- November 10, 2023: Linked to finding messages.
- August 16, 2023: New Grading & Finding Behavior sections.
- May 11, 2020: Updated description.
The Open Ports risk vector observes ports that are exposed to the Internet, known as “open ports.” While certain ports must be open to support normal business functions and few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer openings there are for attack.
A potential attacker can externally scan for open ports to determine which software or services to target. Open ports with outdated protocols or with protocol vulnerabilities provide potential entry points for attackers to access a company’s network.
Bitsight Blog, “Two Years Later, Still at Least Twice as Likely”: One of our research studies found that organizations with an F Open Port letter grade are >2× more likely to experience a breach than companies with an A.
Companies are not required to run open port services. The rating is positively impacted if there are no findings for this risk vector.
(Out of 70.5% in Diligence)
- Finding Messages
- IANA Service Name and Transport Protocol Port Number Registry – List of network ports.
- Network Packet – Embedded in every packet of network communication is the port number for that communication, which can be used to identify the port.
As one of the most heavily weighted risk vectors in the Diligence risk category, this should be one of the focuses of remediation and process improvement efforts.
- Block unwanted attempts to communicate over certain ports or ranges of ports not used by the company and close unnecessarily open ports.
- Audit the services running on a particular machine and ensure only vital services are running.
- Set up access to required services over a Virtual Private Network (VPN).
- Block specific or ranges of ports not used by the company in the company edge network infrastructure.
- Deactivate any instances of Remote Desktop Protocol (a known attack vector for ransomware) exposed outside of the firewall.
Automated: 30-60 Days
User-Requested: 4 Days