Educause Security Discussion mailing list archives

Re: Shodan value


From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Fri, 21 Jul 2017 10:36:17 -0400

My thoughts on this subject.  Please feel free to point out anything I have
wrong or missed or am deluded on......

From an external perspective there are two major threats to consider:

1. Drive by attack based on the results of an automated info gathering
process (service scan followed by vulnerability scan) against your IP
space.  Based on the results, it then attempts to pragmatically leverage
known weaknesses that it discovers to gain access.

2.  Directed attack against your IP space.  The attacker is going after you
specifically with the goal of gaining access to your internal network or
for performing a DoS on your site/service or presence in general.

Blocking Shodan is not really going to gain you much when considering
either scenario.  While it might make it more difficult, not having access
to Shodan information isn't really going to deter any determined attacker.
They have the same access to your IP space that Shodan has and it isn't
difficult to gather that info.   Shodan is just a search engine.  Security
through obscurity rarely gains you much.  There is also the issue of
maintaining an IP list for Shodan nodes in your firewall.

You can actually use Shodan to your advantage to help you find flaws in
your external configuration that you might miss.   You can use their API to
automate checking on a regular basis.  A cool framework to work with along
these lines is Recon-ng  (https://bitbucket.org/LaNMaSteR53/recon-ng).
Definitely worth spending some time with.

Thanks,

Nick Garigliano
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Thu, Jul 20, 2017 at 11:53 AM, Andre DiMino <adimino () gwu edu> wrote:

We block Shodan as we prefer not to have any vulnerabilities or
misconfigured hosts be publicly identified.

We perform our own regular external (and internal) scans from
pre-identified IP space.

Andre'

On Thu, Jul 20, 2017 at 10:54 AM, Reyor, William F. <wreyor () fairfield edu>
wrote:

We utilize the DHS NCCIC which provides more visibility than Shodan (full
Nessus scan of all public ranges). And block Shodan.

Thanks,
Bill

On Jul 20, 2017, at 10:49 AM, Ford, Bryan <bryan.ford () NDUS EDU> wrote:

There has been some discussion of the value of Shodan and whether we should block it
or leave it open and monitor it.  I see the value of it and
wanted to know what others are doing with it.

Thanks

Bryan




--
Andre' M. DiMino
Principal Security Engineer
The George Washington University
Desk: (202) 994-6114
Cell: (202) 365-0548
adimino () gwu edu
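Nick's suggestion above is to turn Shodan into a scheduled check against your own address space rather than blocking it. The following is an added example (it is not code from the thread, from Nazareth College, or from Recon-ng) of what such a check can look like: it pulls Shodan's host record for each of your IPs and diffs what Shodan sees against the ports you intend to expose, flagging anything unexpected and any CVE ids Shodan has attached to the host. It assumes the Shodan REST host endpoint `GET https://api.shodan.io/shodan/host/{ip}?key={key}` and that its JSON carries `ports`, `vulns` and `data` (banner records with `port`, `transport`, `product`); the sample records and the baseline dict are constructed for the example and use documentation addresses and a placeholder CVE id.

```python
"""Audit externally facing hosts against an expected-service baseline using
Shodan's host lookup.

Added example, not from the thread. Assumptions: the Shodan host endpoint
GET https://api.shodan.io/shodan/host/{ip}?key={key} returns JSON with
"ports" (list of ints), "vulns" (list of CVE ids) and "data" (list of banner
records with "port", "transport", "product"). The baseline is the operator's
own record of what each address is supposed to expose.
"""
import json
import urllib.request

SHODAN_HOST_URL = "https://api.shodan.io/shodan/host/{ip}?key={key}"


def fetch_host(ip, api_key, timeout=30):
    """Pull Shodan's current view of one IP (live network call, needs a key)."""
    url = SHODAN_HOST_URL.format(ip=ip, key=api_key)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def audit_host(host, expected_ports):
    """Compare one Shodan host record with the ports you intend to expose.

    Returns the ports Shodan saw that are not in the baseline, baseline ports
    it did not see (service down, filtered, or not yet crawled), every CVE id
    Shodan attached to the host, and a one-line banner summary per port.
    """
    observed = set(host.get("ports", []))
    expected = set(expected_ports)
    banners = {}
    for rec in host.get("data", []):
        port = rec.get("port")
        if port is None:
            continue
        banners[port] = "%s/%s %s" % (
            rec.get("transport", "tcp"), port, rec.get("product") or "unknown service")
    return {
        "unexpected_ports": sorted(observed - expected),
        "missing_ports": sorted(expected - observed),
        "vulns": sorted(host.get("vulns", [])),
        "banners": banners,
    }


def audit_range(hosts_by_ip, baseline):
    """Audit a dict of ip -> Shodan record against per-ip baselines.

    Only hosts with an unexpected port or a reported CVE are returned, so the
    output is what an operator would want to be paged on.
    """
    findings = {}
    for ip, rec in hosts_by_ip.items():
        result = audit_host(rec, baseline.get(ip, ()))
        if result["unexpected_ports"] or result["vulns"]:
            findings[ip] = result
    return findings


# Constructed sample records standing in for API responses (documentation
# addresses, not real hosts; the CVE id is a placeholder, not a real advisory).
SAMPLE_HOSTS = {
    "198.51.100.10": {
        "ports": [22, 443, 8080],
        "vulns": ["CVE-0000-0000"],
        "data": [
            {"port": 22, "transport": "tcp", "product": "OpenSSH"},
            {"port": 443, "transport": "tcp", "product": "nginx"},
            {"port": 8080, "transport": "tcp", "product": None},
        ],
    },
    "198.51.100.11": {
        "ports": [443],
        "vulns": [],
        "data": [{"port": 443, "transport": "tcp", "product": "Apache httpd"}],
    },
}

# What each address is supposed to expose, from the operator's own records.
SAMPLE_BASELINE = {"198.51.100.10": [22, 443], "198.51.100.11": [443]}

if __name__ == "__main__":
    # Offline run over the constructed records; swap in fetch_host() results
    # under a scheduler for the recurring check Nick describes.
    for ip, result in audit_range(SAMPLE_HOSTS, SAMPLE_BASELINE).items():
        print(ip, json.dumps(result, indent=2))
```

Run under cron (or as a Recon-ng module input) with `fetch_host()` supplying the records, the diff against your own baseline is what matters: a port Shodan sees that you did not intend to expose is the misconfiguration Nick is talking about, found the same way an attacker's automated sweep would find it.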


