Do you regularly check that only intended services are exposed to the internet (open ports / listening services)?
Demonstrate that the organization performs regular scans of internet-facing assets to detect open ports and listening services, maintains a documented baseline of authorized exposures, and remediates unauthorized services within defined timeframes.
Description
What this control does
This control ensures that organizations maintain visibility into internet-exposed services by regularly scanning external-facing IP addresses to identify open ports and active listening services, comparing findings against an authorized baseline, and remediating unauthorized exposures. The process involves automated scanning tools, manual verification, and documented change control workflows to prevent unintended attack surface expansion. Regular checks reduce the window of opportunity for attackers to discover and exploit services that were inadvertently exposed through misconfigurations, shadow IT deployments, or incomplete decommissioning processes.
Control objective
What auditing this proves
Demonstrate that the organization performs regular scans of internet-facing assets to detect open ports and listening services, maintains a documented baseline of authorized exposures, and remediates unauthorized services within defined timeframes.
Associated risks
Risks this control addresses
- Unauthorized services exposed to the internet providing entry points for network exploitation and lateral movement
- Legacy or forgotten services remaining accessible after projects conclude, containing unpatched vulnerabilities
- Administrative interfaces (SSH, RDP, database management) exposed without proper access controls or multi-factor authentication
- Shadow IT deployments that bypass security review, creating unmonitored attack vectors
- Development or test environments inadvertently exposed, containing debug interfaces, weak credentials, or sensitive data
- Port sprawl and service confusion enabling attackers to identify technology stacks and target known vulnerabilities
- Misconfigured cloud security groups or firewall rules allowing broader access than intended for business services
Testing procedure
How an auditor verifies this control
- Obtain the organization's internet-facing IP address inventory and documented baseline of authorized internet-exposed services including hostnames, IP addresses, ports, protocols, and business justifications.
- Review the documented policy or procedure governing frequency, scope, tooling, and remediation requirements for external port scanning activities.
- Obtain evidence of scheduled scanning activities over the most recent 90-day period, including scan reports, timestamps, scanner configurations, and scan targets.
- Select a representative sample of external IP addresses from the inventory and independently perform port scans using standard tools (e.g., nmap, Nessus, or commercial external attack surface management platforms) to validate current exposed services.
- Compare independent scan results against the organization's most recent authorized baseline to identify any discrepancies, unauthorized services, or unrecognized open ports.
- Review the organization's issue tracking system for tickets generated from port scanning findings, examining detection dates, severity classifications, assigned owners, and closure evidence.
- Verify that remediation timelines align with documented policy requirements, selecting a sample of closed findings to confirm services were actually disabled or properly authorized and documented.
- Interview the team responsible for scanning activities to confirm escalation procedures, exception approval workflows, and coordination with change management for authorized service deployments.
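As an added worked example (not part of this control text or any particular tool), the baseline comparison from the fourth and fifth testing steps above: parse a constructed sample of nmap grepable output (-oG) and diff the open ports against a constructed authorized baseline, reporting both unauthorized exposures and baseline entries that are no longer observed.

```python
"""Compare an external port scan against the documented baseline of authorized exposures."""

# Constructed sample baseline: (ip, port, protocol) -> business justification.
BASELINE = {
    ("203.0.113.10", 22, "tcp"): "Bastion SSH, MFA enforced",
    ("203.0.113.10", 443, "tcp"): "Public web front end",
    ("203.0.113.20", 443, "tcp"): "Customer API",
    ("203.0.113.30", 25, "tcp"): "Legacy mail relay (project closed)",
}

# Constructed sample of nmap grepable output (-oG) for the same address range.
SCAN_OUTPUT = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.20 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.30 ()\tPorts: 25/closed/tcp//smtp///\tIgnored State: filtered (999)\n"
)


def parse_grepable(text):
    """Return the set of (ip, port, protocol) tuples that nmap reported as open."""
    exposed = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and hosts without a port table
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Each -oG port entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                exposed.add((ip, int(fields[0]), fields[2]))
    return exposed


def compare_to_baseline(observed, baseline):
    """Return (unauthorized, stale): open services missing from the baseline,
    and baseline entries the scan no longer sees (candidates for baseline cleanup)."""
    unauthorized = observed - set(baseline)
    stale = set(baseline) - observed
    return unauthorized, stale


if __name__ == "__main__":
    unauthorized, stale = compare_to_baseline(parse_grepable(SCAN_OUTPUT), BASELINE)
    for ip, port, proto in sorted(unauthorized):
        print(f"UNAUTHORIZED {ip}:{port}/{proto} - open a remediation ticket")
    for ip, port, proto in sorted(stale):
        reason = BASELINE[(ip, port, proto)]
        print(f"STALE BASELINE {ip}:{port}/{proto} ({reason}) - confirm decommissioned, update baseline")
```

In the sample, RDP on 203.0.113.20 surfaces as an unauthorized exposure, while the closed mail-relay port on 203.0.113.30 shows the baseline itself is out of date.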