A misconfiguration in the search tool on the city of Columbia, S.C., website could have exposed database and SMTP server passwords.
Independent researcher Arif Khan discovered the flaw in the fall and began trying to contact the city to disclose it, tweeting in November, “Hi @CityofColumbia, A security issue has been detected in your website, can you contact me in private?”
When a user searched for something that the tool couldn’t find, it responded with a 404 error page – intended for developers – that revealed the passwords, according to a CNET report.
“The core cybersecurity challenge facing local governments is fundamentally one of resourcing and expertise,” said Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center). “While enterprise and federal government budgets can support investment in cybersecurity initiatives, at the local level, budgets are often prioritized around community services such as those provided by emergency responders.”
That makes it “particularly difficult for a local government to respond quickly to a reported security issue or misconfiguration of their services,” he said.
But “despite limited budgets, procurement contracts should be written to include both the creation of threat models and the performance of periodic penetration testing of online services,” said Mackey. “If the contracts include performance clauses with penalties related to lax implementation security or misconfiguration of deployed services, then a shared level of responsibility can be created between provider and government.”
Mackey recommended that local governments tap “services such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) offering, which are funded in part from grants from the Department of Homeland Security,” and which are designed to “bring the expertise to state, tribal and local governments which would otherwise be hard to procure.”