If you think you’re having a bad day, you should see what happened to a group of Greek merchants crossing the Black Sea, 2,400 years ago. Providing a stark perspective on the vastness of history, their ship has just been discovered under 2km of water.
Around 60 shipwrecks have been found by the joint UK-Bulgarian Marine Archaeology Project, providing a seabed museum that reveals how civilization has changed, even though the hazards faced by those carrying trade between the ports of Europe have remained constant.
In the cyber-security world, it’s not so much the network as the ports themselves that pose the threat. In fact, every source of security control guidance, including NIST, PCI DSS, NERC CIP and the foundational CIS Controls, recommends the same thing: every network port, protocol and service increases the opportunity for a system to be compromised.
As an analogy, think of the Star Wars® ‘Death Star’: Designed to be impregnable, seemingly impossible to attack. But it still needed an engine, which in turn needed an exhaust port, which ultimately left it prone to a fatal strike.
Therefore, in any scenario, be it for IT systems or planet-busting, intergalactic WMDs, reducing the ‘attack surface’ is a critical security control.
To take a typical scenario, configuration services for a host will be presented via a Web interface or command line. Interaction via the network must use the assigned protocol to connect to the designated port: in this example, the HTTPS protocol via port 443 and the SSH protocol via port 22.
From this example you can see that each protocol has a default port assigned and in fact NNT have provided a useful guide listing the most relevant Well-Known Ports.
The port number is another level of addressing enabling connections to an IP Address to be directed to the underlying service.
This entwined relationship between service, protocol and port is important to understand – you can’t have one without the others. In other words, remove the service, you eliminate the protocol and close the port. In this way, the opportunities for an attacker are diminished.
- The more open/accessible we make a system, the greater the attack surface (even for the Death Star). With new exploits being discovered every day, reducing the potential for attack is key
- For essential services, if there is a choice of ports/protocols offered we want to use the secured variant e.g. HTTPS
- By extension, the non-encrypted channel must be disabled
To understand the Attack Surface presented by any system, two main approaches exist, External and Direct.
The External Option uses a network-based port-scan to discover ports/protocols presented. It’s like a sonar scan of the network, with test connections sprayed out to all accessible IP addresses while listening for any responses. Knowing which ports are available tells you which protocols and therefore services are likely to be in use.
By contrast, the Direct Approach uses commands to list open ports e.g. netstat. It’s a good solution but requires direct access to each device and knowledge of the right commands.
Even then, how do you determine which service is behind the port, and crucially, whether it needs to remain in place or not? The association between ports and protocols is officially designated by the Internet Assigned Numbers Authority. The NNT Security Control Guide: Hardening Open Network Ports/Protocols/Services takes things further, indicating those ports/services considered to be ‘Expected and Acceptable’ and any that are ‘Not Acceptable’, and also specifying preferable alternatives to use, e.g. SSH, not Telnet.
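As an added example (not NNT’s tooling or its published guide), here is the Direct Approach carried through on a Linux host: it parses the listening sockets reported by `ss -tulnp` (the modern replacement for netstat), ties each port to its owning process, and grades it against a small ‘Acceptable’ / ‘Not Acceptable’ table that points unencrypted services at their secured variant. The policy entries, the loopback rule and the sample `ss` output are assumptions constructed for this example.

```python
import re, sys

# Illustrative policy (assumed for this example, not NNT's published guide).
POLICY = {  # port: (service, verdict, secured alternative to migrate to)
    22: ("ssh", "acceptable", None),
    443: ("https", "acceptable", None),
    23: ("telnet", "not acceptable", "ssh (22)"),
    80: ("http", "not acceptable", "https (443)"),
}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')  # users:(("sshd",pid=812,fd=3))

def parse_ss(output):
    """Turn `ss -tulnp` output into (proto, local_addr, port, process) tuples."""
    sockets = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Netid":
            continue  # header or blank line
        addr, port = f[4].rsplit(":", 1)  # handles 0.0.0.0:22, [::]:22 and *:80
        m = PROC_RE.search(line)          # process column needs root to populate
        sockets.append((f[0], addr, int(port), f"{m[1]}/{m[2]}" if m else "?"))
    return sockets

def assess(sockets, policy=POLICY):
    """Verdict per listener: local-only (loopback bound), acceptable, not acceptable or review."""
    findings = []
    for proto, addr, port, proc in sockets:
        if addr.startswith(("127.", "[::1]")):
            verdict, alt = "local-only", None  # not reachable from the network
        elif port in policy:
            verdict, alt = policy[port][1:]
        else:
            verdict, alt = "review", None      # unknown port: needs a business case
        findings.append((port, proto, proc, verdict, alt))
    return findings

# Constructed sample of `ss -tulnp` output so the example runs offline.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:* users:(("inetd",pid=640,fd=5))
tcp   LISTEN 0      511    *:80               *:*       users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:* users:(("systemd-resolve",pid=500,fd=12))
tcp   LISTEN 0      128    [::]:8443          [::]:*
"""

if __name__ == "__main__":  # live host: ss -tulnp | python3 portcheck.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for port, proto, proc, verdict, alt in assess(parse_ss(text)):
        print(f"{proto}/{port:<5} {proc:<22} {verdict}", f"-> use {alt}" if alt else "")
```

Run without input it grades the constructed sample; piped the real `ss -tulnp` output (as root, so the process column is filled) it grades the host you are on.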
Ultimately, as with any configuration hardening project, only you can decide which services, and therefore which ports and protocols, are essential for your organization’s business services.
CIS Control 9 “Ensure only ports, protocols, and services listening on a system with validated business needs, are running”
Just as there is no such thing as ‘100% secure’, there are no truly ‘safe’ ports, but the more you minimize functionality, the more you reduce the attack surface presented.
Help is at hand - NNT in conjunction with the Center for Internet Security (CIS) provide extensive resources to help you with wider configuration hardening. The CIS Benchmark secure configuration guides specify a huge range of configuration settings recommended to improve security, including which default services should be disabled on a platform. The risk presented by any remaining open ports can be further mitigated by use of firewall technology either at the network, host or application level.
Who knows what the world will look like, or what the problems will be in another 2,400 years? For now, we need to keep battening down the hatches and shutting down those non-essential services.
Learn more about CIS Control 9 by watching our recent webinar - Any Port in the Form of Cybersecurity Remains a Problem: CIS Control 9