I’ve done a fair amount of IT security assessment work for municipalities over the years and one thing stands out: the sheer complexity of the average municipal network. From general city services to police, fire and 911 operations, there are a lot of moving parts in any municipal IT environment.
Those moving parts translate to complexity, which directly correlates with information risk. Whether you have performed a generic “network assessment,” an in-depth technical vulnerability assessment, or not much at all, odds are good that you have overlooked a thing or two that’s creating risk.
IT security assessments for municipalities typically uncover weaknesses including:
• Lack of network segmentation between administrative, police, water works and similar networks. This includes open or poorly secured wireless networks and Ethernet drops in public (or semi-public) places such as city council meeting rooms and civic center concession areas that provide direct access into the back-end network environment.
• Numerous websites, content management systems, and business applications that have never been tested or, in the case of internal-facing systems, are assumed to be secure because everyone can be trusted if they are on the inside.
• Shared network accounts (admins and regular users), especially for kiosk-based systems around town. These can create accountability issues when security incidents arise.
• No good network traffic baselines to help understand what “normal” is.
• Lack of network logging and event monitoring — go ahead and outsource this and be done with it.
• Network-connected computers that are not on the Windows domain, and thus, do not fall under the same security controls as domain-based computers.
• Unencrypted phones, tablets, and laptops, including highly mobile systems in police squad cars and related areas.
• Little to no internet content filtering to actually enforce otherwise reasonable acceptable usage policies.
• Strong dependence on outside developers and cloud service providers to always do the right things when it comes to security — which rarely happens.
• Limited physical security, especially in and around IT areas that are of utmost importance to protect, such as IT offices, data centers and backup power generators.
• Misunderstanding of existing firewall rule bases — this includes who can do what, when and where, and is something that can be resolved by performing an automated firewall rule base analysis.
• Minimal compliance oversight — especially involving PCI DSS and HIPAA/HITECH for those with their own health plans.
• No incident response plan that outlines the specific steps that must be taken during an external breach, malware attack, laptop loss or other incident. This is arguably the riskiest aspect.
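The firewall rule base analysis mentioned in the list above, sketched as an added example (not from the original article): it walks a first-match rule list and flags shadowed or redundant rules, overly broad permits, and permits that let a public-facing zone reach a sensitive one, which is the segmentation gap from the first bullet. The rule format, zone names and sample rules are constructed assumptions.

```python
# Added example: hypothetical rule format and zone names, constructed sample data.
from dataclasses import dataclass

ANY = "any"
UNTRUSTED = {"public_wifi", "council_room"}    # assumed zones reachable by the public
SENSITIVE = {"police", "water_works", "911"}   # assumed zones that must stay isolated

@dataclass(frozen=True)
class Rule:
    rid: int
    action: str   # "permit" or "deny"
    src: str      # source zone
    dst: str      # destination zone
    port: str     # destination port or "any"

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a."""
    return all(x in (ANY, y) for x, y in ((a.src, b.src), (a.dst, b.dst), (a.port, b.port)))

def analyze(rules):
    """Return (rule id, finding) pairs for a first-match-wins rule list."""
    findings = []
    for i, r in enumerate(rules):
        shadow = next((e for e in rules[:i] if covers(e, r)), None)  # earlier rule wins
        if shadow:
            kind = "redundant" if shadow.action == r.action else "shadowed"
            findings.append((r.rid, f"{kind} (covered by rule {shadow.rid})"))
            continue
        if r.action != "permit":
            continue
        if ANY in (r.src, r.dst) and r.port == ANY:
            findings.append((r.rid, "overly broad permit"))
        if r.src in UNTRUSTED | {ANY} and r.dst in SENSITIVE | {ANY}:
            findings.append((r.rid, "untrusted zone can reach sensitive zone"))
    return findings

# Constructed sample rule base, evaluated top to bottom.
RULES = [
    Rule(1, "permit", "admin", "police", "443"),
    Rule(2, "permit", "public_wifi", ANY, ANY),
    Rule(3, "deny", "public_wifi", "police", ANY),
    Rule(4, "permit", "admin", "police", "443"),
    Rule(5, "permit", "kiosk", "admin", "443"),
    Rule(6, "deny", ANY, ANY, ANY),
]

if __name__ == "__main__":
    for rid, finding in analyze(RULES):
        print(f"rule {rid}: {finding}")
```

Rule 3 is the instructive case: the deny looks like it isolates the police network from public Wi-Fi, but rule 2 matches first, so the deny never fires.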
One final thing that stands out regarding municipalities and IT security is the general lack of budget. Join the crowd, huh? The thing is, the people ultimately responsible for IT security treat this dilemma as if the security threats can wait until the city gets more funding. It doesn’t work that way — all of the recent information security studies by Verizon, Trustwave and others underscore the importance of doing something today, before it is too late.
I’ve found some of my municipal clients have more secure networks than just about any other type of business I see. It all comes down to leadership that includes IT oversight and being able to sell security initiatives to city council members, police chiefs, and other higher-ups. It can be done if the choice is made to make it happen.
Kevin Beaver is a consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including “Hacking for Dummies” and the Security on Wheels audio books and blog (www.securityonwheels.com). Follow him on Twitter, @kevinbeaver or connect to him on LinkedIn.