Here's a question to think about: how many of you regularly help your local small businesses or volunteer organizations by offering even the most basic open source intelligence (OSINT) vulnerability assessments?
If you are concerned about protecting your neighborhood, as it were, I recommend you occasionally do just that. Run a few simple checks on websites operated by your local elementary school or college alma mater. Maybe visit your state legislators' personal domains, their current official website, or their old campaign sites from three years ago. One never knows when PII may go astray.
For the past month, on and off, I've been running quick, simple assessments on local business websites and those of a few established universities. They were chosen because I utilize other businesses that work with them, and because they published (non-security) research I am interested in. These are sites which I expected would follow at least the most basic security protocols and recommendations due to the nature of the data they collect and/or provide.
We're talking really basic vuln assessments here, folks. Nothing fancy or intrusive, just simple OSINT gathering done with tools available to any site admin who has picked up basic cybersecurity: Shodan, Netcraft, and VirusTotal. No Google hacking or anything that requires focused thought or intent. My goal was simply to verify that local businesses and their partners operated minimally secure websites.
What did I find? Low hanging fruit.
After the first set of unexpected results, I brewed a cup of hot chamomile mint tea and savored a square or two of my favorite chocolate bar before checking with MITRE's CVE list about the twenty-four (yes, 24) warnings turned up by Shodan. I did some research, took screenshots, sent off an advisory note to the site owner, and the next time I checked, the webserver software had been updated and the CVEs were gone. Or at least, these basic tools no longer brought them up.
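The checks described above boil down to reading a server's banner, deciding whether the advertised version is old, and then re-checking after the owner has been told. As an added example (not code from this post, and not how Shodan, Netcraft or VirusTotal are implemented), here is that passive check in Python. The banner strings are constructed for illustration, and the threshold table is a placeholder you would replace with the vendor's currently supported versions; any hit should still be cross-checked against the MITRE CVE list before it goes into an advisory note.

```python
"""Passive banner check: flag outdated web-server components and re-check later.

Constructed example. The Server header strings used with it are made up, and
MIN_OK_VERSION is a placeholder threshold table, not authoritative data.
"""
import re

# Placeholder thresholds for this example only: a component whose advertised
# version is below the tuple here is treated as outdated. Replace with the
# vendor's supported/patched versions before relying on the result.
MIN_OK_VERSION = {
    "apache": (2, 4, 0),
    "nginx": (1, 18, 0),
    "php": (7, 4, 0),
}

# Matches "Product/1.2.3" tokens; parenthesised OS names such as "(CentOS)"
# carry no slash and are ignored.
BANNER_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def version_tuple(raw):
    """Turn '2.2.15' into (2, 2, 15), padded to at least three fields.

    Compare tuples, never strings: as strings, '2.2.15' < '2.2.9' is True,
    which would make a newer build look older than an old one.
    """
    parts = [int(p) for p in raw.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_server_header(header):
    """Return (product, raw_version) pairs from a Server header, product lowercased."""
    return [(name.lower(), ver) for name, ver in BANNER_RE.findall(header)]


def outdated_components(header):
    """List the 'product/version' entries older than the threshold table."""
    flagged = []
    for product, raw in parse_server_header(header):
        minimum = MIN_OK_VERSION.get(product)
        if minimum is not None and version_tuple(raw) < minimum:
            flagged.append(f"{product}/{raw}")
    return flagged


def recheck(before, after):
    """Compare a site's banner before and after an advisory note.

    'cleared' lists findings that disappeared, 'still_open' those that remain,
    and 'unverifiable' is True when the new banner carries no version at all,
    because a hidden banner is not evidence that anything was patched.
    """
    old = set(outdated_components(before))
    new = set(outdated_components(after))
    return {
        "cleared": sorted(old - new),
        "still_open": sorted(new),
        "unverifiable": not parse_server_header(after),
    }


if __name__ == "__main__":
    # Constructed banners: an old LAMP stack, then the same host after an update.
    first = "Apache/2.2.15 (CentOS) PHP/5.3.3"
    later = "Apache/2.4.57 (Unix) PHP/8.2.10"
    print("findings:", outdated_components(first))
    print("after advisory:", recheck(first, later))
    print("banner hidden:", recheck(first, "Apache"))
```

Two caveats a practitioner should keep in mind, and which the post's own "these basic tools no longer brought them up" hints at: a version number in a banner is a hint, not proof, because distribution vendors backport security fixes without changing the advertised version, so an old-looking Apache may already be patched; and the reverse, that a banner which stops showing a version (or disappears) tells you nothing about whether the flaw is fixed. Treat a hit as a reason to ask the owner, not as a confirmed vulnerability.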
Then a second site returned five more CVE warnings.
I wonder how we, as cybersecurity professionals, can best help small businesses and others understand that yes, they too can be targeted by black-hat attackers, possibly more so than large businesses with dedicated IT departments, up-to-date servers, SOCs and agile cybersecurity teams. Clearly, many orgs and their sysadmins are still unaware that they need to up their online cybersec game to protect their clients' and partners' data.
How far back did these warnings go? When were the earliest of these long-patched vulnerabilities first disclosed? 2009. And yet... those webservers were still running outdated, unpatched software with known (and serious) security flaws.
Have you successfully educated local small business owners and other non-clients about insecure websites you've discovered as a researcher? How long did it take before the sites were no longer (obviously) vulnerable in a casual OSINT search? Please share your ideas in the comments. Any other thoughts on this issue? Please share those as well.