Public sector cybersecurity. What does every administration IT manager need to know?
Dawid Piec:
Hello everyone and welcome to the secure administration webinar. My name is Dawid Piec and I am responsible for handling issues pertaining to the central and local administration clients at EXATEL. With me are Michał Sobotka and Paweł Deyk from the Sales Support Team. Today, we’ll be looking into the cybersecurity of the public sector and trying to dispel some myths about cybersecurity. We will show you that cybersecurity is crucial to the operation of offices and talk about possible threats. There’s no entity that cannot be a potential victim of a cyber attack, really. It’s a myth. Any entity can be attacked. We will discuss this matter first.
Here on this slide, you can see sample news releases. Such situations happen every day and any entity can be attacked. Those attacks can vary. We cannot say that no one will attack a random small municipality, because it happens. As we can see in the example below: “Thieves robbed the municipality of half a million PLN.” It is a real threat, especially dreadful in today’s world in which we use the network for practically everything and most applications are connected to one another – and we need to secure ourselves against such threats. Which regulations do we need to know? What is the National Cybersecurity System? What about the other regulations? Michał is here to answer those questions.
Michał Sobotka:
Hello. Let’s face the facts – when it comes to regulations on data security, a lot has changed over the last few years. Recently, the Act on the National Cybersecurity System (NCS) came into force. It is, in fact, a regulation that implements the NIS Directive into our legal system. This directive standardises cybersecurity issues and data security incident management across the European Union. In Poland, compliance with the NIS Directive is ensured by the aforementioned act and the secondary legislation.
Dawid:
What are the key concepts of the Act on the NCS?
Michał:
First of all, we have to define the term “cybersecurity”. We instinctively know what cybersecurity means, but our legislator defines it as the resistance of information systems to actions that breach the confidentiality, integrity, availability, and authenticity of processed data or services related to them. The key concepts here are critical incident, major incident, and significant incident. It is also important to remember who the operator of essential services and the digital service provider are. The operator of essential services is an entity that has been designated by the competent authority and therefore has certain responsibilities as defined in the Act. When it comes to a digital service provider, it’s an entity providing services to the general public and others. These are primarily providers of commerce platforms, search engines, as well as companies that specialise in the provision of cloud computing services.
Dawid:
How does it work in practice, who do we report to and where?
Michał:
CSIRTs (Computer Security Incident Response Teams) were established, which in Poland are divided into three areas – CSIRT MON, CSIRT GOV and CSIRT NASK – which are managed by relevant ministers and reported to by their subordinate institutions. CSIRT MON concerns broadly defined Polish defence services, CSIRT GOV – government administration institutions, and CSIRT NASK handles other areas.
Dawid:
Obviously we have discussed only one of those acts. If I am a manager, do additional laws still apply to me? Is there anything else I should know?
Michał:
Well, it is important to remember that the Act on the NCS is not the only regulation that we have to comply with when processing data – especially personal data. The Personal Data Protection Act has been in force for several years; not long ago the GDPR came into force, as well as the amendment adjusting domestic regulations to this regulation.
Dawid:
Not so long ago GDPR was on everybody’s lips, including mass media, but what did it actually mean for us, IT managers?
Michał:
For IT managers it meant that first and foremost we need to pay close attention to the method of processing personal data. To tell the truth, the mobilisation of data processing alone didn’t do much, because people responsible for processing data have to protect it at all times. However, it should be remembered that under the current regulation the protection of such data is already more strictly defined and the consequences of failure to comply with these guidelines are quite severe.
What is meant by the control of data processing? This is nothing more than the application of security systems proportionate to the category of data processed. We also have certain obligations, such as reporting the discovery of an incident relating to the processing of personal data within 72 hours. This is also important because the determination of an incident occurrence must be based on knowledge of that incident, and without the proper equipment, we may lack that knowledge.
Dawid:
What are our penalties for not complying with this regulation? What does it depend on?
Michał:
The consequences of not complying with the Act depend on several factors. First, the degree of culpability, i.e. whether we have implemented appropriate data protection systems. What I have in mind here are not only procedures and the internal circulation of documents, categories of persons who may have access to these documents, but also technical security measures for IT systems – nowadays, as we all know, most documentation is in digital form and we must take special care of it. Another factor that may contribute to increasing or decreasing the potential penalty is the nature and timing of the violation. What data and of what nature was stolen, how long did we not know about it and was it in circulation? So we’re back to those 72 hours I was talking about earlier. There is also such a thing as the degree of cooperation with the supervisory authority, i.e. how, once an incident is detected, we cooperate with the competent authorities to remove the effects of that incident. This is an open-ended topic, which we could talk about for a long time, but the most important thing is to properly secure the data, also from the technical point of view, and in the case of detecting an incident, to draw consequences from it by implementing appropriate security measures in our own network.
Dawid:
Well, that’s what I think Article 25 of the GDPR is about.
Michał:
Exactly. We are coming back to proportionality here, because we all know very well that cybersecurity is not free these days, but on the other hand we must also remember that, thanks to the new regulations, incidents are not cheap either. Therefore, we really need to consider whether the technical measures we want to use or are using are appropriate for the category of data we are processing. An important note for institutions such as hospitals that process crucial personal data: violation and leakage of data regarding patients and their diseases can be a very serious incident involving a large financial penalty. We know that the Personal Data Protection Office can impose penalties, because recently one of the entities processing personal data was fined almost a million PLN. The reason for that was simply the failure to fulfil the notification duty, which is like the basis of all obligations related to the processing of personal data.
Dawid:
We talk about penalties, technical options, costs, but really what could be the cost of not complying with the GDPR? What amounts are we talking about?
Michał:
The costs can be very high. In the case of the Personal Data Protection Act and the European Council Regulation, there are two penalty thresholds – the first is EUR 10 million or 2% of the company’s annual turnover, and the second is EUR 20 million or 4% of the company’s annual turnover. As I mentioned earlier, the amount of the penalty may depend on the degree of culpability and other circumstances connected with respecting the integrity of personal data. For example, if we implement advanced security systems and procedures and despite this we do not manage to avoid an incident, it is known that our degree of culpability will be negligible, as we will never be 100% protected against an unauthorized action, but we can do everything to prevent it. This is something that the authority responsible for imposing the penalty will certainly pay attention to. In the case of Polish regulations, and especially in the case of public finance sector entities, these penalties may be lower. I emphasize the word “may” because they don’t have to be.
Dawid:
So we have several regulations. Could you summarize them in a few words? Is it worth securing yourselves at all?
Michał:
These regulations state, above all, that it is necessary to secure oneself and that the security process should not be looked upon as a one-time activity, e.g. purchase of devices and licenses for some software, but as a continuous process. The Act on the NCS implies the cyclical nature of certain activities. For example, matters related to the conduct of audits. Entities that are operators of essential services are obliged to conduct audits regularly every two years, whereas the first audit must take place within one year of receiving the decision regarding becoming the operator of essential services. So I encourage you to look at security not just as a one-time purchase, but as a process in your business. I also recommend considering whether it is a good idea to, for example, pass such consequences to IT teams – it is not always right when the person under control is simultaneously the controlling party.
Dawid:
How to check what is the state of our network and whether we are well secured?
Michał:
It may often seem like the security level of your network is high because seemingly nothing suspicious is going on. However, to really answer that question there are a few things you need to do. Our company, while providing its services, performs many activities which are necessary to answer the question whether we are safe or not. These include penetration testing, network scanning, and IT audits.
Dawid:
What are the types of penetration tests, what can we say about them?
Michał:
When it comes to testing, the scenarios can vary. It all really comes down to knowing the infrastructure that the penetration tester is supposed to investigate. It may happen that the penetration tester knows absolutely nothing about the infrastructure, or on the contrary that they know everything about the infrastructure and the system they are checking. Then, of course, there are all the possible mixed scenarios.
Dawid:
What really comes out of these penetration tests in the end? What can we say about them? What are the effects?
Michał:
The effects are most often surprising to companies that undergo such tests. Here again I must refer to our company’s experience. Given that we’re providing this kind of service, we know for a fact that things like protocol configuration errors, outdated software versions, and problems with properly configuring externally delivered digital services happen very often. We encounter problems with the configuration of security devices, and we have options to check whether there is any unwanted traffic on the network. Very often we find out about the presence of unauthorised devices, i.e. some Access Points, forgotten routers and servers. It also happens that we find a forgotten branch.
Dawid:
What happens after the penetration tests are performed appropriately? What should we, as the client, get from that?
Michał:
Such tests end with a report which will constitute a compendium of knowledge regarding what we are dealing with here. In the case of our company, we also give some recommendations on how to configure devices within the network, how to configure the network itself, services and service systems. We also give instructions on how to proceed if an incident has already happened and we have found a data integrity breach. Moreover, we offer services such as reverse engineering of software – I mean, of course, malware that has entered our network – or computer forensics, which will lead to the fact that the entire process of penetration of our network by malware will be discovered by us and we will be able to determine the scope of the incident – which is particularly important in the context of the Act on the NCS – and how it happened.
Dawid:
So we discussed basic parameters. We know what regulations apply to us and how to check the network, what that network should look like. We get the report, instructions and then the question arises: what cybersecurity solutions can we apply? Which ones are effective for us and which are not? What can we choose from these solutions?
Paweł Deyk:
As you know, there are many manufacturers and solutions in the cybersecurity market. It’s hard to figure out which ones do the best job. Some of them also have overlapping functions and tasks. This is difficult from the client’s point of view, and for this reason it is worthwhile to support outside competence. EXATEL, which as an operator has been swiftly developing its competences in this area for several years, tested many different platforms in order to select the leaders in their areas and for classes of their solutions. We cooperate with providers of DDoS protection solutions, next-generation firewalls, network monitoring tools and Web Application Firewalls. We are very much aware of what is going on in the market and we always try to offer our customers solutions that we have tested ourselves as well as provide services on the platforms that we also have and which we use and sell – also as services.
Dawid:
Let’s talk about some specific solutions that we, as EXATEL, would recommend.
Paweł:
Starting from the edge of the network, i.e. the point of contact with the Internet, we offer, among others, a platform for protection against DDoS attacks. Links with high capacity are quite attractive for hackers, and such high capacity links are usually used in the public sector. These attacks are meant to block the system operation or the entire network. Protection against attacks is in fact based on two elements: the CP probe, which analyses the traffic and detects any anomalies suggesting that it may be a DDoS attack and then redirects the traffic to the TMS cleaning unit using the BGP protocol. In our case it is an Arbor Networks solution. Once the unwanted traffic is cleared, the correct traffic is routed back to the client’s devices and thus does not halt the organisation’s operations. Importantly, this protection allows you to defend against volumetric or IP fragmentation attacks, as well as those related to resource exhaustion. EXATEL is also working on its own solution – TAMA – which will be tested by our clients this year.
Dawid:
This is one of the solutions we use at the edge of the network. What else could we recommend to our clients?
Paweł:
In the case of public administration, there is usually a firewall or UTM solution implemented, which partially fulfils its role and blocks unwanted network traffic, but such solutions have some flaws. Nowadays a lot of applications use the same ports and it’s hard to distinguish them at the device level. Some of them also use encrypted traffic, so in this case there’s a problem with blocking unwanted traffic properly. This is why we recommend next-generation firewall solutions. They differ, among other things, in that they work on higher layers, not only from layer 2 to 4, but also up to layer 7, and have increased performance with additional features. I will tell you more about them in a moment. What also sets these solutions apart – in this case we’re talking about Palo Alto Networks – is the possibility to make three important identifications. We can identify applications that users work with. We can also identify the users themselves, not only by the addresses from which they connect or the IP/MAC address of the device, as well as analyse the content, i.e. we can apply web filtering mechanisms here or identify specific files. This is functionality that is not provided by standard firewall or UTM solutions.
Dawid:
So we buy the device and it provides us with maximum security. Can we feel safe?
Paweł:
Partially. What’s crucial when it comes to maintaining a security system is how we make sure that we update rules and policies on devices and how we adapt solutions to the way in which network changes – it’s a dynamic environment. EXATEL offers Managed Firewall service, which means that we take the entire burden of maintenance, implementation and management of this solution to ourselves. We operate in two models – either we install a local device in the customer’s environment and manage it, or we can redirect all traffic to our central platform so you don’t even need to purchase a device for your own network. Of course, we guarantee the appropriate SLA and signature database updates for this service.
Dawid:
So, this is how we protect internal network. How can we secure services? That’s another important issue these days.
Paweł:
Web Application Firewall class solutions can secure the service on many levels and at many stages of application usage. In our environment, we promote the F5 Networks platform, which deals specifically with web application traffic. It is a platform built of many modules that we can run depending on our needs. Some of the most interesting instances that can be seen here on the slide include WebSafe, protecting against phishing at the user’s end, and APM protection – control over access via remote connections (whether SSL VPN or SSO) and authentication to cloud services like Office 365. Another module, for example, is the AFM, which is a layer 3 and 4 firewall that filters incoming traffic to the application. In addition, we also have modules such as LTM, which is an application-level load balancer allowing you to choose the best resources available at the moment in the software environment, and ASM, which is the main module that deals with protection against layer 7 attacks. Vulnerability attacks are often not blocked properly by standard firewall solutions. The point is that attacks often impersonate valid traffic and look like the correct action, so it’s hard to find a rule that will block the attack. In such a case, there are advanced mechanisms for such a solution to learn what the correct traffic looks like.
Dawid:
Do we, at EXATEL, provide this kind of services to our clients?
Paweł:
This solution is perfect for platforms and e-services that some of you probably have in your environments. We have implemented it to protect one of the nationwide e-service platforms for one of the ministries. We provide this solution as a service and it is rather convenient to maintain and easy to pay for. A client using our service gains protection from attacks that rests with an experienced partner operating from the outside. These can be either zero-day attacks on vulnerabilities, attacks from the list of the most crucial security risks (OWASP TOP10), brute-force attacks on login panels, or simply attempts to replace websites with malicious or compromising ones. By purchasing such a solution, we protect our image and reputation, and allow the application to work properly, which limits certain abuses. We can also offer penetration testing of your application to detect vulnerabilities, as well as analysis of the source code to verify whether it can be exploited in a malicious way.
Dawid:
We’ve discussed the DDoS solution, the next-generation firewall, the WAF solution, but how to find out what’s wrong with the network? What is the smartest way to check this?
Paweł:
We often face situations where we know something is wrong, we can see that the performance of the network is inadequate, but it is hard to diagnose the problem. In such a case the devices that monitor network traffic come in handy – such as the one suggested by us, the Flowmon Networks solution, which examines flows based on metadata. This solution uses probes, which are passive sources of metadata: they take copies of the traffic and pass all the information to the collector – the heart of this system, which collects, analyses and aggregates all the statistics as well as allowing the administrator to see what is really happening in their network. One of the most important features of the Flowmon Networks platform is the Anomaly Detection System, which allows for behavioural analysis of traffic. Thanks to it we can see if traffic is behaving in a standard way. The administrator is alerted in the event of unusual traffic or, for example, when devices that don’t usually “communicate” with each other are now connecting. Additionally, it can take certain actions beyond displaying an alert and, for example, automatically run the Traffic Recorder module, which allows for full packet capture. This feature is crucial when it comes to finding the source of an attack or certain auditing activities. Additionally, there is the Application Performance Monitoring module, which enables you to identify whether delays in some application or resource are related to network delays or, for example, are caused by incorrect database configuration. Those are the tools available through the platform.
Dawid:
This is one of those platforms. What other solutions we can get? What platforms can we use for this?
Paweł:
Another of the solutions we recommend is designed for larger organisations. It’s a Fidelis Networks platform – Elevate – which has three components. I’m talking about network traffic analysis (Network), host activity analysis (Endpoint) and Deception. Network primarily analyses network traffic sessions through protocols. It detects all malicious and unwanted activities. It can also detect all kinds of anomalies and find files with fake extensions. Such a platform can also serve well as a resource for creating DLP policies and protecting against data leakage. The Endpoint part is a solution protecting your endpoint devices and allowing you to monitor them. Above all, it enables you to identify and stop an attack in its early stages, when unwanted things are happening – but they haven’t yet been detected by your systems. Thanks to this feature, a post-breach analysis can be performed, verifying which station was infected and how, and what happened to the malware next. Deception is the latest component in this solution. It involves generating system traps that reflect the client’s actual infrastructure and have some kind of decoy to attract the attacker’s attention. These decoys could be some fake login panel credentials or files with crafted sensitive data that distract from critical customer resources and real systems. They also make it possible to generate alerts that someone is trying to log on to various systems using data found in our network, i.e. to detect an attack already in progress.
Dawid:
You said this is a solution designed for large organisations. Are there solutions like this for smaller organisations and offices? Something more accessible?
Paweł:
For smaller organisations, in addition to protecting the network edge, we suggest first and foremost a basic check of the local network, i.e. what devices are connected, whether they are secure, whether they are not trying to spread some malware. This is possible through the use of Network Access Control. One example here is NetShield which also produces small Nano solutions for small offices and remote branches. By using such a solution, we protect primarily against unauthorised access. Interestingly, the solution is agentless and does not require much infrastructure intervention, making it affordable and easy to install.
Dawid:
So we have several solutions – firewall, DDoS… That’s a lot. Are we able to gather all of them in one place to make them easier to manage?
Paweł:
This is certainly a challenge. SIEM-type systems, i.e. systems for aggregating and correlating logs from different sources, serve this purpose. These systems have evolved over time from the simplest applications, i.e. just collecting logs and aggregating them into various packages, through more advanced solutions that analyse user behaviour, i.e. UEBA, to the third generation. Here, we are presenting and using a SIEM system from the manufacturer RSA. It has a more comprehensive approach to the topic – using this solution we can observe both system logs and information from end devices. That happens through endpoint modules, in addition to all of the previously mentioned ones, and it feeds its engines with information from the Threat Intelligence module – that is, from known, but not yet widely published vulnerability information – thanks to which we can approach the topic in a holistic way. Such systems should be at the heart of a truly mature organisation that cares deeply about security and be an essential tool for the cybersecurity team.
Dawid:
So we’re at the point when we buy a solution. Do these systems require a lot of work and maintenance? How can we put this into practice?
Paweł:
The effects of implementing these systems depend largely on how we use them. We need to consider who will operate these systems, keep them up to date and how such incident alerts will be handled in the first place. The SIEM system will generate a number of such alerts and it is the administrators’ job to assess which of them are correct.
Dawid:
How to deal with it in the simplest, least invasive and least costly way for the company?
Paweł:
We offer the Security Operations Center (SOC) service. This is simply outsourcing certain tasks related to incident handling and monitoring of occurring network events. Our team of SOC specialists works 24/7/365. For organisations that don’t necessarily want to fully outsource this service and can afford a full support team and to buy the service on three lines, we suggest the SOC Starter service – the best product to begin with. We run it analogously to the SOC service, that is, we first perform an initial analysis where we examine what sources we have available and then select a few of those sources that will bring the most interesting information to the security team. In the case of the SOC Starter service we suggest a firewall and four others, e.g. DNS, Proxy, and then prepare the fine-tuning of standard correlation rules that will generate such alerts. This service operates on a secure EXATEL link and consists in monitoring what is happening in our customers’ network, with a limited number of incidents handled per day. The entry costs are not as high as for a full SOC service and they give a very good example of what the real risks are and which areas need improvement. If it turned out that this is not enough for the organisation, we have, of course, a whole range of other models of cooperation in the form of outsourcing the SOC service, e.g. we can outsource only the first line or support only the third line, which handles only advanced security services.
Q&A
Dawid: Which security measures do we consider the most important? Which one should be implemented first?
Paweł: I think it’s a good idea to start by asking yourself if you know what is going on in your network, i.e. if you’ve done any penetration tests or audits of your infrastructure recently. If so, you will know what solutions you need and then you can try to choose one of the platforms or consult with EXATEL specialists about which platform you should try out first. You should start with Proof of Concept testing, especially when it comes to large platforms that interfere quite a bit with your environment. We are here to help in the case of penetration tests, audits and the testing of specific solutions.
Dawid: To what extent is statutory liability assumed by an outsourcing company, for example EXATEL? Will a contract with a cybersecurity service provider be considered due diligence in case of security measures?
Michał: First of all, the contract with a cybersecurity service provider will not be considered an alibi. It is important that these services are provided in a reliable and professional manner. In contrast, please note that in the case of the NCS, the liability is assumed for an omission. If you are the operator of essential services and you fail to designate a contact person, handle incidents, implement proper documentation, and maintain it, you will need to pay a penalty. Admittedly, it is not high, but in the case of persistence, it can amount to as much as one million PLN. To answer the question – a contract with the professional cybersecurity service provider will most likely allow you to avoid payment of penalties under the Act on the NCS. When it comes to GDPR however, the situation is a little different. In this case, the penalties are for the incidents of the violation, not the omission. It is market practice to adequately insure and implement appropriate security measures. Remember that any system that is supposed to provide security can be at some point hacked into. It is crucial to follow a certain process related to cybersecurity: implementation, checking, reporting, corrections, etc.
Dawid: Is there a way for clients without much cybersecurity knowledge to perform a cybersecurity check at low cost or free of charge?
Paweł: If your organisation hasn’t given serious thought to how to get started with cybersecurity or hasn’t come up with any constructive conclusions, we recommend contacting an EXATEL Sales Support Specialist first. Through a simple survey, we can identify what resources are available in your organisation and assess which areas are at the biggest risk of attack. This way we will be able to assess whether it is worth, for example, conducting Proof of Concept tests of solutions such as Network Access Control, and whether there is a chance that some devices in your network may be forgotten or someone would like to use them to attack. We can think about performing Proof of Concept tests of solutions, for example using Flowmon Networks. It will quite clearly show where problems in the network are, which devices are working properly and which have, for example, configuration problems. There are also smaller, simpler solutions. You can order an audit of the IT environment which will allow you to identify these systems and, with the help of such a report, you will be able to later plan expenditure on the purchase of systems and convince the decision-makers that it is not just the administrator’s whim that something does not work or that the organisation is inadequately protected – your argument is supported by experienced partners who know a lot about security and have been providing such services for years.