Dark Reading

Attacks/Breaches

9/19/2016 04:30 PM
Gary Hayslip
Commentary
What Smart Cities Can Teach Enterprises About Security

The more you simplify your security program while still being effective, the better, says San Diego's chief information security officer. Here's his three-step process.

I’ve been in the cybersecurity industry for 30 years, and even my 27 years of experience with the Department of Defense and U.S. Navy could not have prepared me for the challenge I faced with building a security program for San Diego’s citywide enterprise network. One of the main things I’ve learned over these past three years is that you can’t have security through obscurity. You need a continuous and unified view of your security posture if you want to operate a top-notch program.

People don’t think of a city as a large enterprise network, but at the end of the day, that’s exactly what it is: a $4 billion business that provides services for roughly 1.5 million citizens.

In fact, the two share some distinct commonalities.

First, cities are massive and they never throw out any information. That means there is data still stored on technology deployed 20 years ago that was never designed to withstand today’s threats; at the time, being hacked was simply not part of the design requirements.

This also means that there is a mix of old and new technology sprawled across the city, from legacy applications (some of them built in PowerBuilder) to smart city devices such as networked LED street lights, all of which create security gaps and blind spots. In San Diego, there are 24 discrete networks and 40,000 endpoints that run across 40 departments, including parks and recreation, public safety, transportation, and even golf courses and cemeteries that require point-of-sale (POS) systems.

Second, and most importantly, cities never shut down. San Diego runs 24 hours a day, 7 days a week, 365 days a year, which means that from a security standpoint you can’t take the network offline or rip and replace old technology with new without interrupting the daily business operations of the city and its people.

This is probably very similar to your typical enterprise, with its complex network of hundreds, if not thousands, of devices and endpoints that process and store sensitive data distributed across cities, states, and countries. For retailers using POS systems and credit card readers, there’s also an added layer of Payment Card Industry Data Security Standard (PCI DSS) requirements that they must meet and document.

Resilient Security = Visibility
Security does not exist in a vacuum. It’s a living, breathing lifecycle. The one thing I realized immediately in San Diego was that if I was going to build a resilient security program for one of the world’s smartest cities, I needed complete visibility into all its vast systems and devices, and a toolset that could properly assess and manage its security risk.

Having full visibility is crucial in understanding what security risks are out there. No city or enterprise has just one solid perimeter, especially with today’s extension of cloud and mobile technologies. The current environment is riddled with connected devices and smart technology to help improve our lives, but that also creates a more complicated and diverse threat landscape.

To achieve that level of visibility, organizations must start with a basic assessment of their environment. Using an industry standard such as the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Critical Security Controls is a practical way for an enterprise to gauge the maturity of its security program, establish a baseline, and get an ongoing security program off the ground. The assessment identifies areas for improvement, which then become projects scoped to the specific gaps and risks you need to close. For example, one organization might need a written policy for administrative passwords, while another might need better compliance and audit enforcement through new software or hardware.

Start with a Framework
In my case, I immediately looked at the NIST Cybersecurity Framework as a guiding principle because I knew a baseline of security would not only set me up for success, but also make the IT and InfoSec departments’ jobs more streamlined and efficient. Implementing NIST from the beginning helped me identify weak spots in the network and figure out what solutions to put in place to reduce our risk exposure and understand the data flowing across our multiple networks.

Once we had the framework in place, we used the Tenable Network Security platform to anchor our cybersecurity suite as we continuously inventoried, assessed, scanned, monitored, and remediated the network for cyber threats, as well as planned for future growth. For example, the city has to think about PCI compliance, as well as auditing and reporting, and has to correlate security threat and risk data from various security vendors, including Tenable, Splunk, Carbon Black, PacketSled, AttackIQ, and Sumo Logic.

One of the advantages of working with a vendor-neutral enterprise cybersecurity solutions provider like Tenable is that I didn’t just fill one security gap, I filled four and I was able to use the technology to unify data coming in from some of our other tools. San Diego averages close to a million cyber attacks a day, so having a comprehensive and continuous security monitoring tool in place was essential in identifying the most critical threats to the city.

It’s taken me nearly three years to get a complete picture of San Diego’s overall security posture, and the one thing I can’t reinforce enough is that the security lifecycle never ends; you will always be assessing for risk, which means you will always be monitoring your network. Enterprises have complex networks, so the more you can simplify your security program while still being effective, the better. All it takes is a simple three-step process:

  1. Assess your network by adopting a security framework such as the NIST Cybersecurity Framework or the CIS Critical Security Controls.
  2. Identify the network threats and gaps, and determine which policies, procedures, and solutions you need to adopt.
  3. Create a comprehensive security program that gives you a holistic view of the overall IT environment and the ability to continuously monitor for vulnerabilities.
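As an added example of what step 3's "holistic view" means in practice (this is illustration code, not the City of San Diego's tooling or any vendor's product), the script below reconciles a discovery scan against the asset inventory and ranks the gaps: hosts on the wire that nobody inventoried, inventoried hosts the scanner can no longer see, and unsupported platforms, with PCI-scope POS hosts escalated. The inventory, the scan output, the end-of-life list, the 14-day staleness window and the scan date are all constructed assumptions.

```python
"""Reconcile a discovery scan against the asset inventory (added example).

The first thing a framework-based assessment (NIST CSF "Identify", CIS
Control 1, inventory of hardware assets) exposes is the gap between what the
inventory says is on the network and what a scanner actually finds.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed inventory: (ip, owning department, recorded OS, in PCI scope?)
INVENTORY = [
    ("10.10.1.5",  "parks",         "Windows Server 2016", False),
    ("10.10.1.9",  "golf",          "Windows XP",          True),   # POS terminal
    ("10.10.2.20", "transport",     "Ubuntu 16.04",        False),
    ("10.10.2.40", "transport",     "Windows Server 2003", False),  # legacy app host
    ("10.10.3.11", "public_safety", "Windows Server 2016", False),
]

# Constructed discovery-scan output: (ip, fingerprinted OS, last seen, ISO date)
SCAN = [
    ("10.10.1.5",  "Windows Server 2016", "2016-09-18"),
    ("10.10.1.9",  "Windows XP",          "2016-09-18"),
    ("10.10.2.20", "Ubuntu 16.04",        "2016-09-18"),
    ("10.10.2.77", "Linux (embedded)",    "2016-09-18"),  # not in inventory
    ("10.10.4.3",  "Windows XP",          "2016-09-17"),  # not in inventory, unsupported OS
    ("10.10.3.11", "Windows Server 2016", "2016-08-01"),  # inventoried but not seen lately
]

# Assumed policy values: platforms past vendor support as of the scan date,
# how long an inventoried host may go unseen before it is stale, and the
# assumed date of the scan run.
END_OF_LIFE = {"Windows XP", "Windows Server 2003", "Windows 2000"}
STALE_DAYS = 14
AS_OF = date(2016, 9, 19)


@dataclass(frozen=True)
class Finding:
    ip: str
    category: str   # "unknown_host", "stale_host" or "end_of_life"
    detail: str
    priority: int   # 1 = fix first


def reconcile(inventory, scan, today):
    """Return findings sorted by priority, then category, then IP."""
    known = {ip: (dept, os_name, pci) for ip, dept, os_name, pci in inventory}
    seen = {ip: (os_name, date.fromisoformat(last)) for ip, os_name, last in scan}
    findings = []

    # 1. Blind spots: live on the network but absent from the inventory.
    #    An unknown host on an unsupported OS goes to the top of the list.
    for ip, (os_name, _) in seen.items():
        if ip not in known:
            pri = 1 if os_name in END_OF_LIFE else 2
            findings.append(Finding(ip, "unknown_host", f"{os_name}, not in inventory", pri))

    # 2. Stale entries: the inventory says the host exists, but the scanner has
    #    not seen it within STALE_DAYS (or ever). Either the record is wrong or
    #    the scanner cannot reach that segment; both are visibility gaps.
    for ip, (dept, _, _) in known.items():
        hit = seen.get(ip)
        if hit is None or (today - hit[1]).days > STALE_DAYS:
            when = "never" if hit is None else hit[1].isoformat()
            findings.append(Finding(ip, "stale_host", f"{dept} host last seen {when}", 3))

    # 3. Legacy platforms: trust the scanner's fingerprint over the record.
    #    PCI-scope hosts escalate, because an unsupported system on a
    #    cardholder-data network is a compliance problem as well as a risk.
    for ip, (dept, recorded_os, pci) in known.items():
        observed = seen[ip][0] if ip in seen else recorded_os
        if observed in END_OF_LIFE:
            findings.append(Finding(ip, "end_of_life", f"{observed} ({dept})", 1 if pci else 2))

    return sorted(findings, key=lambda f: (f.priority, f.category, f.ip))


def coverage(inventory, scan):
    """(inventoried hosts the scanner saw, scanned hosts the inventory knows).
    Anything under 1.0 in either ratio is a blind spot."""
    inv = {row[0] for row in inventory}
    scn = {row[0] for row in scan}
    both = len(inv & scn)
    return both / len(inv), both / len(scn)


def summarize(findings):
    """Count findings per category for the executive summary."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = reconcile(INVENTORY, SCAN, AS_OF)
    for f in results:
        print(f"P{f.priority} {f.category:13} {f.ip:12} {f.detail}")
    print("inventory seen / scan known:", coverage(INVENTORY, SCAN))
    print(dict(summarize(results)))
```

Run against the constructed data, the two priority-1 items are the PCI-scope POS terminal on an unsupported OS and an unknown Windows XP host the inventory has never heard of; the stale public-safety record is a reminder that "monitoring" only covers the segments the scanner can actually reach. Feeding real scanner exports and a real CMDB into the same two loops is the continuous part of step 3.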

As chief information security officer (CISO) for the City of San Diego, Gary Hayslip advises the city's executive leadership, consisting of the mayor's office, city council, and 40+ city departments and agencies, on protecting government information resources. Gary oversees citywide ...