2024/9 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: VAUBAN Virtual Tabletop Monday April 8th 2pm-4pm CET / If it is not minuted then disregard / CIS18 is Esperanto for Security / We need to secure end-to-end / Get those Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: If a threat that can trigger legal liability is officially minuted, then you have become legally aware of it and can be held liable for penalties if an incident occurs.
  • Weekly [TLP:RED] for Essential Services Managers: If you can get a threat that can trigger legal  liabilities minuted, then you have transferred that liability.
  • Weekly [TLP:RED] for IT Leaders: Formal minuted meetings of budget presentations can limit your liabilities in the case of incidents.

Summary

Hi everyone and hope you are well – three cities joined on Friday morning and we explored a new type of TLP:RED – what is in your desk? There were some interesting answers and a few good laughs – Caffè Corretto has regional variations it seems 😊

One colleague is just recovering from an E-Government audit that focused on the implementation of various national policies and directives (down to ensuring any email communications were in Latin letters…). It went well though, and that reminded us that on the cyber side the CIS Controls are the “Esperanto” for meeting most requirements – https://www.cisecurity.org/controls is simply the best orientation regardless of where you are – and yes, you will be “red” across the board, but that will happen with any audit approach. And yes, no-one has the resources and funding to “go green” – but if you get the results and investment requests “minuted” in official sessions with the City Council, then you should at least avoid any personal liabilities for incidents.

Incident-wise the “normal” dominates – DDoS attacks are happening all the time, phishing is a continuous challenge, and good staff are difficult to recruit. One colleague is unfortunately losing a sys admin – the private sector made a good offer – and now has them consulting remotely until the staff position is filled. Hmmm…. a sys admin with elevated privileges logging in remotely… that brought us to the recent news story of the German Taurus discussion where a sensitive Webex was apparently hacked – actually the “hack” was on an unsecured / open Internet connection via a hotel wi-fi – the user's VPN didn't work so they switched to another approach… Remember that the end-to-end connection is what we need to secure – not just individual elements.

NIS2 continues to challenge everyone as well. Basically, we are seeing what we expected – cities are being required to nominate CISOs and all services are being declared as critical / essential, with the resulting remediation work simply impossible to address with existing funding and resources. That is driving the movement to cloud providers with the “prayer” that they will provide secure solutions. Well, they do partially as we know, but it remains shocking that securing these cloud solutions remains an “add-on” that can cost 3-4 times as much as the solution itself.

The EU Council of ISACs had their monthly meeting this week – about a dozen Chairs of ISACs across various sectors joined. Key topics were efforts by sectors to ensure cloud security providers are made accountable for robust security as a default part of their offerings, the PTP Event at InfoSecurity Europe (London) with the concept of industry villages and how we could collaborate, and the possibilities to provide MISP training to our communities. We are also working with ENISA to set up a face-to-face meeting in Athens later this year – ENISA seems to have some budget for third-party travel (but not their own).

Which reminds me – if you are in cyber you may always want to carry a pair of Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses – fans of the Hitchhiker's Guide to the Galaxy will remember they turn black when you are in a dangerous situation – sort of helpful maybe when that incident strikes!

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about why we often ignore danger (i.e. the cyber security threat). The AI suggested:

Ignoring danger can be a complex behaviour influenced by various psychological factors. One reason is the **cost-benefit analysis** individuals perform, consciously or unconsciously, when deciding whether to heed a warning. If the perceived cost of compliance is high, or if the danger seems distant or unlikely, people might choose to ignore the risk ¹.

Cognitive biases also play a role. We might downplay unwelcome information or be overly optimistic, leading us to underestimate the potential dangers ². Additionally, a sense of exceptionalism or futility can cause both individuals and governments to underplay threats ³.

Moreover, the overuse of warning signs can lead to desensitization, making people less likely to heed them, especially when the hazards seem minor or non-existent ⁴.

In essence, the decision to ignore danger often stems from a mix of perceived risk, personal goals, and psychological factors rather than a simple disregard for safety.

Source: Conversation with Bing, 09/03/2024

(1) The Psychology of Warnings. https://www.visualexpert.com/Resources/psychwarnings.html.

(2) Why Do We Ignore Obvious Dangers? | | Observer. https://observer.com/2016/05/why-do-we-ignore-obvious-dangers/.

(3) Why We Keep Ignoring Crisis Warnings | The Swaddle. https://theswaddle.com/why-we-keep-ignoring-crisis-warnings.

(4) Why Do We Ignore Warning Signs-Sometimes With Tragic Results?. https://safetyrisk.net/why-do-we-ignore-warning-signs-sometimes-with-tragic-results/.

In the News

City ISAC Services (Member Funded)

No update. The agreement with our hosting organisation Major Cities Europe has been finalised. Key themes are benchmarking NIS2/CIS Controls as the basis for robust risk management through Defence-In-Depth solutions and enabled through awareness building. As soon as final formal steps are completed, we can move forward with a formal offering to members.

Project “DAVID” (Member Funded)

No update. Waiting for the final MOU from our Big 5 partner and will publish details as soon as that is formally signed. Two work packages being planned:

  • Work Package 1: NIS 2 Directive Review and Outlook: Conduct an interview-based assessment of NIS2 directive implementation with selected members (6) of I4C+. The results of the interviews will be used to identify weak spots in the directive and to provide a strategic outlook including strategy recommendations for the expected NIS3 directive. Identified gaps shall be summarized in a point of view reflecting the current security posture with respect to NIS2 requirements and potential expectations towards the NIS3. However, it is important to note that the outcome should not be used as a gap analysis of the assessor’s current security posture.
  • Work Package 2: Defence in Depth: To strengthen I4C+ members’ cyber resilience, shape the understanding of joint cyber security as an integral approach among members. Based on the outcome of the work outlined above, deliver a best practice catalogue including suggestions for a respective toolbox. Furthermore, inputs can be utilized to enhance the overview for Defence in Depth to close respective gaps. Collected raw data will be given to the I4C+ for further analysis.

Project “VAUBAN” – 2024 “Battle for the Golden Ticket” Monday 8 April 2024 from 2 pm to 4 pm CET.

Everyone should have received the invitation via separate email by now. Please feel free to forward in your networks. Please reach out if you are interested in actively supporting the event. See also https://isac4cities.eu/join-the-battle-for-the-golden-ticket-webinar-about-managing-it-security-april-8-2-to-4-pm-cet.

Project “Regions4Cyber”

ECSO has launched its Cyber Resilient Regions Community: As a follow-up from the “Regions contributing to cybersecurity sovereignty” webinar ECSO hosted on the 26th of June 2023, ECSO has now opened a dedicated community for Regions that wish to cooperate at the European level to increase their cybersecurity resilience – The Cyber Resilient Regions Community (CRR). This community is a closed and safe space for local and regional authorities' (LRAs) CISOs or similar roles, Managing Directors and other cybersecurity/security or IT specialists to engage in cooperation, best practice exchange, networking, and capacity building to address their cybersecurity resilience. This community is run together with ECSO partners Regione Toscana, Major Cities of Europe (https://majorcities.eu/) and ISAC4Cities (https://isac4cities.eu/). For more information on the community and its governance please let me know.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
