The next control in the top 20 is Critical Security Control number 9, Limitation of Network Ports, Protocols and Services. At every level of your infrastructure there are risks, vulnerabilities and doors that can let an attacker in. Just because you do not currently use a port or protocol doesn’t mean it is safe to leave enabled. Your network, like your systems, should be run on least privilege: disable what you don’t need or use. Firewalls, intrusion detection systems and malware scanners may be working around the clock, but a single open port or enabled protocol can bypass all of them.
Here’s what the control says –
Manage (track/control/correct) the ongoing operational use of ports, protocols and services on networked devices in order to minimize windows of vulnerability available to attackers.
In every security engagement I try to include a deep audit of the firewalls. The firewalls are the starting point for controlling network ports and protocols: there are fewer firewalls than servers, and there is generally one team managing them rather than many teams managing servers. Through that firewall review, identify and document every protocol allowed through and find a business justification for it, especially for FTP, Telnet, SSH and any other unsecure transport protocol. Another practice I forbid is firewall rules set to allow all protocols. No. Just no. Spend the extra time to find out what that IP needs, what ports it runs on and what protocols it will use, then set exactly those. Allow All is a lazy approach that opens more risk than most people are aware of.
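The firewall review described above can be partly automated. The following script is an added example, not the author's tooling or any firewall vendor's export format: it assumes the rules have been exported to a simple CSV with the columns name, src, dst, proto, port, action and justification (an assumed layout), and flags the three problems the text calls out: allow-all rules, cleartext or sensitive transport protocols (FTP, Telnet, SSH) allowed through, and allow rules with no recorded business justification. The sample rule set is constructed for the demonstration.

```python
"""Audit an exported firewall rule set for the problems CSC 9 calls out.

Added example; not the author's tooling. The CSV layout
(name,src,dst,proto,port,action,justification) is an assumed, simplified
export that a real review would produce from the firewall's own tooling.
"""
import csv
import io
from dataclasses import dataclass

# (protocol, port) pairs the post singles out for explicit justification.
UNSECURE_SERVICES = {
    ("tcp", "21"): "FTP",
    ("tcp", "23"): "Telnet",
    ("tcp", "22"): "SSH",
}


@dataclass
class Finding:
    rule: str
    severity: str   # "high", "medium" or "low"
    reason: str


def audit_rules(rule_csv: str) -> list[Finding]:
    """Return one Finding per allow rule that needs attention."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(rule_csv)):
        if row["action"].strip().lower() != "allow":
            continue  # deny rules are not a window of exposure
        name = row["name"].strip()
        proto = row["proto"].strip().lower()
        port = row["port"].strip().lower()
        justification = row["justification"].strip()

        # "Allow All": any protocol on any port. Always a finding.
        if proto == "any" and port == "any":
            findings.append(Finding(name, "high",
                "allows all protocols and ports; scope to what the host needs"))
            continue
        if port == "any":
            findings.append(Finding(name, "medium",
                f"allows every {proto} port; restrict to the ports in use"))

        service = UNSECURE_SERVICES.get((proto, port))
        if service and not justification:
            findings.append(Finding(name, "high",
                f"{service} allowed with no documented business justification"))
        elif service:
            findings.append(Finding(name, "low",
                f"{service} allowed; justification on file: {justification}"))
        elif not justification:
            findings.append(Finding(name, "medium",
                "no business justification recorded"))
    return findings


# Constructed sample export (RFC 5737 / private addresses, not real hosts).
SAMPLE_RULES = "\n".join([
    "name,src,dst,proto,port,action,justification",
    "web-in,0.0.0.0/0,10.0.1.10,tcp,443,allow,public web site",
    "legacy-ftp,10.0.0.0/8,10.0.2.5,tcp,21,allow,",
    "vendor-any,203.0.113.7,10.0.3.9,any,any,allow,vendor said so",
    "admin-ssh,10.0.9.0/24,10.0.2.5,tcp,22,allow,jump host admin access",
    "deny-rest,0.0.0.0/0,0.0.0.0/0,any,any,deny,",
])

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper():6}] {f.rule}: {f.reason}")
```

Run against the sample, the script reports legacy-ftp (FTP, no justification) and vendor-any (allow all) as high and admin-ssh as low because a justification is on file; web-in passes and the final deny rule is ignored. In a real review the output is the starting list for the business-justification conversation, not the end of it.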
The perimeter isn’t the only place to control the network. Firewalls generally protect you from the outside. Your internal devices and servers can also be configured to function only on certain protocols and ports, either through third-party endpoint security software such as local firewalls or directly in the network card configuration. For example, you can have your Active Directory talk only in the ways it needs to and block everything else; HTTP/HTTPS should not be enabled on your primary AD.
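One way to check that a server really is limited to the ports its role needs is to compare what it is listening on against a per-role allowlist. The script below is an added example, not the author's or any product's code: it parses the /proc/net/tcp format that any Linux host produces (the sample is constructed), keeps only sockets in LISTEN state, and reports listeners the role does not justify. The role allowlists are illustrative assumptions; the domain-controller set is the usual AD service ports (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog), and for the domain controller it flags exactly the HTTP/HTTPS listeners the text says should not be there.

```python
"""Report listening TCP ports that a host's role does not justify.

Added example, not the author's tooling. Input is text in the
/proc/net/tcp format (on a real host: open('/proc/net/tcp').read());
the sample below is constructed. Allowlists are assumptions for
illustration and should be replaced with the organisation's own.
"""

LISTEN_STATE = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Assumed per-role allowlists of TCP ports that may listen.
ROLE_ALLOWLIST = {
    "domain-controller": {53, 88, 135, 389, 445, 464, 636, 3268, 3269},
    "web-server": {80, 443},
}


def listening_ports(proc_net_tcp: str) -> set[int]:
    """Return the set of local TCP ports in LISTEN state.

    Each data row looks like
    '   0: 00000000:0050 00000000:0000 0A ...' where the local address
    is hex IP:port; the port is the hex field after the colon. The same
    layout is used by /proc/net/tcp6, so this works for both.
    """
    ports: set[int] = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue  # established/closing sockets are not exposure
        _addr_hex, port_hex = fields[1].rsplit(":", 1)
        ports.add(int(port_hex, 16))
    return ports


def unexpected_listeners(role: str, proc_net_tcp: str) -> set[int]:
    """Listening ports that the given role's allowlist does not cover."""
    return listening_ports(proc_net_tcp) - ROLE_ALLOWLIST[role]


# Constructed sample: a domain controller listening on Kerberos (0x0058=88),
# LDAP (0x0185=389), SMB (0x01BD=445) and, wrongly, HTTP (0x0050=80) and
# HTTPS (0x01BB=443), plus one established RDP connection (state 01).
SAMPLE_PROC_NET_TCP = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:0058 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0",
    "   1: 00000000:0185 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0",
    "   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0",
    "   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0",
    "   4: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 100 0 0 10 0",
    "   5: 0A00010A:0D3D 0B00010A:C2F4 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 0000000000000000 100 0 0 10 0",
])

if __name__ == "__main__":
    extra = unexpected_listeners("domain-controller", SAMPLE_PROC_NET_TCP)
    print("listening:", sorted(listening_ports(SAMPLE_PROC_NET_TCP)))
    print("not justified for a domain controller:", sorted(extra))
```

Scheduled on each server with its role recorded in inventory, this turns the "block everything else" intent into a drift check: any port that appears outside the allowlist is either a new service that needs a justification and a rule, or something that should be shut off.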
How It Could Be Exploited
Every door left open can be kicked down by an attacker. Millions of bots are scanning the Internet, every IP address they can find, looking for responses on common ports and protocols. When one is found, the attackers attempt to break through using default accounts or known vulnerabilities that may not have been patched yet, or set up sniffers to watch traffic come and go.
The best practice in securing any system is: if you do not need it, disable it, block it and shut it off… at every level you can.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.