Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3 DNS Risk Reduction Strategies

Department of Homeland Security cybersecurity guidance identifies the three most common risks associated with the Internet's address infrastructure and provides methods for mitigating them.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The Department of Homeland Security (DHS) has released new cybersecurity guidance for how to thwart attacks on the Internet's domain name system (DNS), a common target of attack for hackers.

The report--based on collaboration with private-sector companies that provide DNS services and prepared with the Information Technology Sector Coordinating Council (IT SCC)--identifies the three most common risks associated with the Internet's address infrastructure and provides methods for mitigating them.

The report is not only aimed at helping protect the Internet from attacks, but also at "ensuring that our cyber networks can bounce back quickly if an attack or disaster does strike," according to a post about the report on the DHS blog.

The report is based on a risk-based assessment done in August 2009, after which the DHS and ITSCC worked with a number of private-sector partners to compile information for the report. The DHS collaborates often with the private sector on cybersecurity matters.

The report is aimed at a number of Internet stakeholders, including Internet standards organizations; government agencies that are large-scale users of DNS; companies that are involved in operating DNS services or providing Internet security services; and government and private organizations that develop and establish Internet governing policies.

The DNS infrastructure is a core aspect of the Internet that translates an Internet protocol address into the email address or URL that people use to access it online. Hackers targeting the DNS can conduct a denial of service (DoS) attack that completely blocks access to a website, which can result in financial losses--especially for companies like banks and payment gateways that are often the target.

A large-scale DoS attack in fact is one of three main risks identified by the DHS in the report, and for which it provides mitigation strategies. The others are information disclosure and loss of privacy and policy failure leading to the breakdown of a single, interoperable Internet.

Across the board, the report recommends conducting education and training and adopting standards to help mitigate all three risks, and also provides advice for how to manage each one in turn.

To address the risk of a DoS attack, the report advises performing a gap analysis to identify the major infrastructure entities that need to coordinate in the event of an attack, as well as adopting standards and best practices for the security of networks.

The DHS also recommends the development of a DNS dashboard to provide global real-time monitoring not only of the holistic health of the DNS, but also to assess health from a user perspective.

To mitigate DNS risks associated with information disclosure and privacy issues, the DHS advises restricting the DNS transaction known as a zone transfer--a method administrators employ for replicating DNS databases across a set of DNS servers--to only known and trusted partners.

The report also recommends that stakeholders implement DNS data and configuration practices, since poor configuration can lead to the disclosure of sensitive information that can be used to stage a cyber attack, according to the report.

The DHS makes the most recommendations in the report for managing the risk of DNS attacks that might hamper the global flow of information on the Internet.

Among them is the implementation of internationalized domain names (IDNs) in the DNS root, a process that has already begun under the management of the Internet Corporation for Assigned Names and Numbers (ICANN), according to the report. ICANN so far has approved 13 country and territory applications in the evaluation phase.

Other recommendations include using global forums to discuss DNS security issues; using the results of internationally supported studies to improve DNS structure; increasing information sharing across the DNS community; and establishing norms of behavior for cyberspace.

What industry can teach government about IT innovation and efficiency. Also in the new, all-digital issue of InformationWeek Government: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...