Educause Security Discussion mailing list archives
Re: Shodan value
From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Fri, 21 Jul 2017 10:36:17 -0400
My thoughts on this subject. Please feel free to point out anything I have wrong or missed or am deluded on......
From an external perspective there are two major threats to consider:
1. Drive by attack based on the results of an automated info gathering process (service scan followed by vulnerability scan) against your IP space. Based on the results, it then attempts to pragmatically leverage known weaknesses that it discovers to gain access.
2. Directed attack against your IP space. The attacker is going after you specifically with the goal of gaining access to your internal network or for performing a DoS on your site/service or presence in general.

Blocking Shodan is not really going to gain you much when considering either scenario. While it might make it more difficult, not having access to Shodan information isn't really going to deter any determined attacker. They have the same access to your IP space that Shodan has and it isn't difficult to gather that info. Shodan is just a search engine. Security through obscurity rarely gains you much. There is also the issue of maintaining an IP list for Shodan nodes in your firewall.

You can actually use Shodan to your advantage to help you find flaws in your external configuration that you might miss. You can use their API to automate checking on a regular basis. A cool framework to work with along these lines is Recon-ng (https://bitbucket.org/LaNMaSteR53/recon-ng). Definitely worth spending some time with.

Thanks,
Nick Garigliano
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Thu, Jul 20, 2017 at 11:53 AM, Andre DiMino <adimino () gwu edu> wrote:
We block Shodan as we prefer not to have any vulnerabilities or misconfigured hosts be publicly identified. We perform our own regular external (and internal) scans from pre-identified IP space.

Andre'

On Thu, Jul 20, 2017 at 10:54 AM, Reyor, William F. <wreyor () fairfield edu> wrote:

We utilize the DHS NCCIC which provides more visibility than Shodan (full Nessus scan of all public ranges). And block Shodan.

Thanks,
Bill

On Jul 20, 2017, at 10:49 AM, Ford, Bryan <bryan.ford () NDUS EDU> wrote:

There has been some discussion of the value of Shodan and should we block it or leave it open and monitor it. I see the value of it and wanted to know what others are doing with it.

Thanks
Bryan

--
Andre' M. DiMino
Principal Security Engineer
The George Washington University
Desk: (202) 994-6114
Cell: (202) 365-0548
adimino () gwu edu
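The message above suggests using Shodan's data to check your own external configuration on a regular basis. The following is an added example, not code from any poster in this thread: it compares banner records for your own address space against a baseline of services you intend to expose. The records, networks and baseline are constructed; the field names (ip_str, port, transport, product) are assumed to match the banner records Shodan returns.

```python
import ipaddress

# Constructed sample records (not real scan data), using documentation
# address space. Field names are assumed to follow Shodan banner records.
BANNERS = [
    {"ip_str": "192.0.2.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "192.0.2.10", "port": 3389, "transport": "tcp", "product": "Remote Desktop"},
    {"ip_str": "192.0.2.25", "port": 25, "transport": "tcp", "product": "Postfix smtpd"},
    {"ip_str": "192.0.2.77", "port": 161, "transport": "udp", "product": "SNMP"},
    {"ip_str": "198.51.100.5", "port": 80, "transport": "tcp", "product": "Apache httpd"},
]

# Hypothetical baseline: (ip, port, transport) tuples you intend to expose.
APPROVED = {
    ("192.0.2.10", 443, "tcp"),
    ("192.0.2.25", 25, "tcp"),
    ("192.0.2.30", 22, "tcp"),
}

# Hypothetical campus address space to audit.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def audit_exposure(banners, approved, networks):
    """Return (unexpected, not_indexed).

    unexpected:  in-scope services the search engine saw that are not approved.
    not_indexed: approved services that do not appear in the results at all.
    """
    seen = {}
    for b in banners:
        addr = ipaddress.ip_address(b["ip_str"])
        if not any(addr in net for net in networks):
            continue  # record is outside the address space being audited
        key = (b["ip_str"], b["port"], b.get("transport", "tcp"))
        seen.setdefault(key, b.get("product", "unknown"))
    unexpected = sorted(k + (p,) for k, p in seen.items() if k not in approved)
    not_indexed = sorted(approved - set(seen))
    return unexpected, not_indexed


if __name__ == "__main__":
    unexpected, not_indexed = audit_exposure(BANNERS, APPROVED, CAMPUS_NETS)
    for ip, port, transport, product in unexpected:
        print(f"UNEXPECTED {ip}:{port}/{transport} ({product})")
    for ip, port, transport in not_indexed:
        print(f"approved but not indexed: {ip}:{port}/{transport}")
```

An approved service missing from the results is not necessarily a problem: it may be filtered, down, or not yet crawled, which is itself useful to know if the scanner's addresses are blocked at the border.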
Current thread:
- Shodan value Ford, Bryan (Jul 20)
- Re: Shodan value Reyor, William F. (Jul 20)
- Re: Shodan value Andre DiMino (Jul 20)
- Re: Shodan value Nicholas Garigliano (Jul 21)
- Re: Shodan value Andre DiMino (Jul 24)
- Re: Shodan value Andre DiMino (Jul 20)
- Re: Shodan value Rich Graves (Jul 20)
- Re: Shodan value Reyor, William F. (Jul 20)
- Re: Shodan value Valdis Kletnieks (Jul 20)
- Re: Shodan value Reyor, William F. (Jul 20)
- Re: Shodan value Reyor, William F. (Jul 20)
- <Possible follow-ups>
- Re: Shodan value Cameron Dixon (Jul 27)
- Re: Shodan value Kevin Wilcox (Jul 28)
- Re: Shodan value Ashley Penchion (Jul 28)
- Re: Shodan value Dixon, Cameron (Jul 31)
- Re: Shodan value Valdis Kletnieks (Jul 28)
- Re: Shodan value Kevin Wilcox (Jul 28)