Re: Shodan value

[Andre DiMino <adimino () GWU EDU>]

All good points Nick, and I generally agree.

However in our case, we have two /16's across many schools, faculty, staff,
and students.
Our network's constituencies are constantly changing.
Hosts are spun up, taken down, new OSes and applications are deployed and
left unpatched.
The vulnerabilities revealed on the visible hosts may change hour to hour.

It's an ongoing challenge to stay ahead of this network entropy.
So when Shodan offers a quick and easy way for potential attackers to
highlight our more egregious vulnerabilities, it escalates our existing
challenge.

I agree that Shodan is a great resource and that there are many very good
tools provided.
In fact, we have used Shodan Scanhub for private aggregation and
correlation of our own scans.

Thanks!
Andre'



On Fri, Jul 21, 2017 at 10:36 AM, Nicholas Garigliano <ngarigl8 () naz edu>
wrote:

> My thoughts on this subject.  Please feel free to point out anything I
> have wrong or missed or am deluded on......
>
> From an external perspective there are two major threats to consider:
>
> 1. Drive by attack based on the results of an automated info gathering
> process (service scan followed by vulnerability scan) against your IP
> space.  Based on the results, it then attempts to pragmatically leverage
> known weaknesses that it discovers to gain access.
>
> 2.  Directed attack against your IP space.  The attacker is going after
> you specifically with the goal of gaining access to your internal network
> or for performing a DoS on your site/service or presence in general.
>
> Blocking Shodan is not really going to gain you much when considering
> either scenario.  While it might make it more difficult, not having access
> to Shodan information isn't really going to deter any determined
> attacker.  They have the same access to your IP space that Shodan has and
> it isn't difficult to gather that info.   Shodan is just a search
> engine.  Security through obscurity rarely gains you much.  There is also
> the issue of maintaining an IP list for Shodan nodes in your firewall.
>
> You can actually use Shodan to your advantage to help you find flaws in
> your external configuration that you might miss.   You can use their API to
> automate checking on a regular basis.  A cool framework to work with along
> these lines is Recon-ng  (https://bitbucket.org/LaNMaSteR53/recon-ng).
> Definitely worth spending some time with.
>
> Thanks,
>
> Nick Garigliano
> Network Security Engineer
> Enterprise & Network Solutions
> Nazareth College
> 585 389-2109 <(585)%20389-2109>
>
> On Thu, Jul 20, 2017 at 11:53 AM, Andre DiMino <adimino () gwu edu> wrote:
>
> > We block Shodan as we prefer not to have any vulnerabilities or
> > misconfigured hosts be publicly identified.
> >
> > We perform our own regular external (and internal) scans from
> > pre-identified IP space.
> >
> > Andre'
> >
> > On Thu, Jul 20, 2017 at 10:54 AM, Reyor, William F. <wreyor () fairfield edu
> > > wrote:
> >
> > > We utilize the DHS NCCIC which provides more visibility then Shodan
> > > (full Nessus scan of all public ranges). And block Shodan.
> > >
> > > Thanks,
> > > Bill
> > >
> > > On Jul 20, 2017, at 10:49 AM, Ford, Bryan <bryan.ford () NDUS EDU<mailto:br
> > > yan.ford () NDUS EDU>> wrote:
> > >
> > > There been some discussion of the value of Shodan and should we block it
> > > or leave it open and monitor it.  I see the value of it and
> > > wanted to know what other are doing with it.
> > >
> > > Thanks
> > >
> > > Bryan
> >
> >
> >
> > --
> > Andre' M. DiMino
> > Principal Security Engineer
> > The George Washington University
> > Desk: (202) 994-6114
> > Cell: (202) 365-0548
> > adimino () gwu edu


-- 
Andre' M. DiMino
Principal Security Engineer
The George Washington University
Desk: (202) 994-6114
Cell: (202) 365-0548
adimino () gwu edu