about the opportunities it might offer?
Quick summary of what else went on during the week:
WEEKLY SURVEY: We are beginning a weekly series of simple surveys based on the CIS 18 18 CIS Critical Security Controls (see https://www.cisecurity.org/controls/cis-controls-list) – these are always open until the following Friday and the results will be shared in a manner similar to the HIRING4CYBER results below. The aim is to understand where we jointly see priorities for acting and then perhaps to organise conversations for knowledge sharing. We´ll work through the questions in a simple step-by-step manner and start with the unauthorised assets questions. The first threat to assess is therefore “Unauthorised assets (i.e., mobile devices) access our networks and inject malware”. The survey is at https://ec.europa.eu/eusurvey/runner/1a7cf074-9d56-ac77-e807-35d849666ae2 and the password is “I4CAssets”. The survey closes early morning Friday 13 December. As a reminder CIS 18 (Version 8.1.) describes the following things we should be doing:
- Establish and Maintain Detailed Enterprise Asset Inventory: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
- Address Unauthorized Assets: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
HIRING4CYBER: We held the webinar “HIRING4CYBER in a European Public Administration” with ECSO and Region Toscana 3rd December 2024 – 10:00-11:30 CET. The webinar was part of the Cyber Resilient Regions Community (CRR) initiative run by ECSO with Tuscany Region, Major Cities of Europe and EU City ISAC I4C+. Through expert input and regional examples, this session boosted the understanding on how European Public Administrations can attract and retain the cyber security professionals who are essential for modern-day and future-orientated public authorities at all governance levels. There were 38 participants, and we had an engaging discussion exploring, among others the challenges / solutions around attracting and retaining talent. The simple survey to support the HIRING4CYBER workshop this week was looking at was “IF we do not recruit enough skilled cyber resources in our administration, THEN we will not be able to protect our citizens from cyber threats”. The survey is now closed. We had 23 responses to the survey question “IF we do not recruit enough skilled cyber resources in our administration, THEN we will not be able to protect our citizens from cyber threats.” Judging from the number of participants shown during the event (up to 38), we therefore have a participation rate of about 61% – which is good. 23 responses are typically “good enough” for a parametric estimate, but not good enough for statistical analysis (correlation / regression) – we would need at least 41 responses for that. Using “averages” is fine in a case like this, therefore. The average probability was slightly higher than 50/50, therefore we feel it may happen but are not that sure. The average impact was “Between Problem and Disaster”, so definitely significant. The average confidence of everyone was 7/10 therefore we feel quite good about this being correct. The uncertainty of our “guess” for 23 participants with an average confidence score of 70% (based on separate research is +/-10%) which means we have a robust estimate. In the end, the respondents are quite sure that this might happen and have a significant impact on the security of our citizens. A score like this means we should act now to address the risk threat. This confirms that the topic of the web conference was important, and we should now, as a community, work to identify relevant and effective treatments. On a local / regional level this is a strong endorsement that we must act. The image below shows the results summary:
BENCHLEARNING: The Webinar on Benchlearning on 5 December 2024 2pm – 3 pm CET was focused on “Learn how ISAC Baseline can help your city enhance its cybersecurity and collaborate in a community of peers across Europe”. See how compliance work with NIS2 requirements is effectively supported by Benchmarking and a Solution Library with shared security practices using the Benchlearning principle. Very interesting presentation of current activities in two EU member states and a good discussion on how to extract value from seeing detailed peer cyber security information both in our own countries and in others. There is also a special offer open now if you are interested – very good commercials. Excellent comment from a US colleague that in the end this is getting close to the US offering https://marketplace.city/ where you can access real-time market intelligence, detailed vendor comparisons, and a rich repository of vendor contracts, references, pricing and much more. In the end though, while such information is very helpful, talking to peers who are in the depths of purchasing, implementing and maintaining such solutions is perhaps the most valuable information – the “real story” is something you only access in such conversations. THIS is what our own community is about – building that space where these personal and private exchanges of sensitive knowledge can happen.
Cheers,
Oliver
Insights from AI
To support our weekly survey, I asked CoPilot “why is it important to know what devices are accessing our networks?” The AI responded:
“Knowing what devices are accessing your network is crucial for several reasons:
Security: Unauthorized or unknown devices can be potential entry points for cyber attacks. By identifying every device, you can ensure that only trusted devices have access, reducing the risk of breaches.
Visibility and Monitoring: Understanding what devices are connected allows for better monitoring of network activity. This helps in quickly detecting any suspicious behavior or anomalies.
Network Performance: Knowing the devices on your network helps in managing bandwidth and performance. It allows you to identify devices that may be consuming too much bandwidth or causing network slowdowns.
Compliance: Many regulations require organizations to keep track of devices accessing their networks to ensure data privacy and security. Staying compliant can help avoid legal issues and penalties.
Asset Management: Effective asset management involves knowing what devices are in use, which can help in maintaining and updating them appropriately.
Policy Enforcement: By identifying all devices, you can enforce security policies more effectively, ensuring that each device meets the necessary security standards before it is granted access.
Incident Response: In the event of a security incident, knowing what devices are on the network can speed up the investigation and response process, helping to contain and mitigate the impact.
Keeping an inventory of all devices accessing your network is a fundamental practice for maintaining strong cybersecurity and efficient network management.”
| In the News |
- No specific updates this week
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
| Project Cyber Securing Public Administrations “CySec4PA” – DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02 |
No updates – still paused as we explore various options for a new lead proposer.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/