Vulnerability Management

Report finds millions of firewall ports left open unnecessarily


According to a research paper by Rapid7, titled National Exposure Index: Inferring Internet Security Posture by Country through Port Scanning, around 15 million ports offer unencrypted Telnet, 11.2 million appear to offer direct access to relational databases, and 4.5 million are apparent printer services.

Around 4.7 million systems expose one of the most commonly attacked ports used by Microsoft systems, 445/TCP. The research also found that SSH (secure shell) is gaining ground over telnet (cleartext shell), with over 50 percent of regions offering more SSH servers than telnet servers.

Non-web-based access to email (via cleartext POP or IMAP protocols) is still the norm rather than the exception in virtually every country, according to the report's authors. They said that there was a correlation between the GDP of a nation, overall internet “presence” in terms of services offered, and the exposure of insecure, cleartext services.

The report also examined the relationship between countries' GDP, their use of the internet and their level of exposure. While there was a correlation between GDP and connections, there was not a direct correlation.

Talking to SC at InfoSec 2016 in London today, Tod Beardsley, senior security research manager at Rapid7, said, “We found some weird things on the national level, too. For instance, about 75 percent of the servers offering SMB/CIFS services - a (usually) Microsoft service for file sharing and remote administration for Windows machines - reside in just six countries: the United States, China, Hong Kong, Belgium, Australia and Poland.”

He added that there is a fundamental gap in awareness of the services deployed on the public side of firewalls the world over.

“This gap, in turn, makes it hard to truly understand what the internet is. So, the paper and the associated data we collected (and will continue to collect) can help us all get an understanding of what makes up one of the most significant technologies in use on Planet Earth,” he said. 

Beardsley added, “No one else is doing this. There has been port scanning for specific areas such as Shodan, but not a survey of the whole internet.”

Professor Steven Furnell, senior member of the IEEE and head of the Centre for Security, Communications & Network Research at Plymouth University, told SC that open services exposed to the internet are really a classic administration problem, and one that seems to have persisted despite being a recognised source of vulnerability.

“Unnecessary ports should certainly be blocked, and similarly any unnecessary services ought to be disabled on servers. It is worrying to think that the issue is being missed, and the exposures could be caused by several reasons. One might be lax administration, another might be unawareness, and others might be based on assumptions that problems will be trapped by other safeguards,” he said.

Nimmy Reichenberg, vice president of Strategy for AlgoSec, told SC that the key to solving this is a business-driven approach to security management, which emphasises automation of security processes to ensure that changes and updates don't introduce errors.

“Unsurprisingly 75 per cent of organisations surveyed said that automation will eliminate mistakes that create access points for hackers, reduce errors and help process security policy changes faster. Automation of security processes is a necessity in order to manage security effectively, and ensure businesses don't inadvertently give access to hackers through a simple firewall misconfiguration,” he said.

Beardsley added that the intention is to do more, more often, and build up trends over time. He denied that the information would be particularly useful to attackers, saying that bad actors already had port scanning to target their own specific things, but hoped the information would “enable better decision making – we knew there were a lot of Telnets out there, but didn't know it was 17 million. Plus CISOs at organisations can look and see how their organisation stacks up. On a national level policy makers will now be armed with the data to make informed decisions. Decision-makers can use the information to decide what kind of internet we want, what we have, and so better engineer the internet.”
