Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Open Ports Risk Vector

Avatar
Ingrid
Follow
  • August 16, 2023: New Grading & Finding Behavior sections.
  • May 11, 2020: Updated description.

⇤ Diligence Risk Category

The Open Ports risk vector observes ports that are exposed to the Internet, known as “open ports.” While certain ports must be open to support normal business functions and few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer openings there are for attack.

See data collection methods.

Risks

A potential attacker can externally scan for open ports to determine which software or services to target. Open ports with outdated protocols or with protocol vulnerabilities provide potential entry points for attackers to access a company’s network.

Bitsight Blog, “Two Years Later, Still at Least Twice as Likely”: One of our research studies found that organizations with an “F” as their Bitsight Open Port letter grade are more than twice as likely to experience a breach than companies with an “A.”

Grading

See how the Open Ports risk vector is graded.

Concept Behavior
Lifetime 60 Days
No Findings

– “A” Letter Grade

Companies are not required to run open port services. The rating is positively impacted if there are no findings for this risk vector.

Weight

(Out of 70.5% in Diligence)

 10%

Remediation

Review Open Port findings.

This is one of the most heavily weighted risk vectors in the Diligence risk category. This should be one of the focuses of a company’s remediation and process improvement efforts.

  • Embedded in every packet of network communication is the port number for that communication, which can be used to identify and block unwanted attempts to communicate over certain ports or ranges of ports not used by the company. Refer to the following lists of open ports and close unnecessary open ports:
  • Audit the services running on a particular machine and ensure only vital services are running.
  • Set up access to required services over a Virtual Private Network (VPN).
  • Block specific or ranges of ports not used by the company in the company edge network infrastructure. The port number is embedded in every packet of network communication, which can be used for port identification. View the full list of network ports in the IANA Service Name and Transport Protocol Port Number Registry.

Finding Behavior

Concept Behavior
Refresh

Automated: 30-60 Days

User-Requested: 4 Days
Remediated
  • New findings immediately impact the grade.
  • Updated findings impact the grade upon the detection of a closed port.
    • Closed TCP ports are immediately detected and marked as closed within 10 days.
    • Closed UDP ports are undetectable and marked as “closed” after the finding completes its lifetime (60 days).
  • If an Open Port finding is verified to be opened and closed on the same day, it continues to impact the grade into the following day.
  • If the referenced IP of an Open Port finding has an end date, it can no longer be refreshed and will no longer impact the grade when it completes its lifetime.

Related articles