AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Open ports mean open season for attackers: Lessons learned from Rapid7’s Project Sonar

Globally, millions of systems connected to the internet are exposing insecure services to anybody who cares to look for them. That is the finding of Project Sonar, a large-scale internet port-scanning effort by Rapid7 that set out to measure the overall threat exposure of the internet. It identified around 15 million computers reachable over telnet, over 11 million open ports belonging to relational databases, and around 4.5 million open ports belonging to printer services.

Let’s be clear – these are cybersecurity 101 mistakes. The vast majority of these wide-open doors to the internet can be closed by something as fundamental and simple as placing a firewall at the perimeter edge. Any reasonably configured firewall, one that denies inbound connections by default and only permits the few services that genuinely need to be reachable, blocks access to these ports from the outside. Note that this closes the door without removing the service: telnet, the database listener or the print spooler is still running behind the firewall, so the exposure returns the moment a rule is loosened.

However, it’s important to point out that the majority of these open doors are probably not on enterprise machines within large corporations, but rather they are likely to be computers owned by individuals or in small ‘mom-and-pop’ businesses, running basic Windows applications. These users probably don’t realize that connecting to the internet also means that the internet is connecting to them; they may not know (or care) that they are offering up an open door to potential attackers. Yet this presents a major security problem for all organizations.

Big or small, we’re all connected

Individual, poorly protected computers owned by consumers or small businesses can have a significant impact on larger organizations’ cybersecurity posture. This is because many cyberattacks are powered by botnet armies of compromised computers – including many belonging to individuals and small businesses – just take a look at this recent story in the New York Times. Cybercriminals aren’t interested in the data on those computers – they’re probably too small-scale to be profitable targets – but because they are relatively unprotected, they can easily be infected, placed under remote control, and then used to attack other computers. And rarely, if ever, do their owners discover that their computers have been hijacked and used as a conduit for criminal purposes.

Of course, there will be many larger organizations and enterprises that have open ports on their systems too, simply because their firewalls are badly misconfigured, or because they haven’t reviewed their firewall rulesets recently to check for possible points of exposure. So this should be a reminder for all enterprise organizations to run security risk assessments on their firewalls to ensure they haven’t inadvertently overlooked any open ports. There are several free security tools available that can scan your machines or network and show how they appear to the public internet; the essential check is simply whether a TCP connection to each risky port succeeds from outside the perimeter. More advanced automation products like AlgoSec’s Security Policy Management solution offer deeper inspection and analysis capabilities.
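To put the “see how your network appears to the public internet” advice into practice, here is an added Python example. It is not AlgoSec’s product, Rapid7’s Sonar code, or anything from the original post: it tries a TCP connect to the well-known ports of the three service classes the post names (telnet, relational databases, printer services) and reports which ones answer. The port-to-service table, the function names, and the local dummy listener used to exercise the check offline are my own assumptions for the example.

```python
"""Exposure check for the service classes Project Sonar found wide open.

Added example, not the post's own tooling. Run it from a host OUTSIDE your
perimeter against your public address: a port that accepts a connection from
there is a hole in the firewall ruleset, not just a listening service.
"""
import socket
import threading
from contextlib import closing

# Assumed mapping of well-known TCP ports to the service classes the post lists:
# telnet, relational databases and printer services.
RISKY_PORTS = {
    23: "telnet",
    1433: "mssql",
    3306: "mysql",
    5432: "postgresql",
    515: "lpd (printer)",
    631: "ipp (printer)",
    9100: "jetdirect (printer)",
}


def is_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port completes, i.e. something is listening
    and nothing in the path dropped or rejected the connection."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out or unreachable: not exposed from here
            return False


def exposed_services(host, ports=RISKY_PORTS, timeout=1.0):
    """Return {port: service} for every port in `ports` that accepts a connection."""
    return {p: name for p, name in ports.items() if is_open(host, p, timeout)}


def report(host, found):
    """Human-readable summary lines for one host's scan result."""
    if not found:
        return [f"{host}: none of the checked services are reachable"]
    return [f"{host}: port {p}/tcp ({name}) is reachable from here"
            for p, name in sorted(found.items())]


# --- offline demo helpers: a constructed stand-in for an exposed host ---------

def start_dummy_listener(host="127.0.0.1"):
    """Start a throwaway listener on an ephemeral port, playing the role of an
    exposed service. Returns (port, stop) where stop() shuts it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def free_port(host="127.0.0.1"):
    """An ephemeral port nothing listens on (bind, read it back, release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:        # python exposure_check.py <public-ip-or-hostname>
        target = sys.argv[1]
        print("\n".join(report(target, exposed_services(target))))
    else:                        # no target given: demonstrate against a local dummy
        port, stop = start_dummy_listener()
        probe = {port: "dummy telnet", free_port(): "dummy mysql"}
        print("\n".join(report("127.0.0.1", exposed_services("127.0.0.1", probe))))
        stop()
```

This is a plain TCP connect check: it cannot tell a silently dropped packet from an absent host, it says nothing about UDP services, and it only covers the handful of ports in the table. For a full picture use a proper port scanner from an external vantage point, then compare what it finds against what your firewall ruleset says should be reachable; any difference is either a misconfiguration or a rule nobody remembers adding.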

Likewise, it is important to think carefully about where on the network you place your security devices, particularly in organizations that have more complex cloud or hybrid environments. We have previously blogged about choosing between host-based and network-based firewalls. Ultimately we believe that the best protection is achieved by combining network-based protection with effective network segmentation, partitioning access to sensitive information so that only those applications, servers, and people who need access can get at it. It’s all about presenting the smallest possible target to cybercriminals, and ensuring that should they manage to find a way into your network, they find it very difficult to move laterally within it or to get data out of it.

So, whether you’re a small business or an enterprise, it’s well worth examining what your network looks like to the outside world, because an open port is basically extending an open invitation to attackers.
