Dark Reading is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Everything You Need to Know About DNS AttacksIt's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask.
Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted.
Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Incident Readiness and Building Response Playbook
In this special report, learn the Xs and Os of any good security incident readiness and response playbook.
Tweet This
1 Comments
User Rank: Ninja
12/3/2014 | 1:51:35 PM
No, it's impossible and therein lies the problem. Because CEO's and other c-level individuals are so busy (eyes rolling), they want everything to be quick and fast, hence the "Executive Summary". I do understand and do not expect them to understand all of the specifics of Heartbleed, POODLE or why MS14-068 is more important for a Domain Controller than it is for his laptop, but I do expect her\him to expect more than a summarized "Good - Fair - Bad - High - Medium -Low - Red - Yellow - Green" description of serious problems that will\may eventually affect the business, sorry but everything cannot be explained in the time that it takes to ride an elevator.
I believe that C-Level individuals responsible for security or expressing that information to those who are higher up should schedule time with security people so that they can get a (working) understanding of why Drupal announced in October that a Core - SQL Injection vulnerability was so dangerous and that web admins should update NOW and why they (Drupal) came back in November and warned that if your site wasn't patched within a specific period of time... (HOURS) of that initial warning, your site was most likely compromised. How do explain that along with 30 - 40 other issues on a dashboard or an executive summary? You can't, I have a hard enough time trying to get the folks who should understand these problems to understand why these are problems.
Believe me, I do understand the need for brevity but I think dashboards and summaries should be more for that manager who understands what he's reading and knows how to research it and ask questions. Here's a suggestion that I tried before, I suggested a "ride-along", the next time that a Vulnerability assessment or PENTEST is scheduled, invite those c-level people to observe and ask questions, that's powerful stuff.
I guess what I'm really saying is that these folks should be as engaged in the stuff that they don't fully understand as the details of running the rest of the business, we're not trying to make them security experts... just better informed.