2024/4 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Reduce Vendor Profitmaking by “Obfuscation” / Remember “Transition Costs” / Fear the Shadow Admin Accounts / Who needs “HTTPS” ? / Virtual 2024 VAUBAN Tabletop Exercise on Tuesday 19 March 2024 from 2 pm to 4 pm CET.


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Make sure the line items of all purchases are checked to avoid importing IT solutions not approved by IT (i.e., web-based services).
  • Weekly [TLP:RED] for Essential Services Managers: Walk the floor to make sure everyone logs out of PCs/laptops when leaving their desk. There is no digital security without physical security.
  • Weekly [TLP:RED] for IT Leaders: Before purchasing licenses from a vendor, check whether there are cheaper in-country major customers of theirs that you can leverage instead.

Summary

Hi everyone and hope you are well – three cities joining again this week, and you missed a fascinating discussion on “inside tricks” to significantly reduce license costs. The key theme was that vendors must offer the same purchasing conditions across the EU, but do not talk about this, since their offers vary significantly across EU countries. Profitmaking by “obfuscation”… Interesting as well was that actual license costs for various solutions were shared, which led to quite some astonishment at the differences. Vendors are consistently pushing to move from perpetual to current licensing models and of course only highlighting cloud solutions, where any scaling costs a lot of money (in-house this is of course different, because we can work with 6 to 8 year renewal cycles, while cloud services usually work with 3 year renewal cycles that are fully invoiced in advance). One member is even facing a license cost increase of 50% of their overall 2024 IT budget (the major result is that existing assets now need to be “sweated” more). Yes, the biggest ransomware actors are the major software companies – but there are ways to beat them, as we hear from the colleagues.

The cost nightmare then got us to discussions on the nightmare involved in transitioning from one asset provider to another (e.g., for switches). The new solution may be cheaper once it is implemented and if it is the only solution on the estate, but the normal situation is that you will end up with an estate of mixed IT assets that really do not enjoy communicating with each other. This “grey zone” between current and future state is extremely challenging in terms of resources and finance, and we need to plan for it. Actually, since we usually do not plan for it, any “replacement” of solutions will never actually retire the old solution completely from the estate; the legacy kit / tech debt will just keep growing and costing resources / funding – sort of what the bottom of a pot looks like when you cook the contents for too long…

One member then shared the joys of returning to being a software developer for a new in-house unified billing solution for the local administration (two developers just resigned and he had to step in as emergency assistance…). Building a new system for over 130k bills monthly for many different services with differing data collection approaches (e.g., gas, water, etc.) is no small task!

As we reflected on the insane mess of solutions that develops over the decades, one member then shared current work on how they are investigating the threats of “shadow admins” (see intelligence providers like https://www.pingcastle.com/ and https://www.pingcastle.com/documentation/map/). The network visualisation of IT trust relationships quickly uncovers that colleagues with admin rights in one application (e.g., PowerBI) could easily use those privileges to escalate into connected privileges in areas such as MS Exchange and AD. The initial entry point is usually not really secured, which makes these colleagues “shadow admins”: someone with access to their accounts could easily escalate their own privileges throughout the IT estate. For more information see https://www.cyberark.com/resources/threat-research-blog/shadow-admins-the-stealthy-accounts-that-you-should-fear-the-most.
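As an added illustration (not part of the original update, nor PingCastle's or CyberArk's code), the small Python walk below shows the idea behind such a trust-relationship map: a user who is not a direct member of a known admin group, but still has a chain of rights ending at a Tier-0 object, is a shadow admin. All node names, rights and edges are constructed for the example.

```python
from collections import deque

# Constructed sample of directory trust relationships (hypothetical, not real data).
# Each edge reads: `source` can take control of `target` through `right`.
EDGES = [
    ("alice", "PowerBI-Admins", "MemberOf"),
    ("PowerBI-Admins", "svc-reporting", "GenericAll"),    # may reset the service account
    ("svc-reporting", "Exchange-Servers", "MemberOf"),
    ("Exchange-Servers", "DOMAIN", "WriteDACL"),          # may rewrite the domain ACL
    ("bob", "Helpdesk", "MemberOf"),
    ("carol", "Domain-Admins", "MemberOf"),
    ("Domain-Admins", "DOMAIN", "Owns"),
]
USERS = {"alice", "bob", "carol"}                         # user accounts in the sample
KNOWN_ADMIN_GROUPS = {"Domain-Admins", "Enterprise-Admins"}
TIER0 = {"DOMAIN"} | KNOWN_ADMIN_GROUPS                   # control of these = "Golden Ticket"

def build_graph(edges):
    """Adjacency list: source -> [(target, right), ...]."""
    graph = {}
    for src, dst, right in edges:
        graph.setdefault(src, []).append((dst, right))
    return graph

def shortest_path(graph, start, targets):
    """Breadth-first search; return the edge chain from `start` to the first Tier-0 object, or None."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in targets:
            return path
        for nxt, right in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, right, nxt)]))
    return None

def find_shadow_admins(edges, users, tier0=TIER0, admin_groups=KNOWN_ADMIN_GROUPS):
    """Users who are not direct members of a known admin group yet can reach Tier 0; value is the path."""
    graph = build_graph(edges)
    shadow = {}
    for user in sorted(users):
        direct = any(right == "MemberOf" and dst in admin_groups for dst, right in graph.get(user, []))
        path = shortest_path(graph, user, tier0)
        if path and not direct:
            shadow[user] = path
    return shadow

if __name__ == "__main__":
    for user, path in find_shadow_admins(EDGES, USERS).items():
        print(user, "->", " -> ".join(f"[{right}] {dst}" for _, right, dst in path))
```

In the sample, carol is a known admin and bob has no path, so only alice is reported, together with the four-hop chain from PowerBI administration to the domain object that a review of the flagged edges (the GenericAll and WriteDACL grants) would remove.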

The other special topic we got into was one member’s recent experience with a potential new service provider only using “http” connectivity and then replying that the cloud was secure by default so that they did not need to do “https”… words failed us and the story just highlighted that vendors often really have no clue whatsoever when it comes to cloud security #sigh.

Cheers

Oliver

In the News

Please note the release of Socitm’s public sector digital trends 2024 collection, summary briefing and supporting infographic launched on Monday 22 January 2024.

Set in a perfect storm of rapidly advancing new technologies, increasing public expectations and the extreme pressures the sector faces from a financial crisis and digital skills shortages, the report examines a fundamental shift needed for local government and the wider sector.

As you’d expect in a Socitm report, it goes beyond the focus on technology to evidence how services must primarily become digital in everything they do if positive outcomes for people, communities and their environments are to be realised.

Here are links to the collection:

Website collection: https://socitm.net/resource-hub/collections/public-sector-digital-trends-2024/

Infographic: https://socitm.net/resource-hub/socitm-research/public-sector-digital-and-technology-trends-2024-infographic/

Exec summary: https://socitm.net/resource-hub/socitm-research/public-sector-digital-trends-2024-summary/

Full report (pdf): https://media.socitm.net/wp-content/uploads/2024/01/22134459/Socitm-Report-Public-sector-digital-trends-2024-Full.pdf

City ISAC Services (Member Funded)

The agreement with our hosting organisation Major Cities Europe is now being finalised. Key themes remain benchmarking NIS2/CIS Controls as the basis for robust risk management through Defence-In-Depth solutions and enabled through awareness building.

Project “DAVID” (Member Funded)

Continuing to plan a virtual open space event to roughly outline the possible cooperation requirements for municipalities in the event of a security incident. In a subsequent step, the catalogue of requirements would have to be developed and the requirements for such services would have to be defined through administrative assistance or inter-municipal cooperation processes. The virtual event would then be followed up by an in-person workshop, so that ideally by the end of 2024 not only the requirements have been defined and the implementation clarified, but also a “light” exercise has taken place to test the concept. This effort will be led by a local administration with the support of a third-party public-private-partnership IT service/infrastructure provider.

Project “VAUBAN”

Pleased to announce that the EU City ISAC I4C+ and Major Cities Europe present the 2024 VAUBAN interactive cyber simulation “The Battle for the Golden Ticket”. Draft text below, and do pencil this into your diary.

“The EU City ISAC I4C+, hosted by Major Cities Europe, will be holding the virtual version of its 2024 VAUBAN Tabletop Exercise on Tuesday 19 March 2024 from 2 pm to 4 pm CET.

The “Golden Ticket” gives administrator level access to all key IT systems of an organisation (including infrastructure). A person with the “Golden Ticket” can “turn off” any IT asset, and / or prevent anyone from accessing them. A threat actor with a “Golden Ticket” is a nightmare to any organisation.

Guided by two local administrations and supported by cyber experts and white hackers, we will jointly and interactively go through the story of the frantic fight of the Blue Team of a regional administration to prevent the confirmed initial breach of a professional Red Team from reaching the “Golden Ticket” (elevated privileges on all core systems) and the harrowing experience of local administrations faced by the potential shutdown of core financial services. At the end, participants will also explore how peer collaboration might have made this scenario less threatening, how principles of asymmetric warfare can help us identify pragmatic preventative actions, and why advances in Artificial Intelligence are making “Goliath” even more powerful…

Registration is open to any individuals interested in cyber security for local administrations. The event should be of particular interest to elected public officials, managers of essential services for regional and local administrations, as well as IT (Security) leaders.

Key learning points will include understanding how easy such a breach can happen, how damaging such a breach can be, and how we can prepare for when this happens – because it is not “whether” this will happen, but “when”, and those least prepared are usually the first to be impacted.”

Project “Regions4Cyber”

No updates. Remember we are exploring the possible cooperation requirements for municipalities in the event of a security incident; in a subsequent step, the most suitable approach for requesting these will be defined through administrative assistance or inter-municipal cooperation processes. This is currently focused on Germany and in German, however preparations are also being made for “twinning” the effort into other EU nations / regions.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
