Report: Agency devices are easily discoverable, especially in DC


Washington, D.C., is third among the top cities with a significant number of poorly configured, exposed government cyber assets that are discoverable via publicly available internet-connected device/system search engine Shodan, according to research released by cybersecurity software company Trend Micro.

Examining the Shodan U.S. scan data for February 2016, the threat research team found unsecured cyber assets in critical sectors integral to the daily functioning of cities, as well as exposed industrial control systems used to control operations. Breaking the data down, the report states that Lafayette, Louisiana, and Saint Paul, Minnesota, sit above the District when attributing cyber assets to organizations identified with keywords such as “city of,” “county of,” “government,” “bureau of,” “executive office,” and so on.

Wireless access points, printers, firewalls and webcams make up the bulk of exposed devices, and Windows is the most commonly used operating system. The Microsoft Internet Information Server (IIS) Web server is preferred over Apache, and multiple unpatched servers were identified in organizations.

Trend Micro says the information is presented as a means to build public awareness of the potential for disruption of city functions and national security by proxy. Exposed doesn’t mean compromised, but it is safer to assume a breach is possible and therefore device and user configurations, data protection infrastructure and threat alert, containment and mitigation processes are critical.

The full reports on exposed cyber assets in the top 10 U.S. cities by population and by critical industries can be found on