We have added a Web Application Firewall (WAF) to our public web site. The WAF drops web connections and requests that are automatically identified as malicious, which in turn improves integrity by reducing the chances of a malicious hack into our systems and databases. Availability is also improved: in testing we discovered that up to 40% of our web traffic is malicious in nature, and with the WAF in place these connections no longer reach our web servers.
The IT Security Team is developing an in-house penetration testing capability using both COTS and shareware tools. The penetration testing results provide insight into our organization's weaknesses with regard to social engineering susceptibility and other vulnerabilities that automated security scans cannot identify.
To meet the PCI data security standard for credit card processing – and to improve the security of our remote access – we have introduced two-factor authentication for the most privileged level of remote access. This ensures that discovery of a privileged account's password is, by itself, insufficient to access the network remotely as that privileged user.
The IT Security Team moved server Vulnerability Scanning from a pilot program into a mandated policy-based initiative with the support of our CIO. The new policy requires server administrators to regularly scan their servers for security vulnerabilities and to remediate identified vulnerabilities within a short time frame. Enforcement of this policy reduces the risk that hackers or other malicious actors exploit security vulnerabilities and degrade system availability.
We identified performance issues with our legacy anti-virus solution on some virtual servers and have transitioned to an anti-virus COTS product that is optimized for virtual servers in our virtual environment. We expect to see performance improvements on many virtual servers next quarter, when the product is deployed into production. Additionally, having two anti-virus products in our enterprise (one vendor for physical servers and another for virtual servers) gives us vendor diversity, which increases the odds that we identify threats, since no single security vendor has been shown to stop 100% of all security threats.
The IT Security Team develops a quarterly security report to gauge our security posture using selected metrics. The topical areas are vulnerability scanning (number of servers scanned and risk scores of systems), endpoint security (number of infections found and the reporting method used to discover them), and cyber security awareness training (number of employees trained to date). This data will be used to inform future decisions about cyber security.
We enhanced the security of the password reset self-service feature on our employee portal by increasing the complexity and accuracy of the identification questions. We have also improved availability by letting remote employees reset their passwords (previously this feature was available only to employees on site).
The IT Security Team deployed into production the City's first laptop encryption solution to reduce the risk of sensitive data disclosure from laptops. This safeguard will prevent a malicious actor from retrieving City of Boston data in the event of a lost or stolen laptop. Laptop hard drives are now encrypted and are rendered unreadable if removed from the machine.
The IT Security Team has continued its Cyber Security Awareness Training program, now in its second year. The training attempts to reduce, through education, the risk of adverse security events caused by end-user behavior. For the first time, we now require all new hires to attend this training. To date, three hundred (300) existing employees have been trained across the majority of City Hall affiliated departments. Upon completing the training, attendees receive a mouse pad listing key cyber security tips (lock your screen when unattended, choose a good password, and never share your password).