Assessing the Security Posture of Counties

Recognizing a problem before it becomes an emergency is a leadership trait. Pro-active security posture assessment of IT Infrastructure at County Administration is one such case in point. Given the amount and nature of citizen data and such other socially critical information that the County Administration holds, it becomes very important to have a continuous/periodic assessment of its IT infrastructure for any vulnerabilities. County administration heads can pre-empt security threats through pen testing.

Counties generally have the vision to grow the economy, foster local business partnerships, and distribute resources to the people. They create an impact by developing urban communities, conducting training programs for in-demand trades, and fostering economic development. While doing so it makes sense for counties to assess the security posture so that the reputation they built over decades should not ruin due to cyber-attacks.

Digital transformation has helped both users as well as cybercriminals. Digitization is crucial for counties to increase service quality, improve interactions with citizens, and enhance administrative efficiency. As the city administration has to work with network-based information systems they need to ensure e-governance, facilitation of justice, medical services, public works, and procurement receive protection from cyber-attacks.?

Developing a security posture

It is at this stage that security posture comes into the picture. Government counties should have a security posture to measure their visibility in their information assets. As a rule, the County's cybersecurity visibility must extend to all types of assets and security issues.

Before going into defense, it is vital to assess the current information security posture so that the County can build a mechanism to identify and block potential security risks.

The County should ensure its security risk management methodology is followed consistently where relevant security controls are implemented in time. Such controls can prevent unauthorized, accidental, or deliberate use of digital assets by external or internal elements for personal gains or malicious activities.

Developing a security posture

It is at this stage that security posture comes into the picture. Government counties should have a security posture to measure their visibility in their information assets. As a rule, the County's cybersecurity visibility must extend to all types of assets and security issues.

Before going into defense, it is vital to assess the current information security posture so that the County can build a mechanism to identify and block potential security risks.

The County should ensure its security risk management methodology is followed consistently where relevant security controls are implemented in time. Such controls can prevent unauthorized, accidental, or deliberate use of digital assets by external or internal elements for personal gains or malicious activities.

Assessing security vulnerabilities

Rising incidents have proved that information security is a forethought, not an afterthought. Therefore, counties should make it a strategic imperative to assess their current security posture by performing the following with the help of a managed cybersecurity provider:

External penetration test: With external pentest, county administration could pinpoint open services and vulnerabilities present in hosts exposed to the Internet. They can employ strategies like using the cybersecurity managed services provider to act as a malicious external party trying to access the internal network and data and compromise the County information systems. An external penetration test can detect any compromise on social media, password dumps, and public cloud databases. The managed cybersecurity services provider should employ a combination of automated and manual testing methods to perform pen-test depending on the situation. External pent-test gives insights to the County administration to identify the lack of knowledge of its workforce.

Internal penetration test: Counties need to point out vulnerabilities in the hosts present in County's internal networks. Testing attacks will help discover flaws in the existing security program so that the firm can create a well-secured network. Here the cybersecurity managed services provider will try to penetrate the internal client network through available network ports or wireless infrastructure. The county administration needs to provide the right cybersecurity defenses by giving unrestricted access to the internal network to identify the weak points.

Social engineering penetration testing: Counties need social engineering pen-testing to identify the weakest link or potential workers who can be victims or threats. Onsite tests help to detect impersonation, tailgating, USB drops, and Dumpster Diving. Simultaneously, testers should conduct off-site tests remotely to test users’ security awareness on vishing, phishing, and smishing. Testing the 'victims' on how they got tricked will give information on the activities of fired workers, mistreated workers, or staff who lack security awareness.

Operational security review of Office 365 and MS Azure Government Cloud: To protect assets on the public cloud, it is essential to conduct an operational security review of the County's Azure configuration to ensure it is in harmony with industry best practices. The study should gauge the efficiency of deployed controls.

Training

According to a McKinsey survey, only 16% of executives agree that their enterprises are well prepared to deal with cyber risk. In addition, the survey finds that the confidence level of employees to avoid breaches is 1 out of 3. The low figure shows the expectation from cybersecurity managed service providers to impart knowledge to deal with cyber risks through training.

As the administration is busy with community development initiatives, Counties need to ensure welfare measures should have a trickle-down effect without interruptions like cyber-attacks on County information networks. Experienced cybersecurity managed service providers should have the foresight to assess, test, and train the staff so that the pen-testing will give lasting protection from cyber-attacks or workers lacking knowledge on security.

By Research Team, SBase Technologies Inc.

SBase is an underwriter and sponsor for CentralTexasCIO and DallasCIO chapters, working with CIOs on these types of challenges including cloud, cyber,?data, and digital solutions. The "answer is in the room" with the Inspire Leadership Network .

Bharath Sama , Pradeep T. , Srikanth Krishnarao , and Syed I B.