Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

9/19/2016
04:30 PM
Gary Hayslip
Commentary

What Smart Cities Can Teach Enterprises About Security

The more you simplify your security program while still being effective, the better, says San Diego's chief information security officer. Here's his three-step process.

I’ve been in the cybersecurity industry for 30 years, and even my 27 years of experience with the Department of Defense and U.S. Navy could not have prepared me for the challenge of building a security program for San Diego’s citywide enterprise network. One of the main things I’ve learned over the past three years is that security through obscurity does not work. If you want to operate a top-notch program, you need a continuous and unified view of your security posture.

People don’t think of a city as a large enterprise network, but at the end of the day, that’s exactly what it is: a $4 billion business that provides services for roughly 1.5 million residents.

In fact, the two share some distinct commonalities.

First, cities are massive and they never throw out any information. That means data is still being stored on technology that is 20 years old and was never designed with security in mind; 20 years ago, being hacked was not a design consideration for most of these systems.

This also means there is a mix of old and new technology sprawled across the city, from legacy applications and platforms such as PowerBuilder to smart city devices such as networked LED street lights, and each of them creates security gaps and blind spots. In San Diego, there are 24 discrete networks and 40,000 endpoints running across 40 departments, including parks and recreation, public safety, transportation, and even golf courses and cemeteries that require point-of-sale (POS) systems.

Second and most importantly, cities never shut down. San Diego runs 24 hours a day, 7 days a week, and 365 days out of the year, which means that from a security standpoint, you can’t take the network offline or rip and replace old technology with new technology without interrupting the daily business operations of the city and its people.

This is probably very similar to your typical enterprise, with a complex network of hundreds, if not thousands, of devices and endpoints that process and store sensitive data distributed across cities, states, and countries. For retailers using POS systems and credit card readers, there is also the added layer of the Payment Card Industry Data Security Standard (PCI DSS), which they are required to meet and document.

Resilient Security = Visibility
Security does not exist in a vacuum. It’s a living, breathing lifecycle. The one thing I realized immediately in San Diego was that if I was going to build a resilient security program for one of the world’s smartest cities, I needed complete visibility into all its vast systems and devices, and a toolset that could properly assess and manage its security risk.

Having full visibility is crucial in understanding what security risks are out there. No city or enterprise has just one solid perimeter, especially with today’s extension of cloud and mobile technologies. The current environment is riddled with connected devices and smart technology to help improve our lives, but that also creates a more complicated and diverse threat landscape.

In order to achieve that level of visibility, organizations must start with a basic assessment of their environment. Using an industry standard such as the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Critical Security Controls is a great way for an enterprise to gauge the maturity of its program, create a baseline security standard, and get an ongoing security program off the ground. These assessments identify areas of improvement, and each gap or risk that needs fixing becomes a project. For example, some organizations might choose to develop a written policy for administrative passwords, while others would target better compliance and audit enforcement through new software or hardware.

Start with a Framework
In my case, I immediately looked at the NIST Cybersecurity Framework as a guiding principle because I knew a baseline of security would not only set me up for success, but also make the IT and InfoSec departments’ jobs more streamlined and efficient. Implementing NIST from the beginning helped me identify weak spots in the network and figure out what solutions to put in place to reduce our risk exposure and understand the data flowing across our multiple networks.

Once we had the framework in place, we used the Tenable Network Security platform to anchor our cybersecurity suite as we continuously inventoried, assessed, scanned, monitored, and remediated the network for cyber threats, as well as planned for future growth. For example, the city has to think about PCI compliance, as well as auditing and reporting, and has to correlate security threat and risk data from various security vendors, including Tenable, Splunk, Carbon Black, PacketSled, AttackIQ, and Sumo Logic.

One of the advantages of working with a vendor-neutral security platform like Tenable is that I didn’t just fill one security gap, I filled four, and I was able to use the technology to unify data coming in from some of our other tools. San Diego sees close to a million attack attempts a day, so having a comprehensive and continuous security monitoring tool in place was essential in identifying the most critical threats to the city.

It’s taken me nearly three years to get a complete picture of San Diego’s overall security posture, and the one thing I can’t stress enough is that the security lifecycle never ends: you will always be assessing for risk, which means you will always be monitoring your network. Enterprises have complex networks, so the more you can simplify your security program while still being effective, the better. All it takes is a simple three-step process:

  1. Assess your network by adopting a security framework such as NIST or CIS Critical Security Controls.
  2. Identify the network threats and gaps, and determine which policies, procedures, and solutions you need to adopt.
  3. Create a comprehensive security program that gives you a holistic view of the overall IT environment and the ability to continuously monitor for vulnerabilities.
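The third step, continuous monitoring with a holistic view of the environment, only works if the monitoring actually covers the inventory. Below is an added example (not code from the article, the City of San Diego, or any of the vendors named) that reconciles a merged asset inventory against a vulnerability scanner's latest results and target ranges, classifying each blind spot by cause: inventoried hosts outside every scan range, hosts in range the scanner has never reported, hosts whose last scan is older than a freshness window, and scanned hosts that no inventory lists. All hosts, departments, scan dates, and CIDR ranges are constructed for illustration.

```python
"""Added example: reconcile an asset inventory with scanner coverage.

Assumptions (not from the article): inventories from several sources
(CMDB, DHCP leases, vendor exports) are already merged into Asset records;
the scanner exports one or more results per IP with a scan date and a count
of open critical findings; scan targets are expressed as CIDR ranges.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    ip: str
    department: str
    source: str          # which inventory listed the host (constructed labels)


@dataclass(frozen=True)
class ScanResult:
    ip: str
    last_scanned: date
    open_criticals: int  # unremediated critical findings on that host


# Constructed sample data for illustration; not real city records.
INVENTORY = [
    Asset("10.10.1.5", "parks", "cmdb"),
    Asset("10.10.1.6", "public_safety", "cmdb"),
    Asset("10.20.0.9", "golf_pos", "dhcp"),
    Asset("192.168.50.3", "streetlights", "vendor_export"),
    Asset("10.10.2.7", "transportation", "cmdb"),
]
SCANS = [
    ScanResult("10.10.1.5", date(2016, 9, 15), 0),
    ScanResult("10.10.1.6", date(2016, 7, 1), 2),
    ScanResult("10.20.0.9", date(2016, 9, 18), 1),
    ScanResult("10.10.3.44", date(2016, 9, 17), 0),   # not in any inventory
]
SCAN_SCOPES = ["10.10.0.0/16", "10.20.0.0/24"]          # constructed scanner targets


def in_scope(ip, scopes):
    """True if some configured scan range contains the address."""
    addr = ip_address(ip)
    return any(addr in ip_network(s) for s in scopes)


def reconcile(inventory, scans, scopes, today, max_age_days=30):
    """Classify every inventoried asset and every scanned host.

    Each blind spot gets exactly one explanation:
      out_of_scope  - inventory IP that no scan target range covers
      unscanned     - in range, but the scanner has never reported it
      stale         - scanned, but not within max_age_days
      unknown_hosts - scanner saw a host that no inventory lists
    Also returns the share of inventory with a fresh scan and the open
    critical findings summed per department for the hosts that were scanned.
    """
    latest = {}
    for s in scans:  # keep only the most recent result per IP
        if s.ip not in latest or s.last_scanned > latest[s.ip].last_scanned:
            latest[s.ip] = s
    known = {a.ip for a in inventory}
    cutoff = today - timedelta(days=max_age_days)
    report = {
        "out_of_scope": set(), "unscanned": set(), "stale": set(),
        "unknown_hosts": set(latest) - known,
        "critical_by_department": {},
    }
    fresh = 0
    for a in inventory:
        if not in_scope(a.ip, scopes):
            report["out_of_scope"].add(a.ip)
            continue
        s = latest.get(a.ip)
        if s is None:
            report["unscanned"].add(a.ip)
            continue
        if s.last_scanned < cutoff:
            report["stale"].add(a.ip)
        else:
            fresh += 1
        dept = report["critical_by_department"]
        dept[a.department] = dept.get(a.department, 0) + s.open_criticals
    report["coverage"] = fresh / len(inventory) if inventory else 0.0
    return report


def run_sample(today=date(2016, 9, 19)):
    """Run the reconciliation over the constructed data above."""
    return reconcile(INVENTORY, SCANS, SCAN_SCOPES, today)


if __name__ == "__main__":
    r = run_sample()
    for key in ("out_of_scope", "unscanned", "stale", "unknown_hosts"):
        print(f"{key:>14}: {sorted(r[key])}")
    print(f"      coverage: {r['coverage']:.0%}")
    print(f"criticals/dept: {r['critical_by_department']}")
```

The categories matter more than the counts: an out-of-scope host is a scanner configuration problem, an unscanned in-range host usually means a firewall or credential issue, a stale host points at a broken schedule, and an unknown host is the shadow IT that a single inventory source never shows. Running this on every scan cycle, rather than once during the initial assessment, is what turns the assessment into the continuous program the three steps describe.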

As chief information security officer (CISO) for the City of San Diego, Gary Hayslip advises the city's executive leadership, consisting of the mayor, city council, and 40+ city departments and agencies, on protecting government information resources. Gary oversees citywide ...