Intelligent CISO Issue 16 - Page 30

editor’s question HAIDER PASHA, REGIONAL CHIEF SECURITY OFFICER (CSO), EMERGING MARKETS, PALO ALTO NETWORKS A s a protocol invented over three decades ago, Domain Name Service (DNS) was not created with cybersecurity in mind. And since its inception, we have seen a growing number of attacks abusing its inherently trusting nature, from DNS floods and hijacking to tricking DNS registrars. According to Palo Alto Networks Unit 42 threat research team, almost 80% of malware uses DNS to initiate command- and-control connections. Therefore, there are no quick fixes when we try to secure DNS today and the risks associated with it are practical as well as reputational when a company’s website goes down, especially if their business depends on it. Organisations need to have a clear security policy that specifically looks 30 at DNS and addresses the risks. In my view, you need three things to achieve a well-defined DNS security policy: governance, awareness and tools. Governance begins by understanding who in your organisation is responsible for DNS. Some believe DNS security is the responsibility of the security team whereas others would rely on the networking department. In either instance, the key challenge is that these teams often don’t talk to each other. Therefore, step one is to identify who is responsible and make sure the teams are communicating regularly via a clear process. Employee awareness is essential as people will ultimately make mistakes. Training should consist of various components including running simulation exercises, such as email phishing simulations customised to various departments. These exercises should be engaging, measurable and ongoing endeavours, and not treated as an annual ‘tick- the-box’. As for tools, there are two different kinds to consider. There are the things you can do with the investments you have already made (focus on basics) and there are new investments you may want to consider in order to enhance protection for DNS. In my view, you need three things to achieve a well- defined DNS security policy – governance, awareness and tools. Some examples of basic functionalities include DNS server hardening, encrypted communications (such as TLS) and two-factor authentication. Your DNS server should be dedicated to the DNS service and not have other types of protocols that can potentially open up ports on the server. Another common practice includes restricting DNS zone transfers and consistent patch management as you perform regular audits. For enhanced DNS protection, consider partnering with a provider that can help predict and block malicious domains in real-time. At Palo Alto Networks, our DNS Service uses Machine Learning to analyse and block malicious queries, including the likes of Domain Generated Algorithms (DGAs) which is commonly used by malware. Securing DNS is a vital part to keeping your organisation safe. Once you’ve followed the basics, make sure you have assessed any remaining risks with the right tools and awareness campaigns. u Issue 16 | www.intelligentciso.com