Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

DNS Firewalls Could Prevent Billions in Losses to Cybercrime

New analysis shows widespread DNS protection could save organizations as much as $200 billion in losses every year.

DNS protection could prevent approximately one-third of the total losses due to cybercrime – which translates into billions of dollars potentially saved.

According to "The Economic Value of DNS Security," a new report published by the Global Cyber Alliance (GCA), DNS firewalls could annually prevent between $19 billion and $37 billion in losses in the US and between $150 billion and $200 billion in losses globally. GCA used data about cybercrime losses from the Council of Economic Advisors and the Center for Strategic and Internation Studies as the basis for its GCA's estimates of how much DNS protection, such as a DNS firewall, could save the economy.

"The benefit from using a DNS firewall or protective DNS so exceeds the cost that it's something everyone should look at," says Philip Reitinger, GCA president and CEO. In many cases, he says, the DNS protection service or DNS firewall will be available at no cost to purchase or license.

But could any cost, no matter how small, be offset by the difficulty in deploying or managing the protection? Not likely. "In most cases, it will be extremely easy to do. There's no new software here," Reitinger says. When it comes to protecting endpoints, it could be as simple as changing the address used for DNS resolution in the computer's network settings. And for some companies, the adoption will be only slightly more difficult.

The only real difficulty, Reitinger says, comes if the firewall begins generating false-positives, blocking traffic to destinations that serve a legitimate business purpose. Should that happen, firewall rules will need to be manually overridden. "If you see people trying to going out to various services, you get to write the rules that allow or block the destination in spite of the firewall," he says.

One legitimate point of concern is the data on DNS traffic that the protection provider might collect, Reitinger adds. Knowing about an organization's traffic patterns provides a great deal of information about the organization itself, he says. In this case, asking serious questions of the provider before signing a contract or changing a resolution server address can prevent privacy concerns in the future.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
martinchristensen576
100%
0%
martinchristensen576,
User Rank: Apprentice
6/18/2019 | 4:59:42 AM
Re: Pending Review
I would really like to know as well! Seems to be a good idea to get a DNS Firewall!
JensJensen457
100%
0%
JensJensen457,
User Rank: Apprentice
6/18/2019 | 4:46:37 AM
Setting up a DNS Firewall
Does anyone know how to set up a DNS Firewall on my own website?
sgreene02101
50%
50%
sgreene02101,
User Rank: Apprentice
6/17/2019 | 9:52:50 AM
Re: The DNS is the Typhoid Mary of the Internet
Strongly agree with above post by Gsidman. I would like to echo the author's sentiments - the hardware and labor cost inputs required to implement a simple but effective system are so vastly outweighed by the benefits. Seems to me that that vast majority of intrusions/theft/ransom/dos attacks as well as infrastructure vulnerabilities could be eliminated by such a simple fix. Neither hard nor expensive (relatively speaking) and should be number 1 or 2 on the top of every IT, facility or municipality manager's list.
gsidman
50%
50%
gsidman,
User Rank: Apprentice
6/14/2019 | 1:17:23 PM
The DNS is the Typhoid Mary of the Internet
Firewalling DNS calls gets half way to solving the major problems with the DNS.  While doing so is a good first step, it does not cure the main exposure the DNS provides to the bad guys. The next step is to move the DNS into an encrypted policy engine where sources are verified before routing is even allowed. In the medical, industrial and other dedicated IoT spaces, the IP addresses are dedicated and persistent, making the DNS an unecessary and dangerous component of routing. While the DNS may always be with us for the public side of the Internet (email, the web, social media, etc.), its use on the commercial and industrial side is no longer viable.  The sooner we elevate the discussion around the wisdom of not using the DNS in the wrong places, the sooner we will get to a more secure Internet.
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...