Open Ports is a Diligence risk vector. It observes ports that are exposed to the internet, known as “open ports.” While certain ports must be open to support normal business functions and few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer openings there are for attack.
Risks
A potential attacker can externally scan for open ports to determine which software or services to target. Open ports with outdated protocols or with protocol vulnerabilities provide potential entry points for attackers to access a company’s network.
Bitsight Blog, “Two Years Later, Still at Least Twice as Likely”: One of our research studies found that organizations with an F Open Port letter grade are >2× more likely to experience a breach than companies with an A.
Grading
See how the Open Ports risk vector is graded.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Insufficient Data
A default risk vector grade is assigned if there's no data or data is insufficient.
Companies are not required to run open port services. The rating is positively impacted if there are no findings for this risk vector.
Weight
The Open Ports risk vector contributes to the weight of the Diligence risk category; the weights of all risk vectors in that category together account for 70.5% of the Bitsight Security Rating.
Weight: 10%
Remediation
Resources
- Findings
- Finding messages (detected services, typical services, potentially vulnerable).
- IANA Service Name and Transport Protocol Port Number Registry – List of network ports.
- Network Packet – Embedded in every packet of network communication is the port number for that communication, which can be used to identify the port.
Recommendations
As one of the most heavily weighted risk vectors in the Diligence risk category, this should be one of the focuses of remediation and process improvement efforts.
- Block unwanted attempts to communicate over certain ports or ranges of ports not used by the company and close unnecessarily open ports.
- Audit the services running on a particular machine and ensure only vital services are running.
- Set up access to required services over a Virtual Private Network (VPN).
- Block specific or ranges of ports not used by the company in the company edge network infrastructure.
- Deactivate any instances of Remote Desktop Protocol (a known attack vector for ransomware) exposed outside of the firewall.
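An added example (not part of this Bitsight page) of the service audit recommended above: it parses the output of `ss -ltun` on a Linux host (the sample lines below are constructed, not captured), drops loopback-only listeners, and reports every exposed TCP or UDP port that is not on the allowlist of services the company intends to run, so that a stray listener such as RDP on 3389 is caught before an external scan finds it.

```python
"""Compare listening sockets with an allowlist of intended services.

Input format is that of `ss -ltun` (Netid State Recv-Q Send-Q
Local:Port Peer:Port); a header line is ignored because it does not
parse as an address. Both TCP and UDP are covered, since the page notes
that closed UDP ports cannot be verified externally.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto port addr")

# Constructed sample of `ss -ltun` output, not from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    *:443              *:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3389       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0      [::1]:323          [::]:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_RE = re.compile(r"^(?P<addr>.*):(?P<port>\d+)$")  # greedy: last ':' splits port


def parse_ss(text):
    """Turn `ss` lines into Socket tuples; skip the header and malformed lines."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        match = LOCAL_RE.match(fields[4])
        if not match:
            continue  # header or unparseable local address
        addr = match.group("addr").strip("[]")  # "[::]" -> "::", "*" stays "*"
        sockets.append(Socket(fields[0], int(match.group("port")), addr))
    return sockets


def exposed_ports(sockets):
    """(proto, port) pairs bound to any non-loopback address."""
    return {(s.proto, s.port) for s in sockets if s.addr not in LOOPBACK}


def audit(text, allowlist):
    """Exposed listeners that are not on the allowlist, sorted for reporting."""
    return sorted(exposed_ports(parse_ss(text)) - set(allowlist))


if __name__ == "__main__":
    for proto, port in audit(SAMPLE_SS_OUTPUT, {("tcp", 22), ("tcp", 443)}):
        print(f"unexpected exposed listener: {proto}/{port}")
```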
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., a newly observed Diligence finding or remediation of an existing finding.
Automated Scan: 30 days
Priority Scanning: Daily automated scans for EASM Enhanced customers, providing faster updates and continuous visibility into new exposures.
User-Requested Rescan: Instant reply. See timeline for details.
Finding Behavior
The behavior of findings based on remediation and rescan statuses:
TCP Ports Remediated
- Closed TCP ports are immediately detected and marked as closed within 3 days.
- The remediated finding stops impacting the grade.
- If a user-requested rescan is initiated, the rescan status is Assumed Remediated.
- If a user-requested rescan is initiated, it can take up to 2 days for the finding to stop impacting the grade. The rescan status is Remediated.
- No new finding is created.
Not Remediated
- Closed UDP ports are undetectable. These ports are marked as closed 60 days after the finding’s last seen date.
- If the port is verified to be opened and closed on the same day, it continues to impact the grade into the following day.
- If the referenced IP address has an end date, the finding can no longer be rescanned. It impacts the grade until it completes its lifetime.
- If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.
- October 23, 2025: Daily automated scans for EASM Enhanced customers
- June 25, 2025: Instant Reply for user-requested rescans; Automated scan duration is 30 days.
- January 30, 2025: Adjusted the estimated time it takes to mark when TCP ports are closed to be more accurate.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”