RiskRecon enables organizations to monitor their cybersecurity risks through open-source intelligence techniques. In addition to the alphanumeric ratings, RiskRecon also identifies specific security issues. These issues are prioritized based on issue severity and asset value. The most severe issues found on the most valuable assets are categorized as “priority 1” issues. [For more details about how RiskRecon prioritizes issues for customers, please refer to Appendix C.]

Of the U.S. cities evaluated, RiskRecon identified more than 31,900 cybersecurity issues, of which 403 were considered “priority 1” issues meaning a critical severity issue on a high-value asset. The Application Security domain accounted for more than half of all identified issues, followed by the Web Encryption and System Hosting Domains. Furthermore, the 110 cities that received a RiskRecon rating of C or below accounted for more than half of all security issues identified and accounted for 80% of the “priority 1” security issues identified.

The most frequently observed security issue was missing security headers, accounting for 47% of all findings. Almost all the cities evaluated had at least one occurrence of missing security headers. Other common vulnerabilities included invalid or expired certificate subjects, missing domain hijacking flags, and the use of deprecated or missing encryption protocols. All “priority 1” issues identified involved either the Software Patching or Network Filtering domains. The most common “priority 1” issue found was the use of end-of-life software, which is software that is no longer supported by the vendor and cannot be patched against new or known security issues. The second most common “priority 1” issue was that a system (e.g., a database with sensitive data or a management server) was public-facing and exposed to the internet and should not have been, providing a common vector for cybercriminals to compromise systems and networks.

Of the end-of-life software identified, PHP, Apache, Nginx were the most common products that had reached their end of life and had known security vulnerabilities. These services are widely used in the administration of websites; when left unpatched, they can provide entry points into systems and networks. Additionally, a notable amount of email servers were found to be vulnerable to widespread critical vulnerabilities such as ProxyShell.

When looking at network filtering security issues, 33% of cities evaluated had databases such as MySQL exposed to the internet, leaving sensitive repositories of data potentially accessible to hackers. Another common finding was that more than 10% of cities had Windows computers with Remote Desktop Protocol (RDP) exposed to the internet. RDP has been a frequent target of cybercriminals, and once RDP is exploited, hackers have been known to traverse networks, exfiltrate data, and even deploy ransomware.

Lack of e-mail security was another frequent issue in cities. More than 62% of all cities evaluated were not always using e-mail authentication mechanisms such as Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM). Domains that do not implement SPF or DKIM provide no way for other e-mail servers to authenticate the validity of e-mail messages. This provides an opening for fraudsters to send e-mails from unprotected domains, potentially deceiving citizens. Additionally, 14% of cities had domains that did not utilize e-mail encryption to protect the contents of e-mails while in transit.

Beyond the explicit vulnerability findings outlined in our research, cybercriminals often target organizations with poor cybersecurity practices. Criminals may target organizations through social engineering methods such as phishing, which remains an overwhelmingly successful and devastating infiltration method.

Stay tuned for more blogs discussing our exclusive research on the cybersecurity risk posture of city governments and download our full report here.