Beto Juarez, Senior Vice President of IT and CIO for the San Diego Housing Commission, hired CDW•G to conduct a comprehensive security assessment of its public-facing web services.

Jul 09 2021

Agencies Proactively Turn to Third-Party Security Assessments

A comprehensive evaluation can help government organizations mitigate risks.

At the San Diego Housing Commission, the COVID-19-inspired push to remote work triggered the need for a cybersecurity assessment — a deep look at the agency’s cyber controls and defensive posture.

The work-from-home modality “brought a whole new dynamic into how we look at security,” says Senior Vice President of IT and CIO Beto Juarez. 

“We were looking to see if there were any gaps in our public-facing websites and any of the devices that are outside our network. We wanted to make sure that there were no open ports, that the servers were properly patched,” he says.

At a time when security needs are changing rapidly, a third-party cyber assessment can help to give government agencies an edge, experts say. Security assessments help to drive a number of practical outcomes across all levels of government, regardless of their functions.

“A lot of government organizations focus only on what they can see,” says Ismael Valenzuela, a certified instructor for the SANS Institute. “When you bring in a third party for an assessment — a red team exercise or cyber simulation — those things can go deeper than just the vulnerabilities. They emulate real threats, they abuse trust, which is the way real-world threats operate today.”

RELATED: Find out how penetration testing can aid your agency.

San Diego Takes a Proactive Approach to Security

Juarez brought in CDW•G to help vet the resilience of his systems.

“It is an industry best practice to always have a third party come in and conduct a deep penetration test on your environment,” he says. “With a company like CDW, one of their strengths is their cybersecurity services. They have a line of business dedicated to doing just that. It’s really important to partner with somebody that has that type of experience.”

The CDW•G team deployed a range of technologies, including the NESSUS vulnerability scanner and Open Web Application Security Project tools Burp Suite and Fiddler. That breadth of diagnostic tools helped to ensure a comprehensive assessment.

“You can’t just rely on one tool or one vendor. We want a partner who can throw the gamut at us,” Juarez says. 

Beto Juarez, Senior Vice President of IT and CIO for the San Diego Housing Commission

“It is an industry best practice to always have a third party come in and conduct a deep penetration test on your environment,” says Beto Juarez, senior vice president of IT and CIO, San Diego Housing Commission

“A company like CDW has the ability to leverage a vast array of tools, and the more that you can throw at a network to try to find vulnerabilities, the better prepared you are. We want to be able to withstand these attacks from all these different open-source and commercial tools,” he adds.

In San Diego, the assessment showed cybersecurity systems in good working order. “There were a couple of devices on the network that needed to have their firmware updated and things like that, but there was nothing that was in the red. We had some yellows and we had a lot of greens as well,” Juarez says.

San Diego’s housing agency is not alone in this approach. The Albuquerque Bernalillo County Water Utility Authority, for example, recently teamed with Cisco to conduct a cyber assessment of its digital controls on the operational side.

“We realized that we knew very well the security posture of our IT environment, but in the operational technology environment, there were a lot of unknowns,” says CISO Kristen Sanders. “We can’t protect what we don’t see. With the convergence of IT and OT, we needed to ensure that we were ­protecting both.”

Follow a Roadmap for Cybersecurity Improvement

The Cisco team leveraged its Cyber Vision diagnostic tool to assess system security. By using that mechanism, “we can actually see the alerting, the inventory, the protocols,” Sanders says. “It even works really well with other third-party products, so we’re able to take the messages from Cyber Vision and integrate them into our different dashboards. We can view all the data and bring it all together.”

At the Albuquerque, N.M.-area utility, the assessment helped to generate a roadmap for future improvements.

“It gave us a rundown of the operating system and what devices might have vulnerabilities. We could then hand that over to our specialists and have them verify that those devices had the patches and things that were recommended,” Sanders says. “It gave us a spreadsheet to go off, showing exactly what we needed to look at.”

The water authority now has a ­baseline understanding of its cyber ­configurations that it can leverage going forward. 

22

The number of states that offer voluntary cybersecurity training programs for state employees

Source: National League of Cities, “State and Local Partnerships for Cybersecurity: A State-by-State Analysis,” April 2020

“Now, we can ­standardize on this information for any new equipment that we purchase,” Sanders says. 

“We have continuous monitoring of the ­environment; it’s not a ‘one time and then done’ situation. We can actually be alerted immediately if a new device ­suddenly connects to the network, if anything changes from the baseline.”

EXPLORE: How to combat the threat of social engineering attacks. 

Get an Opportunity to Prepare for the Worst

The city of Rancho Cucamonga, Calif., meanwhile, conducted a third-party assessment to ensure its city officials know what to do in case of a ­ransomware attack. 

“We conducted a tabletop exercise with our city ­executive staff, and it was an outward assessment of how city leadership would deal with a breach,” says Director of Innovation and Technology Darryl Polk. The planning exercise “gives city leadership insight into the decisions that would have to be made on the fly,” he says. 

“If we wait and try and invent these processes while we are in the ­incident, that draws resources away from where they are needed. The more we can plan for external mitigation, the more it frees us to focus on the technology piece if and when we ever end up in this situation.” 

San Diego Housing Commission’s Juarez says the deep dive by the CDW•G team helped to reassure him that critical citizen data is safe from prying eyes. “They go through our ­website. They also scan our networks, scan our servers. They go through ­multiple layers. They are real attacks that are meant to poke holes and find vulnerabilities within our systems,” he says.

That prodding helps the agency to meet its own high standards around security. “Cybersecurity is always ­priority No. 1 because we have a lot of sensitive data, we have a lot of ­personal data,” he says. “We take ­privacy quite seriously.” 

Just as importantly, the assessment helped the housing agency to validate its practices, Juarez says.

“It puts us in a really strong position with our board of supervisors,” he says. 

“We are an agency that takes the right proactive approach, not only for the programs that we develop but also from a cybersecurity and data management perspective,” he adds

Photography by Matthew Furman