CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
This article delves into CIS Control 9 and the five sub-controls associated with the third Foundational CIS Control.
Every source of security control guidance (see following examples) recommends the same thing: any network ports, protocols and running services increases the opportunity for a system to be compromised. As an analogy, think of the Star Wars® ‘Death Star’: It was designed to be impregnable, seemingly impossible to attack. But it still needed an engine, which in turn needed an exhaust port, which ultimately left it prone to a fatal strike. Therefore, in any scenario, be it for IT systems or planet-busting, intergalactic weapons of mass destruction, reducing the ‘attack surface’ is a critical security control.
The main reasons why monitoring open ports is ordained a key security control:
- The more open/accessible we make a system, the greater the attack surface (even for the Death Star). With new exploits being discovered every day, anything that reduces the potential for attack, the better
- Where a service is needed, and there is a choice of ports/protocols offered i.e. HTTP or HTTPS using TLS 1.2+, we want to use the secured variant
- By extension, we also want to ensure that the non-encrypted channel is never used and disable it
The Center for Internet Security provides this rationale for CIS Control 9: “Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and DNS servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing the user. Attackers scan for such services and attempt to exploit these services, often attempting to exploit default user IDs and passwords or widely available exploitation code”
But this security best practice is not unique to just the CIS Controls – every source of security control guidance, be it the CIS Controls, NERC CIP, NIST 800-53, or PCI-DSS V3.2.1, all recommend the same thing: any network port, protocol and running services increases the opportunity for a system to be compromised.
NNT recently hosted a webinar with the Center for Internet Security “Any Port in a Storm of Cyber Security Remains a Problem: CIS Control 9”. Learn how to detect open ports and protocols on your network and the steps to mitigate the threats by watching the webinar on-demand.
Now, let’s dive into the five sub-controls associated with this critical security control.
9.1: Associate Active Ports, Services, and Protocols to Asset Inventory
- Associate active ports, services, and protocols to the hardware assets in the asset inventory.
In this sub-control, organizations must identify all active ports and installed services (running or not) for each endpoint. In order to address this control, organizations must have already addressed sub-control 1.4: Maintain Detailed Asset Inventory and sub-control 1.5: Maintain Asset Inventory Information.
All ports, protocols and services within your environment must be properly defined, tracked and controlled. More importantly, any corrections needed to be made should be handled within a reasonable timeframe. By having knowledge of what is running on your network and eliminating unnecessary means of communication, organizations significantly reduce their attack surface and limit the number of entry points for attackers.
9.2: Ensure Only Approved Ports, Protocols, and Services Are Running
- Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
Developing a baseline should be one of the first things you do. This sub-control encourages organizations to establish a secure baseline of what ports and services are supposed to be running on each device, which will allow you to compare future scans with your known, trusted baseline.
Using hardening guidelines like the CIS Benchmarks is a great place to start and can be deployed and monitored through configuration management tools like Change Tracker. Alternatively, using an automated scanning tool like Vulnerability Tracker will allow you to perform a baseline port scan of the hardened system.
Remember, there is no such thing as “100% secure”, and there are no truly “safe” ports, but the more you can minimize functionality, the more you can reduce the attack surface presented.
NNT recently developed an Open Ports Hardening Guide which includes a full listing of well-known and assigned ports and their uses.
>> Download NNT's Guide to Hardening Open Ports, Protocols and Services
>> You can also make use of the NNT Security Control Guide Hardening System Services here
9.3: Perform Regular Automated Port Scans
- Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
Now, with a secure baseline established, organizations are encouraged to perform regular automated port scans across the entire environment. The scan should note any discrepancies from the baseline and alert administrators to investigate the activity immediately. Conducting port scans on a regular basis will help organizations determine which services are listening on the network, which scans are open, and identify the version of the protocol and service listening on each port.
NNT Vulnerability Tracker can scan thousands of endpoint devices in a short period of time – to learn more, download our Vulnerability Tracker Solution Brief.
9.4: Apply Host-Based Firewalls or Port-Filtering
- Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
In this sub-control, organizations are encouraged to apply host-based firewalls to end systems. Applying only network-based firewalls is not enough because traffic on the same subnet can bypass network firewall configurations.
9.5: Implement Application Firewalls
- Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
This sub-control advises organizations to use application firewalls and place them in front of any critical servers. In order for an organization to adequately mitigate risks, a layered perimeter of defenses including application-aware firewalls should be implemented to block unauthorized access.
Summary
Security hardening is always a balance between maximizing security and delivering the required functions for a platform. Put simply, the more functions provided by a platform, the greater the opportunity for attack, because any functionality has the potential to be misused and abused.
Open ports are significant within this because any network-based attack must utilize network-accessible services, so it’s a logical way to measure the attack surface of a platform. But the risk of such a linear interpretation of this objective is that other more straightforward hardening practices may be overlooked. NNT technology will provide you with not just simple to use tools for identifying and tracking changes to open ports, but as a matter of course encompass visibility of all other key vulnerability considerations. This includes the analysis of:
- Running services and their startup states
- Installed software and related known vulnerabilities
- Security-related configuration settings
- Any new and changed system files
NNT SecureOps® automates these functions for you within the context of your day-to-day IT Service Operations to maintain security and expose breach activity. Even in a dynamic enterprise where security threats would otherwise remain hidden, NNT can cut out the change noise to clearly identify security issues.
NNT Change Tracker Gen7 R2 provides an integrated Network Port Scanner to discover open ports across all devices within your network estate. Furthermore, Change Tracker will repeatedly re-scan the network and clearly highlight any adds, changes or moves.
NNT Vulnerability Tracker also provides an option for open port discovery on an automated basis and equally delivers other essential security controls relating to vulnerability management. Alternatively, organizations can download OpenVAS (Greenbone Community Edition) for a free network-wide port scan.
For more reading and opinion, read NNT CTO Mark Kedgley’s article with InfoSecurity Magazine Why Open Port Monitoring is Both an Essential and Flawed Security Control
Figure: System Entity Relationship Diagram
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises
