Helping Cities Lay the Groundwork for Managing Vendor Risk and Cloud Security Risk
For the past year, the MIT Cybersecurity Clinic has been making updates to the tools and techniques we use to assess the information security readiness of cities, towns and hospitals. While industry-wide frameworks like NIST 800-53, ISO 27000-series, NIST CSF, and the like provide the knowledge complex entities need, they are not right-sized for municipal agencies that often consist of small teams very early in their security journey.
It is with this knowledge that the Clinic has created a tailored assessment toolkit and questionnaire to help public agencies in their efforts to stay resilient and secure, even as they increase digitalization of services and face dynamically shifting threats.
Ransomware attacks remain a major concern for public agencies who provide essential services for their citizens. They rely on the public’s trust to maintain these services. Washington DC’s police department (2021) and Baltimore’s EMS services (2019) suffered ransom attacks. Both needed to restore services and rebuild public trust. The MIT Cybersecurity Clinic’s cyber risk assessment process gives special weight to
Understanding essential/ mission-critical services, functions, processes, and supportive technologies;
Building resilience/ recovery measures, response/ contingency plans, and testing these to protect essential services;
Managing residual risk through insurance; and
Investing in relationships with peer, state, and federal agencies for additional support.
In tandem with ransomware, there has also been an increase in third-party/ supply chain attacks and compromises in security due to cloud misconfigurations or attacks in recent years. Making matters worse, sometimes attackers purposefully target vendors that users rely on or trust the most, all to get a foothold in user environments. Some notable cases include:
The Microsoft Exchange server compromise (2021) that left vulnerable not only emails, calendars, and collaboration environments, but could have been used as a launch point for further server hijacking, planting backdoors, data theft, or malware deployment;
The SolarWinds incident (2021) that further exposed pivot points to entities like security firm FireEye, the National Nuclear Security Administration, DHS, other public and private entities that used SolarWinds’s IT infrastructure monitoring tool, Orion;
The Accellion incident (2021) where attackers targeted the firewall vendor’s File Transfer Appliance, which was dedicated to moving sensitive user data;
A cloud storage misconfiguration (2021) that exposed sensitive citizen data of over 80 municipalities, including addresses, phone numbers, driver’s license numbers, and tax documents;
Another cloud storage misconfiguration by a Utah COVID testing company (2021) that left patient personal data exposed, including scanned passports and health insurance IDs.
These instances serve as yet another reminder that today’s IT environments are ever-growing, interconnected, and complex webs of supplier and user relationships. The attack surfaces at and between the nodes are becoming more difficult to defend.
With all of this in mind, we added three new learning and assessment modules to our vulnerability assessment tools:
Vulnerability management, with greater emphasis on prioritized remediation,
Vendor risk management, and
Cloud security configurations.
In these modules, we provide short guides for student assessors that talk about
What students are going to need to find out from their client community or agency;
What recommendations students will be expected to provide if they observe gaps in practice;
How clients are likely to act to these recommendations;
What questions students may expect to encounter from the client once recommendations are provided – with an indication of how students ought to respond, and
What supplementary resources and guidance student can offer so that clients are able to do more independent research and take follow-up actions on their own.
Why These Three Modules in Particular?
In previous iterations, this module focused exclusively on identifying vulnerabilities, but the challenge - as we now know - has less to do with running scans, and more to do with closing those vulnerabilities in a timely, risk-appropriate manner.
Keeping with the fundamentals of information security, this module now emphasizes process - including knowing when to perform assessments/scans, a sample logic tree for prioritizing remediations, and what to do when an important vulnerability is ‘risk-accepted’ or marked as an exception - as some inevitably are for critical urban infrastructure and services. This module aims to help public entities re-interrogate these processes for improvement on their own,
Vendor Risk Management
Sun Tzu says, in the Art of War, that “you can be sure of succeeding in your attacks if you attack places which are undefended.” Vendor risk continues to be one of the most daunting and least mature security domains, not only for municipalities, but even for larger more resourced enterprises. Knowing this, hackers will make their way, not to well-defended perimeters, but to less guarded supplier connections.
In this module, we again emphasize prioritizing and right-sizing the assessment process by learning which client services/ functions are mission-critical, learning which vendors/ products/ processes support those services, and concentrating protection efforts there. The prime challenge often is not in creating templates or criteria to risk-rank services and vendors (though this can also take time), but rather collaborating cross-departmentally within each organization to change the way things are done every step of the way, navigating the politics, and all the while, trying not to extend procurement cycles or add undue complexity. There is no one-size-fits-all prescription in this domain; so recommendations need to include considerable flexibility for implementation.
Cloud Security Configurations
Cloud solutions can be useful in the public sector for a variety of reasons. Saving time and human resources by offloading infrastructure maintenance responsibilities as well as potential cost-savings are two major drivers. Security in the cloud and hybrid environments, however, can be quite different from traditional on-premise IT. The upside is that all major cloud providers have a variety of built-in security features with detailed user instructions that cover common threats. The challenge, though, is that default settings can be insecure, and require quite a bit of configuration and customization based on what an organization is doing in the cloud.
We apply the same guiding principles as before in this module, emphasizing understanding key services that need to survive disruptions (requiring resilience controls) and sensitive data that needs to be kept secure (requiring data protection and monitoring controls). Rather than prescribing specific configurations, we review ways of determining whether these two requirements are understood and which safeguards can be implemented to serve these objectives.
What is Next?
Beginning Fall 2022, we will incorporate these new modules into our client assessments for municipalities and hospitals. With feedback from clients and students, we will continue to revise them along pragmatic and educational lines. For more information regarding the Clinic, its work and our new assessment tools, please visit our website or contact Prof. Lawrence Susskind.