Attack Surface Management – Risks of an Exposed Service / Port
Ports! Yes, Ports! They are the ones making it possible for you to read this blog, not only reading the blog but the whole existence or interchange of data over the Internet through ports. Even at the present moment on your device, multiple ports are being opened or closed to facilitate your usage of consuming the internet. The port numbers help computers easily differentiate between different kinds of traffic and what data to expect on a particular port.
Open ports help applications serve their purpose correctly. However, certain services running on ports exposed to the internet may pose security risks.
What are open ports, and how do they work?
All the communication over the internet happens via ports. Ports accept traffic that may be either TCP or UDP, which helps communication with the underlying server technologies. Open ports allow the conduct of remote services to users over the internet. So, to serve service to end-users, the port must be open to allow all incoming connections and thus serve back after processing users’ requests.
Open ports aren’t dangerous by default, but it depends on what kind of services run on them. Since a port is open and a service is listening to it, any user can send packets to it. So, it becomes mandatory to ensure that these services are correctly configured and don’t pose a known vulnerability.
How can I know my open ports?
If you have a relatively smaller external attack surface, it’s easy to map out or monitor the open ports. However, suppose you own too many assets or don’t even have an inventory of all your assets (since you are a big organisation with a widespread team). In that case, it becomes exhausting to regularly scan for open ports and find out the security risks associated with them.
The only way to discover open ports is to probe for them. Several tools help us in the attempt to find the status of a particular port. One such reliable port scanner is Nmap. But to find out open ports, you need to know all the assets you own. All these assets will then be fed to Nmap in the form of domains, IP addresses, or CIDR ranges.
What’s the risk of exposing a service to the internet?
In order to find a vulnerability in a particular system, the attacker first needs to fingerprint all the services running, the network protocols being used, and their versions of them. For this purpose, the attacker depends on port scanning. Open ports become dangerous when security vulnerabilities are found in legitimate services, or sensitive services are exposed without appropriate security measures, such as terminal services.
- Unnecessary Brute Force Attacks
A lot of times, exposed services allow legitimate users to authenticate. While this is obviously a method for legitimate users to access the system, it also poses risks as an attacker can launch a dedicated brute force attack (or maybe use default / weak credentials) to gain unauthorised access. In fact, in most network penetration tests and attacks, brute force and weak credentials are the most commonly used method of gaining access.
- Exploitable unpatched services
It is always advised to regularly check for updates and patches and apply them at the earliest. A delay would allow an attacker to perform unintended actions or ultimately compromise the service. As soon as a 0-day is released, bad actors start scanning the whole internet to look for vulnerable services. In such scenarios, if an attacker finds a vulnerable service, they further try to exploit it with the intent to gain some financial profit. This would pose various business and reputational risks for the organisation.
- Exploitable unsafe configurations
At times, services running on open ports would have poorly configured settings or run on default settings. Such applications prove to be a good target for attackers. Poorly configured policies, default credentials, bad access management, and easily guessable passwords pave an easy way for the attacker to make it into the service.
- Business Impact
Exposing ports to the internet increases the attack surface, increasing the probability of getting attacked. These attacks can have various adverse business impacts. Suppose the attacker can exploit a service and get away with customer data. In that case, this will lead to a data breach and reputational damage to the organisation amongst its clients and community. Some attacks can increase the consumption of resources resulting in incurred bill charges. Also, some attacks can affect how customers use the website, and an unfriendly user experience can lead to a loss of customer base. Thus, resulting in a financial loss due to the loss of customers.
- Denial of service attack
The services running on ports can still process incoming traffic, even if the requests are invalid. This can lead to a denial of service attack. Some services are pre-configured to withstand a certain amount of stress, but bombarding other services with a large number of packets can eventually make them go down. Having downtime for a particular application creates a business risk with lasting effects.
- Leaking information about the underlying service
The services listening on open can sometimes leak information about the software version or network architecture. At times, simply connecting to the open port can reveal its software version banner back to the user in response.
However, we also understand that without any exposed port, there will be no internet. There we need to make sure a port/service is exposed only when a service is required for running the business smoothly. Even in that case, it should be done in a measured way.
How to secure open ports?
Open ports do not pose a risk by default, but it’s always advised to close unnecessary ports to reduce the attack surface.
- 1) Install updates/patches regularly
It’s not the open ports but the underlying technology or infrastructure running on that port. Steps should be taken to ensure that software updates or patches should be installed as soon as they are published. This step protects the infrastructure from the people who are continuously scanning the internet in the wild, looking for services vulnerable to the latest CVEs.
- 2) Use a well-configured firewall
A firewall can detect a port scan being performed on a particular host and immediately block the attacker or filter the packets being sent. This proves helpful when an attacker is trying to gain more visibility of the organisation’s infrastructure to find its way into a system. Specifically for web applications, a Web Application Firewall (WAF) has the capability to differentiate between a standard request and a malicious one. Hence, even if services are exposed to the internet, the WAF sitting between will filter/block all the requests with malicious payloads. This proves to be an additive layer of protection to some extent, even when our underlying service contains vulnerabilities. Also, we can safely expose our internal network to the internet with the help of a well-configured firewall.
- 3) Scan network ports regularly
It is always preferred that you have an inventory of all the assets you own. At times due to integrations with various cloud providers, vast-spread global teams and large developers’ strength, it becomes inevitable to maintain such asset inventory. The in-house security team can use multiple software to scan for open ports across their infrastructure and look for weaknesses in underlying systems. Having periodical port scans reduces the chance of being exploited to some extent.
- 4) Implementation of CI/CD pipeline
Efforts should be made that each new host that goes up to the internet must pass through a CI/CD pipeline. Here checks should be made, with the help of scanners, that the new service will be exposed to the public and doesn’t contain any vulnerable services, misconfigurations etc. This will not only help in reducing the attacks but will also help in good asset management.
- 5) Implement a continuous monitoring solution
When you are a big organisation with thousands of developers and spinning services becoming easier day by day due to cloud advancements, many hosts get exposed to the public daily. Although all these deployments may be going through CI/CD pipeline checks, the developer can make changes to the environment even after the final deployment. During such conditions, it’s always better to set up a continuous monitoring solution, which scans and suggests whether the new change poses a security risk or not.
Are your open ports/services exposed?
Don’t worry; we have got your back! At RedHunt Labs, we help you gain visibility of your organisation’s publicly exposed assets (including Modern Assets of dynamic cloud environments), including open ports and services, making it easier to manage your assets.
Our state-of-art product NVADR helps you not only track your organisation’s external attack surface, including untracked assets, and exposed services, but also continuously lookout for leaked sensitive information, security issues, etc., and thus identify security risks before attackers do.
If you would like to check out your organisation’s Attack Surface, don’t hesitate to get in touch with us to schedule your free trial today.