
9/19/2016
04:30 PM
Gary Hayslip
Commentary

What Smart Cities Can Teach Enterprises About Security

The more you simplify your security program while still being effective, the better, says San Diego's chief information security officer. Here's his three-step process.

I’ve been in the cybersecurity industry for 30 years, and even my 27 years of experience with the Department of Defense and U.S. Navy could not have prepared me for the challenge I faced in building a security program for San Diego’s citywide enterprise network. One of the main things I’ve learned over these past three years is that you can’t have security through obscurity. You need a continuous and unified view of your security posture if you want to operate a top-notch program.

People don’t think of a city as a large enterprise network, but at the end of the day, that’s exactly what it is — a $4 billion business that provides services for roughly 1.5 million citizens.

In fact, the two share some distinct commonalities.

First, cities are massive and they never throw out any information. That means that there is data being stored on outdated technology from 20 years ago that might not be secure; obviously, 20 years ago, no one was concerned about being hacked.

This also means that there is a mix of old and new technology sprawled across the city, from legacy applications and programs like PowerBuilder to intelligent smart city devices such as LED street lights, all of which create security gaps and blind spots. In San Diego, there are 24 discrete networks and 40,000 endpoints that run across 40 departments, including parks and recreation, public safety, transportation, and even golf courses and cemeteries that require point-of-sale (POS) systems.

Second and most importantly, cities never shut down. San Diego runs 24 hours a day, 7 days a week, and 365 days out of the year, which means that from a security standpoint, you can’t take the network offline or rip and replace old technology with new technology without interrupting the daily business operations of the city and its people.

This is probably very similar to your typical enterprise, with its complex network of hundreds, if not thousands, of devices and endpoints that process and store sensitive data distributed across cities, states, and countries. For retailers using POS systems and credit card readers, there’s also an added layer of Payment Card Industry (PCI) compliance regulations that they are required to meet and document.

Resilient Security = Visibility
Security does not exist in a vacuum. It’s a living, breathing lifecycle. The one thing I realized immediately in San Diego was that if I was going to build a resilient security program for one of the world’s smartest cities, I needed complete visibility into all its vast systems and devices, and a toolset that could properly assess and manage its security risk.

Having full visibility is crucial in understanding what security risks are out there. No city or enterprise has just one solid perimeter, especially with today’s extension of cloud and mobile technologies. The current environment is riddled with connected devices and smart technology to help improve our lives, but that also creates a more complicated and diverse threat landscape.

In order to achieve that level of visibility, organizations must start with a basic assessment of their environment. Using an industry standard, such as the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Critical Security Controls, is a great way for an enterprise to gauge the maturity of its network, create a baseline security standard, and get an ongoing security program off the ground. These assessments help identify areas for improvement, which can then become projects based on the gaps and risks that you need to fix. For example, some organizations might choose to develop a written policy for admin passwords, while others would target better compliance and auditing enforcement through new software or hardware.

Start with a Framework
In my case, I immediately looked at the NIST Cybersecurity Framework as a guiding principle because I knew a baseline of security would not only set me up for success, but also make the IT and InfoSec departments’ jobs more streamlined and efficient. Implementing NIST from the beginning helped me identify weak spots in the network and figure out what solutions to put in place to reduce our risk exposure and understand the data flowing across our multiple networks.

Once we had the framework in place, we used the Tenable Network Security platform to anchor our cybersecurity suite as we continuously inventoried, assessed, scanned, monitored, and remediated the network for cyber threats, as well as planned for future growth. For example, the city has to think about PCI compliance, as well as auditing and reporting, and has to correlate security threat and risk data from various security vendors, including Tenable, Splunk, Carbon Black, PacketSled, AttackIQ, and Sumo Logic.

One of the advantages of working with a vendor-neutral enterprise cybersecurity solutions provider like Tenable is that I didn’t just fill one security gap, I filled four and I was able to use the technology to unify data coming in from some of our other tools. San Diego averages close to a million cyber attacks a day, so having a comprehensive and continuous security monitoring tool in place was essential in identifying the most critical threats to the city.

It’s taken me nearly three years to get a complete picture of San Diego’s overall security posture, and the one thing I can’t reinforce enough is that the security lifecycle never ends; you will always be assessing for risk, which means you will always be monitoring your network. Enterprises have complex networks, so the more you can simplify your security program while still being effective, the better. All it takes is a simple three-step process:

  1. Assess your network by adopting a security framework such as NIST or CIS Critical Security Controls.
  2. Identify the network threats and gaps, and determine which policies, procedures, and solutions you need to adopt.
  3. Create a comprehensive security program that gives you a holistic view of the overall IT environment and the ability to continuously monitor for vulnerabilities.

As chief information security officer (CISO) for the City of San Diego, Gary Hayslip advises the city's executive leadership, consisting of mayoral, city council, and 40+ city departments and agencies, on protecting government information resources. Gary oversees citywide ...