9.3: Perform Regular Automated Port Scans

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

Asset Type	Security Function	Implementation Groups
Devices	Detect	2, 3

Dependencies

Enumerate endpoints and identify port scanning software
Calculate measures M1 - M6 for each port scanning software, tracking endpoints covered
Enumerate set of endpoints covered by port scanning software
Compare enumeration of covered endpoints against the list of all endpoints to identify those endpoints that are not covered

M1 (the average of port scans) = SUM from i=1..N ( t(i+1) - t(i) ) / N
M2 (Regularity Measure of Port Scan) = (SUM from i=1..N ( (t(i+1) - t(i) - M1)^2 / N ) / M
M3 (Threshold-based Regularity Measure of Port Scan) = (SUM from i=1..N ( ( t(i+1) - t(i) - T )^2 / N ) / M
M4 (The Probability of detecting an anomaly in port scans) = D / L
M5 = Count of alerts received due to unauthorized ports
M6 = Count of unauthorized ports
M7 = List of endpoints covered by port scanning tools
M8 = List of endpoints not covered by port scanning tools
M9 = Count of endpoints covered by port scanning tools
M10 = Count of endpoints

Metric	Quality of review is high if and only if the review is highly regular and the potential for detecting anomalies (at least one per review) is also high.
Calculation	`(1 - M2) * M4` or (if M3) `(1 - M3) * M4`

Metric	Ratio of unauthorized ports reported
Calculation	`M5 / M6`

Metric	Ratio of covered endpoints to the total number of endpoints
Calculation	`M9 / M10`