
CitySmart Blog

Wednesday, December 02, 2009
Dave Mims, President
GovTech is reporting that electronic theft of government records has skyrocketed this year. In 2008, only(!) 3 million records were compromised but 2009 saw more than 79 million records in the hands of the bad guys. That’s a huge jump and it makes me wonder why. I’ll leave the statistics to the number crunchers but I’ve got to think that many of these records are due to poor data management policies for remote workers. In fact, the article points out that a sizeable portion of the records were lost because of stolen laptops, hard drives and other external storage devices. This highlights the need for a policy regarding the mobile workforce, one that can be easily enforced. As more offices move to a more remote setup, this problem is only going to increase. If you haven’t already, grab your IT team or your favorite IT vendor and begin developing remote worker policies to protect sensitive information. No one wants to have to explain a huge data theft on their watch…
Wednesday, November 25, 2009
The team at Sophicity wishes everyone a happy and safe Thanksgiving holiday, filled with food, drink and merriment all around!! (We sure could use a few days off as we've been real busy helping cities and municipal league prepare for 2010!)
Monday, November 23, 2009
Jeramie Mercker, Director of Technology
The State of Virginia has had a rough year. After having medical records held for ransom, and numerous other IT woes, comes its ongoing tense relationship with Northrop Grumman over the State's outsourced IT contract. This time, it appears that many critical network services were left without backup connections, meaning that if the internet connection went down, so did all the services attached to it. In this case, the DMV system went down repeatedly, causing havoc in DMV offices across the state. When folks dug into the contract, it appeared that the reason the backups were not in place is because it was not specified in the contract and so NG didn't build it out. While folks continue to argue over what is or is not included in the contract, Va.'s systems continue to operate at risk. This is further proof that when implementing any IT project, whether it be in- or outsourced, planning is absolutely essential to make sure all of the bases are covered.
Thursday, November 19, 2009
Jeramie Mercker, Director of Technology
Connecticut is demonstrating some creative thinking with a new web-based permitting system that can be shared by the state’s municipalities. Essentially, this will allow the cities to handle the issuance of building permits and similar documents by providing citizens an easy way to request them online. The technology is nothing new, but what’s interesting here is that they are forming a sort of IT co-op so that smaller municipalities can afford a system that would normally be well out of their reach. This is the kind of thinking that will help cities make those much-needed budget cuts.
Tuesday, November 17, 2009
Clint Nelms, Practice Manager: Network Infrastructure
Phishing is a form of fraud that masquerades as an official email or website which attempts to steal a victim’s username, password, and other information. Typically, a scammer will send an email that appears to be from a well-known bank, asking the user to log in to their account. When the victim clicks the link, it sends them to a website that looks and acts exactly like their bank’s website with one key difference: it’s actually a fake run by the scammer. Once the user logs in to this fake site, their user name and password are captured and saved. The user’s data is then used for theft, hacking, or other mischief. Due to its simplicity, phishing is prevalent and effective. How effective? Research firm Gartner estimates that in 2007, phishing attacks resulted in over $3.2 billion stolen in the United States.

City government should not take phishing lightly because scammers with passwords to crucial systems like traffic, police, or public works could wreak havoc on the city’s infrastructure. Imagine what they could do to the traffic grid! With that said, phishing is only as effective as the number of people who fall for it. Implementing anti-phishing best practices can go a long way toward preventing a successful attack. Here are four of the most important:


Best Practice 1: Conduct Anti-Phishing Training

Awareness is a phisher’s worst enemy. As more cities move to web-based services, scammers can easily prey on unsuspecting employees. Before giving any employee access to email or web-based services, hold a mandatory anti-phishing training session to review these best practices and use policies. Train non-technical staff to never give out their username and password via email, over the phone, or in person, even to IT support staff. Also, train them to always log into a system manually instead of clicking a link in an email. For technical staff, train them to never ask for passwords or provide email links to any web-based systems. When providing support, all instructions should be in plain text and simply direct users to, for example, “please log into the accounting system.” IT teams should have all the necessary clearance to access systems without the need for user passwords. Finally, train all employees to report suspected phishing attempts immediately to their IT department or other designated person.


Best Practice 2: Implement Anti-Phishing Technologies

Ask your IT team what kind of anti-phishing technologies are in place on the city’s network or email service. Many phishing scams can be halted before they even reach the email server by using technologies that scan incoming email traffic and compare it to a list of known phishing sites. However, these services are not guaranteed to catch all phishing attempts as newer scams or those directed at a single organization likely won’t show up on the detection list. Still, these technologies can drastically reduce the number of incoming phishing emails and offer a good first line of defense.


Best Practice 3: Use a Web Browser with Anti-Phishing

Most modern web browsers have built-in anti-phishing technology to help detect fraudulent websites. Before the browser loads a website it checks to make sure that the site is legitimate by comparing the address to a list of known phishing sites. If a fraudulent site is detected, the browser warns the user of a potential phishing hazard. This is, however, also a weakness of browser-based security measures because the browser only issues a warning; it will not prevent a determined user from ignoring the warning and entering information anyway. As above, browsers are also not guaranteed to catch all phishing websites as newer scams or those directed at a single organization likely won’t show up on the list. Even so, anti-phishing browsers are an important part of a protection strategy and are typically the last line of defense between the user and the scammer. Speak to your IT team and have them update the city’s browsers to the newest version in order to get the best possible protection.


Best Practice 4: Perform Routine Phishing Audits

If awareness is the most important defense, persistence is a close second. Even the best technologies aren’t going to completely stop phishing, so ongoing training and testing are important. The best way to get a feel for how well your employees are doing is to simulate a phishing scam on them! Work with your IT support team to create a phishing site that collects user data and an email that looks like an official city email which contains a link to the phishing site. Send the phishing email out to all of your staff and then sit back and see who falls for it. For those that take the bait, inform them what happened and schedule an anti-phishing refresher training course. If employees remain vigilant in looking out for phishing attempts, it makes it that much harder for scammers to practice their criminal art.
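
Best Practices 2 and 3 both rest on comparing a link's address to a list of known phishing sites, and both note that a new or targeted scam will not be on that list. The sketch below is an added example, not part of the original post or of any product it refers to: it applies that list check to the links in an HTML email and, going beyond the text, also flags a link whose visible text names a different host than its target. The host names, list contents and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for a feed of known phishing hosts (reserved .example names).
KNOWN_PHISHING_HOSTS = {"login.bank-secure.example"}
# Matches visible link text that is itself a URL or bare domain name.
DOMAIN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]\S*)?", re.I)
# Constructed sample message bodies.
LISTED = '<p>Verify: <a href="http://login.bank-secure.example/a">Sign in</a></p>'
UNLISTED = '<a href="http://city-payroll.example/login">https://payroll.cityhall.example</a>'
BENIGN = '<a href="https://www.cityhall.example/news">www.cityhall.example</a>'

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element that has an href."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of an http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        ok = parts.scheme in ("http", "https") and parts.hostname
    except ValueError:
        return None
    return parts.hostname.lower().rstrip(".") if ok else None

def scan_email(html, blocklist=KNOWN_PHISHING_HOSTS):
    """Return (href, reason) for each link that should be held for review."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, shown = host_of(href), DOMAIN_TEXT.fullmatch(text)
        if host and any(host == b or host.endswith("." + b) for b in blocklist):
            findings.append((href, "blocklisted"))
        elif host and shown and shown.group(1).lower() != host:
            findings.append((href, "text-mismatch"))
    return findings
```

`scan_email(UNLISTED)` is the case the post warns about: the host is on no list, so only the mismatch between the displayed address and the real target gets it held for review.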

Tuesday, November 17, 2009
Dave Mims, President
When the NSA talks about network security for governments, it’s probably a pretty good idea to listen. In a recent interview with GCN, the NSA’s information assurance director provided three best practices to thwarting attacks on your network. They are:
  • Implementing best security practices
  • Proper network configurations
  • Strong network monitoring
What are “best security practices” and “proper network configurations”? He doesn't really get into that, but I happen to know a few people that can help you with that… ;)
Friday, November 13, 2009
Tim Verras, Director of Marketing and Customer Experience
The Georgia Municipal Association today launched its 2010 Connection website. It’s a pretty cool idea, as it links local Georgia cities with the candidates for the 2010 Gubernatorial Election via social media. There are videos, profiles, Twitter feeds and a ton of other information. The best part: it’s hosted on top of our Tribune Content Management system (I know, I know, a shameless plug. But I am the marketing guy…). If you’re a local city in Georgia, check it out and get in touch with the candidates!
Wednesday, November 11, 2009
Jeramie Mercker, Director of Technology
Scientific American is reporting on how cities are making efforts to reduce their carbon footprints through innovative plans like carbon taxes, municipal solar power, and other emerging green technologies. One thing the article skips is that cities can reduce their carbon emissions by reducing their power consumption in the IT department. This is a topic we’ve written about before and it’s fitting here because before a city embarks on an expensive solar project, reduced carbon emissions could start at home for free by using smart energy management policies for their network. They could also start consolidating their network to drastically reduce energy needs (and thus carbon). This method costs a bit of money, but it’s still cheaper than most green technologies and the savings will quickly show ongoing ROI.
Monday, November 09, 2009
Dave Mims, President
Washington Post discussed the DC traffic outages this week, highlighting the need for municipalities to have regular equipment checks and on-the-books lifecycle management. Traffic signals all over the DC area were knocked out after a 37-year-old computer literally melted down. The lost business revenue from the crippling gridlock traffic is estimated to be in the millions, probably far more than it would have cost the city to replace the system. This is a good example of why regular maintenance and tracking the operational life of critical infrastructure is important. Unlike your dishwasher at home, you don’t want to just wait until it breaks to get a new one.
Friday, November 06, 2009
Dave Mims, President
GovTech continues its run of excellent articles with a piece on IT risk management for government agencies. While the article is focused more on the state and federal level, the five tips that are detailed still hold very true for cities. Risk management is arguably the most intensive and difficult problem facing any IT manager because it requires an understanding that goes far beyond technology, delving into how the business of running a city is affected by a loss of services. This is more than simply having a good data backup plan in place. A true risk management plan needs to address how critical city services will function in the wake of a disaster, an outage, or even a flu outbreak. As cities become more reliant on technology to run the operations, these sorts of risk plans become absolutely essential to mitigating risks. Check out the article for some great tips on starting a plan of your own.