When did you last scan your external attack surface (exposed ports, RDP, services, leaked credentials)?
Description
What this control does
This control requires organizations to conduct regular, automated or manual scanning of their internet-facing assets to identify exposed services, open ports, remote access endpoints (such as RDP), misconfigured services, and leaked or compromised credentials available in public breach databases or dark web repositories. The scan results establish a baseline of the external attack surface and identify high-risk exposures before attackers exploit them. Timely scanning—ideally continuous or at minimum monthly—enables security teams to detect and remediate vulnerabilities, misconfigurations, and credential exposures that could lead to unauthorized access.
Control objective
What auditing this proves
Demonstrate that the organization systematically scans its external attack surface within defined intervals to identify exposed ports, remote access services, vulnerable endpoints, and leaked credentials, and that findings are documented and acted upon.
Associated risks
Risks this control addresses
- Attackers identify and exploit exposed RDP or SSH services with weak or default credentials to gain initial access
- Threat actors enumerate open ports and services to map the attack surface and target vulnerable or unpatched software
- Leaked or compromised employee credentials found in breach databases enable unauthorized access to corporate systems
- Misconfigured cloud storage, APIs, or administrative interfaces remain publicly accessible without detection
- Shadow IT or orphaned infrastructure exposes unmonitored entry points that bypass traditional perimeter defenses
- Prolonged intervals between scans allow new vulnerabilities or misconfigurations to persist undetected, increasing dwell time for attackers
- Lack of credential monitoring permits attackers to leverage valid credentials sold or shared on dark web forums
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's external attack surface scanning policy, including defined scan frequency, scope of assets, and responsible parties.
- Request the most recent external scan reports covering the last 90 days, including port scans, service enumeration, and credential leak monitoring results.
- Verify that scanning tools or services (commercial or open-source) are configured to target all known external IP ranges, domains, and cloud-hosted assets.
- Confirm that scans specifically identify high-risk services such as RDP (port 3389), SSH (port 22), Telnet, SMB, and any exposed administrative interfaces.
- Review evidence of credential monitoring through breach databases (e.g., Have I Been Pwned API, dark web monitoring services) and verify the last scan date.
- Select a sample of critical or high-severity findings from recent scans and trace remediation actions through ticketing systems or change records.
- Interview the security operations or vulnerability management team to confirm scan frequency, escalation procedures, and integration with asset inventory.
- Validate that scanning cadence meets or exceeds the organization's defined policy (e.g., continuous, weekly, or monthly) and that no gaps exceed the tolerance threshold.
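The cadence and findings checks in the testing procedure can be automated over an exported scan history. The following is an added example (not part of the original control text or any particular scanning product): it assumes a hypothetical JSON export with one record per scan run, flags the high-risk services named above (Telnet and SMB mapped to their well-known ports 23 and 445 as an assumption), reports scan intervals that exceed the policy tolerance, and separates exposures that were remediated from those still open in the latest scan.

```python
import json
from datetime import datetime, timedelta

# High-risk services the auditor looks for; port numbers are the well-known
# defaults (assumption for this example, not a value from the control text).
HIGH_RISK_PORTS = {3389: "RDP", 22: "SSH", 23: "Telnet", 445: "SMB"}

# Constructed sample scan export (hypothetical format), three monthly-ish runs.
SAMPLE_SCANS = json.loads("""[
 {"scanned_at": "2024-01-05T02:00:00",
  "hosts": {"203.0.113.10": [443, 3389], "203.0.113.20": [22]}},
 {"scanned_at": "2024-02-03T02:00:00",
  "hosts": {"203.0.113.10": [443], "203.0.113.20": [22, 445]}},
 {"scanned_at": "2024-03-20T02:00:00",
  "hosts": {"203.0.113.10": [443], "203.0.113.20": [22]}}
]""")

def parse_scans(records):
    """Return a list of (timestamp, {host: [ports]}) sorted by scan time."""
    runs = [(datetime.fromisoformat(r["scanned_at"]), r["hosts"]) for r in records]
    return sorted(runs, key=lambda r: r[0])

def high_risk_exposures(hosts):
    """Map each host to the high-risk services it exposes; hosts with none are omitted."""
    return {h: [HIGH_RISK_PORTS[p] for p in ports if p in HIGH_RISK_PORTS]
            for h, ports in hosts.items() if any(p in HIGH_RISK_PORTS for p in ports)}

def cadence_gaps(runs, max_gap_days):
    """Return (from, to, days) for consecutive scans spaced wider than the policy allows."""
    gaps = []
    for (t0, _), (t1, _) in zip(runs, runs[1:]):
        gap = t1 - t0
        if gap > timedelta(days=max_gap_days):
            gaps.append((t0.date().isoformat(), t1.date().isoformat(), gap.days))
    return gaps

def finding_status(runs):
    """Split high-risk (host, service) findings into those closed before the
    latest scan and those still open, with the days since each was first seen."""
    first_seen = {}
    for ts, hosts in runs:
        for host, services in high_risk_exposures(hosts).items():
            for svc in services:
                first_seen.setdefault((host, svc), ts)
    latest_ts, latest_hosts = runs[-1]
    still_open = {(host, svc) for host, services in high_risk_exposures(latest_hosts).items()
                  for svc in services}
    closed = set(first_seen) - still_open
    open_age_days = {k: (latest_ts - first_seen[k]).days for k in still_open}
    return closed, open_age_days
```

With a 30-day tolerance the sample history shows one cadence gap (46 days) and one exposure, SSH on 203.0.113.20, open for 75 days, which is what the auditor would trace to a ticket or accepted-risk record.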