Open Ports Risk Vector: Core Overview
Ingrid

The Open Ports Risk Vector observes ports that are exposed to the internet, known as “open ports.” While certain ports must be open to support normal business functions and few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer openings there are for attack.

Risk Category: Diligence
Default Grade: A
Current Rating Impact: 10%
Finding Lifetime: 60 Days (the duration a finding impacts your grade if no changes occur)
Scan Cadence: Automated every 30 days; daily automated scans for EASM Enhanced customers, providing faster updates and continuous visibility into new exposures
Eligible for Instant Reply? Yes

Research studies have found that organizations with an F Open Ports letter grade are more than twice as likely to experience a breach as companies with an A grade.

What are Open Ports?

Ports are virtual access points for software to communicate over a network and are a standard feature of every computer operating system. Software will often use ports on a computer to send information to other software on the same computer. There are up to 65,535 ports in any operating system, with some reserved for system use. Most operating systems do not block a port by default, meaning its availability is typically controlled by a firewall, which can be a piece of software installed on the computer or on network hardware.

Certain ports must remain open to support normal business functions like email, secure web browsing, and finding computers or printers on a local network. While it is highly unlikely that a company will have no ports open, the fewer ports that are exposed to the Internet, the fewer opportunities there are for an attack.

Need to remediate a finding?

We recommend remediating and verifying externally before requesting a rescan.
- Close or restrict the port if it is not required externally.
- If the service must be publicly accessible, harden the configuration, enforce encryption where applicable, and ensure only necessary ports are open.
- Verify externally that the port is closed or that the public service is appropriately configured.
- Request a rescan to update the finding.

How is the Open Ports Risk Vector Assessed?

The risk vector accounts for 10% of the Diligence risk category's overall weight. Because companies are not required to run open port services, a default "insufficient data" status positively impacts the rating if there are no findings.

Finding Types:
- Detected Services: Assessed using information returned by the port itself. Bitsight analyzes the header returned from the server to look for attributes that identify the service. If a service is detected, it overrides the typical service running on that port for grading purposes.
- Typical Services: Assessed when no specific service is detected. Bitsight determines the most likely service running on a specific port number using resources like the IANA Service Name and Transport Protocol Port Number Registry.
- Potentially Vulnerable: These open ports are observed for informational purposes only and do not have a set impact on the Open Ports letter grade.
- Pending Classification: Assigned when a port is unassigned by IANA or associated with services that have fallen out of use, meaning Bitsight cannot confidently determine the service until a specific one is detected.
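The precedence between the finding types above (a service detected from the returned header overrides the typical service for the port number, and a port with neither stays Pending Classification), as an added example that is not Bitsight's code. The banner signatures and the port table are constructed for this example and are a small subset of what the page says Bitsight actually consults.

```python
import re
from typing import Optional, Tuple

# A small subset of the IANA port registry, used as the "typical service" table.
# Constructed for this example; Bitsight consults the full registry.
TYPICAL_SERVICES = {
    (21, "TCP"): "ftp", (22, "TCP"): "ssh", (23, "TCP"): "telnet",
    (25, "TCP"): "smtp", (80, "TCP"): "http", (443, "TCP"): "https",
    (3389, "TCP"): "ms-wbt-server", (8080, "TCP"): "http-alt",
}

# Header/banner patterns that identify a service regardless of port number.
# Constructed; the page does not publish Bitsight's detection signatures.
BANNER_SIGNATURES = [
    (re.compile(r"^SSH-\d\.\d+-"), "ssh"),
    (re.compile(r"^HTTP/\d(\.\d)? \d{3}"), "http"),
    (re.compile(r"^220 .*(SMTP|ESMTP)", re.I), "smtp"),
    (re.compile(r"^220 .*FTP", re.I), "ftp"),
]

def detect_service(banner: str) -> Optional[str]:
    """Detected Service: identify the service from the header the port returned."""
    first_line = banner.splitlines()[0] if banner.strip() else ""
    for pattern, service in BANNER_SIGNATURES:
        if pattern.search(first_line):
            return service
    return None

def typical_service(port: int, transport: str) -> Optional[str]:
    """Typical Service: the most likely service for this port number, per the registry."""
    return TYPICAL_SERVICES.get((port, transport.upper()))

def classify_finding(port: int, transport: str, banner: str) -> Tuple[str, Optional[str]]:
    """Apply the page's precedence: a detected service overrides the typical one,
    and a port with neither is left as Pending Classification."""
    detected = detect_service(banner)
    if detected:
        return ("Detected Service", detected)
    typical = typical_service(port, transport)
    if typical:
        return ("Typical Service", typical)
    return ("Pending Classification", None)
```

An HTTP header on port 22 is therefore graded as HTTP, not as the SSH that the port number alone would suggest.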
Grading Matrix:

The overall letter grade is determined by assessing findings as GOOD, FAIR, WARN, BAD, or NEUTRAL.
- GOOD: Secure services used for normal business functions, such as SSH.
- WARN/BAD: Services that are rarely necessary for business functions or have known vulnerabilities.
- NEUTRAL: Services used for normal business functions but that lack encryption or other security measures, such as HTTP.

Other grading considerations to keep in mind:
- A rating drop due to a single Open Port finding is capped at a maximum of 80 points.
- If the referenced IP of an Open Ports finding has an “end date,” it can no longer be rescanned and will no longer impact the grade when it completes its lifetime.
- If a port is verified to be opened and closed on the same day, it continues to impact the grade into the following day.
- Only Open Ports findings that were observed in the last 60 days are factored into the Open Ports letter grade. Since the infrastructure of a company is continuously updated, findings are set to expire if no Open Ports findings were observed within the past 60 days.

Where can I view my Open Port findings?
- SPM App: Findings ➔ Findings Table
- CM App: Select a company from your Companies List. Go to Vendor Risk ➔ Findings.
- Insurance App: Select a company from your Companies List. Go to Client Risk ➔ Findings.
- Bitsight API: GET /v1/companies/entity_guid/findings?risk_vector=open_ports

Please note that the Finding Details contains crucial fields for identifying the issue, such as the Destination Port (the port associated with the observed service), the Transport Method (TCP or UDP), and the Final Location (the URL where headers were observed).

Pro-Tip for NAT/PAT: If you have several Network Address Translation (NAT) and Port Address Translation (PAT) zones, looking at the source port for the IP address can help identify the actual underlying hosts.

Did this not fully answer your question? Learn more about Open Ports and the risks associated with them at the Bitsight blog.
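The lifetime rules from the grading considerations above (60-day lifetime, IPs with an end date cannot be rescanned, same-day open/close counts into the following day) applied to findings grouped by Destination Port and Transport Method, as an added remediation-triage example that is not Bitsight's code. The record field names and sample values are this example's own assumptions, not the Bitsight API schema, and the point at which a verified closure stops counting is an assumption marked in the code.

```python
from datetime import date, timedelta

FINDING_LIFETIME = timedelta(days=60)  # the page's 60-day finding lifetime
# Constructed sample findings. The field names are this example's own assumptions,
# not the documented Bitsight API schema; the values are fictional (TEST-NET-3 IPs).
SAMPLE_FINDINGS = [
    {"destination_port": 3389, "transport": "TCP", "final_location": "203.0.113.10",
     "first_seen": date(2025, 9, 1), "last_seen": date(2025, 10, 20),
     "ip_end_date": None, "verified_closed": None},
    {"destination_port": 23, "transport": "TCP", "final_location": "203.0.113.11",
     "first_seen": date(2025, 6, 1), "last_seen": date(2025, 7, 15),
     "ip_end_date": None, "verified_closed": None},
    {"destination_port": 80, "transport": "TCP", "final_location": "http://203.0.113.12/",
     "first_seen": date(2025, 10, 21), "last_seen": date(2025, 10, 21),
     "ip_end_date": None, "verified_closed": date(2025, 10, 21)},
    {"destination_port": 21, "transport": "TCP", "final_location": "203.0.113.13",
     "first_seen": date(2025, 9, 10), "last_seen": date(2025, 10, 1),
     "ip_end_date": date(2025, 10, 5), "verified_closed": None},
]

def impacts_grade(finding: dict, today: date) -> bool:
    """Does this finding still count toward the grade on `today`, per the page's rules?"""
    if today - finding["last_seen"] > FINDING_LIFETIME:
        return False  # not observed in the last 60 days: expired
    closed = finding["verified_closed"]
    if closed is None:
        return True
    if closed == finding["first_seen"]:
        return today <= closed + timedelta(days=1)  # opened and closed same day: counts into the next day
    return today <= closed  # assumption: a verified closure ends the impact after that day

def can_rescan(finding: dict) -> bool:
    """A finding whose referenced IP has an end date can no longer be rescanned."""
    return finding["ip_end_date"] is None

def worklist_on(iso_day: str, findings=SAMPLE_FINDINGS) -> dict:
    """Active findings grouped by (Destination Port, Transport Method) for remediation triage."""
    today = date.fromisoformat(iso_day)
    worklist = {}
    for f in findings:
        if not impacts_grade(f, today):
            continue
        key = (f["destination_port"], f["transport"])
        entry = worklist.setdefault(key, {"locations": [], "rescannable": True, "expires": None})
        entry["locations"].append(f["final_location"])
        entry["rescannable"] = entry["rescannable"] and can_rescan(f)
        expires = (f["last_seen"] + FINDING_LIFETIME).isoformat()  # last day it counts if nothing changes
        entry["expires"] = max(entry["expires"] or expires, expires)
    return worklist
```

Findings flagged as not rescannable will only drop off when their lifetime completes, so they are worth separating from those a verified closure and rescan can clear.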
IANA Service Name and Transport Protocol Port Number Registry – list of network ports.

To learn about specific finding messages, visit the following articles: detected services, typical services, potentially vulnerable.

- October 23, 2025: Daily automated scans for EASM Enhanced customers.
- June 25, 2025: Instant Reply for user-requested rescans; automated scan duration is 30 days.
- January 30, 2025: Adjusted the estimated time it takes to mark when TCP ports are closed to be more accurate.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”