And Other Scary Stats
(Disclaimer – It is not the intent of this post to point out a particular BAS software vendor. The intent is to show that we, the system integrators, still have work ahead of us to do our part.)
I got the information listed below by running a report on Shodan today (8/13/2015). It didn’t cost a dime, and I didn’t have to use any query language, just plain ole English.
I opened the site (https://www.shodan.io/) and in the search bar I typed “niagara”.
Next I clicked the United States.
At this point I clicked “Create Report” to save this search in case I want to review the data later on.
Notice in the image above the number of exposed Niagara systems in the United States is 27,182. I ran a report last week and the number was 15,948. The numbers should be heading down, not up.
Dividing this number by the number of states gives an average of 543.64 Niagara systems per state that are exposed to the world, with the only thing standing between them and a hack being a username and password in the Niagara station.
The top five cities are listed on the left from the search results.
The next thing listed is equally disturbing. Not only are the systems exposed on the web with only a username and password to protect them, most are riding on top of an operating system that is no longer supported by Microsoft. Almost twice as many systems are running Windows XP as are running Windows 7 or 8. Support for XP ended April 8, 2014.
The next most common operating system listed is Windows 7 or 8 (lumped together). Mainstream support for Windows 7 ended January 13, 2015. Windows 8.x still has support for a few years yet. This report does not distinguish between the two.
The image below shows the AX versions that are running. This statistic is both encouraging and discouraging.
AX installations have apparently been upgraded to more secure versions, but based on the statistics listed above, they were left exposed on the web and on an operating system that is no longer supported.
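As an added example (not part of the original post), here is a small script that turns a list of exposed stations into the same numbers the post reads off the Shodan report: total count, average per state, OS breakdown, AX version breakdown, and how many sit on an OS past the support dates quoted above. The host records and their field names are constructed for this example and are not the real Shodan export schema; a system integrator would feed it their own exported inventory of customer stations.

```python
"""Summarise a list of Internet-exposed Niagara stations the way the post reads
the Shodan report: total, average per state, OS and AX version breakdown, and
how many stations run on an operating system that is past its support date."""
from collections import Counter
from datetime import date

REPORT_DATE = date(2015, 8, 13)  # the day the post's report was run

# Constructed sample records. Field names are an assumption loosely modelled on
# a Shodan host record; they are not the real export schema.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "state": "TX", "os": "Windows XP", "ax_version": "3.8"},
    {"ip": "192.0.2.11", "state": "TX", "os": "Windows XP", "ax_version": "3.6"},
    {"ip": "192.0.2.12", "state": "OH", "os": "Windows 7 or 8", "ax_version": "3.8"},
    {"ip": "192.0.2.13", "state": "CA", "os": "Windows XP", "ax_version": "3.7"},
    {"ip": "192.0.2.14", "state": "CA", "os": "Windows 7 or 8", "ax_version": "3.8"},
    {"ip": "192.0.2.15", "state": "NY", "os": None, "ax_version": "3.8"},
]

# End-of-support dates quoted in the post. Shodan lumps 7 and 8 together, so that
# bucket is only "mixed" (Windows 7 mainstream support has ended, 8.x has not).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2015, 1, 13),
}

def support_status(os_name, as_of):
    """Classify one OS string as 'unsupported', 'mixed', 'supported' or 'unknown'."""
    if not os_name:
        return "unknown"
    if os_name in END_OF_SUPPORT:
        return "unsupported" if as_of >= END_OF_SUPPORT[os_name] else "supported"
    if os_name.startswith("Windows 7"):  # the lumped "Windows 7 or 8" bucket
        return "mixed" if as_of >= END_OF_SUPPORT["Windows 7"] else "supported"
    return "supported"

def exposure_report(hosts, as_of, state_count=50):
    """Aggregate the statistics the post walks through, as of the report date."""
    status = Counter(support_status(h["os"], as_of) for h in hosts)
    return {
        "total": len(hosts),
        "avg_per_state": round(len(hosts) / state_count, 2),  # 27,182/50 = 543.64
        "by_os": Counter(h["os"] or "unknown" for h in hosts),
        "by_ax_version": Counter(h["ax_version"] for h in hosts),
        "unsupported": status["unsupported"],
        "possibly_unsupported": status["mixed"],
        "top_states": Counter(h["state"] for h in hosts).most_common(3),
    }

if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_HOSTS, REPORT_DATE).items():
        print(f"{key}: {value}")
```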
We all know this is something that we cannot change overnight, and at the end of the day we cannot force the end user to spend the money and make the changes necessary to make their systems safer. However, we need to architect new systems securely and make the necessary recommendations to our customers on how to secure their legacy systems.
If you would like more information on any of my other posts, email me at firstname.lastname@example.org.