Vulnerabilities in Dutch municipalities software mapped by DongIT
In February 2013, DongIT mapped as many software versions of web systems of all Dutch municipalities as possible using a script, which is linked to several open source tools. From all detected software versions, the vulnerabilities and corresponding impact classifications were mapped.
Analyses of up-to-date or non-vulnerable systems as apposed to systems with high and critical impact classifications, concludes that after all fuss since Lektober in 2011, many old software is still in use. These critical/high impact vulnerabilities affect both large and small municipalities. With a few software packages, such as Drupal, Joomla, phpMyAdmin, Apache and PHP, DongIT found mostly vulnerable software versions. 24% of all detected software used by municipalities can be exploited by vulnerabilities with a high of critical impact rate. The used software on these systems can be misused relatively easy by malevolent users.
Research shows that current efforts to secure municipal systems did not prove effective. People should be continuously aware of which systems are present and publicly accessible. Systems that do not have to be publicly accessible, should be isolated and secured. Focus should be on keeping the systems up to date. The document "ICT-Guidelines for Web applications" from the National Cyber Security Center, defines how an update proces should be executed. By performing a similar research periodically, the effectiveness of the used strategy can be examined.
The full report and written article in InGovernment can be downloaded below: