Report: Cities leaving their cyber assets exposed
- By Matt Leonard
- Feb 15, 2017
Cities trying to tighten security should take a good look at their unsecured connected devices.
Scans of February 2016 data on internet-connected devices found that Lafayette, La.; Saint Paul, Minn.; and Washington, D.C., had the most exposed cyber assets. Those connected devices were vulnerable to cyber attack because they were poorly configured, unpatched or had remote access enabled.
The goal of the analysis, conducted by Trend Micro and released on Feb. 15, “is to build public awareness about exposed cyber assets and highlight problems and issues associated with their exposure.” It focuses on the industries involved in critical infrastructure, including emergency, healthcare, utilities, financial services and education. It also ranks cities by the total number of exposed assets across industries.
Firewalls were the most commonly exposed government devices at 48 percent of total devices. That was followed by wireless access points, specialized devices, webcams, routers and other assets.
The researchers were able to find these devices through Shodan, a search engine that finds internet connected devices by scouring the web to find undiscovered devices to add to its search results. It can find office printers, streetlights in a traffic network or security cameras in a local utility.
“With the proliferation of cyberterrorism by rogue nations and terrorist groups, exposed cyber assets pose serious threats to both national security and the daily functioning of cities,” the report read.
A potentially worrying trend found in the report is the continued use of Windows XP. Windows 7 and 8, along with newer versions of Linux, made up the majority of exposed operating systems across all sectors, but Windows XP still made up almost 9 percent of exposed government systems. Windows XP, now more than 15 years old has not had support from Microsoft since 2014.
Similar results were found for emergency services, with Houston and Lafayette having the highest number of exposed assets. Philadelphia and Seattle topped the list of cities having the most exposed education-related devices. And when it comes to utilities, authorities in smaller cities had more unsecured devices than did larger municipalities.
The report ends with some suggestions for securing networks and data, but acknowledges that “no defense is impregnable against determined adversaries.”
That’s especially true if device owners fail to secure their assets. “Organizations, especially those considered to be part of critical infrastructure sectors, must always operate on the assumption that they have already been compromised and take steps to both detect and defend against threat actors,” the report concluded.
Read the full report here.
This article was changed Feb. 16 to update the reference to Lafayette. The report originally referred to Lafayette, Ind., but it was changed to Lafayette, La.
Matt Leonard is a former reporter for GCN.