2024/26 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Threat estimates only +/- 30% correct / Betting odds of a ransomware event next week at 3:2 / Threat actors know how we will react – not good? / Make sure you can extract all data at any time without cost from security solutions / Single points of failure are often deep within solutions and easy to reach.
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including the IT systems that support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials: Estimating probability of an event is for CISOs using wisdom of the crowd, estimating impact is for CEOs using financial figures.
- Weekly [TLP:RED] for Essential Services Managers: You have single points of failure deep within solutions – ask the question and the answer will surprise.
- Weekly [TLP:RED] for IT Leaders: Ensure you can extract ALL your data from any third-party solution at any time without additional cost.
| Summary |
Hi everyone, I hope you are doing well. Five cities joining from Croatia, Estonia, Germany, Ireland, and Italy, on Friday morning for a lively conversation ranging from promotions turning into unexpected challenges, through becoming responsible for (old) city elevators, to perhaps setting up a betting shop for cyber incidents.
Since things were quiet on the incident front, one colleague shared how they were looking closely at the robustness of their estimation of probability and impact. This is obviously a key process in understanding which of the many threats we face should be prioritised. We learned that estimating impact (including financial impact) is typically a lot more accurate than estimating probability, and that a key activity to get better at probability estimation is to make sure we are asking enough colleagues for input – see https://en.wikipedia.org/wiki/The_Wisdom_of_Crowds for some more details (we tried this out on a few examples and actually experienced that this seems to work). The colleague shared that internal research had shown that the probability estimation of a risk was probably only around 60%-70% accurate (+/- 30% uncertainty), which then suggested it is good enough to use only a three-level scale (i.e., high/medium/low) in a 3×3 matrix for risk prioritisation.
The above then reminded us that there is a similarity between estimation and “betting”, so we thought we would try a bet and agreed on the challenge “What is the probability that the weekly ENISA OSINT report next week will include a ransomware attack on a public administration of around 100k citizens?” We were six individuals in the call: three of us guessed “Low”, two guessed “High” and one guessed “Medium”, with “High” = Yes, “Low” = No, and “Medium” = “Don't know”… (apologies if my memory fails me – I forgot to copy our chat). The betting odds for this happening are hence 3:2. That means for every €2 I bet, I get €3 back – if I bet €100 and won, I would win €150 and make a profit of €50. We will see next week how our betting goes…
So if risk management is the required approach for determining treatment prioritisation (NIS2 explicitly says this as well), and one foundation of risk management is estimating the probability of an event, with the “wisdom of the crowds” being an effective approach to this, we need to get better at implementing the relevant processes – “casual” conversations are better than nothing at all, however we need to formalize these for compliance reasons please.
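To make the process above concrete, here is an added worked example (my own illustration, not code from the City ISAC or any of its members) of the pieces discussed: collecting probability and impact estimates from several colleagues, aggregating them “wisdom of the crowd” style, bucketing the result onto the three-level scale that a +/- 30% uncertainty justifies, ranking it with a 3×3 matrix, and turning a High/Low vote split like our 3-vs-2 into bookmaker-style odds and an implied probability. The aggregation rule (median), the bucket thresholds, the matrix ranks, the treatment of “Medium/Don't know” votes as abstentions and all sample estimates are assumptions I chose for the illustration, not figures from the call.

```python
"""
Added illustration of crowd-based risk estimation and a 3x3 priority
matrix. Not from the City ISAC; every threshold and sample value is an
assumption chosen for this example.
"""
from statistics import median
from typing import Iterable, Tuple

LEVELS = ("low", "medium", "high")

# Assumed 3x3 priority matrix: rows = probability level, columns = impact
# level, cell = treatment priority rank (1 = lowest, 5 = highest).
PRIORITY_MATRIX = {
    "low":    {"low": 1, "medium": 2, "high": 3},
    "medium": {"low": 2, "medium": 3, "high": 4},
    "high":   {"low": 3, "medium": 4, "high": 5},
}


def crowd_estimate(estimates: Iterable[float]) -> float:
    """Aggregate individual estimates (each in [0, 1]) with the median.

    The median is an assumed choice: it ignores a single wildly optimistic
    or pessimistic colleague, which a plain mean would not.
    """
    values = list(estimates)
    if not values:
        raise ValueError("need at least one estimate")
    for v in values:
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"estimate {v!r} is not in [0, 1]")
    return median(values)


def to_level(value: float, uncertainty: float = 0.30) -> str:
    """Bucket a [0, 1] estimate onto low/medium/high.

    With +/- 30% uncertainty a finer scale would claim precision the
    estimate does not have, so (assumed rule) anything within one
    uncertainty band of 0 is 'low', within one band of 1 is 'high',
    and everything in between is 'medium'.
    """
    if value < uncertainty:
        return "low"
    if value > 1.0 - uncertainty:
        return "high"
    return "medium"


def prioritise(prob_estimates: Iterable[float],
               impact_estimates: Iterable[float]) -> Tuple[str, str, int]:
    """Return (probability level, impact level, priority rank)."""
    p_level = to_level(crowd_estimate(prob_estimates))
    i_level = to_level(crowd_estimate(impact_estimates))
    return p_level, i_level, PRIORITY_MATRIX[p_level][i_level]


def vote_odds(votes: Iterable[str]) -> Tuple[int, int, float, float]:
    """Turn High/Medium/Low votes (yes / don't know / no) into odds.

    Returns (votes against, votes for, implied probability, decimal odds).
    'medium' votes are treated as abstentions (assumption) and excluded,
    so 3 x low, 2 x high, 1 x medium gives odds of 3:2 against, an
    implied probability of 2/5 = 0.4 and decimal odds of 2.5.
    """
    tally = {lvl: 0 for lvl in LEVELS}
    for v in votes:
        if v not in tally:
            raise ValueError(f"unknown vote {v!r}")
        tally[v] += 1
    for_ = tally["high"]
    against = tally["low"]
    if for_ == 0:
        raise ValueError("no 'yes' votes: odds against are undefined")
    implied_probability = for_ / (for_ + against)
    decimal_odds = (for_ + against) / for_   # 1 + against/for
    return against, for_, implied_probability, decimal_odds


if __name__ == "__main__":
    # Constructed sample: five colleagues estimate probability, three
    # estimate financial impact on a 0..1 scale.
    probs = [0.20, 0.50, 0.35, 0.90, 0.40]
    impacts = [0.80, 0.90, 0.75]
    print("priority:", prioritise(probs, impacts))
    print("odds:", vote_odds(["low", "low", "low", "high", "high", "medium"]))
```

Run as a script it prints the priority tuple and the odds tuple for the constructed samples; for a real meeting, replace the two lists with the figures your colleagues give and keep the raw estimates alongside the aggregated level, since the audit trail is what a NIS2 reviewer will ask for.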
I asked CoPilot to create an image of “the villain spectre betting on a cybersecurity incident happening next week with a fluffy white cat on the table”. AI came up with the following photo…

On another note, a story not shared in the call but perhaps of interest: a colleague looking to change security solutions recently learned that they were unable to migrate configuration and historical information from the current vendor solution. This may not seem critical, but being able to do so would save a huge amount of effort. They are learning the hard way that you need to be able to extract ALL of your data from a vendor solution at any time – vendors will not enable this unless specifically required to do so, AND their solution must be tested for this. It is amazing how little can usually be exported, and of course no vendor is interested in making a move away from them easy.
Before I forget, in another conversation with I-Trust this week, we shared notes on single points of failure that are often deep within technical solutions and very easy to reach (did you know that in mobile call routing the SIM authentication process is not really well protected?). Weak points can be stunningly simple to reach – we need to put the question to the experts and will be surprised by the answers.
Continuing to wish everyone a safe summer!
Cheers,
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat about why betting might be an appropriate way to estimate the probability of an event. The AI responded as per below:
“Betting is often used to estimate the probability of an event because it involves calculating odds, which are essentially a reflection of the likelihood of different outcomes. Here are a few reasons why betting can be an effective method for estimating probabilities:
1. **Market Efficiency**: Betting markets aggregate the opinions of many participants, which can lead to more accurate probability estimates. This is similar to the concept of the “wisdom of the crowd.”
2. **Incentives**: Bettors have a financial stake in the accuracy of their predictions, which can motivate them to research and analyze information thoroughly before placing bets.
3. **Dynamic Adjustments**: Betting odds are continuously updated based on new information and betting patterns, allowing them to reflect the most current probabilities.
4. **Mathematical Foundation**: Betting odds are based on mathematical calculations of probability. For example, fractional odds, decimal odds, and moneyline odds all represent different ways to express the likelihood of an event occurring¹².
5. **Risk Assessment**: Betting requires assessing the risk and potential reward, which involves understanding the underlying probabilities. This can help in making more informed decisions.
Overall, betting provides a structured and quantifiable way to estimate probabilities, leveraging both individual analysis and collective wisdom³.
Source: Conversation with Copilot, 18/08/2024
(1) The Math Behind Betting Odds & Gambling – Investopedia. https://www.investopedia.com/articles/dictionary/042215/understand-math-behind-betting-odds-gambling.asp.
(2) Betting odds explained: guide to how betting odds work – The Telegraph. https://www.telegraph.co.uk/betting/sports-guides/betting-odds-explained/.
(3) Betting odds explained – how to calculate sports betting odds. https://www.overlyzer.com/en/sports-betting/odds/.
(4) Betting odds explained: How to calculate odds – Sports Trading Network. https://www.sportstradingnetwork.com/article/betting-odds-explained-how-to-calculate-odds/.”
| In the News |
- Etten-Leur community parking system impacted by cyber attack: https://www.internetbode.nl/etten-leur/424707/bezoek-aanmelden-niet-mogelijk-door-cyberaanval-systeem-2park
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered. Please do review and consider reaching out to include such in your activities and budgets.
One service to highlight this week is organising expert reviews of technical approaches (e.g., micro-segmentation). “Experts” in this respect are not vendors or consultants, but peers who have implemented specific solutions and can share what they learned from their experiences. Please do reach out with any specific areas of interest and we will organise.
| Project “VAUBAN” – 2024 Multi-ISAC Tabletop |
You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help.
The Red Team continues to develop a playbook, and this week began exploring how to create a “plan” for steering the reactive behaviour of a victim. We need to assume that the Red Team knows the process that will be enacted by the administration crisis team, which raises the question whether following the “standard” process (i.e., disconnecting from the Internet, recovering backups etc.) is the *right* strategy for the Blue Team.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/