Network Resiliency and Security Playbook for local government

Someone shared this with me, I wanted to pass it on. It’s from November 2017 – it’s a Network Resiliency and Security Playbook written to help local and state governments adopt best practices for preventing significant communications infrastructure failures and stopping or mitigating intrusions, hacking, and other disruptions of communications networks.

Intended audience…

The target audiences for this Playbook include information technology (IT) leaders and staff—the government employees who are responsible for implementing, operating, and maintaining IT systems—and the users of those government networks, including first responders. Because these audiences have a range of IT knowledge and expertise, this document includes high-level introductory information and links to useful background resources, as well as detailed technical descriptions of best practices.

Why you need it…

This Playbook addresses some of the key reasons that local and state government entities need to routinely include security and resiliency in their infrastructure development processes:

  • Local governments are attractive targets for cyber threats because they are often easy targets—especially those that do not have sufficient security resources and expertise

  • Local government networks can also be attractive targets in their own right, given their maintenance of sensitive data such as tax and voter rolls, contracts, procurements, traffic data, public-run utilities, etc.

  • Smaller governments often experience difficulty funding and staffing critical IT functions; as a result, those local governments might delay updating systems and applications, or even patching known issues, due to worry about proper functioning of legacy systems and risk of unintended impacts

  • Poor or inadequate segmentation of government networks can lead to large impacts from modest intrusion efforts

  • Local governments’ networks are increasingly interconnected with other systems, including those of other local governments, federal agencies, and private sector partners

  • Ransomware attacks make any target attractive regardless of size or sensitivity of data

  • Storms, floods, and other natural threats are a constant concern for any network, but especially for mission-critical public safety and government communications networks

If you’re still reading this may be a great tool for you!

New Year’s Resolution: Protect your Internet of Things

The Minneapolis Star Tribune ran an interesting article this week on cyber security and the Internet of things. The quick take is that the Internet of Things will make life so much more convenient but will also open us up for greater security risk. I think that’s the balance we have any time we use the Internet – for email, for web browsing, to buy anything. It’ makes life easier but riskier. The difference with the Internet of Things is that the risk more directly impacts our home and our bodies…

Consumers will soon become accustomed to conveniences such as starting a dishwasher from work, even though it’s hardly a necessity, said Ken Hoyme, a scientist with Minneapolis-based technology researchers Adventium Labs.

Small smart devices are “the weakest links” in a network, he said, whether it’s in a hospital or a home. For instance, he said computer worms can get into hospital systems through CAT scan machines with built-in browsers for automatic updates.

Breaking into an organization’s network could be as simple as exploiting out-of-date software on a smart thermostat to gain access to other connected systems, or simply changing the temperature settings to overheat a server room.

Hoyme said medical devices attached to the Internet could also be hacked, but that the dangers associated with not implanting a smart defibrillator far outweigh the likelihood of being the victim of a cyberattack. The University of Minnesota’s Technological Leadership Institute recently held a public forum on securing wireless medical devices against hacking.

If you’re looking for a short list for New Year’s Resolutions – you might at least consider how wide you want to balance convenience with security and privacy

Did you know you were a public hotspot hub for Comcast?

Here’s an ideological question – would you forgo personal privacy and security for the common good? If you could open up your home wireless router to others would you? I have certainly heard of people finding a way to share access with their neighbors since I’ve been in involved with ISPs. I remember in 1995, customers of MRNet found ways to connect their network through a dialup connection. (Can you imagine sharing a dialup connection now!) But the decision was always on the customer to share. Comcast has turned that around a little; according to CNN

Comcast has been swapping out customers’ old routers with new ones capable of doubling as public hotspots. So far, the company has turned 3 million home devices into public ones. By year’s end it plans to activate that feature on the other 5 million already installed.

Anyone with an Xfinity account can register their devices (laptop, tablet, phone) and the public network will always keep them registered — at a friend’s home, coffee shop or bus stop. No more asking for your cousin’s Wi-Fi network password.

And yes, this has been happening in Minnesota…

Comcast’s project that started in northern New Jersey has now spread to Boston, Chicago, Houston, Indianapolis, Minneapolis, Philadelphia, San Francisco, Seattle and elsewhere.

They say they have found ways to make it secure for the end user and to make sure added usage does not hinder speeds. All good developments – but to me the hiccup is doing it without informed consent. I assume customers have signed something (no one waking more eloquently about usage agreements that John Oliver on acceptable use) but according to the article, only one percent have opted out, which tells me most folks haven’t realized this was happening.

So two questions – should an ISP have permission/ability/right to open up the network in this way? Second – will they be opening up the technology to make this possible to others? So can a community looking to expand broadband learn any tricks? And a while back there was some pressure on coffee shops and others who offer public WiFi, often through “home” type connections to upgrade to commercial Hot Spot services – does this help those businesses offer public hot spots more easily and within the boundaries of their contract.

PSA on Security, Privacy and the Internet

It’s not often that I stand on a soapbox – and admittedly my life is kind of an open book online – but I thought the video below was worth sharing.

My intent is not to scare people away from using the Internet but just to be wise in the information they share. A recent report indicates that people aren’t very careful…

A new study by Amdocs Ltd. shows consumers are willing to barter personal data for service discounts, higher broadband speeds and priority customer service. The survey found that 57 percent of respondents said they would exchange data on Facebook friends, family members, and locations in return for a better service deal.

Last week I saw an interesting TED University talk by Jennifer Healey on personal ownership of our digital footprint. She chastised the privacy policies that no one reads pointing out that we are giving out a lot of information about ourselves for very little in return. Part of the problem is that right now access to personal digital information is an all or nothing proposition. There are times when you might be OK with sharing your personal data (from buying history to contacts) when the return is worthwhile – but access to the latest game app might not be it.

People need the power to be able to manage and negotiate with their own personal, digital data. There ought to be a better way – but in the meantime be prudent in the information you share and the access you give to various websites and apps in exchange for using their tools.

Is your community ready for a cyber attack?

Sometimes I lie awake at night and worry about what would happen if the Internet stopped working. How would I get work done? How would I communicate? How would the bank handle my money? Yet, I don’t have the best passwords. I suspect my firewall would be pretty easy to hack. Thanks to FourSquare I leave a digital footprint everywhere I go. I’m terrible about backing up anything. I’m all worry, no action. That makes me worry even more that everyone is like me. We worry about security late at night but we lapse into convenience in the light of day. Was US Bank like me?

The US Bank website was attacked last week. The Minneapolis/St Paul Business Journal (and others) reports that it was a denial of service attack…

The attacks flooded bank websites with 10 to 20 times more Internet traffic than the usual DOS attack. And even though the still-unidentified group behind the attacks announced its targets days ahead of time, banks were unable to cope with them.

So why weren’t they ready? I don’t know and I don’t want to pick on US Bank (they weren’t the only bank hit), but last spring I attended a National Security Conference at the U of M and one of the themes that came up was that human dynamics may be the weakest link in security these days…

Security often comes down to human error – or maybe human weakness. People open links they shouldn’t, download software they shouldn’t, transmit info via insecure wires networks. Sometimes that’s because people can be gullible; sometimes that’s because hackers can be good and persistent. Administrators don’t keep up on updates or take the time to shut all security doors and windows.

My worry was deepened last summer at TED Global, where we heard about groups who are looking to wreak havoc on security just because they can and where Marc Goodman from Future Crimes Institute, painted a very bleak picture of cyber security.

Marc Goodman did offer one ray of hope

Technology, he says, is affording exponentially growing power to non-state actors and rogue players, with significant consequences for our common global security. How to respond to these threats? The crime-fighting solution might just lie in crowdsourcing.

This fits in well with another TED speaker, Navy Admiral James Stavridis, who spoke of the need to build bridges, not walls. But part of crowdsourcing, part of building bridges is convincing more people that these topics are worth their time and consideration.

So back to my original question – Is your community ready for a cyber attack? If you don’t know the answer, who does? I’m hoping to find out more about who knows and how I can spread the word at the Cyber Security Summit next week (Oct 9-10). I’ll post my notes – but what I have picked up from previous cyber security conferences is that our greatest weakness is our potential strength – people! So I’d encourage others to attend.

Cyber Security Summit 2012: Oct 9-10 in Minneapolis

I am excited to report that I’m planning to attend the 2012 Cyber Security Summit. I will take good notes and post, but I encourage folks to think about attending too. As we build our entire lives online, I think it makes sense for everyone to work together to protect those online lives and security is definitely a case where you’re only as strong as your weakest link. So it behooves technology and community leaders to make sure that they are not that weakest link!

The Cyber Security Summit is focused on changing the paradigm of how we look at digital space and security. Our mission is to bring together leaders from the government, business, and non-profit sectors to collaborate on digital infrastructure security issues. These important issues have a profound impact on all units of society, from the largest- governments and multinational corporations, to the smallest- store owners and individuals. In an ever increasing digital world, all levels of government and business operations must be reexamined to address growing cyber security threats.

The Cyber Security Summit serves as a platform for the discussion and generation of new knowledge on a topic that is critical to our state’s and our nation’s future. By fostering the collaboration of the public and private sectors, our goal is to conceive new, innovative counter measures against cyber security threats.

Tuesday, October 9, 2012 – Wednesday, October 10, 2012 7:30 AM – 6:00 PM in Minneapolis