Once upon a Tuesday: Longitudinal analysis of the vulnerability management of Dutch municipalities


Abstract

In recent years, more and more emphasis has been put on the importance of good preventative cyber security and vulnerability management techniques such as "Patch Tuesday".
Despite the increased importance, not all organisations have the same resources and knowledge when it comes to securing their networks against cyber adversaries.

This research tries to examine the vulnerability posture of Dutch municipal ICT networks.
To accomplish this, a dataset of network ranges was curated using open-source intelligence techniques.
These networks, related to current and previous Dutch municipalities, have been used to collect network data scans and observe the changes in software products and versions.
Based on the data collected we can observe the software update moments for different organisations and analyse how often software products are kept up to date.
Using this network scan data and a subset of open-source products, we were able to construct a case study analysis about the general trends of vulnerability management and the influencing factors thereof.
This was done through timeline analysis that also involved software update releases, security advisories, and publicly disclosed vulnerability exploits.
Our findings show uncoordinated strategies within the different organisations and rare proactive security behaviour.
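
One way to read update moments out of periodic scan data, as an added example (not code from the thesis): a host is only observed at scan times, so each update is bounded by the last scan showing the old version and the first scan showing the new one. The product name, release dates, hosts and scan records below are constructed for illustration.

```python
from datetime import date

# Constructed release dates for a hypothetical product (not real data).
RELEASES = {
    ("examplehttpd", "2.0.1"): date(2023, 1, 10),
    ("examplehttpd", "2.0.2"): date(2023, 3, 14),
    ("examplehttpd", "2.0.3"): date(2023, 6, 13),
}

# Constructed scan results: (scan date, host, product, version banner).
# A version of None means the service answered without a version string.
SCANS = [
    (date(2023, 2, 1), "192.0.2.10", "examplehttpd", "2.0.1"),
    (date(2023, 3, 1), "192.0.2.10", "examplehttpd", "2.0.1"),
    (date(2023, 4, 1), "192.0.2.10", "examplehttpd", None),
    (date(2023, 5, 1), "192.0.2.10", "examplehttpd", "2.0.2"),
    (date(2023, 7, 1), "192.0.2.10", "examplehttpd", "2.0.3"),
    (date(2023, 2, 1), "192.0.2.20", "examplehttpd", "2.0.1"),
    (date(2023, 4, 1), "192.0.2.20", "examplehttpd", "2.0.1"),
    (date(2023, 7, 1), "192.0.2.20", "examplehttpd", "2.0.2"),
]


def update_moments(scans):
    """Return one event per version change seen on a (host, product) pair."""
    last = {}  # (host, product) -> (version, date it was last seen)
    events = []
    for day, host, product, version in sorted(scans, key=lambda s: s[0]):
        if version is None:  # hidden banner: no evidence for or against an update
            continue
        key = (host, product)
        if key in last and last[key][0] != version:
            events.append({"host": host, "product": product,
                           "old": last[key][0], "new": version,
                           "not_before": last[key][1], "not_after": day})
        last[key] = (version, day)
    return events


def patch_delay_bounds(event, releases):
    """(min, max) days between release of the new version and its installation."""
    released = releases[(event["product"], event["new"])]
    earliest = max(event["not_before"], released)
    return (earliest - released).days, (event["not_after"] - released).days


if __name__ == "__main__":
    for ev in update_moments(SCANS):
        print(ev["host"], ev["old"], "->", ev["new"], patch_delay_bounds(ev, RELEASES))
```

The second host's update to 2.0.2 is first seen after 2.0.3 was already released, which is the kind of lag a timeline comparison against releases and advisories makes visible.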

Another contribution of this study is in the sphere of reconnaissance and open-source intelligence gathering, showing that relying on publicly available information alone is a time-consuming procedure that yields very few useful data points.
These latter findings have implications for both adversaries and security organisations, as reliable data could only be obtained through direct contact with the underlying municipality.
