2024/21 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Perimeter security is either completely secured (Green) or not (Red) / Micro-segmentation reduces the “blast radius” when breached / Third-party providers are not secure by default / Be a “demonic” customer / Technical debt is the key cause of incidents / Running the “if it breaks, then you fix it” model ? / MISP Training Offer


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week’s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials: Creating a shared cyber resource base with sister cities is easier than with others.
  • Weekly [TLP:RED] for Essential Services Managers: Ensure you have (and test) a “pen and paper” business continuity plan for your services.
  • Weekly [TLP:RED] for IT Leaders: Perimeter security is either completely secured (Green) or not (Red).

Summary

Hi everyone and hope you are well – four cities joining from Belgium, Bulgaria, Estonia and Italy on Friday morning and a guest speaker from I-Trust joined us to share current experiences of benchmarking “breach data” (incidents) among several national local administrations.

The key discussion theme was then what constitutes a breach / incident – there are varying perceptions of this (see also https://csrc.nist.gov/glossary), and there are also lots of different views on how to classify the severity of a breach. Severity is of course important to understand (i.e., disruption and disablement of an IT service in relation to the criticality of the business process it involves).

We then shared some basic principles / priorities of breach protection, recognizing that the top priorities need to be FULLY securing our Internet facing services and then containing the damage when these are breached (reducing the “blast radius” through micro segmentation for example). The most important thing to perhaps realise is that there is no “red/yellow/green” when it comes to the security of our perimeter – any weakly protected services lead to a RED for the perimeter. Think of your city wall – in case of a siege any open gate threatens the whole city.

We continued to rant about the miserable quality of most third-party cyber providers and that we continuously experience that assurances given are simply not delivered on. Granular quality assurance might help; however, getting third parties to deliver what they promise is usually a nightmare as well – face it, simply moving to another supplier gets us into exactly the same situation again. Maybe the best thing, as a former manager of mine once suggested, is simply to become a really “demonic” vendor manager? Definitely something we can help with as an ISAC service if you like – let us know!

Wrapping up our rants we reminded ourselves that cyber threats in our organisations are typically caused by technical debt which consists of infrastructure debt, application debt, tooling debt, data debt, process debt, knowledge debt, security debt, coding debt, and skillset debt. Tech debt is managed by recognising, recording, reporting and resolving. As ever a structured transparent plan with appropriate mapping of breaches/incidents is basic security hygiene.

The image below is Co-Pilot’s attempt to picture cyber threat actors as an organised crime context where the focus is on regular extortion so that we are left alone… Sort of making us an offer we can’t refuse…

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat on the “if it breaks, then you fix it” operating model that most of us are faced with for many reasons. The AI responded as per below:

“The “if it breaks, then you fix it” model, also known as the **break/fix model**, is a reactive approach to IT service management. Here’s a breakdown of what it entails:

– **Definition**: It’s defined as hiring IT service providers to perform one-time services and paying them only for the work done plus the cost of parts¹.

– **Operation**: Under this model, a business calls an IT service provider whenever there is downtime due to a system breakdown, network disruption, or hardware failure¹.

– **Service**: The technician then comes to the client’s location to fix issues and bills the customer an hourly rate plus the cost of parts¹.

– **Support**: There is no continuous support or maintenance work involved in this model. IT support teams are called out for services on an “as-needed” basis¹.

This model can be compared to calling a plumber only when a leak occurs, rather than having regular maintenance checks. While it may seem cost-effective initially, it can lead to unpredictable costs and does not allow for proactive maintenance, potentially leading to frequent disruptions and long-term inefficiencies².

Source: Conversation with Copilot, 28/06/2024

(1) What Is the Break/Fix Model? Definition, Pros & Cons | Kaseya. https://www.kaseya.com/blog/what-is-break-fix/.

(2) Major Differences Between Managed IT Services vs. Break-Fix Models …. https://netsurit.com/en-us/managed-service-vs-break-fix/.

(3) Break/Fix vs. Managed Services: All You Need to Know. https://www.kaseya.com/blog/break-fix-vs-managed-services/.

(4) Break/fix IT: What is it, and what are its flaws? | predictiveIT. https://www.predictiveit.com/2023/12/break-fix-it-what-is-it-and-what-are-its-flaws/.

(5) Why the Break Fix Model for IT Services Is Dying | Impact. https://www.impactmybiz.com/blog/why-the-break-fix-model-for-it-services-is-dying/.”    

In the News
City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.

Additionally we are pleased to offer MISP Training in London which is open to ALL ISACs members – GSMA Conference: We are delighted to invite you to Day 2 of our first in-person T-ISAC Summit, held at GSMA HQ in London on 10th September 2024. Please register your interest via the link below.

Day 2 of the summit will be dedicated to developing engagement and highlighting the importance of threat intelligence sharing across industry verticals using MISP. We will be joined by the CIRCL team, who have specifically created sessions that will be of interest to members connected to Security Operation Centre, Cyber threat intelligence and Cyber Emergency Response Teams or equivalent.

As an in-person event, the GSMA T-ISAC summit will provide enhanced networking opportunities between industry experts; participants will also benefit from a variety of interactive sessions featuring real-time Q&A. We will explore use-cases where we can show cross sectorial threats, the successes, and pitfalls of sharing across verticals to develop better strategies, taxonomies and other frameworks and the advantages of using them. In addition, we will cover initiatives such as Mail2MISP and other integration ideas. We plan to round off the day with a Capture the Flag exercise, with prizes up for grabs.

If you would like to attend Day 2 of the T-ISAC summit, please fill out the short form on our website to register your interest.

Project “VAUBAN” – 2024 Multi-ISAC Tabletop

You might remember that our City ISAC is a founding member of the EU Council of ISACs where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, may have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. The preliminary discussions have gone well, and we now have a 120-minute time slot in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help.

After a few discussions we are going to explore an initial scenario where the task of the Red Team is to gain access to the disaster recovery solution for critical services operated by a local administration and to then inject a malware loader into that.

We were delayed in convening the RED TEAM planning activity and will launch that shortly – if you are interested in joining please let me know.

 

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
