2024/38 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Upcoming webinar: Webinar on Benchlearning 5 Dec. 2024 2pm – 3 pm CET / Webinar “HIRING4CYBER in a European Public Administration” 3rd December 2024 10am – 12 noon CET / Webinar with US Coalition of City CISOs: LA Threat Intel Pilot 19th Nov. 2024 6 pm CET / 1/2 life of security solutions is 1 year / Backup your data from third party solutions / Threat actors pressure for payment in innovative ways / “Buy and bleed” – live with it / In 2023, the average breakout time was just 62 minutes.


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 7): EU Funded projects are great – but make sure your Head of IT signs them off as well.
  • Weekly [TLP:RED] for Essential Services Managers (Repeat # 7): Never accept stand-alone “agile” projects from vendors – you can embed agile “tasks” into waterfall projects though.
  • Weekly [TLP:RED] for IT Leaders (Repeat # 7): Always order more than you truly need and connect it to the network as “hot” standbys for when other kit fails.
Summary

Hi everyone, I hope you are doing well. Colleagues from five cities / regions from Belgium, Bulgaria, Croatia, Ireland and Italy again joining Friday morning plus our friends from ECSO.

One colleague sharing some details from a recent event where the Antwerp incident was discussed in detail. He will try to organise a repeat session for us. Main point of interest perhaps is that the solutions they put in place 2 years ago to mitigate future threats are today no longer sufficiently protective – threat actors move on and while established solutions are of course continuously updated, we do need to think about continuously introducing new solutions with an expected ½ life of a year or so.

Another colleague then sharing current challenges about losing suppliers due to them sunsetting products and a discussion ensued around how common the issue is and best ways to deal with that. Clear communications to users were one critical activity described including informing them that changes etc to the solution would no longer be possible until a suitable replacement was found – honesty and transparency count. A further point raised was that when you buy a solution, if possible, ask for full source code and full data APIs to ease migrating to a different solution later – it is not unusual to lose all your data if you do not do at least the latter – run your own backups regularly (i.e., via PowerBI).

The above then got us into a nice meme a colleague recently received around a threat actor breaching a system, requesting a ransom and then threatening to inform Oracle of unlicensed databases if payment was not made. Another colleague then mentioned that such an audit would probably cost them €1m… Hmmmm – innovative!…. similar to a recent event in the US where a threat actor threatened to inform the authorities of their breach since the company had not yet done so… On the other hand, if we look at how some solution prices are doubling if not increasing tenfold, I sometimes wonder who the real threat actors are. One colleague laughed and told us of a vendor meeting where, due to the nature of the solution, he had the Chief of Police in the room and asked them jokingly to arrest the vendor for extortionist pricing…. “Buy and bleed” is the mantra of today it seems. Going to cloud based solutions does not help by the way – most solution providers are sitting on the platforms of the big cloud providers anyway and hence themselves subject to massive price increases they will pass on. Guess this inspired the image of us poor administrations paying more and more to industry for security….

Before I forget, one final small story from a colleague whose purchasing processes ended up being so slow that he was without critical security updates for two months – the contract ran out in a specific month, and the continuation agreement only got paid 2 months later… luckily nothing happened, but a solid reminder that we must trigger renewals/payments solidly ahead of expiry dates!

Cheers, 

Oliver

Insights from AI

Staying ahead of cyber threat actors is important – but doable? I asked CoPilot “how fast do cyber threat actors innovate?” The AI responded as per below:

“Cyber threat actors are known for their rapid innovation and adaptability. The speed at which they innovate can be quite alarming:

AI and Machine Learning: Threat actors are quickly adopting AI and machine learning to enhance their attack methods. This allows them to automate tasks, analyze large datasets, and develop sophisticated attack strategies.

Breakout Time: The average time it takes for an attacker to move from an initially compromised host to another within the same organization has decreased significantly. In 2023, the average breakout time was just 62 minutes, with the fastest recorded breakout time being only 2 minutes and 7 seconds.

Emerging Threats: New types of attacks, such as AI-enabled attacks, data poisoning, and SEO poisoning, are constantly emerging. These threats evolve as attackers find new ways to exploit vulnerabilities.

Interactive Intrusions: There has been a notable increase in interactive intrusions, where attackers engage directly with their targets through methods like social engineering and credential phishing.

The rapid pace of innovation among cyber threat actors means that defenders must continuously adapt and improve their security measures to stay ahead. It’s a constant game of cat and mouse, with both sides evolving their tactics.”    

In the News
  • Join Our upcoming Webinar on Benchlearning 5 December 2024 2pm – 3 pm CET: Learn how ISAC Baseline can help your city enhance its cybersecurity and collaborate in a community of peers across Europe. Register for our webinar on November 5th and see how compliance work with NIS2 requirements is effectively supported by Benchmarking and a Solution Library with shared security practices using the Benchlearning principle. Registration is here: https://events.teams.microsoft.com/event/a826eed1-27ff-4804-ad3f-d1bfe0803de5@ab59e806-3337-45df-8257-2bc61793098b
  • With ECSO and Region Toscana – Join our Webinar “HIRING4CYBER in a European Public Administration” 3rd December 2024 – 10:00-12:00 CET. INVITE LINK PENDING.

CORE ISSUE – It is extremely difficult for the European Public Administration to select and retain skilled workers dealing with cybersecurity topics. This is true for all the steps: 1) Scouting – how to make sure that interested people apply? Are they aware of the job opportunity? 2) Hiring process – how to design job profiles that meet the needs of the PA? 3) Retaining employees.

CHALLENGES: competition with the private sector that can pay higher salaries, many people not interested in working within a public administration.

ASPECTS TO CONSIDER: 1) Are PAs targeting the right people? They could be both young people (before University) or people that need re-skilling. 2) What drives a person to work for a PA? The answer could be job security, location, willingness to contribute to the topic for civil society. 3) How to cooperate with universities in order to stimulate interest towards working in a PA? 4) What are the institutional constraints of a PA in the recruitment process and how to best avert/use them to the PA’s benefit?

We want to understand what drives people that apply, and we are looking for solutions!

  • With the US Coalition of City CISOs: LA Threat Intel Pilot: 19.Nov. 2024 06:00 PM CET. The Coalition of City CISOs in partnership with the City of Los Angeles and Joint Regional Intelligence Center invite you to participate in the LA Regional TISP. This LA Regional platform collects and processes threat data and automates threat intelligence sharing. Powered by the Anomali Platform, we can collaborate on threat visibility and stay up to date on ongoing threat intelligence information. The City of Los Angeles will be able to aggregate IBM X-Force Threat Intelligence and other threat data feeds and distribute other finished threat intelligence products via the LA Regional platform. Benefit: Provides public sector organizations (cities, counties, and public critical infrastructure) and private critical infrastructure entities with a venue to collaborate and share threat intelligence research, enabling members’ analysts to make better decisions about threat activity in their areas of interest. If you are a public administration and are interested in attending please contact me.
  • Bucharest’s District 5 City Hall hit by ransomware attack https://www.romania-insider.com/bucharest-district-city-hall-ransomware-attack-october-2024
City ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

Project Cyber Securing Public Administrations  “CySec4PA” – DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02

We continue preparing a proposal for DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02 “Support for Implementation of EU Legislation on Cybersecurity and National Cybersecurity Strategies (2024)” that will be due for submission on January 21st, 2025. 

The focus is on supporting NIS2 deployment by raising local / regional NCAF maturity through replicating / localising the ISAC Baseline Cooperation model currently implemented by our friends at I-Trust. If any local / regional public administrations or Local Government Management associations are interested, please contact me – I expect that we will be able to deploy to a maximum of 3 EU member states. One nation close to joining already.

If you would like to nominate your national government management association or similar (i.e., association of cities) to participate, please contact me.

 

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
