






To prevent a security breach by someone using the Shodan site, CERT recommends
that people and companies follow these rules (Shodan):

Place all control system assets behind firewalls, separated from the business network

Deploy secure remote access methods such as a VPN (virtual private network) for remote access

Remove, disable, or rename any default system accounts (where possible)

Implement account lockout policies to reduce the risk from brute forcing attempts

Implement policies requiring the use of strong passwords

Monitor the creation of administrator-level accounts by third-party vendors



To see whether a node is vulnerable over the internet, a Shodan user can use three HTTP status
codes to see the type of security the node offers. Code 200 means that no
authentication is necessary to access a device; 401 means the node requires people to provide
some type of authentication; and 403 means access is strictly forbidden: even if the right
authentication is provided, access will not be granted (Schearer).
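
The three status codes can drive a triage of an organisation's own device inventory. The following is an added example, not part of the original article: the function names, sample banners and addresses (RFC 5737 documentation range) are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches an HTTP status line such as "HTTP/1.1 401 Unauthorized".
STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b")

# Meaning of the three codes as the article describes them.
MEANING = {
    200: "open: content served with no authentication",
    401: "auth-required: device asks for credentials",
    403: "forbidden: access refused even with credentials",
}

def classify_banner(banner):
    """Return (status_code, label) for one raw HTTP response banner."""
    text = banner.strip()
    first_line = text.splitlines()[0] if text else ""
    match = STATUS_LINE.match(first_line)
    if not match:
        return None, "unparsed: not an HTTP banner, inspect manually"
    code = int(match.group(1))
    return code, MEANING.get(code, "other: outside the three codes, review")

def triage(inventory):
    """Group an owner's own assets by label; 'open' ones need action first."""
    report = defaultdict(list)
    for asset, banner in inventory.items():
        _, label = classify_banner(banner)
        report[label.split(":")[0]].append(asset)
    return {key: sorted(assets) for key, assets in report.items()}

# Constructed sample: banners recorded from an organisation's own devices.
SAMPLE_INVENTORY = {
    "192.0.2.10": "HTTP/1.0 200 OK\r\nServer: example-hmi\r\n\r\n",
    "192.0.2.11": "HTTP/1.1 401 Unauthorized\r\n"
                  "WWW-Authenticate: Basic realm=\"plc\"\r\n\r\n",
    "192.0.2.12": "HTTP/1.1 403 Forbidden\r\nServer: example-gw\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
    "192.0.2.14": "SSH-2.0-example\r\n",
}

if __name__ == "__main__":
    for label, assets in triage(SAMPLE_INVENTORY).items():
        print(f"{label:14} {', '.join(assets)}")
```

Assets that land in the "open" group are the ones to move behind a firewall or VPN first, per the CERT rules listed above.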


“Shodan is a window into this world of connected devices, identifying devices like webcams,
traffic signals and even nuclear power plants on the internet. It can be used by security
researchers to identify internet connected devices with security vulnerabilities and as a general
tool to understand the landscape of connected devices in order to provide a more secure
infrastructure. It is also the same kind of technology that malicious hackers use for the same
purpose, but with different intent” (Episode 10).

About the Author

Hello, my name is Carl Miles Jr, a rising senior at East Carolina University,
who is going for his Bachelor of Science in Information and Computer
Technology with a concentration in Information Security and a minor in
logistics. Currently I am an RA (Resident Advisor) at East Carolina University,
and in the past I have provided tech support for East Carolina University.
Upon graduation I plan on applying for a position at Cisco, or Google’s
residency program.












41 Cyber Warnings E-Magazine – April 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
