informa
/
Risk
Commentary

DNS Woes: How Worried Should You Be? Pretty Dang Worried!

Yesterday's news that the first DNS attack strategies are circulating was no surprise: once a vulnerability -- large, small or in-between -- is discovered, the exploit code follows like rats nipping at the heels of the Pied Piper. The question is, how worried should you be about this particular vulnerability? Pretty worried, is my take.
Yesterday's news that the first DNS attack strategies are circulating was no surprise: once a vulnerability -- large, small or in-between -- is discovered, the exploit code follows like rats nipping at the heels of the Pied Piper. The question is, how worried should you be about this particular vulnerability? Pretty worried, is my take.Dan Kaminsky, who revealed the flaw in the Domain Name System (DNS)that accurately routes traffic on the Internet, took a deep breath and posted a long, thoughtful and essentially jargon-free guide to DNS operations and the DNS flaw.

Kaminsky notes that he wrote the entry, at least in part, as a document to be shared with management, the sort of thing to pass along to those whom you want (or wish) to know more about what it is you're up against in keeping systems safe and effective and functional.

As Kaminsky points out, as everybody has been pointing out (bMighty included), the industry's patch response to the problem has put the tools out there to begin dealing with the potential attacks, if not, alas, to thoroughly address the fundamental weaknesses in the naming system.

The problem, and the reason I'm arguing that the DNS situation is a cause for real and ongoing worry, is that we've seen again and again that a large percentage of businesses and a far larger percentage of users take a laissez faire (at best!) approach to patch management, even for well-known and already under-attack vulnerabilities.

Never was any excuse for such laxness and there is a lot less excuse now. If you're running DNS servers, patch them; make sure that your Windows machines have the Windows DNS patch installed.

And once you've done that -- and run a DNS test; there's a DNS tester on Kaminsky's page -- keep worrying.

Because you don't have any guarantee that the DNS server next door or down the block or halfway around the world has patched its holes. You can, in fact, be pretty confident (if that's the word) that plenty of them haven't.

Check out, for instance, this story about the slow ISP response to patching the DNS flaw.

And if some of the biggest businesses are dragging their patch management feet, think about how things are going at smaller, underfunded and overworked companies.

DNS flaws and available but uninstalled patches: What, me worry?

You bet.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5