2024/24 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: User Comms should be at Grade Level 10 / Cyber incidents can trigger a state of emergency – prepared? / Ready for the Thunder Run attack? / Comparing CIS18 scores with peers should be in a conversation / Prohibit the use of credit cards for purchasing IT services


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week’s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials: Ensure that repeat phishing exercise failures can be reprimanded in a disciplinary process.
  • Weekly [TLP:RED] for Essential Services Managers: Prohibit the use of credit cards for purchasing IT services.
  • Weekly [TLP:RED] for IT Leaders: Write user communications at Flesch-Kincaid Grade Level 10 or below (see https://goodcalculators.com/flesch-kincaid-calculator/) to improve user understanding.
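The Grade Level 10 target above can be checked before a notice goes out. The script below is an added example, not code from the page or from the City ISAC; it implements the published Flesch-Kincaid Grade Level formula (0.39 × words per sentence + 11.8 × syllables per word − 15.59) with a simple vowel-group syllable heuristic, which is an assumption on my part and will differ slightly from the online calculator linked above. The two sample notices are constructed for the example.

```python
import re

# Target from the weekly advice: user communications at Grade Level 10 or below.
MAX_GRADE_LEVEL = 10.0

# Constructed sample notices (not taken from the page): one plain, one jargon-heavy.
PLAIN = "Do not share your password. Report odd mail to the help desk."
JARGON = ("Pursuant to organisational information security requirements, "
          "authentication credentials must be rotated periodically.")


def count_syllables(word: str) -> int:
    """Approximate English syllables by counting vowel groups.

    Heuristic (an assumption, not the exact method of any online calculator):
    a trailing silent 'e' is dropped unless the word ends in 'le', and every
    word counts as at least one syllable.
    """
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    if w.endswith("e") and not w.endswith("le"):
        w = w[:-1]
    return max(1, len(re.findall(r"[aeiouy]+", w)))


def text_stats(text: str) -> dict:
    """Count sentences, words and syllables in a block of text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    return {
        "sentences": max(1, len(sentences)),
        "words": len(words),
        "syllables": syllables,
    }


def fk_grade_level(text: str) -> float:
    """Flesch-Kincaid Grade Level:
    0.39 * (words / sentences) + 11.8 * (syllables / words) - 15.59
    """
    s = text_stats(text)
    if s["words"] == 0:
        return 0.0
    return (0.39 * s["words"] / s["sentences"]
            + 11.8 * s["syllables"] / s["words"]
            - 15.59)


def check_user_comms(text: str, max_grade: float = MAX_GRADE_LEVEL) -> dict:
    """Return the grade level and whether the notice meets the target."""
    grade = fk_grade_level(text)
    return {"grade_level": round(grade, 1), "ok": grade <= max_grade}


if __name__ == "__main__":
    for label, notice in (("plain", PLAIN), ("jargon", JARGON)):
        result = check_user_comms(notice)
        print(f"{label}: grade {result['grade_level']} -> "
              f"{'OK' if result['ok'] else 'rewrite'}")
```

Run it on the draft of any all-staff notice; a result above 10 is the signal to shorten sentences and swap long words for short ones, which is exactly the difference between the two sample notices.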
Summary

Hi everyone, I hope you are doing well. Since it is vacation time, only two cities, Estonia and Italy, joined us on Friday morning (we received apologies from Ireland).

First, we looked at how a colleague uses a PID (Probability Impact Diagram) to show their cyber risks’ current and future positions. For example, a risk might be High/High in 2024, then High/Medium in 2025, and Medium/Medium in 2026. This is a neat visualization, paired with a phased plan focusing on compliance (like CIS18), then reducing probability (through controls), and finally reducing impact (through segmentation). While this is straightforward for security professionals, it is explained simply for senior non-security leaders (keeping it at a maximum of a 10th-grade level).

One colleague is preparing to conduct internal phishing exercises with local support. We discussed another colleague’s experience, who is preparing the 21st iteration of such exercises. These exercises are essential security activities and help identify repeat offenders, so they can be spoken to individually.

The phishing exercise discussion led us to talk about business units buying third-party email list distribution services (like Mailchimp) to manage large groups of users. These services are flawed from a security perspective because they can trigger domain blacklisting due to spam suspicion and are often hacked. This happens because relevant internal IT services are not offered. The internal lack is often due to the unwillingness to buy professional on-prem solutions, which are not cheap. However, businesses will buy third-party services and compromise security. The easier internal IT makes it for businesses to do their work, the less we will see such situations. The AI image below shows a monkey operating an IT solution 😊

We finished by talking about the joy of problem-solving, especially when incidents add adrenaline. Modern IT/security departments have become more like managers of third-party solution suppliers than actual operators of solutions. The “old guard” struggles with this, especially because third parties are often less professional than desired (unless we pay for professionals).

Wishing everyone a safe summer!

Cheers, 

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat on when a city declares a state of emergency. The AI responded as below:

“A city can declare a state of emergency in various situations where the safety and protection of its citizens are at risk. This can happen before, during, or after events such as:

– **Natural disasters** (e.g., hurricanes, earthquakes, floods)

– **Civil unrest** (e.g., riots, protests)

– **Armed conflicts**

– **Medical pandemics or epidemics**

– **Other biosecurity risks**²

The declaration allows the government to implement policies and measures that would normally not be permitted, to manage the situation effectively². The specific criteria and process for declaring a state of emergency can vary depending on local laws and regulations⁴.

Source: Conversation with Copilot, 29/07/2024

(1) State of emergency – Wikipedia. https://en.wikipedia.org/wiki/State_of_emergency.

(2) Declaring a Local State of Emergency or Disaster. https://blogs.mml.org/wp/coronavirus/files/2021/03/x-FS-Declaring-a-Local-State-of-Emergency-or-Disaster-Plus.pdf.

(3) How a Disaster Gets Declared | FEMA.gov. https://www.fema.gov/disaster/how-declared.

(4) Fact Sheet: Declaration Process/Current FEMA Status. https://www.fema.gov/press-release/20210318/fact-sheet-declaration-processcurrent-fema-status.

(5) Getty Images. https://www.gettyimages.com/detail/illustration/state-of-emergency-sign-on-red-warning-sign-royalty-free-illustration/1213456554.”

In the News
City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.

One specific activity to plan some budget for is an intensive comparison of your CIS18 control status with peers in comparable organisations. The comparison should not focus on the actual scores, but on HOW others are tackling the challenges; there is a HUGE amount to learn, and it can be done in a very short time-frame. The process typically consists of completing a few high-level assessments, followed by a longer conversation with peers reflecting on the differences. Our role as ISAC is to facilitate this, so reach out.

Project “VAUBAN” – 2024 Multi-ISAC Tabletop

You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water, etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, may have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. The preliminary discussions have gone well, and we now have a 120-minute time slot in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help.

The Red Team is beginning to learn more about the cyber activities in the Ukraine war (see https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733549/EPRS_BRI(2022)733549_EN.pdf & https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war) and thinking about designing a thunder run strategy with the phases (a) disable communication channels (b) disable traffic services (c) disable electricity, heating & water services. The attack would start in the Christmas week with the initial aim of getting the city to declare a state of emergency within one week.

FYI: In cybersecurity, a “thunder run” strategy refers to a rapid and aggressive cyberattack aimed at creating chaos and confusion within the target’s systems. This approach is designed to disrupt critical infrastructure, command and control centres, and other essential services, much like its military counterpart. For example, during the Russo-Ukrainian War, Russian cyberattacks on government and military command and control centers, logistics, and emergency services were consistent with a thunder run strategy. These attacks aimed to stoke chaos, confusion, and uncertainty, ultimately avoiding a prolonged conflict.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
