Using CPGs in Real Life – Minimize Exposures to Common Attacks

March 22nd, 2024

Would you be comfortable giving your plumber the key to your house so he/she can come in at any time to fix anything they might feel is amiss? The answer is probably no. Did you know that when you give a vendor unfettered access to your network, you are essentially doing the same thing?

Similarly, how would you feel if you let a family member or friend use your laptop and they installed a piece of software without telling you? Depending on what it was, it could compromise your laptop (and you) in ways you weren’t expecting. This same thing can happen in your District’s network if you don’t control which users can install software or connect to your internal network from any device.

This is the essence of CISA’s (Cybersecurity and Infrastructure Security Agency) fourth CPG, “Minimize exposure to common attacks” (CPG 2.Q and 2.W).

This CPG has two components. The first is limiting outside access to your network to what is absolutely necessary. Your District has many systems in use (HVAC, transportation apps, building security, and camera systems, for example) that may be accessible via the internet. When outside vendors or companies can reach your network, bad actors potentially can as well. If this access is necessary (as it sometimes will be), you should limit it to the specific systems and time windows the vendor needs and monitor it as closely as possible. The second component is limiting what general district users can do on your network (preventing installation of unauthorized software and connection of unauthorized hardware) and verifying that your precautions are working, so that only authorized programs and devices are on your network.
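A small illustration of what the "limit, monitor, and verify" checks from both components can look like in practice. This is an added example, not code from CSI or CISA, and everything in it is constructed: the vendor access policy, the sample remote-access log lines, the software allowlist and the device (MAC address) allowlist are all made up for the demonstration. It flags vendor connections that go to a host outside the vendor's allowlist, fall outside the approved maintenance window, or come from an account with no policy at all, and it reports installed software and connected devices that are not on the authorized lists.

```python
from datetime import datetime

# Constructed, hypothetical vendor-access policy: which vendor account may reach
# which internal hosts, and during which approved maintenance window (24h clock).
VENDOR_POLICY = {
    "hvac-vendor": {"hosts": {"10.0.5.20"}, "window": (8, 18)},
    "camera-vendor": {"hosts": {"10.0.7.10", "10.0.7.11"}, "window": (9, 17)},
}

# Constructed sample remote-access log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-18T10:14:00 user=hvac-vendor src=203.0.113.5 dst=10.0.5.20 action=connect
2024-03-18T02:41:00 user=hvac-vendor src=203.0.113.5 dst=10.0.5.20 action=connect
2024-03-18T11:05:00 user=camera-vendor src=198.51.100.9 dst=10.0.1.3 action=connect
2024-03-18T13:30:00 user=unknown-svc src=198.51.100.22 dst=10.0.2.8 action=connect
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    return rec


def check_vendor_access(log_text, policy=VENDOR_POLICY):
    """Return (line, reason) findings for vendor connections outside the policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "connect":
            continue
        user = rec.get("user")
        rule = policy.get(user)
        if rule is None:
            findings.append((line, "account not in vendor access policy"))
            continue
        if rec.get("dst") not in rule["hosts"]:
            findings.append((line, f"{user} reached host outside its allowlist"))
        start, end = rule["window"]
        if not (start <= rec["ts"].hour < end):
            findings.append((line, f"{user} connected outside maintenance window"))
    return findings


# Constructed allowlists for the second component: approved software and devices.
AUTHORIZED_SOFTWARE = {"office-suite", "pdf-reader", "edr-agent"}
AUTHORIZED_DEVICES = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed MACs


def audit_inventory(observed, authorized):
    """Return the sorted list of observed items that are not on the authorized list."""
    return sorted(set(observed) - set(authorized))


if __name__ == "__main__":
    for line, reason in check_vendor_access(SAMPLE_LOG):
        print(f"[vendor-access] {reason}: {line}")
    installed = ["office-suite", "edr-agent", "remote-desktop-tool"]  # constructed
    for item in audit_inventory(installed, AUTHORIZED_SOFTWARE):
        print(f"[software] unauthorized: {item}")
    seen_devices = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"]  # constructed
    for mac in audit_inventory(seen_devices, AUTHORIZED_DEVICES):
        print(f"[device] unauthorized: {mac}")
```

In a real District the inputs would come from the VPN or remote-access gateway logs, the endpoint management tool's software inventory, and the network access control or DHCP records; the point of the example is that each of the CPG's controls becomes a concrete list you can compare against, and anything not on the list is a finding for the Tech Director to explain or remove.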

This week’s suggestion:

  • Talk to your Tech Director about what controls and monitoring are in place to restrict software installation, and to control and monitor access to the network from both internal and external sources.

Do you have questions about where to start with controlling and monitoring your network access? Are you feeling overwhelmed by the NIST Cybersecurity Framework and CPGs? Call CSI and ask how we can help you understand and help mitigate your Cyber risk. We have a specific service to help you get started on the NIST CSF journey. Just contact Lisa MacDougall (lmacdougall@csiny.com) or 845.897.9480.