Subcontrol 9.2

[adammontville]

Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

Measures

M1 = List of authorized port
M2 = List of open port(WMI)
MM1 = # of port in (M2 - M1)
M3 = List of authorized protocol
M4 = List of used protocol(log analysis)
MM2 = # of port in (M4 - M3)
M5 = List of authorized service
M6 = List of running service(WMI)
MM3 = # of port in (M6 - M5)

Metrics

Port- False positive rate = MM1 / (total port - count(M1))
Protocol- False positive rate = MM1 / (total protocol - count(M3))
Service- False positive rate = MM3 / (total service - count(M5))

[adammontville]

Comment for Controls Team: Seems like ports and protocols go hand in hand. Segregating them seems counter-intuitive. Also, services may be installed and not running - the conservative approach ensures that only authorized services are installed, even if not running. Clarification here would be good.

Inputs:

• List of authorized ports with validated business need
• List of authorized protocols with validated business need
• List of authorized services with validated business need
• Endpoint inventory

Operations:

• For each endpoint perform the following to build sets of information:
  • Scan for open ports
  • For each open port
  • Test protocol running on that port
  • Enumerate installed services
• Enumerate discovered ports
• Enumerate discovered services
• Determine set of unauthorized ports
• Determine set of unauthorized services

Measures:

• M1 - set of open ports
• M2 - set of unauthorized ports
• M3 - set of discovered services
• M4 - set of unauthorized services
• M5 - set of unexpected protocols discovered on open ports

Metrics:

• M2 / M1 - Ratio of unauthorized ports to open ports
• M4 / M3 - Ratio of unauthorized services to discovered services
• M5 / M1 - Ratio of unexpected protocols discovered on open ports to total number of open ports