EDITOR’S QUESTION
Employee awareness is essential as people
will ultimately make mistakes. Training
should consist of various components
including running simulation exercises,
such as email phishing simulations
customised to various departments.
These exercises should be engaging,
measurable and ongoing endeavours, and
not treated as an annual ‘tick-the-box’.
HAIDER PASHA, REGIONAL
CHIEF SECURITY OFFICER (CSO),
EMERGING MARKETS, PALO
ALTO NETWORKS
As a protocol invented over three decades
ago, Domain Name System (DNS) was not
created with cybersecurity in mind. And
since its inception, we have seen a growing
number of attacks abusing its inherently
trusting nature, from DNS floods and
hijacking to tricking DNS registrars.
According to Palo Alto Networks Unit
42 threat research team, almost 80% of
malware uses DNS to initiate
command-and-control connections.
Therefore, there are no quick fixes when
we try to secure DNS today and the risks
associated with it are practical as well as
reputational when a company’s website
goes down, especially if their business
depends on it.
Organisations need to have a clear
security policy that specifically looks at
DNS and addresses the risks.
Some believe DNS security is the
responsibility of the security team
whereas others would rely on the
networking department.
In either instance, the key challenge is
that these teams often don’t talk to each
other. Therefore, step one is to identify
who is responsible and make sure the
teams are communicating regularly via a
clear process.
Issue 09
In my view, you need three things to
achieve a well-defined DNS security policy
– governance, awareness and tools.
Governance begins by understanding who
in your organisation is responsible for DNS.
As for tools, there are two different kinds
to consider. There are the things you can
do with the investments you have already
made (focus on basics) and there are new
investments you may want to consider in
order to enhance protection for DNS.
Some examples of basic functionalities
include DNS server hardening, encrypted
communications (such as TLS) and two-
factor authentication. Your DNS server
should be dedicated to the DNS service and
not have other types of protocols that can
potentially open up ports on the server.
Another common practice includes
restricting DNS zone transfers and
consistent patch management as you
perform regular audits.
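As an added illustration of the zone-transfer restriction and regular audits mentioned above (this is not code from the article or from Palo Alto Networks), the following Python check reports which zones in a configuration allow transfers to anyone. It assumes a BIND-style named.conf; the sample configuration, zone names and key name are constructed.

```python
import re

# Constructed sample in BIND named.conf syntax (assumed server; zone names are illustrative).
SAMPLE_CONF = '''
options { allow-transfer { none; }; };
zone "example.com" {
    type primary;
    allow-transfer { key xfer-key; 192.0.2.53; };
};
zone "legacy.example" {
    type primary;
    allow-transfer { any; };   // weak: anyone may copy the whole zone
};
zone "internal.example" { type primary; };
'''

def _block(text, start):
    """Return the text inside the first brace block opening at or after `start`."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError("unbalanced braces")

def _acl(body):
    """Return the allow-transfer entries found in `body`, or None if the statement is absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_zone_transfers(conf):
    """Map each zone name to 'open', 'restricted' or 'unset' (no explicit policy anywhere)."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)  # strip comments
    opt = re.search(r"\boptions\s*\{", conf)
    default = _acl(_block(conf, opt.start())) if opt else None
    report = {}
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        acl = _acl(_block(conf, z.start()))
        acl = default if acl is None else acl   # zone-level statement overrides options
        if acl is None:
            report[z.group(1)] = "unset"
        elif "any" in acl:
            report[z.group(1)] = "open"
        else:
            report[z.group(1)] = "restricted"
    return report

if __name__ == "__main__":
    for zone, status in audit_zone_transfers(SAMPLE_CONF).items():
        print(f"{zone}: {status}")
```

A zone reported as "unset" has no explicit policy in the file and falls back to the server's built-in default, so it is worth setting one explicitly.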
For enhanced DNS protection, consider
partnering with a provider that can help
predict and block malicious domains in
real-time.
At Palo Alto Networks, our DNS Service
uses Machine Learning to analyse and
block malicious queries, including the likes
of Domain Generation Algorithms (DGAs),
which are commonly used by malware.
Securing DNS is a vital part of keeping
your organisation safe. Once you’ve
followed the basics, make sure you have
assessed any remaining risks with the
right tools and awareness campaigns.
www.intelligentdatacentres.com