We Can’t Say We Weren’t Warned
Earlier this year the Department of Homeland Security (DHS) issued an emergency directive to federal agencies and branches instructing them to implement a number of security measures to prevent attacks on the DNS systems supporting those agencies' online operations. DHS took this step because of the evidence they were finding of concerted attempts by foreign entities to hijack the domain accounts of federal agencies.
On February 21, the Internet Corporation for Assigned Names and Numbers (ICANN) called for “full DNSSEC deployment” and released a checklist of recommended DNS security actions. ICANN is the body ultimately responsible for much of the governance of DNS and surrounding core internet technologies, most importantly the root DNS servers and TLDs, so this is significant.
Why the sudden urgency around DNS security?
DNS offers a very attractive attack target for several reasons:
- The DNS “attack surface” is very broad. There are many ways for attackers to compromise the DNS system – via registrars, access to zone files, or via numerous means of hijacking and man-in-the-middle attacks.
- DNS is a very rich target – a successful attack can deliver unrestricted access to networks and data as well as provide potential for extreme disruption to critical systems.
- DNS is often poorly protected. Most enterprises, non-profits and governmental agencies have not put a lot of focus on securing DNS. This may be due to DNS not being very visible (“it just works”) and that relatively few people in an IT shop actually work with it.
When you put these factors together it adds up to a very favorable alignment of the stars for an attacker. That presumably is why DHS is seeing heightened activity in terms of attacks on DNS and why DHS and ICANN are sounding the alarm in no uncertain terms.
What’s the Hesitation Around Implementing DNSSEC?
As things stand, only a small percentage of enterprises have implemented DNSSEC.
One reason is that DNSSEC can be hard to implement and doing so typically “breaks” other features in DNS that companies rely on (like geo-routing and active failover). Additionally, DNSSEC can’t be used in conjunction with redundant (dual-provider) DNS. So for many companies, DNSSEC can be one step forward, two steps back in that they gain in data integrity, but lose out on uptime availability.
DNSSEC: Part of Any Modern Enterprise Security Posture
Look at it this way: if an organization falls prey to an attack that DNSSEC could have prevented, the public will not understand the nuances that kept your brand from protecting users and their private data.
According to the 2018 Verizon Data Breach Investigations Report (DBIR), personal information as a preferred target for cyber attacks continues its upward trajectory.
The DBIR also highlights that, of the breaches surveyed, 21% resulted from “any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms.”
Another report, by cybersecurity firm FireEye in January, identified a wave of DNS hijackings that “affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.”
What Can You Do Right Now?
Next-generation DNS implements all the practices recommended by DHS and ICANN, and provides the administrative security controls recommended by DHS to prevent unauthorized access to the zone files and DNS control settings. These include:
- Single sign-on
- Two-factor authentication
- Strong password enforcement
- Session time outs
- Activity logging, and
- Role-based access controls (RBAC)
At NS1, we’ve removed some of the obvious barriers that prevent customers from implementing what have been more complex, but necessary, security measures. Customers don’t have to give up anything when enabling DNSSEC on our platform: there’s no loss of traffic management functionality, no performance impact, and with Dedicated DNS we provide the industry’s only redundant DNS solution that supports DNSSEC with full traffic management.
So, we’ve been warned, but where do we go next? DNS ecosystem vendors who do not have turnkey DNSSEC capabilities that work with all other features of their platforms could see pressure from enterprises and other DNS players (recursive, IETF/ICANN, etc).
ICANN is an organization that thinks in decades, so the immediacy of the language in its announcement is telling -- ICANN believes it is critical for the ecosystem, industry, and consumers of domain infrastructure to take urgent action to ensure DNSSEC signing of all unsigned domains.
Any enterprises that are potential targets -- especially organizations that capture or expose user/enterprise data through their applications -- will see increasing pressure to implement security best-practices or risk compromise. Organizations should audit the ICANN checklist in partnership with their security teams and vendors.