Continuing my previous discussions of the three P’s – Passwords, Patching and Ports – let’s finally talk about Ports.
The Third P – Ports: Open TCP and UDP ports, especially open ports that are not required for business purposes, continue to be something of a struggle for organizations. External networks have improved over the last few years, but we continue to find insecure protocols such as Telnet and FTP that are open from the Internet. Internal networks continue to have a large number of open ports that are not necessarily being used for business purposes. They are just open. Open ports are where many of the problems reside. Without open ports, many of the vulnerabilities would not be present.
Companies need to conduct semi-annual password reviews and audits to determine the strength of the passwords being used against what is defined within their password policy. The findings should identify weak passwords and be used to enforce that they are not allowed.

Having a formal patching process is not enough. Remediation, understanding and removing false positives, and adding exceptions are important in streamlining this patch process.

Formal processes and system configuration guidelines need to be defined to support and maintain which ports should be enabled and open on all of these devices. These devices need to include all of those connected to the LAN or to external-facing networks. Open ports that are not required for business purposes need to be disabled. This would eliminate many of the vulnerabilities that are identified during an assessment. For example, all too often default Apache ports and installs are discovered on systems that do not require or use this application. Many high ports (above port 1024) are also open and offer potential access because of default installations that reside on these systems. These open ports are dangerous to the organization and need to be disabled.
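One way to check a host against such a port guideline, as an added example that is not part of the original article: it parses `ss -tuln` output and flags every listener missing from an approved baseline. The sample output, the `APPROVED` set and the function names are constructed for illustration.

```python
# Constructed sample of `ss -tuln` output (not taken from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080          [::]:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

# Hypothetical baseline: the ports this host's configuration guideline allows.
APPROVED = {("tcp", 22), ("tcp", 5432)}
# Cleartext protocols the article calls out (Telnet, FTP).
CLEARTEXT = {("tcp", 21): "ftp", ("tcp", 23): "telnet"}


def parse_listeners(ss_output):
    """Return (proto, address, port) for every listening socket line."""
    listeners = []
    for line in ss_output.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # keeps IPv6 "[::]" intact
        if port.isdigit():
            listeners.append((fields[0], addr, int(port)))
    return listeners


def audit(listeners, approved=APPROVED):
    """Return (proto, port, reason, exposed) for listeners not in the baseline."""
    findings = []
    for proto, addr, port in listeners:
        if (proto, port) in approved:
            continue
        if (proto, port) in CLEARTEXT:
            reason = "cleartext " + CLEARTEXT[(proto, port)]
        elif port > 1024:
            reason = "unapproved high port"        # the article's "above port 1024"
        else:
            reason = "unapproved port"
        exposed = not addr.startswith(("127.", "[::1]"))  # bound beyond loopback
        findings.append((proto, port, reason, exposed))
    return findings


if __name__ == "__main__":
    print(*audit(parse_listeners(SAMPLE_SS)), sep="\n")
```

On a live host, feed the functions the real output of `ss -tuln` and keep the baseline under change control alongside the configuration guideline.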
So if the three Ps are keeping you up at night, follow this prescription for better sleep! In summary, don’t forget about focusing on the information security basics: passwords, patching and ports. Focusing on these information security basics will help prevent many unnecessary security vulnerabilities, easy access to sensitive information, and potential exploit attack vectors for hackers who are constantly harvesting the Internet for easy targets.
Tim is a Senior Security Consultant at Zensar