Municipalities are increasingly becoming victims of cyberattacks. The responsible administrators do their best to protect the systems and data. But due to a lack of time, personnel and financial capacities, they are in many cases outgunned by technologically well-equipped hackers. Our statistics on the IT security situation of 422 municipalities in Hesse, which can be viewed externally, show just how precarious the situation is. The data gathered for the study is based on automatically collected, publicly accessible information. This means that no invasive vulnerability scans were carried out and no access barriers were overcome.
With the statistics, we want to draw attention to the problem and offer our help to IT managers. The municipalities can contact us at any time for a free insight into their own security situation.
Rework required
The results are in line with what IT security experts have been warning about for a long time: The gaps are plentiful and the situation is tense.
The following areas were checked for security-critical findings.
Sending mail - using SPF entries
According to our research, 24% of the reviewed municipalities do not adequately protect their authorities from mail forgery or identity theft because they do not use Sender Policy Framework (SPF) records. Without an SPF record, mail recipients cannot verify that an email sender is even authorized to use a particular mail address (such as that of a government agency). This then makes it easy for attackers to send phishing emails to employees and others in the name of the municipality in question. For this reason, IT managers should definitely check the DNS configuration with their domain providers.
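One way to carry out the DNS check recommended above, as an added example that is not LocateRisk's own tooling: it classifies a domain's TXT record set according to the SPF rules of RFC 7208. The domain names, sample records and finding labels are constructed for illustration, and each TXT record is assumed to be already joined into a single string.

```python
# Added example: classify a domain's SPF posture from its TXT records (RFC 7208).
# Real records can be fetched with e.g. `dig +short TXT <domain>`; the samples
# below are constructed so the script runs offline.

# Qualifier in front of the "all" mechanism -> finding label (labels are this example's own)
ALL_QUALIFIERS = {"+": "allows-any-sender", "?": "neutral", "~": "softfail", "-": "hardfail"}

def find_spf(txt_records):
    """Return the TXT strings that are SPF records (exact 'v=spf1' version tag)."""
    found = []
    for rec in txt_records:
        rec = rec.strip().strip('"')
        if rec.lower() == "v=spf1" or rec.lower().startswith("v=spf1 "):
            found.append(rec)
    return found

def classify_spf(txt_records):
    """Map a TXT record set to a finding an administrator can act on."""
    spf = find_spf(txt_records)
    if not spf:
        return "missing"            # receivers cannot check sender authorization
    if len(spf) > 1:
        return "invalid-multiple"   # more than one SPF record is a permanent error
    redirect = False
    for term in spf[0].lower().split()[1:]:
        if term.startswith("redirect="):
            redirect = True
        # A mechanism without an explicit qualifier defaults to "+" (pass)
        qualifier, mech = (term[0], term[1:]) if term[0] in ALL_QUALIFIERS else ("+", term)
        if mech == "all":
            return ALL_QUALIFIERS[qualifier]   # terms after "all" are never evaluated
    # No "all": the policy is either delegated or ends in an implicit neutral result
    return "delegated" if redirect else "no-default"

SAMPLES = {  # constructed TXT record sets
    "no-spf.example": ["google-site-verification=abc123"],
    "strict.example": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "soft.example": ['"v=spf1 include:_spf.mailhost.example ~all"'],
    "open.example": ["v=spf1 +all"],
    "double.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "redir.example": ["v=spf1 redirect=_spf.provider.example"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain:16} {classify_spf(txt)}")
```

Only "hardfail" and, to a lesser degree, "softfail" tell receivers to distrust unauthorized senders; "missing", "invalid-multiple", "allows-any-sender", "neutral" and "no-default" all leave the domain open to forged mail.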
Encryption of data transmission - certificates
Many also still have problems with the security of data exchange. The audit of encryption quality revealed that 74% of the municipalities partly use data transfer protocols with inadequate encryption (old protocol versions such as SSLv2, SSLv3, TLS 1.0 and TLS 1.1) on their websites and for e-mails. To adequately protect against data theft, the certificates used should be checked and web and mail server settings updated with regard to the configurations and versions used.
Accessible database systems - network
Accessibility alone is a problem - no in-depth tests were carried out. The fact is: 31 percent do not adequately protect all database systems against cyberattacks.
Applications - Obsolete software
Are there outdated applications with security vulnerabilities? The systems reveal their software versions via publicly communicated "banners". Vulnerabilities can be derived from these versions. The audit revealed that 23 percent of municipalities in Hesse use at least one application with an unpatched security vulnerability.
Data protection compliance
The situation was much better in terms of data protection. Only 12 percent of the communities tested used tracking cookies that were set without the visitors' consent.
The statistics have led to many articles in various media, whose wording we have no influence over. For this reason, we would like to refer you to Benjamin Stiebel from Behördenspiegel, who has summarized the results very well in a short report. Read the article in Behördenspiegel.