Reduce attack surface - Get "stuff off search"
Page Article
Assess Your Public Asset Risk Profile
For each system, service, and port that is exposed, ask the following questions:
- Why does this system and service need to be running? Equipment often enables capabilities by default that are not necessary in normal operations.
- What is the business need requiring this system, service, and port to be exposed to the Internet? Administrative tools may be inadvertently configured to connect on an Internet-accessible interface.
- Can this system, service, or port reside behind a VPN? VPNs add strong authentication mechanisms and remove a direct link to potential adversaries.
- Can the service offer strong, multi-factor authentication? Contact your vendor to explore options.
- When was the last time this system or service was fully updated? There may be a valid business justification for why a system was not updated; otherwise, follow your change management process and update your systems on schedule.
- When was the last time this system or service was hardened? Contact your vendor for best practices and support.
A key capability of these tools is identifying exposed assets to enable owners and operators of Industrial Control Systems (ICS), IoT, and IIoT devices to reduce their attack surface by enumerating and detailing any number of Internet-connected targets. By pulling back banners of Internet-connected devices, end users can use any combination of search filters to narrow search results to specifically query for potentially vulnerable devices.
Shodan is a web-based search platform for internet-connected devices. A key capability of Shodan is its use as an attack surface reduction tool, with the ability to read any number of Internet-connected targets, including ICS and IIoT. By pulling back banners of Internet-connected devices, Shodan can find any combination of search filters to narrow search results to specifically target potentially vulnerable devices.
Key features:
- Identify Internet-connected devices, Internet of Things/Industrial Internet of Things (IoT/IIoT), and industrial control systems (ICS).
- Potential exploits.
- Default passwords.
- Integrations with vulnerability tools, logging aggregators, and ticketing systems allow Shodan to be seamlessly integrated into an enterprise.
Censys is a web-based risk management tool that helps identify publicly accessible assets - even if they can't be scanned by a vulnerability management tool. A key capability of Censys.io is its use as an attack surface reduction tool, with the ability to recognize any number of Internet connected targets, including ICS and IIoT. With the ability to assess and index IP addresses, parse TLS certificates, and track domains, Censys.io provides a 360-degree depiction of an organization's Internet attack surface. Censys.io has also been positioned as a platform capable of providing visibility into an organization's Internet remote workforce.
Key features:
- Home network risk identifier (HNRI), allowing employers to anonymously monitor staff's home network infrastructure for vulnerabilities that may pose a risk to the company.
- Exposed routers.
- Default credentials.
- Popular vectors for ransomware.
Thingful is a search engine for the Internet of Things (IoT). Thingful can also be used in automatic discovery of IoT data pathways, and thereby support attack surface reduction activities; however, that capability is not its primary purpose. Thingful's main use cases are focused on the manipulation of IoT data in ways that unlock value and visibility within an identified dataset. Specifically, the ability to organize, access, respond and unlock IoT data streams into useful "data pipes" for consumption is key to Thingful's business model.
Key features:
- Searchable index of public and private connected objects and sensors around the world.
- Monitors IoT networks and infrastructures including energy, radiation, weather, and air quality devices.
- Reports seismographs, iBeacons, vehicles, ships, aircraft and animal trackers. The tool assists with response by enabling end users to create watchlists and publications on public/private IoT resources.