Vulnerabilities still leave DNS—and businesses—wide open to attack

Encryption and other protection measures actually may make security more difficult


It is easy to instantly create a new domain on which to base a Web page, thanks to a core component of the Internet, called the Domain Name Service, aka DNS.

For that reason, DNS is more popular with cyber attackers than ever. Cisco’s 2016 Security Report, made public Tuesday, finds that 91.3 percent of all malware validated as “known bad” took advantage of how DNS works in order to spread.

Even worse, Cisco found that many of what it dubs “rogue DNS resolvers” are being routinely activated by IT staffers, apparently without them knowing it. The function of a DNS resolver is to send you to the correct numerical IP address associated with a textual domain name. A rogue DNS resolver deliberately sends you to the wrong site, often a look-alike site supporting a malicious scam.


Bad guys are using rogue resolvers and hastily created domain names to aid and abet the command and control of botnets; to establish download sites for malware; and to host pages booby-trapped to deliver phishing attacks and malware.

“DNS has not traditionally been a tightly controlled resource in an organization,” says Jason Brvenik, a principal engineer within Cisco’s security business group. “Malware uses DNS because it’s ubiquitous and it’s convenient.”


Cyber attacks pivoting off DNS manipulation have increased in popularity because criminals are able to create fresh domains very rapidly, and use them for only a brief time. Google and the antivirus companies are on the lookout for malicious Web pages and quickly quarantine them. But once a bad domain gets on a blacklist, the bad guys simply shift to a newly created replacement.

So while identifying a bad domain is comparatively simple, maintaining a current list of all of the wayward names out there is very difficult.
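The two problems the article describes, staff machines talking to resolvers the organization never sanctioned, and freshly minted domains that no blocklist can contain yet, both show up in ordinary DNS traffic logs. The following is an added example (not code from the article or from Cisco) that runs both checks over a constructed sample of outbound UDP/53 flow records; the resolver addresses, baseline domains and log format are all assumed.

```python
import re
from collections import defaultdict

# Constructed sample of outbound UDP/53 flow records (not from the article):
# timestamp, client IP, resolver IP, queried name.
SAMPLE_LOG = """\
2016-01-19T09:00:01 10.0.4.21 10.0.0.53 www.example.com
2016-01-19T09:00:05 10.0.4.21 10.0.0.53 mail.example.com
2016-01-19T09:00:09 10.0.4.37 198.51.100.77 www.example.com
2016-01-19T09:01:12 10.0.4.37 198.51.100.77 update.example.org
2016-01-19T09:02:40 10.0.4.58 10.0.0.53 a1b2c3d4.example.net
"""
# Resolvers the organization itself operates, and base domains already reviewed
# (both assumed values; a real deployment loads them from a maintained baseline).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
KNOWN_DOMAINS = {"example.com", "example.org"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_records(text):
    """Parse log lines into (timestamp, client, resolver, qname) tuples."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def registrable_domain(qname):
    """Crude base domain: last two labels. Ignores multi-label public suffixes
    such as co.uk; a real tool would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def unsanctioned_resolver_use(records, sanctioned=SANCTIONED_RESOLVERS):
    """Map each client to any resolvers it used outside the approved set."""
    findings = defaultdict(set)
    for _ts, client, resolver, _qname in records:
        if resolver not in sanctioned:
            findings[client].add(resolver)
    return dict(findings)

def never_seen_domains(records, known=KNOWN_DOMAINS):
    """Base domains absent from the baseline. A blocklist cannot list them yet,
    so first-seen names are the ones that merit a human look."""
    return {registrable_domain(q) for _ts, _c, _r, q in records} - known

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("unsanctioned resolvers:", unsanctioned_resolver_use(recs))
    print("first-seen domains:", never_seen_domains(recs))
```

On the sample, client 10.0.4.37 is flagged for using 198.51.100.77, and example.net is reported as a domain the baseline has never seen.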

Craig Williams, a senior technical leader at Cisco Systems Inc.

“It’s not an easy thing to get right,” said Craig Williams, a senior technical leader at Cisco. “Creating and maintaining the list is the challenge, but I do think people are now taking this seriously.”

Complicating matters is the fact that DNS has come to be used for a lot more than simply directing users to the correct Web page. For instance, online advertisers have come to use DNS to send customers to Web pages promoting a product or service, sometimes repeatedly, to the point of trapping the Web surfer.

“The DNS resolution path is hotly contested,” says Paul Vixie, CEO of Farsight Security. “ISPs all over the world interfere with correct DNS responses flowing toward their access customers, either for data mining purposes, or to do ad insertion, or to do ad substitution.”

Williams agrees and goes a step further. Cisco’s threat report outlines how excessive use of encryption can foul transparency and make security harder.

“You should never encrypt things like ads and the body of news stories. It just blinds you to things, completely blinds you,” Williams says. Because mundane story text is being encrypted, IT gatekeepers are no longer suspicious when they see an ad coming through encrypted.
