Educause Security Discussion mailing list archives

Re: Shodan value


From: Cameron Dixon <cameron.dixon () HQ DHS GOV>
Date: Thu, 27 Jul 2017 23:53:22 -0600

Hello there, new listserv-er here. I'm the ops lead for the DHS NCATS scanning service mentioned previously-- a 
colleague of mine alerted me to this discussion, so I hope you'll forgive the interjection. Cyber Hygiene, our service 
that scans internet-facing systems, is (basically) available to all comers, and the 
https://github.com/dhs-ncats/services link outlines the contours of the service decently-- I'm also happy to answer any 
questions you might have.

One thing we encourage (particularly) our education sector stakeholders to think through is that Cyber Hygiene is 
optimized around the presumption that a host’s IP address generally stays the same over time. This may not be the case 
in some of your environments; e.g., you may assign public IP addresses to clients on your wireless network. Networks 
with high IP addressing volatility are probably not good subjects for our service, since it cannot be presumed that the 
host that gets scanned will be the same device at vulnerability notification, and it's our intention to help 
organizations find and fix *their* vulnerabilities. So, Cyber Hygiene is best suited to those environments where an 
enterprise maintains the network *and* manages the devices that use it.

Yes, it could be asserted by e.g., a university, that the vulnerabilities found on their network impact them regardless 
of whether they manage the devices on their network. A university could also attempt to claim some ‘ownership’ over 
user devices by stating that an acceptable use agreement was signed, binding their users to some conditions. While both 
may be true, it is not reasonable that the Department of Homeland Security should be, or have the appearance of, 
scanning individual, independent citizens who didn't sign up to be scanned.

...But I mostly joined to respond that there's nothing inherently scary about DHS or any federal agency using GitHub. 
We use (and create!) open source software like many of you; indeed, we're required to 
(https://code.gov/#/policy-guide/policy/open-source). Even a decent chunk of the Intelligence Community is on GitHub 
(https://government.github.com/community/#us-military-and-intelligence). While having a service catalog on GitHub isn't 
our first choice, I promise it's nicer than waiting for an email back from us!

Cheers.
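The IP-volatility point above is the one to check before enrolling a subnet: whether the device that was scanned is still the device behind that address when the notification arrives. As an added example (not code from the original message or from the NCATS project), the following reconciles scan findings against DHCP lease history; the lease records, findings, IPs and MACs are constructed, and `device_at`/`reconcile` are hypothetical helper names.

```python
# Added example: reconcile scan findings against DHCP lease history to decide
# whether the device behind a scanned IP is still the same device at
# notification time. All data below is constructed for illustration.
from datetime import datetime

# Constructed DHCP lease records: (ip, mac, lease_start, lease_end).
LEASES = [
    ("203.0.113.10", "aa:bb:cc:00:00:01", "2017-07-20T00:00", "2017-09-01T00:00"),  # long-lived server lease
    ("203.0.113.50", "aa:bb:cc:00:00:02", "2017-07-24T08:00", "2017-07-24T18:00"),  # wireless client
    ("203.0.113.50", "aa:bb:cc:00:00:03", "2017-07-27T09:00", "2017-07-27T17:00"),  # different client, same IP
]

# Constructed scan findings: (ip, scan_time, finding).
FINDINGS = [
    ("203.0.113.10", "2017-07-24T12:00", "outdated TLS"),
    ("203.0.113.50", "2017-07-24T12:00", "open SMB"),
    ("203.0.113.99", "2017-07-24T12:00", "open telnet"),  # no lease on record
]


def _ts(s):
    return datetime.fromisoformat(s)


def device_at(ip, when, leases=LEASES):
    """Return the MAC that held `ip` at `when`, or None if no lease covers it."""
    for lease_ip, mac, start, end in leases:
        if lease_ip == ip and _ts(start) <= _ts(when) < _ts(end):
            return mac
    return None


def reconcile(findings, notified_at, leases=LEASES):
    """For each finding, report whether the same device still holds the IP.

    status: "same" (safe to notify the owner), "changed" (the finding belongs
    to a device that no longer holds the IP), "unknown" (no lease at scan time).
    """
    out = []
    for ip, scanned_at, finding in findings:
        scan_mac = device_at(ip, scanned_at, leases)
        now_mac = device_at(ip, notified_at, leases)
        status = ("unknown" if scan_mac is None
                  else "same" if scan_mac == now_mac
                  else "changed")
        out.append({"ip": ip, "finding": finding, "scan_mac": scan_mac,
                    "current_mac": now_mac, "status": status})
    return out


if __name__ == "__main__":
    for row in reconcile(FINDINGS, "2017-07-27T12:00"):
        print(row)
```

A subnet where most findings come back "changed" is one where the scan-to-notification assumption does not hold and which is a poor candidate for enrollment.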
