
Center for Cyber Intelligence

Essential Guide to Using Shodan for Small Business Vulnerability Assessments & Network Monitoring

Introduction to Shodan

The business world is increasingly digitized, with more devices connected to the Internet every day. This growth exposes small businesses to new technological opportunities, but often at the cost of increased cybersecurity risk. Shodan is a powerful tool that can be incredibly valuable for small business owners who want to take control of their cybersecurity posture and proactively identify issues with their internet-facing environment.

Unlike traditional search engines that index web content, Shodan scans the Internet for information about devices and services, including banners and metadata that offer insight into the security posture of those assets. Small business owners can use it to identify their internet-connected devices, from seemingly simple "Internet of Things" (IoT) devices to sophisticated server systems; enumerate the services and open ports on those devices; determine which assets are publicly accessible and potentially vulnerable; and track changes in exposure over time.

What Shodan Can Do:

  • Identify Devices: Locate routers, servers, and IoT devices online.

  • Detect Services: Enumerate services running on open ports.

  • Assess Exposure: Help determine which assets are publicly accessible and potentially vulnerable.

  • Monitor Changes: Track changes in exposure over time.


Guide to Using Shodan for Your Small Business

Setting Up Your Account

Visit Shodan and sign up for an account. Consider purchasing a membership for advanced features and increased query limits. The membership is a one-time payment of $49 for a lifetime account upgrade - no subscription required! Some of the benefits of a Shodan Membership include:

  • Monitoring & Alerting: Monitor the devices you expose to the Internet. Set up notifications, launch scans, and gain complete visibility into what you connect. The membership lets you monitor up to 16 IPs to ensure your home or small business network isn't exposed to the Internet.

  • Command-Line Interface: The official Shodan CLI allows you to automate your workflow or efficiently get the necessary information without visiting the website. With a Shodan membership, you can access almost every aspect of the Shodan platform from the CLI - no coding is required!

  • Search Images: Shodan collects screenshots for many different services. As a member, you can access a new search interface that makes browsing those screenshots much more straightforward. Additionally, Shodan performs OCR on those images so that you can also search for the text inside the photos.

  • Integrations: The improved API plan for members makes plugins for tools such as Metasploit, Recon-ng, and Maltego more powerful. You'll have the entire database of Shodan a fingertip away from your favorite programs.

Identify Your IP Space

Before we start, let’s cover some quick basics about the differences between what may be considered a typical home network vs. a small business network.

  • Home Networks are typically simpler, consisting of a few devices connected to the Internet through a single residential router. These networks often lack sophisticated security measures and are primarily used for personal activities.

  • Small Business / Home Office Networks are often more complex. They may include additional hardware and software layers to support business activities. These networks usually resemble small enterprise environments with multiple internet-facing devices. Ideally, this environment features enhanced security measures, various subnets, and specialized networking equipment to securely handle personal and business data.

Let’s dive in! Begin with identifying your endpoint IP address or range:

  • Endpoint IP Identification: Start by identifying the external IP address of the device you're currently using. You can easily find this by visiting websites like WhatIsMyIP.com or by searching "what is my IP" in a search engine.

  • Determine Your Network Range:

    • Router and Firewall IPs: Typically, the external IP address you identify from your endpoint will be assigned to your network's edge device, such as a router or firewall. This device manages both inbound and outbound traffic for your network. For small networks, this may be the only internet-facing device you have. For more complex environments, there may be several.

    • Consult ISP or Network Administrator: For more precise information on your full IP range, consult your Internet Service Provider (ISP). Businesses may have multiple IP addresses or ranges assigned.

Utilize Shodan to Scan Your IP Range

  • Conduct a Basic Shodan Search: If you have multiple IP addresses or an IP range assigned through your ISP, enter your IP range in Shodan using the syntax below. This will list all devices in your subnet visible on the Internet.

    • net:YOUR.IP.RANGE/24


Analyzing Your Results

Understanding your search results and identifying potential risks is crucial - particularly if you have limited IT or security experience. This section will help you interpret what you find in Shodan searches and explain why some findings might be concerning.

  1. Identify Devices and Services

    • Standard Services: When you run a Shodan search, you'll see various services listed under each device. Focus on common ones like:

      • HTTP (Port 80): This is the standard port for web servers. If this appears without HTTPS, it suggests that the data sent to and from this service is unencrypted, which is not secure.

      • HTTPS (Port 443): The secure version of HTTP, indicating encryption is used. This is expected for any web service handling sensitive data.

      • FTP (Port 21): Used for file transfers. It is insecure because it transmits data, including passwords, in plain text. FTP should never be used, especially on internet-facing devices.

      • SSH (Port 22): Allows secure remote access to devices. While SSH itself is secure, an SSH service you did not expect to find may indicate an unauthorized access point.

    • Unexpected Services: Discovering services you do not recognize or have no recollection of setting up might indicate misconfigurations or unauthorized installations. For example, an open Telnet port (Port 23) is typically considered insecure and should be investigated.

  2. Check Banners

    Banners are the information a service displays when someone connects to it, often including the type of service, the software version, and other vital details.

    • Check for Outdated Software: Banners showing older software versions can indicate security risks, as these may contain known vulnerabilities that attackers can exploit.

    • Check for Possible Misconfigurations: Sometimes, banners might reveal default configurations that haven't been changed (e.g., default usernames or service settings), which are easy and prevalent targets for attackers.

  3. Review Certificates

    • SSL/TLS Certificates: These certificates are used by HTTPS services to ensure secure communication. Shodan can show you if a certificate is:

    • Expired: An expired certificate can cause browsers to warn visitors that your site is insecure, which may harm your business reputation.

    • Misconfigured: Certificates should be issued using the correct domain name and a secure configuration. Any discrepancies indicate potential security weaknesses and represent threats to your business.

Common Red Flags and Their Implications

  • Open Ports: Each port on a network can serve as a door or a gateway that allows specific types of network traffic in and out. An "open port" means that the port is configured to accept connections, which can be necessary or potentially dangerous. Having numerous open ports can unnecessarily increase your business’s attack surface, providing more opportunities for malicious actors to attempt to access your network.

    • Example: A small retail business might use port 443 for secure online transactions but finds that other ports, like FTP (21) or Telnet (23), are open. These protocols are not secure and should be closed to prevent data theft or unauthorized access.

    • Action Steps: Use a tool like Shodan to scan your IP address and identify open ports. Review whether each open port is necessary for your operations and close those that aren't. Ensure that necessary ports are protected with strong security measures, like firewalls and intrusion detection systems.

  • Default Settings & Passwords: Many network devices and software are installed with default settings and passwords, which are widely known and easily accessible online. Operating with default settings and passwords is akin to leaving the key in the lock of your front door. It's an invitation for attackers to enter easily.

    • Example: A small consultancy firm sets up a new router but doesn’t change the default admin password. An attacker uses this default password to gain access and redirect internet traffic through malicious servers.

    • Action Steps: Always change default usernames and passwords during the initial setup of new devices or software. Use strong, unique passwords for different devices and services. Consider using a password manager to keep track of them securely.

  • Exposed Sensitive Services: Sensitive services, such as databases, management interfaces, or API endpoints, are critical to the operation of a business but can expose significant vulnerabilities if accessible via the public internet. If these services are exposed and accessible, they can be targeted for data breaches, leading to significant financial and reputational damage.

    • Example: A small healthcare provider uses a database to store patient records. If this database is inadvertently exposed online without proper security controls, it could be accessed or hacked, leading to a breach of sensitive patient information.

    • Action Steps: Ensure that sensitive services are inaccessible from the public internet. Use network security measures such as VPNs for remote access, firewalls to block unauthorized access, and robust authentication mechanisms. Regularly audit your network using tools like Shodan to check for exposures.
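The checks described in the two sections above, as an added example that is not part of the original post: a short Python triage of a single Shodan host record that flags cleartext protocols, exposed sensitive services, unexpected ports, and expired or mismatched certificates. The host record, the expected-port list and the business domain are constructed sample values; the record's layout follows the shape of Shodan's host JSON (one banner per service with port, product, version and an optional ssl.cert sub-object), which is assumed here rather than fetched live.

```python
# Added example (not from the CCI post): triage one Shodan host record as the
# "Analyzing Your Results" and "Common Red Flags" sections describe. SAMPLE_HOST is
# CONSTRUCTED and mirrors the shape of Shodan's host JSON (assumed, not fetched).
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",  # documentation-range address, constructed
    "ports": [21, 22, 80, 443, 3306],
    "data": [
        {"port": 21, "product": "vsftpd", "version": "3.0.3"},
        {"port": 22, "product": "OpenSSH", "version": "8.9p1"},
        {"port": 80, "product": "nginx", "version": "1.18.0"},
        {"port": 443, "product": "nginx", "version": "1.18.0",
         "ssl": {"cert": {"expired": True, "subject": {"CN": "shop.example.com"}}}},
        {"port": 3306, "product": "MySQL", "version": "5.7.41"},
    ],
}
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}          # plaintext protocols
SENSITIVE = {3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB", 3389: "RDP"}
RANK = {"high": 0, "medium": 1, "low": 2}

def cn_matches(cn, domain):
    """True if the certificate CN covers the business domain (exact or one-level wildcard)."""
    if cn.startswith("*."):
        return domain.endswith(cn[1:]) and domain.count(".") == cn.count(".")
    return cn == domain

def triage(host, expected_ports, domain):
    """Return (severity, message) findings for one host record, worst first."""
    findings = []
    open_ports = set(host.get("ports", []))
    for banner in host.get("data", []):
        port, svc = banner["port"], banner.get("product", "unknown")
        if port in SENSITIVE:       # databases / management planes should never be public
            findings.append(("high", f"port {port} ({SENSITIVE[port]}) exposed to the Internet: {svc}"))
        elif port == 80 and 443 in open_ports:
            findings.append(("low", "port 80 (HTTP) alongside 443: confirm it only redirects to HTTPS"))
        elif port in CLEARTEXT:     # FTP / Telnet / HTTP-only send credentials in the clear
            findings.append(("medium", f"port {port} ({CLEARTEXT[port]}) is a cleartext protocol: {svc}"))
        if port not in expected_ports:  # anything you did not knowingly publish
            findings.append(("medium", f"port {port} not in the expected list: {svc} {banner.get('version', '')}".strip()))
        cert = banner.get("ssl", {}).get("cert")
        if cert:
            cn = cert.get("subject", {}).get("CN", "")
            if cert.get("expired"):
                findings.append(("medium", f"port {port}: TLS certificate has expired"))
            if not cn_matches(cn, domain):
                findings.append(("low", f"port {port}: certificate CN {cn!r} does not match {domain!r}"))
    return sorted(findings, key=lambda f: RANK[f[0]])

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_HOST, expected_ports={22, 443}, domain="shop.example.com"):
        print(f"[{sev.upper():6}] {SAMPLE_HOST['ip_str']}: {msg}")
```

Against the sample record, the script reports the exposed MySQL port as the single high-severity finding, with the FTP service, the unexpected ports and the expired certificate listed as medium.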

Example of Shodan Monitor Dashboard

Setting up Shodan Monitor:

Shodan offers a monitoring service, Shodan Monitor, that allows members to continuously monitor their internet-facing assets. This service is designed to help you maintain ongoing awareness of your network's security status by sending notifications when various security-related issues are identified. Remember that you can monitor only up to 16 assets with a standard membership. This cap includes IPs, domains, and entities identified through search queries. If the number of monitored assets exceeds the limit due to dynamic updates (e.g., new subdomains or IPs discovered), your monitor may temporarily pause or return an error. Actively managing and prioritizing the assets you wish to monitor is therefore crucial.

  1. Access Shodan Monitor: Navigate to Shodan Monitor.

  2. Add Monitoring Targets:

    • IP Addresses/Network Ranges: Add specific IPs or entire network ranges representing your internet-facing infrastructure.

    • Domains: Enter your business domain to monitor the primary domain, associated IP, and related subdomains automatically.

    • Configure Search Queries: Set up custom search queries that reflect your specific security concerns (e.g., searching for outdated software or unauthorized open ports).


Wrapping Up: Best Practices for Security Hygiene

Here are some strategies to consider based on the findings you may encounter on Shodan - if any of these items are outside your expertise, engaging professional services, such as those offered by CCI, to audit and fortify your network is always an option!

  • Verification and Reduction: Assess the necessity of each service and port discovered on your devices. To minimize exposure, unnecessary services and ports should be disabled. Strive to limit the number of devices and services accessible via the Internet.

  • Securing Configurations: Default credentials must be replaced with strong, unique passwords, and configurations should be hardened against attacks.

  • Routine Audits: Perform regular security audits and penetration tests to gauge the strength of your defenses.

  • Updates and Security: Keep all software current and apply secure configurations.

    • Prioritization of Findings: Tackle critical and high-severity vulnerabilities promptly, considering their potential impact and exposure.

    • Patch Management: Apply patches expediently for any services flagged as outdated or vulnerable.

  • Consistent Monitoring: Use Shodan Monitor to periodically monitor your network's exposure to quickly identify new or altered vulnerabilities.

  • Network Configuration Management: In relevant environments, evaluate and adjust firewall rules and network segmentation to reduce business exposure.

Final Thoughts

This guide is intended as an introductory resource. Shodan can be an extremely valuable tool, and this guide only scratches the surface of its capabilities. The help documentation provides more information on how to use Shodan.

Shodan can provide invaluable insight into a small business's online presence and potential vulnerabilities, but if you need additional support, consider contacting cybersecurity professionals to conduct a deeper analysis of your environment and develop defensive strategies for your specific use cases.

At the Center for Cyber Intelligence, we have over 15 years of cybersecurity expertise and a commitment to providing accessible, clear guidance to make cybersecurity achievable for small businesses like yours. Don't wait until it's too late—secure your business today and gain peace of mind knowing that a partnership with CCI will fast-track you to protecting the company you worked so hard to build.


Chris Cooley