As technology advances, protocols can fall out of date and are often found to be vulnerable to attack. These vulnerable protocols and unnecessary ports and services can be used as an open door by an attacker.
Your organisation’s network will also change which will render some open ports and services unnecessary. It is important to make sure these vulnerable protocols are updated and unnecessary ports and services are disabled.
As a result of implementing this control, organisations:
- understand why specific services and protocols are used in the environment
- have disabled all unused and outdated services and protocols.
Although the goal of this control is straightforward, the actual effort required to effectively implement it can be high and depends on the size of your environment.
- All unnecessary and unused services and ports are disabled.
- All outdated and vulnerable protocols are disabled.
- You have a complete view of which protocols and services are used in your environment and why they are necessary.
- You have a process to disable unnecessary services and ports when systems are removed from your environment.
- You have a standard build-hardening process, which includes disabling unnecessary or outdated services, ports, and protocols for each new device.
- You are aware of changes to the services, ports, and protocols in use because there is monitoring in place that detects changes.
- You have a plan to proactively disable outdated protocols when new protocols are released that can be supported in your environment.
Key unused services and protocols takeaways
- Understanding what services and protocols are actually needed, can be hard work and finding the answer may be time consuming, especially if your systems are dated and the team supporting them have changed often. If your organisation doesn’t know what a particular service or protocol does, it must be tested and analysed. The results from the review of your environment should be black and white “Yes, we need it”, or “No, we don’t need it” answers. Don’t take “I don’t know” for an answer.
- It can be hard to balance the risk between services or protocols you need, that are also outdated and/or vulnerable. This requires a risk discussion between IT and the business to understand what effort is needed to remove the risk or need from the environment.
Legacy systems covers outdated and/or vulnerable systems.
- After you understand what services should be running and what protocols should be used, you can start incorporating standards and automation to manage this control. For example you can create standard build images for your servers to only allow necessary ports and disable all unnecessary services and protocols. You may be able to set automated monitoring to alert when configurations in your environment are changed.