Cybersecurity can be complex and challenging, but—in many ways—it can also be fairly simple if you know what to focus on. For example, there are 65,535 different TCP (Transmission Control Protocol) ports and another 65,535 UDP (User Datagram Protocol) ports—which seems like an overwhelming number of ports to monitor and protect. However, according to research in the Alert Logic Critical Watch Report: SMB Threatscape 2019, 65% of the attacks that target ports focus on just three ports.
Popular TCP Ports for Cyber Attacks
That’s pretty good news. It should be much easier to defend a mere three ports from attacks than it would be to protect more than 130,000 ports, right?
That is true, but there is also a reason attackers tend to target the three ports they do. Most of the ports are unassigned and available for applications and services to use to communicate across the network, but a number of ports are reserved and designated for specific protocols or services. For example, FTP (File Transfer Protocol) uses ports 20 and 21, and SMTP (Simple Mail Transfer Protocol) uses port 25 by default.
Those ports are frequent targets as well, but the three that rank at the top based on research from Alert Logic are ports 22, 80, and 443. Port 22 is SSH (Secure Shell), port 80 is the standard port for HTTP (Hypertext Transfer Protocol) web traffic, and port 443 is HTTPS (Hypertext Transfer Protocol Secure), which is HTTP carried over TLS. What makes these ports juicy targets is that they are public-facing by design: they exist to accept connections from the internet, which makes them an attractive way in to a network. They are also often used to carry sensitive data.
Switching Things Up with a New Port
Most cyber attacks are automated to some extent. Cybercriminals rely on port scanners to scour the internet for ports exposed to the public internet that could serve as a viable attack vector. Much of cybersecurity is also a game of cat-and-mouse: attackers pay attention to the trends and techniques used by defenders and develop new tools and strategies to avoid or bypass those defenses.
Alert Logic researchers identified one example of this evolving threat landscape, noting that the recent Microsoft BlueKeep exploits target the fourth most popular port: RDP (Remote Desktop Protocol) on TCP port 3389.
Alert Logic Critical Watch Report: SMB Threatscape 2019
The report from Alert Logic provides some best practice recommendations to help organizations strengthen their cybersecurity posture:
“As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic. Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities. In addition to these steps, patch and harden any device, software, or service connected to ports to further close off avenues of attack.”
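One way to put the first two recommendations into practice on a Linux host is to compare what is actually listening with what the host's role says should be listening. The script below is an added example, not code from the Alert Logic report: it parses the output format of `ss -tuln`, ignores sockets bound only to loopback (they are not reachable from the network), reports any network-reachable listener that is not on a hypothetical per-role allowlist, and separately flags allowlisted services on the ports the report singles out (22, 80, 443 and 3389) so they are first in line for patching and hardening. The `ss` output and the web-server allowlist are constructed for the example.

```python
"""Audit a host's listening sockets against an allowlist of expected services.

Added example (not from the Alert Logic report). Parses `ss -tuln`-style
output, drops loopback-only sockets, and reports:
  - UNEXPECTED: network-reachable listeners not on the role allowlist
  - HIGH_INTEREST: allowlisted listeners on the ports the report highlights
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports the report names as most frequently attacked (22, 80, 443) plus the
# RDP port (3389) it mentions in connection with BlueKeep.
HIGH_INTEREST_PORTS = {22, 80, 443, 3389}

# Hypothetical policy for a web-server role: only these (protocol, port)
# pairs should accept connections from other hosts.
WEB_SERVER_ALLOWLIST = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Constructed sample modelled on `ss -tuln` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128               0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511               0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511                  [::]:443          [::]:*
tcp   LISTEN 0      128             127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128               0.0.0.0:3389      0.0.0.0:*
tcp   LISTEN 0      128                  [::]:9200          [::]:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def network_reachable(self) -> bool:
        # A socket bound to loopback cannot be reached from another host, so
        # it is not part of the exposed attack surface even if unexpected.
        return not self.addr.startswith(LOOPBACK_PREFIXES)


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tuln` text into Listener records (header line is skipped)."""
    listeners: list[Listener] = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # Local address looks like 0.0.0.0:22, [::]:443 or 127.0.0.53%lo:53;
        # the port is everything after the last colon.
        addr, _, port = local.rpartition(":")
        if "%" in addr and not addr.startswith("["):
            addr = addr.split("%")[0]  # drop an interface scope such as %lo
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit(listeners: list[Listener],
          allowlist: set[tuple[str, int]]) -> list[tuple[str, Listener]]:
    """Classify network-reachable listeners against the role allowlist."""
    findings: list[tuple[str, Listener]] = []
    for lst in listeners:
        if not lst.network_reachable:
            continue
        if (lst.proto, lst.port) not in allowlist:
            findings.append(("UNEXPECTED", lst))
        elif lst.port in HIGH_INTEREST_PORTS:
            findings.append(("HIGH_INTEREST", lst))
    return findings


if __name__ == "__main__":
    for kind, lst in audit(parse_ss(SAMPLE_SS_OUTPUT), WEB_SERVER_ALLOWLIST):
        print(f"{kind:14} {lst.proto}/{lst.port} bound to {lst.addr}")
```

On the constructed sample this reports 3389 and 9200 as unexpected network-reachable listeners to close or firewall, and lists 22, 80 and 443 as allowlisted services that still need patching and hardening attention. To run it against a live host, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -tuln` and the allowlist with the set of services that host is supposed to offer.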
For more details about how attackers target these popular, public-facing TCP ports, and other key takeaways related to the small and medium business attack surface and how to defend effectively against an expanding threat landscape, check out the complete Alert Logic Critical Watch Report: SMB Threatscape 2019.