Cybersecurity Challenges In Local Government - Ep. 2

Cybersecurity On The Front Lines

Municipalities, including local, city, county, and state governments, have unique challenges when it comes to cybersecurity. Often reliant upon IT generalists to perform the security heavy lifting, municipalities rely on an abundance of tools, and people, to get the job done.

Over the last few years, the public sector has become an increasingly popular target for ransomware and nation-state hacking. Often these organizations have to fight threats while dealing with outdated infrastructures, limited budgets, and no dedicated security staff.

We interviewed the IT directors of two city municipalities in Texas and learned that for these organizations it comes down to people – it’s about trust and relationship building, up and down the org chart. And in the end, the human element might make a bigger impact on security than shiny tools.

Here’s what we learned from Shane McDaniel, Director of IT for the City of Seguin, just outside of San Antonio; and Scott Joyce, Director of Information Services with the City of Euless, a suburb in the Dallas-Fort Worth area.

Episode Table of Contents

  • [01:17] IT and cybersecurity in the City of Seguin
  • [06:17] Spam filtering and endpoint
  • [11:00] Cloud solutions
  • [20:15] Cybersecurity in the City of Euless
  • [25:19] Vulnerability management

IT and Cybersecurity in the City of Seguin

Seguin is a city of just over 30,000 people, and the municipality has about 450 employees. Their role is ‘to keep the lights on’ in the city, including offering utility services and managing public safety. Shane McDaniel, Director of IT, has an efficient department of nine full-time staffers. Typically, the city would also run an intern program, but the recent pandemic put a temporary stop to that.

Shane reports to the City Manager, who is the municipal equivalent of a CEO. Hired by the council, the City Manager reports directly to the council and runs the city. As the IT Director, Shane interacts with the council for budgeting matters. Required to seek approval for any projects that cost more than $50,000, he regularly attends and presents at council meetings, especially as the city has been involved in large infrastructure projects over the last few years.

The IT department looks after a range of areas, including SCADA operations, public safety, telecom, networking, and cybersecurity. Over the last few years, the city has upgraded a number of its infrastructure platforms and is also moving services to the cloud.

Shane joined the City of Seguin in March 2018 from the City of McKinney. Prior to that, he worked in private industry in the cybersecurity space, military intelligence, and security agencies. With a strong background in security, Shane is able to multi-task both IT and cybersecurity responsibilities. He is hoping to appoint a dedicated resource soon, and when that happens, the next 2-3 years’ worth of work is already planned out for them. In the meantime, security is everyone’s job.

As is typical in government, skill sets, roles, and tasks in IT are varied. Someone might be asked to work on a telecom system in the morning, and then install a new operating system on a desktop in the afternoon. While larger municipalities can afford for roles to be more specialized, smaller municipalities do the best they can with the resources they have available.

Security awareness and training

One of the first items on Shane’s agenda when he arrived was security training and phishing tools for the city’s employees. This dovetailed nicely with Texas House Bill 3834 – passed in April 2019 – which requires each municipality to implement a security awareness program. City staff are now required to take security awareness courses on an annual basis.

Spam filtering and endpoint

Shane also shared how it took some time for the team to fine-tune and adjust the tools to their environment. Spam filtering, for example, has very strict parameters. These tools have tripped the occasional false positive – in one instance, causing the city to miss out on a large grant, simply because the spam filter stopped a particular email from getting to its recipient on time.

On the flip side, strong spam filters have been effective at blocking a large number of targeted spear phishing attempts, including several from bad actors attempting to impersonate city employees reaching out to change their direct deposit information. Shane stated that currently, only about 1% of attempts make it past the filter.

For the endpoints, the city utilizes a cloud-based EDR solution. The IT department receives daily alerts and reports, and whenever anything is flagged, devices are scanned. As Shane explained, this is another area where he would like the city to be able to take a more proactive approach, but workflow limitations mean that the organization heavily relies on the EDR tool.

Network Monitoring Tools

The City of Seguin recently upgraded to a more flexible network design, utilizing a fiber ring, and bolstered their perimeter security and internal visibility with Sentinel’s threat defense and network monitoring tools. Shane explained that the re-architecture also gave them more network visibility and flexibility to segment the network more securely.

Cloud solutions

When possible, Shane likes to move public services online and in the cloud. Recently, they stood up a new parks and recreation cloud-based ERP that carries out a lot of different business processes with no hooks into the city’s financial system. Shane’s approach is to embrace cloud solutions wherever possible and appropriate for the municipality, but sometimes – like with SCADA infrastructure and other utilities – it’s simply not possible.

Other Government resources

With limited resources and budget, Shane leans on other free government resources and tools whenever possible. For example, Seguin recently implemented a DNS monitoring service from the MS-ISAC, and they’re lined up to receive pen testing and vulnerability assessment services from DHS.

Cybersecurity in the City of Euless

In the second part of this podcast, we heard from Scott Joyce, Director of Information Services with the City of Euless. Euless is a city of approximately 60,000 in North Texas.

Scott has an IT team of six people, including himself, and one of those people is a dedicated GIS resource. It’s a small team where everyone (Scott included) wears multiple hats. The city has no dedicated security resource, so the role falls to everyone in the IT team. Depending on their areas of expertise, people are responsible for the security of that specific area.

As is typical in municipalities, Scott reports directly to the Deputy City Manager. His role is to act as the liaison between IT and administration. Managing relationships with the council, he listens to both sides and helps them understand one another – a rather unique skillset in IT that’s only found in organizations in the public sector.

The technology stack

Scott believes in a layered approach to cybersecurity. On the edge is the Sentinel Outpost, followed by a firewall, and a traditional network of switches. Scott’s team manages ACLs across the network, utilizing a least privilege approach to limit access. Endpoints have anti-virus of course, but perhaps the most important aspect of security is their people.

Euless offers annual cybersecurity training, which is included in their citywide training program. And for Scott, the relationships between people in the organization are key to the success of security measures. It’s important that members of staff trust the IT department and Scott as their leader. When someone is presented with a threat on their desktop, the last thing any organization would want is for people to feel they can’t or don’t want to call IT to ask for guidance. Scott considers the human element the most critical component of the security stack.

Vulnerability management

The City of Euless puts a high priority on regular security patches, prioritizing Microsoft and Cisco devices. While they don’t have the resources to dedicate staff, time, and hardware to test every single patch that comes out, they’re willing to risk some occasional downtime in the interest of more comprehensive security.

For more information on how some of our clients prioritize their budget decisions and use various tools across their networks, check out our monthly podcast. We share honest, objective takes from real people fighting bad actors on the front lines.
