Traditionally, conversations about security have treated it as almost a ‘nice to have’: a box that needs ticking for compliance or to satisfy supply chain demands.
Things are changing though, and more organizations are realizing that securing your business isn’t just about keeping data and applications safe, but that a well-thought-out cybersecurity posture can be a key driver, and even partner, in business success.
Security Isn’t A Zero Sum Game
It’s always better to have comprehensive protection, that’s a no-brainer, but building a modern security posture isn’t a matter of all or nothing. Let’s look at data security as an example. If you suffer a breach -- and it’s more likely than not that you will -- and you’ve not implemented any safeguards, that’s just plain negligent. However, if you’ve put in place checks and balances to help mitigate security incidents, that’s already more than what many other organizations are doing, and a great foundation to build on.
The key here is threat intelligence -- understanding the threats out there and knowing what tools you can implement to build barriers to attacks -- and knowing that any start is better than doing nothing at all.
Crafting A Modern Cybersecurity Posture: A Considered Approach
Ok, so there’s no shortage of security vendors and options out there. You’ve got your data security, application security, analytics, and reporting specialists… some rely on AI, some take the machine learning approach more seriously, others make use of crowdsourced security detection, and others combine them all. The cybersecurity landscape is evolving -- and rightly so -- to meet the growing complexity and diversity of threats facing organizations.
It’s important for businesses to take a step back, look at their trajectory, shifting priorities and unique challenges, and decide which security solutions best suit their needs. Many overlook a key element essential for a modern cybersecurity posture: DNS security.
Established Tech, Growing Target
DNS plays a critical role in our digital culture. What began as a simple ‘phone book’ routing requests to websites now touches almost every application and activity connected to the sprawl of clouds, data centers, content delivery networks (CDNs) and devices.
Authoritative DNS’ ubiquity and critical position in application infrastructure, however, make it both a prime target for attackers and an opportunity to dodge downtime and defend against threats.
According to DarkReading, the average cost of a DNS attack globally surged 57% from 2017 to $715,000 in 2018. During that time, organizations faced an average of seven DNS attacks. These attacks can take a host of forms and serve different objectives. Some, such as DDoS, are designed to make DNS unavailable. Others, like cache poisoning, misdirect users to malicious websites, while others are designed to use DNS as a vector for stealing private data.
DNSSEC Key to A Modern Cybersecurity Posture
In an earlier article, we spoke about the Department of Homeland Security (DHS) issuing an emergency directive to federal agencies and branches, instructing them to implement a number of security measures to prevent attacks on the DNS systems supporting those agencies' online operations.
Not long after, the Internet Corporation for Assigned Names and Numbers (ICANN) called for “full DNSSEC deployment” and released a checklist of recommended DNS security actions. ICANN is the body ultimately responsible for much of the governance of DNS and surrounding core internet technologies, most importantly the root DNS servers and TLDs.
The decision by DHS and ICANN's announcement, to be honest, aren’t all that surprising. DNS offers a very attractive attack target. Here’s why:
- The DNS “attack surface” is broad. Attackers can compromise the DNS system via registrars, access to zone files, or through numerous means of hijacking and man-in-the-middle attacks.
- DNS is a rich target – a successful attack can deliver unrestricted access to networks and data as well as provide the potential for extreme disruption to critical systems.
- DNS is often poorly protected. Most organizations haven’t put a lot of work into securing their DNS.
Implementing DNSSEC Right Now
Next-generation DNS implements all the practices recommended by DHS and ICANN, and provides the administrative security controls recommended by DHS to prevent unauthorized access to the zone files and DNS control settings:
- Single sign-on
- Two-factor authentication
- Strong password enforcement
- Session timeouts
- Activity logging, and
- Role-based access controls (RBAC)
Additionally, some DNS vendors offering DNSSEC have removed obvious barriers that prevent businesses from implementing what have been more complex but necessary security measures. Organizations shouldn’t have to give up performance when enabling DNSSEC: that means not compromising on traffic management functionality, and no performance impact. If you’d like to take it a step further, look into dedicated DNS, a redundant DNS solution that also supports DNSSEC.
At the end of the day, all organizations -- especially those that capture or expose user/enterprise data through their applications -- are at risk from cyber attacks. Analyze your needs and your exposure to potential attacks, and start crafting a modern cybersecurity posture that aligns with your business goals.