
Attacks/Breaches

9/19/2016
04:30 PM
Gary Hayslip
Commentary

What Smart Cities Can Teach Enterprises About Security

The more you simplify your security program while still being effective, the better, says San Diego's chief information security officer. Here's his three-step process.

I’ve been in the cybersecurity industry for 30 years, and even my 27 years’ experience with the Department of Defense and U.S. Navy could not have prepared me for the challenge I faced in building a security program for San Diego’s citywide enterprise network. One of the main things I’ve learned over these past three years is that you can’t have security through obscurity. You need a continuous and unified view of your security posture if you want to operate a top-notch program.

People don’t think of a city as a large enterprise network, but at the end of the day, that’s exactly what it is — a $4 billion business that provides services for roughly 1.5 million citizens.

In fact, the two share some distinct commonalities.

First, cities are massive and they never throw out any information. That means that there is data being stored on outdated technology from 20 years ago that might not be secure; obviously, 20 years ago, no one was concerned about being hacked.

This also means that there is a mix of old and new technology sprawled across the city, including legacy applications and programs like PowerBuilder and intelligent smart city devices such as LED street lights that create security gaps and blind spots. In San Diego, there are 24 discrete networks and 40,000 endpoints that run across 40 departments, including parks and recreation, public safety, transportation, and even golf courses and cemeteries that require point-of-sale (POS) systems. 

Second and most importantly, cities never shut down. San Diego runs 24 hours a day, 7 days a week, and 365 days out of the year, which means that from a security standpoint, you can’t take the network offline or rip and replace old technology with new technology without interrupting the daily business operations of the city and its people.

This is probably very similar to your typical enterprise with its complex network with hundreds, if not thousands of devices and endpoints that process and store sensitive data distributed across cities, states, and countries. For retailers using POS systems and credit card readers, there’s also an added layer of Payment Card Industry (PCI) compliance regulations that they are required to meet and document.

Resilient Security = Visibility
Security does not exist in a vacuum. It’s a living, breathing lifecycle. The one thing I realized immediately in San Diego was that if I was going to build a resilient security program for one of the world’s smartest cities, I needed complete visibility into all its vast systems and devices, and a toolset that could properly assess and manage its security risk.

Having full visibility is crucial in understanding what security risks are out there. No city or enterprise has just one solid perimeter, especially with today’s extension of cloud and mobile technologies. The current environment is riddled with connected devices and smart technology to help improve our lives, but that also creates a more complicated and diverse threat landscape.

In order to achieve that level of visibility, organizations must start with a basic assessment of their environment. Using an industry standard, such as the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Critical Security Controls, is a great way for an enterprise to gauge the maturity of its network, create a baseline security standard, and get an ongoing security program off the ground. These assessments help identify areas of improvement, which can then become projects based on the gaps and risks that you need to fix. For example, some organizations might choose to develop a written policy for admin passwords, while others would target better compliance and auditing enforcement through new software or hardware.

Start with a Framework
In my case, I immediately looked at the NIST Cybersecurity Framework as a guiding principle because I knew a baseline of security would not only set me up for success, but also make the IT and InfoSec departments’ jobs more streamlined and efficient. Implementing NIST from the beginning helped me identify weak spots in the network and figure out what solutions to put in place to reduce our risk exposure and understand the data flowing across our multiple networks.

Once we had the framework in place, we used the Tenable Network Security platform to anchor our cybersecurity suite as we continuously inventoried, assessed, scanned, monitored, and remediated the network for cyber threats, as well as planned for future growth. For example, the city has to think about PCI compliance, as well as auditing and reporting, and has to correlate security threat and risk data from various security vendors, including Tenable, Splunk, Carbon Black, PacketSled, AttackIQ, and Sumo Logic.

One of the advantages of working with a vendor-neutral enterprise cybersecurity solutions provider like Tenable is that I didn’t just fill one security gap; I filled four, and I was able to use the technology to unify data coming in from some of our other tools. San Diego averages close to a million cyber attacks a day, so having a comprehensive and continuous security monitoring tool in place was essential in identifying the most critical threats to the city.

It’s taken me nearly three years to get a complete picture of San Diego’s overall security posture, and the one thing I can’t reinforce enough is that the security lifecycle never ends; you will always be assessing for risk, which means you will always be monitoring your network. Enterprises have complex networks, so the more you can simplify your security program while still being effective, the better. All it takes is a simple three-step process:

  1. Assess your network by adopting a security framework such as NIST or CIS Critical Security Controls.
  2. Identify the network threats and gaps, and determine which policies, procedures, and solutions you need to adopt.
  3. Create a comprehensive security program that gives you a holistic view of the overall IT environment and the ability to continuously monitor for vulnerabilities.
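The gap assessment described earlier (find what you have, compare it against a baseline, turn the gaps into projects) and step 3's continuous monitoring both come down to the same mechanic: merge what your discovery tool sees with what your scanner and patch tooling actually cover, then flag the blind spots. The script below is an added illustration written for this article, not code from the City of San Diego or from any of the vendors named above. All asset, scan and department records in it are constructed, the legacy-OS list and the scoring weights are arbitrary assumptions, and the 30-day scan-age threshold is a placeholder a real program would set from its own policy.

```python
from datetime import date, timedelta

# Constructed sample data standing in for exports from two tools: a network
# discovery tool (what exists) and a vulnerability scanner (what is covered).
# None of these hosts, addresses or departments are real.
DISCOVERED = [
    {"ip": "10.1.0.5", "hostname": "parks-pos-01", "department": "parks", "os": "Windows 7"},
    {"ip": "10.1.0.9", "hostname": "parks-kiosk-02", "department": "parks", "os": "Windows 10"},
    {"ip": "10.2.0.7", "hostname": "streetlight-ctl-1", "department": "transport", "os": "embedded"},
    {"ip": "10.3.0.2", "hostname": "hr-app-01", "department": "hr", "os": "Windows Server 2003"},
    {"ip": "10.3.0.4", "hostname": "hr-db-01", "department": "hr", "os": "Linux"},
]
SCANS = [
    {"ip": "10.1.0.5", "last_scan": date(2016, 9, 1), "critical": 3, "high": 5},
    {"ip": "10.1.0.9", "last_scan": date(2016, 9, 15), "critical": 0, "high": 1},
    {"ip": "10.3.0.2", "last_scan": date(2016, 6, 10), "critical": 7, "high": 2},
    {"ip": "10.3.0.4", "last_scan": date(2016, 9, 14), "critical": 0, "high": 0},
]

# Assumed list of platforms the program treats as legacy; a real baseline
# would derive this from vendor end-of-support dates.
LEGACY_OS = ("Windows 7", "Windows Server 2003", "Windows XP")


def build_unified_view(discovered, scans):
    """Join discovery and scanner records on IP into one asset-keyed view.

    Assets the scanner has never seen get last_scan=None so they stand out
    as blind spots rather than silently reading as clean.
    """
    scan_by_ip = {s["ip"]: s for s in scans}
    view = {}
    for asset in discovered:
        scan = scan_by_ip.get(asset["ip"])
        view[asset["ip"]] = {
            **asset,
            "last_scan": scan["last_scan"] if scan else None,
            "critical": scan["critical"] if scan else 0,
            "high": scan["high"] if scan else 0,
        }
    return view


def scan_coverage(view):
    """Fraction of discovered assets that have at least one scan record."""
    scanned = sum(1 for a in view.values() if a["last_scan"] is not None)
    return scanned / len(view) if view else 0.0


def find_gaps(view, today, max_scan_age_days=30, legacy_os=LEGACY_OS):
    """Classify each asset into the gap categories a program would track."""
    stale_before = today - timedelta(days=max_scan_age_days)
    gaps = {"blind_spots": [], "stale_scans": [], "legacy": [], "critical": []}
    for _ip, a in sorted(view.items()):
        if a["last_scan"] is None:
            gaps["blind_spots"].append(a["hostname"])
        elif a["last_scan"] < stale_before:
            gaps["stale_scans"].append(a["hostname"])
        if a["os"] in legacy_os:
            gaps["legacy"].append(a["hostname"])
        if a["critical"] > 0:
            gaps["critical"].append(a["hostname"])
    return gaps


def rank_assets(view, today, max_scan_age_days=30, legacy_os=LEGACY_OS):
    """Order assets by an assumed risk score so gaps become a work queue.

    Weights are illustrative: findings count most, an unscanned or legacy
    host adds a fixed penalty because its true exposure is unknown.
    """
    stale_before = today - timedelta(days=max_scan_age_days)

    def score(a):
        s = a["critical"] * 10 + a["high"] * 3
        if a["os"] in legacy_os:
            s += 20
        if a["last_scan"] is None:
            s += 15
        elif a["last_scan"] < stale_before:
            s += 10
        return s

    ranked = sorted(view.values(), key=lambda a: (-score(a), a["hostname"]))
    return [(a["hostname"], score(a)) for a in ranked]


if __name__ == "__main__":
    today = date(2016, 9, 19)
    view = build_unified_view(DISCOVERED, SCANS)
    print(f"scan coverage: {scan_coverage(view):.0%}")
    for category, hosts in find_gaps(view, today).items():
        print(f"{category}: {hosts}")
    for hostname, s in rank_assets(view, today):
        print(f"{s:4d}  {hostname}")
```

Run as a script it prints the coverage figure, the four gap lists and the ranked queue. The point of keeping discovery and scanning as separate inputs is the streetlight controller: it appears in discovery but has no scan record, which is exactly the kind of smart-city blind spot the article warns about, and a view built only from scanner output would never show it.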

As chief information security officer (CISO) for the City of San Diego, Gary Hayslip advises the city's executive leadership consisting of mayoral, city council, and 40+ city departments and agencies on protecting government information resources. Gary oversees citywide ...
