Knowledge is the key. Recently Leandro Gelasi pointed me to an interesting report: 2014 Italian Cyber Security Report about awareness, defense and organization in the Public Sector. It is mostly a detailed analysis of a 61-question survey taken by 441 public bodies (national, regional, provincial and municipal).
A valuable work actually, worth reading, but I’m interested in numbers provided by external observers as well. Therefore I have been pushed to research numbers myself.
There is a clear and public consequence when security (ok, cyber security) is not a primary goal: your website may go down, be compromised or be defaced. Zone-h is helping here by providing raw data for a subset of hosts.
Our study takes into account only what Zone-h recorded for the official websites of Italian municipalities, provinces, regions and government during the last 15 months (2014 and Jan-Mar 2015).
Out of 8,047 municipalities, 677 (8.41%) official websites were hacked during the last 15 months. According to Zone-h records, 37.96% are Linux boxes, 42.10% MS Windows 2003 server, 0.15% FreeBSD, 8.12% MS Windows 2008 server, 11.52% MS Windows XP (!?), 0.15% F5 Big-IP. (Raw data: italian_municipalities_websites_hacked_2014)
Currently in Italy there are 110 provinces; 18 (16.36%) of them had their official websites hacked during the last 15 months: 55.56% Linux, 27.78% MS Windows 2003 server, 5.56% MS Windows 2008 server, 5.56% MS Windows 2000 server, 5.56% Unknown OS. (Raw data: italian_provinces_websites_hacked_2014)
Of the 20 Italian regions, 5 (25%) had their official websites hacked during the last 15 months: 40% Linux, 40% MS Windows 2003 server, 20% Unknown OS. (Raw data: italian_regions_websites_hacked_2014)
Now, the Italian Government and departments: out of 25 domain names, 2 (8%) have been hit by a hacking action during the last 15 months. Both servers (hosting websites for some subdomains under the giustizia.it and beniculturali.it domain names) are Linux-based, Zone-h reports. (Raw data: italian_government_websites_hacked_2014)
At this point I would agree with the following quote from the Italian Cyber Security Report 2014:
The results clearly highlight that some public sector organizations at a national level are better prepared than local ones. In the latter the situation is extremely fragmented, presenting few cases of excellence and many critical cases. However, it is fundamental to highlight that the results reported in this document must not be interpreted as a guarantee that those public bodies with high scores are safe, quite the opposite. Having been exposed to major risks, they have undertaken for a longer time the path that smaller public operators will necessarily have to undertake. The sooner this step is taken, the fewer the risks will be for the citizen and for the country.