Intelligent CISO Issue 16 - Page 29

? RICHARD MEEUS, SECURITY, TECHNOLOGY AND STRATEGY DIRECTOR, AKAMAI T he Domain Name Service (DNS) has been around for so long that it is almost taken for granted. However, without it, much, if not all, of the world’s Internet experience would be dead in the water. DNS servers against, for example, your web server. This involves swamping your site with unwanted traffic that needs to be handled by your Internet connections, routers and firewalls that ultimately are overwhelmed and forcing you offline – not just your websites, but any other associated Internet traffic, from emails to VPNs. It’s ubiquitousness means that it can be easily leveraged for malicious intent if not checked and protected. But DNS is not just restricted to being utilised for large, headline grabbing DDOS attacks. The infamous DDOS attack against a major DNS provider in 2016 that forced many organisations completely or partially offline highlighted how vulnerable and integral, in equal measure, DNS is to how the world operates online. It is also leveraged for data exfiltration, being used as a carrier to piggyback data from within compromised networks to Command and Control servers located on the other side of the planet. Not only is DNS frequently the target, it is also the delivery vector for many types of attacks. As DNS uses UDP (connectionless) it is an easy and effective way to bounce and amplify attack traffic off many Internet-based www.intelligentciso.com | Issue 16 As DNS is often unchecked, especially leaving an organisation, this is a simple but effective way to syphon off critical data without being detected. Lastly there is the integrity of the DNS itself. Consumers blindly query these editor’s question As DNS is often unchecked, especially leaving an organisation, this is a simple but effective way to syphon off critical data without being detected. servers for the IP address for their favourite sites and assume that the answer is going to be correct. Man-in-the-middle attacks – where the DNS request is intercepted between the client and the DNS server, and supplying false IP addresses and routing traffic to rogue and malicious sites – is an example of an attack where the DNS’ integrity can be compromised. Features such as DNSSEC allow the user to receive a digitally signed record from the DNS server ensuring them that the data is valid. DNS is key to the interaction with the Internet and unless your records are resilient, redundant and secured there will always be a risk of compromise. In addition, just as many organisations check traffic entering their network, they should equally apply the same level of integrity to DNS queries leaving their network. 29