- April 19, 2023: 2023 RAU risk category weight adjustment.
- October 20, 2021: Ratings Algorithm Update 2021.
- October 12, 2021: Terminology, “grace period” changed to “finding behavior.”
The Open Ports risk vector assessment is based on the number of findings an organization has and the security measures in place around those open ports. While very few companies will actually have no ports open, the fewer ports that are exposed to the Internet, the fewer opportunities there are for attack.
When an open port is conventionally associated with a particular network protocol or software (such as port 143 for IMAP), the finding is attributed to the typical service on that port unless a different cause can be determined. If a service is actually detected on the port, the detected service overrides the typical service for grading purposes.
Typical-service and detected-service port activity are graded differently:
- We assess detected services.
- If no service is detected on the port, we assess typical services.
- Some ports are potentially vulnerable, where the level of risk varies. Potentially vulnerable open ports do not have a set impact on the Open Ports letter grade.
See finding messages.
Other grading considerations:
- Only Open Ports findings that were observed in the last 60 days are factored into the Open Ports letter grade. Since the infrastructure of a company is continuously updated, findings are set to expire if no Open Ports findings were observed within the past 60 days.
- If a port is verified to be opened and closed on the same day, it continues to impact the grade into the following day.
Example: A port is observed to be open on January 1 at 8:00, and then closed shortly after at 11:00. The finding's impact on the grade is removed on January 2, rather than removed on the same day of the observation.
- If the referenced IP of an Open Ports finding has an “end date,” it can no longer be refreshed and will no longer impact the grade when it completes its lifetime.
- Rating drops that are due to only a single Open Port finding are limited to a maximum drop of 80 points.
Field | Description | Details & Values
---|---|---
Finding Behavior | How findings behave, depending on the action taken. |
Lifetime | The number of days a finding will impact the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | 60 Days
No Findings | The letter grade if there are no findings for this risk vector. | Companies are not required to run open port services. Therefore, the rating is positively impacted if there are no findings for this risk vector.
Refresh | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated. |
Automated Refresh Duration | The duration of a regularly scheduled finding refresh, as the Bitsight platform checks for new observations. | 30-60 Days
User-Requested Refresh Duration | The duration of a user-requested refresh, which initiates a refresh of eligible findings upon request. This is recommended when a change in the finding is expected, such as when a finding has been remediated. | 2-3 Days
Weight | Out of 70.5% in Diligence. | 10%
Evaluation
The Open Ports risk vector letter grade is determined by assessing the number of specific findings that are evaluated as GOOD, FAIR, WARN, BAD, or NEUTRAL:
- If the service is secure and used for normal business functions, such as SSH, the port is classified as “GOOD.”
Example: Port 23 is typically used for Telnet. It’s graded as “BAD.” However, if SSH running on port 23 is detected instead, that port would be marked as “GOOD.”
- Services that are rarely necessary for business functions or that have known vulnerabilities are classified as “WARN” or “BAD,” depending on the security risk of leaving them open.
- If the service is used for normal business functions, but does not use encryption or other security measures, such as HTTP, the port is classified as “NEUTRAL.”
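The following example code is added here to model the rules described on this page (the detected-service override and the GOOD/NEUTRAL/WARN/BAD buckets above, plus the 60-day lifetime and the same-day open-and-close rule from the grading considerations); it is not Bitsight's own logic. The port-to-service map, the IMAP grade and the sample findings are constructed assumptions; only SSH=GOOD, Telnet=BAD and HTTP=NEUTRAL come from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed lookup tables for this example. Only SSH=GOOD, Telnet=BAD and
# HTTP=NEUTRAL are stated on the page; the IMAP grade and port map are assumptions.
SERVICE_GRADE = {"ssh": "GOOD", "telnet": "BAD", "http": "NEUTRAL", "imap": "WARN"}
TYPICAL_SERVICE = {22: "ssh", 23: "telnet", 80: "http", 143: "imap"}
LIFETIME_DAYS = 60  # a finding expires if not observed within the past 60 days

@dataclass
class Finding:
    port: int
    opened: date                            # first observation of the open port
    last_seen: date                         # most recent observation
    closed: Optional[date] = None           # day the port was verified closed
    detected_service: Optional[str] = None  # overrides the typical service

def grade_port(port: int, detected_service: Optional[str] = None) -> Optional[str]:
    """A detected service wins; otherwise use the port's typical service.
    Ports with no set impact on the grade return None."""
    service = detected_service or TYPICAL_SERVICE.get(port)
    return SERVICE_GRADE.get(service) if service else None

def is_active(f: Finding, as_of: date) -> bool:
    """Does the finding still count toward the grade on `as_of`?"""
    if as_of < f.opened:
        return False
    if f.closed is not None:
        # Opened and closed on the same day still counts for that day; the
        # impact is removed from the following day onward.
        return as_of <= f.closed
    return as_of - f.last_seen <= timedelta(days=LIFETIME_DAYS)

def active_grades(findings: list, as_of: date) -> dict:
    """Count the findings per grade bucket that are active on `as_of`."""
    counts = {}
    for f in findings:
        grade = grade_port(f.port, f.detected_service)
        if grade is not None and is_active(f, as_of):
            counts[grade] = counts.get(grade, 0) + 1
    return counts

# Constructed sample findings: Telnet opened and closed on Jan 1, SSH detected
# on port 23, and an HTTP finding last seen more than 60 days before Jan 1.
FINDINGS = [
    Finding(23, date(2023, 1, 1), date(2023, 1, 1), closed=date(2023, 1, 1)),
    Finding(23, date(2022, 10, 1), date(2022, 12, 20), detected_service="ssh"),
    Finding(80, date(2022, 9, 1), date(2022, 10, 15)),
]
```

Running `active_grades(FINDINGS, date(2023, 1, 1))` counts the same-day Telnet finding as BAD and the SSH-on-23 finding as GOOD, while the stale HTTP finding is already outside the 60-day window; a day later only the GOOD finding remains.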