DNS Security – What Every CIO Should Do
Domain name system security is entering mainstream thinking. The recent signing of the DNS root zone with DNSSEC garnered media attention at every level from the specialist technology press and top-selling national newspapers all the way down to local small-town outlets. Meanwhile, governments worldwide, aware of how much of their national economies depend on a smoothly running Internet, are becoming increasingly interested in ensuring its critical infrastructure is as secure and reliable as it can possibly be; at the United Nations Internet Governance Forum earlier this month, in which I participated, one of the predominant themes was the ongoing security and stability of the Internet.
This level of interest is not always reflected in thinking among corporate CIOs, however. The security of an organization’s critical DNS is still often overlooked, despite the obvious fact that it is arguably one of the most vital pieces of infrastructure, the piece that ties all the other pieces together. Companies may spend millions creating and promoting their brand in the offline world, forgetting that on the Internet their domain name is their brand. It’s often the case that it is only after a company’s DNS has come under attack, or after it has suffered downtime with a non-malicious cause, that CIOs start thinking about DNS strategically.
There are a number of ways an organization’s domain name and associated DNS infrastructure can be compromised. A domain can be stolen outright. It can also have its performance impaired by denial-of-service attacks, or traffic to the address can be stolen via man-in-the-middle vulnerabilities. Like all digital assets that rely upon software, it is only as secure as the platform on which it functions. These platforms are vulnerable to code exploits and poor configuration choices. Finally, it also runs the risk of being compromised by human error.
Employee education can mitigate risk. When a domain name is hijacked, it’s usually at least partly due to human error. Many times employees fall for sophisticated (or otherwise) social engineering attacks designed to uncover passwords and other confidential information. Phishing attacks, keystroke loggers and other types of malware all have the potential to compromise sensitive information that can lead to the loss of a domain name, or ensure that your employee’s computer is subsumed into a botnet. The most recent case of this is the “Here you Have” virus that is reported to have accounted for more than 42 billion individual spam messages. Even non-malicious software applications, such as peer-to-peer file-sharing clients, can represent a data leakage risk if poorly configured.
Employees in positions of authority over critical resources need to be made aware of these risks. Clicking on links to suspicious websites, downloading attachments from unknown sources, and installing unauthorized applications, should all be actively discouraged within a security-conscious enterprise. This advice may seem old, but it is surprising just how many breaches are still caused by oversights by employees who should know better. Only last year a government defense contractor reportedly inadvertently leaked the blueprints to Marine One, the President’s helicopter, to Iran, due to P2P file-sharing software installed on a laptop. Training is of course only one of several corporate policies that organizations need to establish in order to mitigate the risks, or effects, of a security breach or period of downtime.
Arguably the greatest threat today to the security of a domain name – and the associated brand – is distributed denial of service attacks. The DDoS problem is increasing in large part due to the growing “provisioning gap” between attackers and defenders. As botnet operators and their tools become more sophisticated, and the amount of bandwidth available to them increases in-step with the roll-out of high-speed residential broadband, it becomes increasingly difficult to defend against their attacks. The costs associated with quickly building out a powerful botnet are negligible compared to the costs required to adequately provision a defense.
This is a real concern. A DDoS attack of sufficient ferocity on DNS servers can not only substantially disrupt a company’s ability to do business online – hurting revenue and brand equity – it can also severely impact employee productivity. The latter concern will only grow as more and more organizations begin to rely on cloud-hosted productivity tools and business applications, which are of course accessed using DNS.
Can You Survive a Massive Cyber-Attack?
Organizations also need to provision for how they will handle the eventuality of a DDoS attack. Policies should be created dealing with how responses are escalated, how to most effectively cooperate with providers to have the attack blocked, and how to most efficiently employ failover systems. In many cases, there will be crossover with disaster recovery plans designed for non-DDoS scenarios, such as power outages or natural disasters.
Information security policies also need to address the vulnerability profiles of Internet-facing infrastructure. Popular DNS software makes fertile hunting ground for bug-hunters, leading to the necessity for regular upgrades. Name servers should be incorporated into existing patching regimes with just as high a priority as any other critical system. Due to the fact that poorly configured DNS software also represents a vulnerability, CIOs should ensure that their name servers a are configured according to current best security practices – for example by ensuring authoritative name servers do not also act as recursive servers.
In summary, improving security is not always a purely technological problem; often, the impact of security events can be mitigated, or the risk of them occurring at least reduced, by addressing the people and policy parts of the equation. When it comes to critical infrastructure such as DNS, the first step for CIOs is recognizing the fact that a company’s domain name is not only the online ambassador for its brand, but also the glue that holds the whole Internet-based business together. From there, the appropriate strategic decisions will surely follow.
Tags: DNS Security, Domain Name Security, Securing DNS, Security Infrastructure, DDoS Attacks, CIO
