Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
DHS Issues Emergency Directive on DNS Security
Oldest First  |  Newest First  |  Threaded View
dan91266
dan91266,
User Rank: Strategist
1/24/2019 | 11:37:10 AM
When is a vulnerability not a vulnerability?
This one just feels like Chicken Little to me. OMFG! If you're careless about your DNS registration, you can get Pwned.  Really? DHS has to tell us that in a way that makes people run around screaming the sky is falling?!  

This kind of security theater crap masquerading as vigilance gives us a bad name as a profession and contributes to alert fatigue.

 

How about this? If your DNS MX record or SOA record changes, and you don't notice, that might be a problem.

If you expose personal data from your DNS registrar and that person is also on Facebook and Linked In, you might have a problem.

If your DNS stops working right and you don't notice, you might have a problem. 

Yes indeed, you might a have a problem, but it's not the one DHS exposes in this overblown cry of "WOLF! WOLF!", the problem is you're doing security theater, not security.  

If your organization does security as a compliance checkbox for HIPAA or SOX, or just as a safe harbor for liability, you deserve to get Pwned by something as lame as social engineering your DNS registration. 

 

Meanwhile spare the rest of us warnings about the sky falling when it's just a fog bank.

 

 
Curt Franklin
Curt Franklin,
User Rank: Author
1/24/2019 | 1:01:50 PM
Re: When is a vulnerability not a vulnerability?
To be fair, this is a directive to government admins, not the general public. Virtually everything on the list of required actions is a common sense thing that anyone administering DNS should do -- this is just requiring that the government (which was, by and large, supposed to have already done these things) do them right dammit now.

The "news" piece of this is that something happened (we haven't been told precisely what) that spurred this rather unusual emergency directive from DHS. It's a chance for the rest of us to learn from their mistakes.
dan91266
dan91266,
User Rank: Strategist
1/24/2019 | 1:17:06 PM
Re: When is a vulnerability not a vulnerability?
I suppose there is some truth to that. However, I'm going to be harsh here; if you don't know these things you really have no business being a DNS administrator or in cybersecurity at all. These are things that you should know and should already be embodied in your standards, and if not followed the auditor should have pointed this out already. This just reeks of incompetence.
miletran168
miletran168,
User Rank: Apprentice
1/25/2019 | 10:20:28 PM
Re: When is a vulnerability not a vulnerability?
wow. so good. i think so
Dr.T
Dr.T,
User Rank: Ninja
1/27/2019 | 6:18:27 PM
Expired certificate
There is no excuse to let certificates be expired, those can be automated for extensions.
Dr.T
Dr.T,
User Rank: Ninja
1/27/2019 | 6:21:21 PM
Re: When is a vulnerability not a vulnerability?
DHS has to tell us that in a way that makes people run around screaming the sky is falling?! I hear you. At the sand time any vulnerability can easily turn itself to a big issue to many people.
Dr.T
Dr.T,
User Rank: Ninja
1/27/2019 | 6:22:21 PM
Re: When is a vulnerability not a vulnerability?
If your organization does security as a compliance checkbox for HIPAA or SOX Agree. This is one of the biggest problem I would consider, security for the shake of compliance.
Dr.T
Dr.T,
User Rank: Ninja
1/27/2019 | 6:24:07 PM
Re: When is a vulnerability not a vulnerability?
Virtually everything on the list of required actions is a common sense thing that anyone administering DNS should do Agee. Another thing they should all do not to let certification expire.
Dr.T
Dr.T,
User Rank: Ninja
1/27/2019 | 6:26:00 PM
Re: When is a vulnerability not a vulnerability?
These are things that you should know and should already be embodied in your standards, Agree with this. Some just do not play by the book.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-25878
PUBLISHED: 2022-05-27
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption ...
CVE-2021-27780
PUBLISHED: 2022-05-27
The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment.
CVE-2021-27781
PUBLISHED: 2022-05-27
The Master operator may be able to embed script tag in HTML with alert pop-up display cookie.
CVE-2022-1897
PUBLISHED: 2022-05-27
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVE-2022-20666
PUBLISHED: 2022-05-27
Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient va...