Cybersecurity can be complex and challenging, but—in many ways—it can also be fairly simple if you know what to focus on. For example, there are 65,535 different TCP (Transmission Control Protocol) ports and another 65,535 UDP (User Datagram Protocol) ports—which seems like an overwhelming number of ports to monitor and protect. However, according to research in the Alert Logic Critical Watch Report: SMB Threatscape 2019, 65% of the attacks that target ports focus on just three ports.
That’s pretty good news. It should be much easier to defend a mere three ports from attacks than it would be to protect more than 130,000 ports, right?
That is true, but there is also a reason attackers tend to target the three ports they do. Most of the ports are unassigned and available for applications and services to use to communicate across the network, but a number of ports are reserved and designated for specific protocols or services. For example, FTP (File Transfer Protocol) uses ports 20 and 21, and SMTP (Simple Mail Transfer Protocol) uses port 25 by default.
Those ports are frequent targets as well, but the three that rank at the top based on research from Alert Logic are ports 22, 80, and 443. Port 22 is SSH (Secure Shell), port 80 is the standard port for HTTP (Hypertext Transfer Protocol) web traffic, and port 443 is HTTPS (Hypertext Transfer Protocol Secure)—the more secure web traffic protocol. What makes these ports juicy targets is that they are public facing by definition—which makes them an attractive target for gaining access to a network. They’re also often used for transmitting sensitive data.
“As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic. Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities. In addition to these steps, patch and harden any device, software, or service connected to ports to further close off avenues of attack.”
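The guidance quoted above (close unused ports, monitor what is listening) can be checked on a Linux host. The following is an added example, not code from the article or from Alert Logic: it audits the output of `ss -H -tuln` against an allowlist and flags listeners on ports 22, 80, and 443 that are bound to all interfaces. The sample output, the allowlist, and the function names are constructed assumptions.

```python
# Added example: audit listening sockets against an allowlist.
# SAMPLE_SS_OUTPUT is constructed; on a real host, feed in `ss -H -tuln`.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:443             *:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      32           0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 53)}  # assumed site policy
TOP_THREE = {22, 80, 443}                           # ports named in the article
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}     # bound to every interface


def parse_listeners(ss_output):
    """Return (proto, host, port) for each listening socket line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local address is the fifth column; split on the last colon so
        # IPv6 forms such as [::]:22 keep their host part intact.
        host, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        host = host.split("%", 1)[0]  # drop an interface suffix like %lo
        listeners.append((fields[0], host, int(port)))
    return listeners


def audit(ss_output, allowed=ALLOWED):
    """Flag listeners outside the allowlist and exposed top-three ports."""
    findings = []
    for proto, host, port in parse_listeners(ss_output):
        if (proto, port) not in allowed:
            findings.append((proto, host, port, "not in allowlist: close or justify"))
        elif proto == "tcp" and port in TOP_THREE and host in WILDCARD_HOSTS:
            findings.append((proto, host, port, "public-facing: patch, harden, monitor"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print(*finding)
```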