A port is the link between your computer or server and the computer of whoever is communicating with it.
Example 1: A client accessing your web page does so over a port, commonly port 80 or port 443, and these ports normally exist to allow bi-directional traffic. However, an open port is also an entry point into your server. Cybercriminals know this and often take advantage of an open port to gain entry, which could allow an attack such as ransomware to get into your system and attack your machines.
Example 2: Another attack that can arrive via an open port is a DDoS (distributed denial of service) attack, which can stop your systems from functioning by overwhelming the server. An open port can also be used to install software that gives the attacker a financial advantage, such as Bitcoin mining, sending spam email or using your machine to attack another machine.
Example 3: Open ports can also indicate an internal compromise. Has an employee clicked on a phishing email and downloaded malware by accident? Could this lead to more malware being downloaded and data being exfiltrated from your system? This type of attack often works by the attacker misusing an existing port or opening a new one to send that information out.
Prevention & Remediation Action Plan
- Use the AEGIS Early Warning System to monitor your ports continually and look for any new or suspicious ports currently open on your system;
- Have your IT team investigate all of those ports and have them determine if they are needed for legitimate business reasons;
- Have your IT team check that the ports open for legitimate business reasons are secured appropriately. If you use FTP, make sure it requires a username and certificate-based authentication; a password is not good enough on its own;
- Start logging your servers and look for anonymous transactions on ports.
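As an added example that is not part of the original article or of the AEGIS product, the check behind the first two steps above in script form: a host's listening ports are compared against an approved inventory, and anything new, exposed or owned by an unexpected process is queued for the IT team. The baseline, the `ss -tlnp` output and the process names are all constructed.

```python
"""Audit a host's listening TCP ports against an approved baseline (added example; all data is constructed)."""
import re

# Constructed baseline: port -> (process expected to own it, business justification).
APPROVED = {
    22: ("sshd", "admin access via jump host"),
    80: ("nginx", "public web site"),
    443: ("nginx", "public web site over TLS"),
}
LOCAL_ONLY = {"127.0.0.1", "[::1]"}  # listeners here are not reachable from the network

# Constructed sample of `ss -tlnp` output: 443 has changed owner, 5432 and 8000 are not in the baseline.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=655,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=812,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("haproxy",pid=830,fd=7))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=901,fd=5))
LISTEN 0      5            0.0.0.0:8000      0.0.0.0:*     users:(("python3",pid=2310,fd=3))
"""

# Matches one LISTEN row; the Process column is optional because ss omits it without root.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

def parse_listeners(ss_output):
    """Return (address, port, process-or-None) for every LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            rows.append((m["addr"], int(m["port"]), m["proc"]))
    return rows

def audit_listeners(ss_output, approved=APPROVED):
    """Classify each listener; returns (port, addr, proc, status) tuples sorted by port."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in approved:
            status = "approved" if proc == approved[port][0] else "process-mismatch"
        elif addr in LOCAL_ONLY:
            status = "unapproved-local"    # still needs a justification, but no external entry point
        else:
            status = "unapproved-exposed"  # a new entry point into the server: investigate first
        findings.append((port, addr, proc, status))
    return sorted(findings, key=lambda f: (f[0], f[1]))

def ports_to_investigate(findings):
    """Ports the IT team must justify, secure or close."""
    return sorted({f[0] for f in findings if f[3] != "approved"})
```

Run the audit against the real output of `ss -tlnp` on each server and keep the approved dictionary under change control, so a listener appearing outside it is a finding rather than a surprise.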