Bad actors are constantly trying to find ways to penetrate our networks. Recent attacks at LabCorp and the City of Atlanta demonstrate, however, that we are putting the welcome mat out for hackers by leaving key network ports open. This article discusses the severity of this problem, and what we can do to reduce or eliminate it. Credit: Thinkstock Those of us in healthcare are reeling from the recent ransomware attack at LabCorp. The company, one of the largest medical testing companies in the world, confirmed that a known group of bad actors penetrated their network late on a Friday night via an exposed RDP port, and infected more than 30,000 systems with SamSam ransomware. LabCorp deserves some kudos, given reports that they had the attack contained in less than 50 minutes, which is quite amazing, if true. Kudos notwithstanding, however, why did they allow their network to be penetrated in the first place?If the attach had been due to a zero day vulnerability, or some brand new technique, I would cut them more slack. Instead, this was a well-known ransomware infection technique. Anyone remember the City of Atlanta attack, which was nearly identical to the LabCorp infection?The basic problem here is a known, very common, attack scenario, which could have easily been prevented by LabCorp, the City of Atlanta, or any of the many other victims, by closing or properly securing any RDP ports exposed to the Internet. It seems that many have fallen victim to open RDP ports, however, since the BitCoin income wallet for the SamSam bad actors has exceeded $6 million to date.While we don’t yet have all of the details, I find it unlikely that they had never heard of SamSam ransomware, or how infections with it happen. Given how fast their Security Operations Center responded, they clearly care about security. I am quite confident they have good firewalls capable of blocking RDP traffic. That only leaves two alternatives: they didn’t know about the open port, or they knew and allowed it. I find no comfort in either of those explanations. It is imperative that any organization know what ports and services are open on their network perimeter. There is no valid reason not to know this. Scanning an address space for open ports could be easily handled by a second-year college student.This incident should serve as a good reminder to you to check your network. Once you know what is open on the network, it is also critical that you not assume you are good today because you were last week. It is all too easy to open a port on the network. This is usually done as a “temporary” measure by a well-intentioned person who plans to close it again shortly, but never quite gets around to it. The real issue here is the lack of ongoing diligence about ways a bad actor can penetrate a network perimeter. Having a good, ongoing monitoring program has a number of challenges, including:It is too easy to open a new portIn many cases, far too many people at a company have firewall access. Even when access is properly restricted, many network teams don’t require formal approvals before openingNetwork changes can result in a device being outside of the firewallIn the normal course of network maintenance, it is not uncommon for a device that was inside the firewall to suddenly be exposed via a network change. At times this is accidental, but other times it is well intentioned.Despite these challenges, it is essential to stay on top of open network ports. If you don’t, sooner or later, a bad actor will find one and use it to launch a successful attack. If you are not convinced, consider the fact that with tools such as Zmap and Masscan, it is possible using an network connection and PC to scan the entire 3.7 million IPv4 routable address space in less than 24 hours. With faster speeds and multiple systems being used, a bad actor could, in theory, track your open ports from day to day, looking for changes they can use for their purposes.Managing open ports is much easier for you than the bad guys, because you have many fewer addresses to monitor. The secret, however, is to do the work needed to monitor your network ports, frequently. The following are some suggestions:Document your networkIt is important to keep records of your network configuration, firewall settings, and open addresses and ports. Such a record facilitates tracking of configuration changes from week to week. Further, this documentation his a requirement of various compliance standards, including PCI DSS (sections 1.1.2 and 1.1.3). Restrict and control changesLimit changes to the smallest number of individuals possible, and do not give others the privilege to make such changes. Use a formal change management process to track, approve, and document changes.Scan and scan againTools are readily available to allow you to scan your public address range for open ports, so there is no reason not to do this regularly. You can use an open-source tool such as NMAP for this purpose, or a paid service like Qualys.Perform regular penetration testsA penetration test involves having someone, usually an outside expert, attempt to find openings on your network. Such a test is usually valuable, since the tester has the same knowledge (or lack thereof) about your network as a bad actor would. The penetration tester identifies gaps in your network, so you can close them before someone can take advantage of them. I have seen a good penetration tester find a small opening in a network, and pivot through various systems, until they ended up with administrative privileges. A good penetration tester can be of tremendous value in keeping your network secure.Monitor your log entriesAn outsider unfamiliar with your network often uses a trial and error process to look for gaps that can be exploited. If you maintain good logs which you can easily monitor, you can often spot and block penetration attempts while they are happening. A good Security and Incident Management System (SIEM) can help automate this process, and can generate alerts when such attempts are spotting, saving personnel time. Bottom line — Many of us in the information security industry spend our days finding ways to keep the bad guys out. Unfortunately, some organizations choose to lay out the welcome mat for them and will usually pay the price. It’s time to pull up the mat and replace it with solid and consistent cyber security practices. Related content opinion 5 steps to simple role-based access control RBAC is the idea of assigning system access to users based on their role in an organization. It's important to remember that not every employee needs a starring role. By Robert Covington Jan 02, 2019 6 mins Regulation Access Control Internet Security opinion Cyber security relics: 4 older technologies still plaguing the infosec world Understanding the issues of the past can help us be better equipped to deal with seemingly new issues in the present. By Robert Covington Nov 02, 2018 4 mins Social Engineering Android Vulnerabilities opinion 5 cyber security basics you can't afford to ignore Don't underestimate the impact of good cyber security housekeeping for preventing a successful attack. By Robert Covington Sep 20, 2018 5 mins Asset Management Software Network Security Security opinion Cybersecurity operations: Don't wait for the alert An SOC is a useful part of our cybersecurity arsenal, but its main benefit will be in helping to minimize damage from an issue that has already happened. A strong investigative team, on the other hand, can help to identify and resolve issues before t By Robert Covington Jul 16, 2018 5 mins Application Security Cloud Security Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe