For the last 20 months or so, we’ve worked with nearly 200 government municipalities on cyber loss control projects, now largely completed. Based on the findings from this effort, we’ve identified those areas where many municipalities are most vulnerable and are excited to share practical tips and actionable insights to increase information security in municipalities. In this post—the eighth and final post in our Cyber Security Foundation for Municipal Government series—we’ll overview critical controls for managing “technical vulnerabilities” that relate to your IT hardware and software itself.
Keep Local Controls Up-to-Date
Many municipalities have local controls like antivirus/anti-spam/anti-malware software and a network firewall. New malware is unleashed without warning and can strike thousands of organizations before anyone even knows it’s out there. WannaCry is a perfect example.
But anti-malware vendors respond very quickly to these threats, so it’s essential to keep your protective software continuously up-to-date. Turn on “automatic updates” for the best protection.
“Patch everything,” meaning operating systems and applications alike, is known to be one of the single most efficient and effective protections against cyber attack. A very high percentage of malware targets known vulnerabilities on unpatched systems.
Microsoft makes it pretty easy to patch Windows systems with security updates. But vulnerabilities are patched all the time in your other software, too. For example, if you are leveraging virtualization, don’t forget to patch your VMware environments. It’s also a good idea to periodically verify that patches are being applied.
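One way to do that periodic verification on Windows hosts, as an added example that is not from the original post: the script below reports when each machine last installed an update and flags any that have gone too long without one. The host list, the 35-day threshold and the assumption that remote WMI queries are permitted are all illustrative choices.

```powershell
# Added example: report Windows hosts with no recent update installation.
# Assumptions: the host names passed in and the 35-day threshold are placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxAgeDays = 35
)

function Get-PatchStatus {
    param([string]$Computer, [int]$MaxAgeDays)

    try {
        # Get-HotFix reads the Win32_QuickFixEngineering class on the target host.
        $fixes = Get-HotFix -ComputerName $Computer -ErrorAction Stop
    } catch {
        # A host that cannot be queried is a finding in itself, not a pass.
        return [pscustomobject]@{
            Computer = $Computer; LastInstalled = $null; LastHotFix = $null
            Status   = "UNREACHABLE: $($_.Exception.Message)"
        }
    }

    # InstalledOn can be empty for some entries; ignore those when dating.
    $latest = $fixes | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    if (-not $latest) {
        $status = 'NO DATED UPDATES FOUND'
    } elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-$MaxAgeDays)) {
        $status = 'STALE'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Computer      = $Computer
        LastInstalled = if ($latest) { $latest.InstalledOn } else { $null }
        LastHotFix    = if ($latest) { $latest.HotFixID } else { $null }
        Status        = $status
    }
}

$ComputerName |
    ForEach-Object { Get-PatchStatus -Computer $_ -MaxAgeDays $MaxAgeDays } |
    Sort-Object Status, Computer | Format-Table -AutoSize
```

Get-HotFix only lists Windows updates recorded by the operating system, so third-party software such as the VMware environments mentioned above still needs to be checked through its own tooling.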
Use Browser Add-Ons to Improve Users’ Web Security
Popular web browsers like Chrome, Firefox and Internet Explorer are becoming more secure all the time and do a pretty good job of thwarting many threats automatically with their default settings. But the web is a dangerous place full of drive-by downloads, phishing sites and malvertising, and new attacks are launched all the time.
Some of the most popular security add-ons for browsers include:
- Password managers (e.g., LastPass)
- Tracking blockers, which can help protect privacy and keep you safe from malicious ads
- Script blockers to give users control over whether or not a website can run script code
- Add-ons for setting up Virtual Private Networks (VPNs) to improve the safety of public Wi-Fi
- Simple tools to ensure that the HTTPS connection protocol is used whenever it’s available
- So-called browser firewalls, which effectively are dashboards that help with multiple web security/privacy issues
Minimize Admin Access
Back in Part 2 of this series we blogged about access controls and the need to use stronger controls on admin accounts. If compromised or accidentally mishandled, an admin account can do a lot of damage.
This is why we recommend a least privilege administrative model and, in general, blocking end-users from using admin or root-level accounts unless they’re performing admin tasks that require that level of access. Windows 7 and Windows 10 make it easy to do this through features like User Account Control.
Other Technical Controls
In addition to the above, other important technical controls that are cost-effective to implement include:
- Disable unused and/or legacy services and unused ports and protocols—these are open doors for cyber attack.
- Implement gateway controls to filter spam and other content, restrict wireless traffic to a subnet, limit access to critical systems, etc.
- If you’re doing regular patching and have taken most or all of the above steps, consider regular network penetration testing or vulnerability assessment, annually or more often, to identify vulnerabilities that have slipped past your radar.
Pivot Point Security is a one-stop shop for any advice or services you may need. Let us work with you to develop the best plan and approach to improve your information security posture. Contact us to connect with an expert and start the conversation.
This post concludes the series on foundational security controls for municipalities. We hope you found it useful. Stay safe out there!
Ongoing Series: Cyber Security Foundation for Municipal Governments
We are overviewing this foundational cyber security guidance for municipalities in a series of blog posts. The full list of topics we will be covering includes:
- Covering the bases
- Password management and access control
- Backup and encryption
- Malware and social engineering attacks
- Cyber security awareness education
- Contingency planning: Incident response, disaster recovery and business continuity
- Vendor risk management
- Patching and other “technical controls” (CURRENT POST)