What are the main security risks associated with DNS and how are these best mitigated?
If we are talking DNS (domain name system), then we are talking risk. Using the internet to do business is a risk, an acceptable one for most, but still a risk. And the assumptions we make about business resilience when using cloud services, and the internet in general, create more risk and erode resilience.
To do business resilience well, you need to understand risk management. To do risk management, you need quality risk assessments. To do a quality risk assessment, you need to truly understand threat and vulnerability.
Most organisations start in the middle of the process, with predictably poor results. Knowing the risks involved when using the internet for business is really basic, but many organisations still struggle with the basics.
The attack on US DNS services firm Dyn was a serious, wide-scale attack and there is every reason to think that attacks like this will be something we all have to deal with in one way or another in future. How we mitigate the risk will hinge on how well organisations understand the risk and what plans they have in place to ensure the impact is minimised.
The internet of things (IoT) has opened up a world of opportunity to exploit poorly secured “things” on the internet, from cameras to fridges, all available to be hoisted into service for a large-scale distributed denial of service (DDoS) attack of this nature.
But as we add more and more things to the internet without fully understanding the risks, both immediate and abstract, we are adding to our own vulnerability and, in effect, becoming the architects of our own crisis.
So businesses are vulnerable to the flawed assumption that the internet is resilient and that cloud is somehow better, and more resilient, than on-site. But anything you put on the internet is vulnerable. DNS underpins almost everything, so there is risk around the use of anything internet-based, including virtual private networks (VPNs) and voice-over-IP (VoIP), which, of course, all depend on DNS – but organisations are struggling to understand this.
Risk can be mitigated effectively only if the risk assessment itself is sound, so that the risk treatment and management built on it actually work. If you understand the real risk, then you can build a contingency plan, include it in your business continuity plan and test it regularly to make sure it works when push comes to shove.
This means knowing you have an alternative to VoIP (the clue being in the IP bit) that you have verified works, that can be invoked without too much trouble and that will enable business as usual. You have to be prepared for a DNS outage as an inevitability, so you may also need to think about what your ISP provides you in the way of DNS servers. Many provide two, but perhaps you need to consider a bank of diverse DNS servers that you can invoke manually if required.
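A contingency bank of resolvers is only useful if you know which of them actually answer when you need them, so it is worth exercising it regularly rather than discovering a dead server during an outage. The script below is an added example, not code from the original article: it implements just enough of the DNS wire format (RFC 1035) to send a recursive A query to each server in a list and report which ones return a usable answer. The server addresses in the `bank` list are documentation placeholders, and `example.com` is used only as a well-known name to resolve; both are assumptions to replace with your own ISP's resolvers, your diverse alternatives and a name you care about.

```python
"""Probe a bank of alternative DNS resolvers and report which ones answer.

Added example, not from the original article. Only the standard library is
used; the resolver addresses in `bank` are placeholders (documentation
ranges) to be replaced with your ISP's servers and diverse alternatives.
"""
import random
import socket
import struct

DNS_PORT = 53
TYPE_A = 1
CLASS_IN = 1


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive A query for `name` with transaction id `txid`."""
    # Flags 0x0100: standard query with RD (recursion desired) set; one question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def _read_name(msg: bytes, offset: int) -> int:
    """Skip over a (possibly compressed) name and return the offset just after it."""
    while True:
        length = msg[offset]
        if length == 0:                   # root label terminates the name
            return offset + 1
        if length & 0xC0 == 0xC0:         # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_answer(msg: bytes, txid: int) -> list:
    """Return the IPv4 addresses in the answer section, or raise on a bad reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")   # discard stray or spoofed replies
    if (flags & 0x000F) != 0:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qd):                                # skip the echoed question section
        offset = _read_name(msg, offset) + 4           # +4: QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen                                # skip CNAMEs and other records
    return addrs


def probe_resolver(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP query to `server`; report whether it answered and with what."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, DNS_PORT))
            data, _ = sock.recvfrom(512)
            return {"server": server, "ok": True, "addresses": parse_answer(data, txid)}
        except (OSError, ValueError) as exc:           # timeout, unreachable, bad reply
            return {"server": server, "ok": False, "error": str(exc)}


def usable_resolvers(servers, name="example.com"):
    """Probe every server in the bank and return those that currently answer."""
    return [r["server"] for r in (probe_resolver(s, name) for s in servers) if r["ok"]]


if __name__ == "__main__":
    # Placeholder bank (documentation addresses): replace with your ISP's servers
    # plus diverse alternatives on other networks and providers.
    bank = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
    for result in (probe_resolver(s, "example.com") for s in bank):
        print(result)
    print("usable now:", usable_resolvers(bank))
```

Run it from the same scheduled job that exercises the rest of your continuity plan, and treat a resolver that repeatedly fails the probe as removed from the bank until it is replaced; the transaction-id check is what stops a stale or stray reply from being counted as a healthy answer.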
When it comes to DNS, resilience is as much about business continuity and disaster recovery (and what you learn in the process) as it is about cyber security.