Security Experts:

Port Scanning Project Shows Scale of Exposed Systems

Port Scanning Project Infers Security Posture by Country

Rapid7 has turned the power of its Project Sonar infrastructure to examine a fundamental question: just what is the exposure of the Internet in different national regions? While anyone will tell you that the Internet is not secure, few are able to quantify how, what or where. Rapid7's report aims to change that.

"In terms of exposure," Tod Beardsley, senior security research manager at Rapid7 said in conversation with SecurityWeek, "I couldn't even tell you the top ten listening ports on the Internet. I could probably guess the first two – but there simply isn't any easily available data on what is exposed through which ports around the world."

The Internet, he said, is too important to the world's business and culture not to have this sort of data available to security researchers, academics, governments and the security industry. The result is a new foundational paper published today: Rapid7's National Exposure Index – Inferring Internet Security Posture by Country through Port Scanning. It is a port scan and exposure index of the entire Internet.

It already has value – but this is expected to be the first of regular scans. "We have the infrastructure in place," said Beardsley. "I can't yet say how often we will run scans, but I expect it to be between monthly and annually." As the data builds into a Big Data source of global internet exposure, large scale national projects can be used to improve national security by understanding what to target.

It is not a vulnerability scan – it is more like a potential vulnerability scan on a massive scale. It demonstrates to what degree any particular country is potentially vulnerable through exposing critical or important assets to the internet – or simply quantifying the degree to which 'that shouldn't have internet exposure.'

Since different services use different ports, a considerable amount of information can be gathered and surmised in some detail. Nevertheless it is not simple. For example, it can detect what is usually cleartext email through the use of ports 25 (SMTP), 110 (POP3) and 143 (IMAP). It can also detect email wrapped in SSL (encrypted) on ports 995 and 993. But it cannot tell whether email over ports 25 or 587 are effectively encrypted via STARTTLS since STARTTLS is quietly dropped if the receiver does not understand it. "In the end," says the report, "only a properly SSL-wrapped SMTP service on port 465 could be considered reliably encrypted."

Nevertheless, the data available in this very first 'foundational' analysis that primarily sets the base-line for future analyses is still valuable. It can be used, for example, for individual governments to gauge the overall security posture of their countries. Having gathered all the data, says the report, "we can measure the overall exposure of individual nations when it comes to offering insecure services."

This is important. Rapid7 also looked at the SANS Internet Storm Center "and averaged the number of targets on any given day. While not comprehensive, this shows there is at least active probing occurring on all of the ports used in our Sonar study." It is important, therefore, that those engaged in protecting the internet should have a clear idea of the size of the problem.

In 2020 Japan will be hosting the Olympics. Such events always attract considerable cyber criminal activity, and the Japanese government will already be making cyber security plans. The Rapid7 index shows that it has some work to do: it is currently the 34th in exposure rankings for the top fifty nations. The UK fares little better. Back in the year 2000 Tony Blair insisted he would make Britain the best place in the world for e-commerce. In 2016, it still ranks a lowly 27th over internet exposure. The least exposed nation is Vietnam. Switzerland and Germany lie third and fourth, with the USA at 36th. Belgium is fiftieth of the top fifty nations.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.