Two analyses of exposed infrastructure in America's most populous cities and mission-critical sectors reveal a 'shocking' number of misconfigured devices.
Editor's Note: This story was updated on Feb. 21, 2017, to include a comment from Lafayette, Louisiana.
Using data collected from Shodan web searches in February 2016, Trend Micro examined the exposed cyber-assets that can disrupt city operations — and it found a lot.
In a report released Wednesday — called U.S. Cities Exposed: Industries and ICS — researchers say Lafayette, Louisiana, had the most exposed assets of any government organization, followed by St. Paul, Minnesota, and Washington, D.C. Excluding vulnerabilities found via cloud providers, which were not included in the research, Lafayette was found to have more than 11,000 exposed assets.
Editor's Note: Trend Micro confirmed to StateScoop that Lafayette, Indiana, was mistakenly named in the report, but the actual city is Lafayette, Louisiana.
Cities with the highest number of exposed cyber assets in the government sector (Trend Micro)
Firewalls, wireless access points, and devices like routers, webcams and printers comprised the bulk of the entry points found across all sectors. The report noted that exposure "does not translate" into compromise, but rather, it indicates poorly configured devices and networks that are more likely to draw attention from attackers.
"Exposed systems are not necessarily a bad thing, it just means by virtue of being exposed they may be subject to cyber attacks," said Numaan Huq, Trend Micro senior threat researcher, in an email to StateScoop. "We can’t say exactly why these cities have more exposed devices."
An analysis of emergency services revealed that Houston had the most vulnerabilities, double that of Lafayette, which ranked second in that sector. Relatively few vulnerabilities were found in the health care sector, and exposure in the utilities sector was concentrated in small cities and towns. In the financial sector, New York City had the highest number of exposed assets. Exposure was high in education, with Philadelphia topping the list with more than 65,000 vulnerabilities, followed by Seattle, Chicago, Los Angeles and Ann Arbor, Michigan.
A related report released Wednesday — called U.S. Cities Exposed — looked at exposed assets in all sectors across the 10 most populous American cities. Los Angeles edged out Houston for the top spot, but exposure quantity didn't always correlate with population. For instance, New York City, population 8.4 million, was found to have just over 1 million exposed assets, compared to Houston's 3.9 million exposed assets in a population of just 2.2 million.
Firewalls and webcams were the main exposed assets found in this study.
Number of exposed cyber assets in the 10 largest U.S. cities by population (Trend Micro)
The takeaway of this research, Huq said, is that certain classes of cyber-assets, like databases and file servers, should never be directly connected to the internet.
"If these are compromised, they become the point of potentially detrimental data breaches," Huq said. "The sheer number of databases and servers exposed was shocking and concerning. The key next step for businesses is to evaluate their network to decide whether devices actually need to be open to the internet. Taking inventory of networks is essential, because you can’t know what to protect if you don’t know what is exposed."
A spokesperson from Lafayette, Louisiana, noted that the exposed devices attributed to the government by this study were in fact privately owned devices connected to a city-run internet service. Trend Micro confirmed this statement.