Governments should look under the hood to make sure their IT systems are safe from cyber criminals
Cities and counties should take a close look at their entire IT setup to ensure security against cyber threats, says Josh Koenig, co-founder & chief strategy officer at Pantheon. Pantheon is a website operations platform that offers tools for building cloud-based Drupal and WordPress sites with streamlined workflows, scalable infrastructure, and a fast, efficient content delivery network. The company provides web-hosting solutions to governments.
“The first step is to assess the current state of security: the surface area, the technical situation and the practices and processes that govern the human elements of security. Unless this has been done recently, or there’s been zero change or staff turnover since the last audit, the most important thing is to know where to focus. In all likelihood, there are multiple issues to address,” Koenig tells Co-op Solutions.
The surface area, which can be susceptible to digital attack, encompasses all the equipment and software that connect to an organization’s network. These include applications, code, ports, servers and websites. It also encompasses unauthorized applications or devices that team members and other users may install without management’s permission.
Koenig says that if IT leaders don’t have a comprehensive picture of the state of security, they risk neglecting something that is important. “They might focus on the first thing they find and leave open other unknown gaps that could be far more critical.”
Koenig says public-facing systems like websites have a much larger attack surface. “As more public services move online, the criticality of these systems goes up. A static website being knocked offline is embarrassing, but one that’s compromised can facilitate identity theft, spread misinformation and do other harmful activities.”
He adds that another area of vulnerability is anything that’s Internet-connected but still managed via a legacy or on-premise approach. “While there’s psychological comfort in knowing where the systems are, the truth is that in most organizations, this infrastructure is the most likely to be outdated or suffer from human error in terms of maintenance.”
A third area of vulnerability, according to Koenig, is where organizations have “moved to the cloud” but with a pure lift-and-shift approach, swapping out virtual for physical hardware. “Unless they have a very strong devops (development and operations) or cloud management practice, it’s very easy for human error and oversight to result in under-governed systems or orphaned nodes on the network.”
Koenig suggests the following exercise for public-sector IT officials: “Local governments will typically want to assess vulnerabilities across two different axes: criticality (how damaging an exploit would be) and likelihood of breach. If you make a 2×2 matrix and plot your systems, the obvious place to focus is on the high/high upper right quadrant.”
The 2×2 matrix is a decision-support tool that provides teams and managers with a visual framework that can aid in prioritizing tasks.
According to Koenig, governments should adopt basic DevSecOps (development, security and operations) practices for applications deployed by IT to ensure the stability and security of updates. “This is the first line of defense against supply chain attacks, and it guards against edge-cases where minor bug fixes from an upstream source can manifest as regressions or stability issues in your particular implementation.”
He also suggests: “Additionally, organizations that are in the process of moving to the cloud should seek to ‘move up the stack’ as far as possible to maximize gains from automation. Dropping manual system administration work for software-driven configuration management or moving all the way to Platform as a Service (PaaS) or Software as a Service (SaaS) solutions should be an active part of every roadmap conversation.”
Koenig says government officials can also adopt a web-application-firewall (WAF) solution as part of their Internet-facing cloud strategy. “Anything exposed to the Internet will face automated exploit attempts within a matter of hours, so keeping the bots at bay is important, as more governments deliver their services digitally.” A WAF can help protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
OMNIA Partners, which sponsors this page, offers a robust portfolio of cooperative contracts in the public procurement space. The firm lists a number of cooperative contracts under the keyword “web development.”
Michael Keating is senior editor for American City & County.