- August 16, 2023: New Grading & Finding Behavior sections.
- May 11, 2020: Updated description.
The Open Ports risk vector observes ports that are exposed to the Internet, known as “open ports.” While certain ports must be open to support normal business functions and few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer openings there are for attack.
Risks
A potential attacker can externally scan for open ports to determine which software or services to target. Open ports with outdated protocols or with protocol vulnerabilities provide potential entry points for attackers to access a company’s network.
Bitsight Blog, “Two Years Later, Still at Least Twice as Likely”: One of our research studies found that organizations with an “F” Bitsight Open Ports letter grade are more than twice as likely to experience a breach as companies with an “A.”
Grading
See how the Open Ports risk vector is graded.
Concept | Behavior
---|---
Lifetime | 60 Days
No Findings | Companies are not required to run open port services. The rating is positively impacted if there are no findings for this risk vector.
Weight (Out of 70.5% in Diligence) | 10%
Remediation
Review Open Port findings.
This is one of the most heavily weighted risk vectors in the Diligence risk category, so it should be one of the focuses of a company’s remediation and process improvement efforts.
- Review the ports listed in your Open Port findings and close any that are not needed for business functions.
- Audit the services running on each Internet-facing machine and ensure only vital services are listening.
- Set up access to required services over a Virtual Private Network (VPN) rather than exposing them directly to the Internet.
- Block specific ports, or ranges of ports, that the company does not use at the company’s edge network infrastructure. The port number is embedded in every packet of network communication, so edge devices can identify and drop unwanted traffic by port. View the full list of registered network ports in the IANA Service Name and Transport Protocol Port Number Registry.
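The audit-and-block steps above, as an added example script that is not part of this page or of Bitsight’s tooling. It assumes a Linux host where `ss -tuln` lists listening sockets, an allowlist of the ports the business needs (22 and 443 here, an assumption), and nftables at the edge; the `ss` output embedded below is constructed for illustration, and on a real host you would pipe the live `ss -tuln` output in instead.

```shell
#!/bin/sh
# Compare listening sockets against an allowlist of ports permitted to face the
# Internet, then emit a default-deny nftables ruleset for that allowlist.
# Added example; the allowlist and the sample `ss -tuln` output are constructed.

ALLOWED_PORTS="22 443"   # assumed business-required TCP ports

# Constructed sample of `ss -tuln` output. On a live host use: ss -tuln
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128                *:8080              *:*
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*'

# list_exposed: print "proto port" for each socket bound to a non-loopback
# address. The port is the text after the last ":" so that "[::]:22" and
# "0.0.0.0:22" both parse; loopback-only listeners are not Internet-exposed.
list_exposed() {
  printf '%s\n' "$SAMPLE_SS" | awk 'NR > 1 {
      n = split($5, a, ":"); port = a[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next
      print $1, port
  }' | sort -u
}

# unexpected_ports: exposed ports that are not on the allowlist, as "port/proto".
# These are the candidates to close on the host or drop at the edge.
unexpected_ports() {
  list_exposed | while read -r proto port; do
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;                          # allowed: nothing to report
      *) printf '%s/%s\n' "$port" "$proto" ;;  # not allowed: flag it
    esac
  done
}

# nft_ruleset: a default-deny inbound policy that accepts only established
# traffic, loopback, and the allowlisted TCP ports. Add "udp dport" lines if a
# UDP service is genuinely required.
nft_ruleset() {
  ports=$(printf '%s, ' $ALLOWED_PORTS); ports=${ports%, }
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport { $ports } accept
  }
}
EOF
}

echo "Internet-facing listeners not on the allowlist:"
unexpected_ports
echo
echo "Suggested edge/host ruleset (nftables):"
nft_ruleset
```

Against the constructed sample the script flags 8080/tcp and 161/udp (SNMP) while ignoring MySQL on 127.0.0.1, which is listening but not exposed. The generated ruleset is something to review and load with `nft -f`, not apply blindly: a default-deny policy locks out anything you forgot to allowlist, so test it from a second session.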
Finding Behavior
Concept | Behavior
---|---
Refresh | Automated: 30-60 Days; User-Requested: 4 Days
Remediated |