The Domain Name System (DNS) is the cornerstone of communication for the internet. Navigating to the sites you access every day often starts with a DNS request. Cybercriminals recognize the value of DNS and may look for ways to abuse improperly secured DNS to compromise its uptime, integrity or overall response efficacy—which makes DNS an important area for enforcing security and protecting against threats.
To establish connectivity with other users and devices, almost anything that interfaces with the internet depends on the accuracy, integrity and availability of the Domain Name System (DNS). Most online transactions and data movement are critically dependent on DNS services.
As such, DNS is an important point of security enforcement and a potential point in the Cyber Kill Chain for many cyber-attacks. Organizations are beginning to recognize this and are using DNS security mechanisms as a first line of defense for preventing or mitigating online threats.
On Nov. 30 and Dec. 1, 2015, some of the Internet’s Domain Name System (DNS) root name servers received large amounts of anomalous traffic. Last week the root server operators published a report on the incident. In the interest of further transparency, I’d like to take this opportunity to share Verisign’s perspective, including how we identify, handle and react, as necessary, to events such as this.
The Domain Name System (DNS) offers ways to significantly strengthen the security of Internet applications via a new protocol called the DNS-based Authentication of Named Entities (DANE). One problem it helps to solve is how to easily find keys for end users and systems in a secure and scalable manner. It can also help to address well-known vulnerabilities in the public Certification Authority (CA) model. Applications today need to trust a large number of global CAs. There are no scoping or naming constraints for these CAs – each one can issue certificates for any server or client on the Internet, so the weakest CA can compromise the security of the whole system. As described later in this article, DANE can address this vulnerability.
With the biggest shopping season just around the corner, it is more important than ever that your website is available and consumers can find it. As companies add eye-catching images, social share buttons and attractive promotions to grab consumers’ attention, they may also inadvertently be slowing down their website.
For consumers who are increasingly impatient and expect a website to load within two seconds or less, the majority will quickly abandon a slow-loading page along with their shopping cart, resulting in lost revenue. With so many potential problems to slow down your site, the domain name system (DNS) doesn’t have to be one of them.
What is DNS?
DNS is the Internet’s equivalent to a phone book. It maintains a directory of domain names and translates them to their respective Internet Protocol (IP) addresses, enabling the end user to access a desired Web page. Any disruption to the DNS during the holiday season can be disastrous for retailers.
“DNS is the Achilles’ heel of the Web, often forgotten, and its impact on website performance is ignored until it breaks down,” explains Mehdi Daoudi, CEO of Web performance monitoring firm Catchpoint. However, it doesn’t have to be.
Security professionals agree that a strong security posture is one that is implemented in a layered approach. This layered approach is also referred to as “defense-in-depth.” A defense-in-depth strategy consists of applying security mechanisms across your organization to ensure sufficient coverage against the wide variety of cyber threats.
A comprehensive defense-in-depth strategy requires security mechanisms to be applied through the implementation of hardware, software and security policies. Hardware protection includes, but is not limited to, the implementation of next generation firewalls (NGFW), intrusion prevention systems/intrusion detection systems (IPS/IDS) and secure Web gateways (SWG). Software-based protection is done through anti-virus software deployments, automated patch management or tools for Internet monitoring. Finally, no defense-in-depth strategy would be complete without the implementation of strong security policies that prescribe processes for incident reporting, service and system audits, and security awareness training.
At Verisign we take our Internet stewardship mission very seriously, so when details emerged over the past week concerning the XcodeGhost infection, researchers at Verisign iDefense wanted to help advance community research efforts related to the XcodeGhost issue, and leveraging our unique capabilities, offer a level of public service to help readers determine their current and historical level of exposure to the infection.
First identified in recent days on the Chinese microblog site Sina Weibo, XcodeGhost is an infection of Xcode, the framework developers use to create apps for Apple’s iOS and OS X operating systems. Most developers download secure Xcode from Apple. However, some acquire unofficial versions from sites with faster download speeds.
Apps created with XcodeGhost contain instructions, unknown to both the app developers and the end users, that collect potentially sensitive information from the user’s device and send it to command-and-control (C2) servers managed by the XcodeGhost operator. This way, the XcodeGhost operators circumvented the security of Apple’s official Xcode distribution, and the security of Apple’s App Store.
The infection had widespread impact. As of September 25th, Palo Alto Networks and Fox-IT had identified more than 87 infected apps by name, and FireEye claimed to have identified more than 4,000 infected apps. This activity impacts millions of users both in China and elsewhere in the world. To understand key aspects of the infection, iDefense researchers leveraged authoritative DNS traffic patterns to the C2 domains.
Today’s new age of ubiquitous connectivity has created an insatiable and growing demand among employees and consumers to be online with familiar systems and tools at all times. Employees are no longer satisfied with the limited choices in devices and tools provided to them by their corporate IT organizations. They want to use what they want,when they want. They believe that choosing their own devices and tools provides them with the highest level of comfort and efficiency. This desire to use personal devices in work environments, referred to as “bring your own device (BYOD),” coupled with the growing cyber-attack surface, poses significant challenges to IT organizations. These challenges are leading such organizations to ask themselves – Are we ready to support BYOD?
Even though summer is just heating up, internet retailers already have visions of dollar signs dancing in their heads as they prepare for the onslaught of holiday web traffic that will soon ring in the 2015 holiday season. However, much of their focus is on marketing, and not the critical security measures they need to have in place to help keep their customers safe and satisfied as they shop online during the holidays.
As we have seen from the numerous security breaches and cyberattacks reported during last year’s holiday season, understanding the threat landscape and putting appropriate mitigation plans in place is critical to a business’s revenue and reputation. Just one hour of network downtime due to an outage or malicious attack can have far reaching consequences for a retailer, especially during the holidays.
Defending against cyber threats is not only critical, but increasingly difficult and expensive. Just a quick glance at today’s news headlines and it is clear that these threats present numerous challenges to Internet users and the organizations that both serve and employ them. For example, in 2014, McAfee Labs observed a 75 percent year-over-year increase in new malware equating to 387 new threats per minute. Further, the Ponemon Institute estimates the average data breach costs large organizations $3.8 million per event.
Most solutions either require extensive investment or do not meet an organization’s constantly evolving needs. Traditional, appliance-based security solutions can require organizations to shell out considerable amounts of money, both in up-front capital expenditure and in on-going maintenance fees. Conversely, many managed cloud-based offerings do not provide the critical capability to customize the solution based on an organization’s specific business environment and security needs. Finally, do-it-yourself (DIY) open-source solutions suffer from constant patching and maintenance problems.
Enter the Verisign DNS Firewall, an easy-to-configure, cost effective managed cloud-based service that offers robust protection from unwanted content, malware and advanced persistent threats (APTs), delivered with the ability to customize filtering to suit an organization’s unique needs.