Segmentation and the cities

I remember when a city being hit with a cyberattack was a big news story. Sadly, such attacks are so frequent now that they are left out of the headline crawl. It’s hard to secure a city network, and the attackers know it.

There is, however, a foundational piece of work that can help cities in a big way. The good news is that most of them already have the gear in place to make this possible. Let’s talk about segmentation.

When we started networking back in the day, all we were concerned about was getting everything to talk to everything else. We built out flat networks, wide open plains where everyone’s business was obvious to everyone else. Attackers love those kinds of networks. If they can penetrate just one city department, they’ll have access to all the other departments.

Segmentation is the act of forcing traffic from one part of an organization heading to another to pass through a Check Point. Or a Cisco. Or a Palo Alto. Or a Fortinet or Juniper or some kind of perimeter firewall that will limit the traffic passing between departments. Does everyone in the water department need to have access to all the data in the city planning department? No? Then have a firewall block the access attempts that shouldn’t be permitted.


Segmentation is also in the administrative rights we assign some accounts. These accounts are needed to perform several critical functions, so they’re not going away. But back to the example previously explored… does an admin-level account for the water department also need admin-level rights in the city planning department? We can create accounts that have limited authority. That way, if they are compromised, the blast radius is limited to where that account has authority, no further. Tools like CyberArk can help us get the job of segmenting our identity accomplished.

Getting back to the network, while we’re asking about what traffic should and should not be allowed, it’s vital to know what traffic is actually happening. The best tool I’ve seen for getting that information and making it quickly actionable is Forescout’s eyeSegment tool. Hands down, it’s the one I’d want at the start of my network segmentation journey and the tool I’d use in the long haul to keep everyone on the right track.
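As an added example (not code from the post or from any of the vendors named above), the department firewall policy described earlier can be checked against observed traffic before it is enforced, so that flows the policy would break are found first. Segment address ranges, the allow-list, and the flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Department segments (constructed example address plan, not from the post).
SEGMENTS = {
    "water":    ipaddress.ip_network("10.10.0.0/16"),
    "planning": ipaddress.ip_network("10.20.0.0/16"),
    "shared":   ipaddress.ip_network("10.0.0.0/24"),   # DNS, directory, file services
}

# Intended inter-segment policy as an allow-list of (src_segment, dst_segment, dst_port).
# Anything not listed is dropped by the department firewall (default deny).
ALLOW = {
    ("water", "shared", 53),
    ("water", "shared", 445),
    ("planning", "shared", 53),
    ("planning", "shared", 445),
    ("water", "planning", 443),   # water may read planning's web portal, nothing else
}

# Constructed flow records, one per line: src,dst,dport,proto (not real traffic).
FLOWS = """\
10.10.4.7,10.0.0.10,53,udp
10.10.4.7,10.20.1.5,443,tcp
10.10.4.7,10.20.1.5,445,tcp
10.20.1.5,10.10.4.7,3389,tcp
10.10.4.9,10.10.4.7,22,tcp
10.20.1.8,10.0.0.11,445,tcp
"""

def segment_of(ip):
    """Map an address to its department segment, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow_text):
    """Return (decision, src_seg, dst_seg, dport) per flow. Traffic that stays inside
    one segment never crosses the firewall; cross-segment traffic must match ALLOW."""
    results = []
    for line in flow_text.strip().splitlines():
        src, dst, port, _proto = line.split(",")
        s, d, p = segment_of(src), segment_of(dst), int(port)
        decision = "intra" if s == d else ("allow" if (s, d, p) in ALLOW else "deny")
        results.append((decision, s, d, p))
    return results

def denied_summary(flow_text):
    """Count the cross-segment flows the proposed policy would block, by (src, dst, port)."""
    return Counter((s, d, p) for dec, s, d, p in evaluate(flow_text) if dec == "deny")
```

Each entry in the denied summary is either a rule still missing from the allow-list or a flow that should not be happening; deciding which is the work of the segmentation project.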

Given that many cities already have these products in place, they have the puzzle pieces ready to go. They just need the political and executive will to assemble them.
