The Open Ports risk vector assessment is based on the number of findings an organization has and the security measures in place around those open ports. While very few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer opportunities there are for attack.
When a port is conventionally associated with a particular network protocol or software (such as port 143 for IMAP), activity on it is attributed to the typical service for that port unless the cause can be determined to be something else. If a service is actually detected on the port, the detected service overrides the typical service for grading purposes.
Typical-service and detected-service port activity are graded differently:
- We assess detected services.
- If no service is detected on the port, we assess typical services.
- Some ports are potentially vulnerable, where the level of risk varies. Potentially vulnerable open ports do not have a set impact on the Open Ports letter grade.
Other grading considerations:
- Only Open Ports findings observed in the last 60 days are factored into the Open Ports letter grade. Because a company's infrastructure is continuously changing, a finding expires if the port has not been observed open within the past 60 days.
- If a port is verified to be opened and closed on the same day, it continues to impact the grade into the following day.
  Example: A port is observed to be open on January 1 at 8:00, and then closed shortly after at 11:00. The finding's impact on the grade is removed on January 2, rather than on the same day as the observation.
- If the referenced IP of an Open Ports finding has an “end date,” it can no longer be refreshed and will no longer impact the grade when it completes its lifetime.
- Rating drops that are due to only a single Open Port finding are limited to a maximum drop of 80 points.
Concept | Behavior |
---|---|
 | A default risk vector grade is assigned. |
 | Companies are not required to run open port services. The rating is positively impacted if there are no findings for this risk vector. |
 | The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. |
Duration | 60 Days |
Percentage (out of 70.5% in Diligence) | 10% |
Finding Grading
The Open Ports risk vector letter grade is determined by assessing the number of specific findings that are evaluated as GOOD, FAIR, WARN, BAD, or NEUTRAL:
- If the service is secure and used for normal business functions, such as SSH, the port is classified as GOOD.
  Example: Port 23 is typically used for Telnet, so it is graded as BAD. However, if SSH is detected running on port 23 instead, that port is marked as GOOD.
- Services that are rarely necessary for business functions or that have known vulnerabilities are classified as WARN or BAD, depending on the security risk of leaving them open.
- If the service is used for normal business functions, but does not use encryption or other security measures, such as HTTP, the port is classified as NEUTRAL.
- FAIR findings for this risk vector have a negative impact on the rating.
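The following is an added illustration, not code from the page or its rating provider, that models the grading rules described above (detected service overrides typical service, 60-day lifetime, same-day open/close counting into the next day) together with the GOOD/NEUTRAL/BAD classes the page states. The port-to-service map, the UNRATED class for services the page does not classify, and the handling of a port closed on a later day are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Grades the page states: SSH is GOOD, HTTP is NEUTRAL, Telnet is BAD.
SERVICE_GRADE = {"ssh": "GOOD", "http": "NEUTRAL", "telnet": "BAD"}
# Typical service per port (assumed conventional mapping; the page names 23/Telnet and 143/IMAP).
TYPICAL_SERVICE = {22: "ssh", 23: "telnet", 80: "http", 143: "imap"}
LIFETIME = timedelta(days=60)  # a finding expires when not observed for 60 days

@dataclass
class Finding:
    port: int
    last_open: date                      # most recent day the port was observed open
    closed_on: Optional[date] = None     # day the port was verified closed, if any
    detected_service: Optional[str] = None

def grade(f: Finding) -> str:
    """A detected service overrides the typical service; unclassified services get UNRATED (assumption)."""
    service = f.detected_service or TYPICAL_SERVICE.get(f.port, "unknown")
    return SERVICE_GRADE.get(service, "UNRATED")

def counts_on(f: Finding, today: date) -> bool:
    """Does the finding still factor into the grade on `today`?"""
    if today - f.last_open > LIFETIME:        # not observed within the last 60 days
        return False
    if f.closed_on is None:
        return True
    if f.closed_on == f.last_open:            # opened and closed the same day:
        return today <= f.closed_on + timedelta(days=1)   # still counts through the next day
    return today < f.closed_on                # closed on a later day (assumed: impact ends that day)

def active_grades(findings: list, today: date) -> dict:
    """Port -> grade for every finding that counts on `today`."""
    return {f.port: grade(f) for f in findings if counts_on(f, today)}

def worked_example() -> dict:
    """Constructed sample: the page's SSH-on-port-23 case, a same-day open/close, an expired finding."""
    jan1, jan2, jan3 = date(2024, 1, 1), date(2024, 1, 2), date(2024, 1, 3)
    findings = [
        Finding(23, jan1, detected_service="ssh"),    # SSH detected on the Telnet port -> GOOD
        Finding(80, jan1),                             # typical HTTP -> NEUTRAL
        Finding(143, jan1, closed_on=jan1),            # open 08:00, closed 11:00 on Jan 1
        Finding(22, date(2023, 10, 1)),                # last seen more than 60 days ago
    ]
    return {"jan2": active_grades(findings, jan2), "jan3": active_grades(findings, jan3)}

if __name__ == "__main__":
    print(worked_example())
```

On January 2 the same-day open/close on port 143 still counts; on January 3 it has dropped out, while the expired port 22 finding never counts.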
See finding messages.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Linked to no findings definition.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.