What Is Port Scanning and Why Is It Important?

11 JULY 2024 • Written by Mehmet Kadir

It’s common for organisations to have services exposed to the internet. These could include a web server hosting the company website, email servers for corporate email, or VPN gateways giving remote workers secure access to the corporate network. We will typically want to use port scanning as a way to discover and audit these exposures – but what exactly is port scanning?

For a service to be accessible over the internet, there will be an associated IP address and port that facilitate this access. We will delve a little deeper into the technical side of things in a future article, but for now let's use a phone call as an analogy to help understand the function of services, IP addresses, and ports. If we want to reach a particular person (service) we need to dial the appropriate phone number (IP address) followed by the extension (port number). And so, a port scan would be like calling all possible extensions and seeing if someone picks up. That is, given an IP address, we want to try to connect to a range of possible port numbers and see if we get a response back. Depending on the response, we can (usually, but not always) determine if there is a service available via that port.

So why is this useful? Well, for attackers, it’s commonly a way to discover services that they may be able to leverage (or exploit) in order to gain unauthorised access to a system. Attackers are constantly scanning the internet for this reason, and so it’s normal to see logs for such scan attempts on a daily basis. In contrast, for defenders, port scanning is an invaluable tool within their toolset to assess which services (and therefore assets) they are exposing to the internet. For the purposes of this article, we’ll focus on why port scanning is important for defenders rather than attackers or those with malicious intent. It should be noted that while we’re focusing on external (internet-facing) scanning, the same concepts and techniques can also be applied to internal, non-internet-facing systems.

Now that we have a general understanding of what port scanning is and its function, let’s detail some of the main reasons why it’s important to perform port scans of our internet-facing assets.

Discovering Exposed Assets and Services

Before we can secure our assets, we need to know about them. This can be a challenge for both small and large organisations. Within a small organisation where responsibilities are shared and the cybersecurity function is perhaps less developed, it’s easy to lose track of the assets and services we’re exposing. We might not even notice unless we’re performing periodic audits. In contrast, a large organisation may have hundreds or thousands of assets, and hence the attack surface can be very large and therefore difficult to manage without some form of automation. This is why we might want to employ various tools or solutions to help support our existing processes and controls. Ultimately, we don’t want to be in a position where we unknowingly have a service that may pose a risk to our organisation on display on the internet.

Tracking Changes Over Time

The assets and services we expose to the internet aren’t static; they change over time. This is especially true in large organisations where changes to networked assets such as servers, routers, firewalls and other systems occur frequently. These types of changes can lead to a new service popping up, or an asset that wasn’t previously accessible via the internet now being accessible. Therefore, it’s important that we perform periodic scanning of our estate in order to have an up-to-date view of its current state. We also want to track these changes over time for reasons such as auditing.

Catching Mistakes Early

In complex environments with multiple entry points into our networks, security appliances performing filtering, address translation, port forwarding, etc., mistakes happen. For example, while modifying our security appliance rulesets, we could open up access to assets or services that we did not intend to allow access to. As auditing large rulesets involves a lot of manual review, a mistake such as this may go undetected for some time. So, while port scanning should not be the primary mechanism used to prevent these types of mistakes, it can serve as an additional check alongside our existing processes and controls. Scanning our assets on a daily basis increases the likelihood of us identifying such a mistake and taking action before an attacker does.
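As an added example (not part of the original article), the following Python script performs the checks that the Tracking Changes Over Time and Catching Mistakes Early sections describe: it compares a baseline scan snapshot with the current one and with an allowlist of approved exposures, reporting newly opened, closed and unapproved ports. All hosts, ports and the allowlist are constructed sample data, not real scan output.

```python
"""Added example: diff two port-scan snapshots of an estate and flag anything
open that change control never approved. Snapshots are constructed inline."""
from dataclasses import dataclass, field

# Constructed snapshots: host -> set of (port, protocol) observed open.
BASELINE = {
    "203.0.113.10": {(443, "tcp")},               # web server
    "203.0.113.20": {(25, "tcp"), (587, "tcp")},  # mail server
    "203.0.113.30": {(1194, "udp")},              # VPN gateway
}
CURRENT = {
    "203.0.113.10": {(443, "tcp"), (22, "tcp")},  # SSH now reachable
    "203.0.113.20": {(25, "tcp")},                # 587/tcp no longer open
    "203.0.113.30": {(1194, "udp")},
    "203.0.113.40": {(3389, "tcp")},              # new host with RDP exposed
}
# Hypothetical allowlist: what change control says may be exposed.
ALLOWLIST = {
    "203.0.113.10": {(443, "tcp"), (22, "tcp")},  # SSH approved via change control
    "203.0.113.20": {(25, "tcp"), (587, "tcp")},
    "203.0.113.30": {(1194, "udp")},
}


@dataclass
class ScanDiff:
    opened: set = field(default_factory=set)      # (host, port, proto) newly open
    closed: set = field(default_factory=set)      # open in baseline, closed now
    unapproved: set = field(default_factory=set)  # open now but not allowlisted


def flatten(snapshot):
    """Turn host -> {(port, proto)} into a flat set of (host, port, proto)."""
    return {(h, p, proto) for h, ports in snapshot.items() for p, proto in ports}


def diff_scans(baseline, current, allowlist):
    """Compare snapshots; a host absent from a snapshot simply has no open ports."""
    base, cur, approved = flatten(baseline), flatten(current), flatten(allowlist)
    return ScanDiff(opened=cur - base, closed=base - cur, unapproved=cur - approved)


if __name__ == "__main__":
    d = diff_scans(BASELINE, CURRENT, ALLOWLIST)
    for label, items in (("NEWLY OPEN", d.opened), ("CLOSED", d.closed),
                         ("UNAPPROVED", d.unapproved)):
        for host, port, proto in sorted(items):
            print(f"{label:10} {host} {port}/{proto}")
```

In a daily job the previous day's snapshot becomes the baseline, so the NEWLY OPEN and UNAPPROVED lines are exactly the change-tracking and mistake-catching signals to review.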

Conclusion

This is not by any means an exhaustive list of why port scanning is important, but these reasons alone should be enough to convince us of the value of performing regular port scanning of our assets. It’s not a silver bullet, nor a technique that we should rely on in isolation, but it is one tool within our toolset that, when used effectively, can help keep our organisation secure. Future articles will further elaborate on the topics discussed here, as well as go into some of the specifics surrounding the various tools and techniques commonly used to secure our internet-facing assets.