Silver Bullets, Cyber Resilience, Hackers and DNS
Date: 31 July 2018
The large array of solutions that promise to mitigate cyber threats can often confuse even the most astute buyers. Buzzwords like next-generation, Machine Learning and Artificial Intelligence tend to take the focus away from the fundamentals.
In this two-blog series, I take a mostly non-technical look at the technology at the heart and soul of the Internet, the modest DNS or Domain Name Service, and examine why, instead of focussing only on the "coolest of toys" in cybersecurity, investing in DNS may offer far better value.
We created a DNS mind-map just for you! Download our free visual guide to the key attributes of DNS and to how this humble technology, often dismissed as primitive, can help you build a cyber-resilient business. It's available here.
In this blog, I explain the humble and ever-pervasive DNS and start to set out the value to the business of implementing DNS correctly (correctly, I must stress).
- Short overview of the landscape!
- Why cyber criminals succeed
- The Consequences of Ignoring the Basics
- ABC of DNS
- Criminals and DNS
- Useful links & more information
Who should read this?
- Management such as CIO, CISO, CRO, IT Directors and anyone in charge of reducing an organisation's cyber risk.
- CISSPs, those studying for the CISSP, CISM or CISA, and IT or security engineers.
- Auditors and folks in the governance, risk and compliance domains will find this information insightful.
It's a fact that cyber-attacks are only going to increase in both frequency and their negative impact on business. Consequently, it's a fallacy to label cyber threats and cybersecurity issues as technical nuisances. While there are examples galore of this, let's quickly examine two:
- Equifax’s former Chair and CEO, Richard Smith, knows too well the consequences of not prioritising cyber risk. He was dragged in front of the US Digital Commerce and Consumer Protection Subcommittee on Capitol Hill to explain how cyber criminals managed to steal over 147 million records of personal information.
- Closer to the UK and Europe is the now-infamous TalkTalk hack, characterised by the car-crash series of interviews given by their then-CEO, Dido Harding. Dido inadvertently manufactured some of the most case-study-friendly fodder for business colleges and cyber practitioners on "How NOT to Respond to a Data Breach".
Consequently, it should come as no surprise that senior executives and board members everywhere are starting to demand visibility of cyber risks on their conventionally cyber-void risk dashboards. No business wants to become the next to fall from grace.
The common reason for compromise in most successful data breaches can be traced to a simple problem: a lack of foundational controls.
Why? Where it is not straightforward negligence, the basics are often ignored in favour of more glamorous and futuristic technologies and systems. And when technology is not the key focus, organisations end up spending their effort and time chasing and obtaining industry certifications such as ISO 27001:2013.
For example: Ukraine's electricity grid was attacked when winter's wrath was at its peak, in December. It is still considered one of the most advanced and complex attacks because it caused actual physical damage. The damage to the hardware was irreversible! I urge you to read that again. The damage to the physical hardware was irreversible.
For cyber criminals to succeed in this attack, the following had to happen:
- An employee had to open a phishing email. The criminals scoped out the employees on social media and other platforms before sending them the emails.
- The target victims had to willingly open Microsoft Word documents containing infected macros.
- The malware had to call back home for "instructions", and this call-back required DNS, a ubiquitous technology almost as old as the Internet. (More on this further down.)
Warning! Don't be fooled by the words "basic" and "fundamentals". Neither word implies that getting the basics right is easy. There would be far fewer successful cyber-attacks if fundamental security controls were easy to implement. We cover this topic and much more in our "Blueprint for Cyber Resilience" workshop here.
When discussing basic technology controls, most readers would probably think of the universally used terms anti-virus and firewall.
DNS is a crucial technology that glues together the whole of cyberspace. Every other technology out there, including but not limited to smart phones, tablets, smart watches, smart cars, webcams, smart TVs and more, wholly relies on DNS to function.
(Table: Google's human-friendly address alongside Google's real address, its IP address.)
However, our relentless search for new or "sexier" technologies and tools has meant that DNS has been left alone, toiling in the basement, forever only fulfilling its basic purpose: translating a domain name, such as Google.com, into an incomprehensible number, the IP address.
A well-configured DNS serves as an early and reliable indicator of malicious activity from inside or outside of your organisation. Furthermore, it can be used to stop this activity at an early stage.
Given that almost everything and everyone, including criminals, relies on its ability to translate a domain name into a complicated number, DNS provides deep visibility into known and unknown activities within an organisation.
Cyber criminals use DNS too. How? They use DNS:
- To create fake domains for commercial fraud and for carrying out advanced attacks.
- To automatically hijack Internet browsing traffic to, say, Google.com and serve a malicious but similar-looking Google page.
- To launch crippling Denial of Service (or DoS) attacks, causing a website to become unavailable.
- To stealthily steal data over DNS itself.
Put another way, if criminals rely on DNS to succeed, the converse must be true too. DNS is an effective and robust first-line-of-defence tool and should be used to detect and protect against various types of cyber attacks.
On March 23, 2018, I (Amar Singh, CEO of Cyber Management Alliance Ltd) was joined by Nominet’s Adam Gladsden and Cyber Management Alliance’s own ethical hacker on a Webinar titled, “First – Fix the Plumbing - What’s broken in cyberspace and How to Fix it”.
We discussed in more detail the importance of DNS to a business and how easy it was for malicious hackers to hack DNS. Click here to watch the webinar.
If it works, why fix it?
That is one of the inherent problems with DNS. It just works. When you type in cm-alliance.com or google.com, you don't have to know the real IP address. DNS just does all the hard work for you.
However, there is more, much more that a well-configured DNS can do, including:
- Fighting cyber-attacks: Yes! A properly configured and managed DNS can offer a significant reduction in exposure to cyber threats such as ransomware and malware.
- Serving up domain names: The very existence of a 'www' domain name relies on an effective and efficient DNS infrastructure.
- Speedier browsing: Apart from a good broadband connection, DNS is the next most important ingredient in ensuring you have a great experience of surfing websites. Often, at home and at hotels or airports, it's the DNS that slows the web browsing experience.
- Digital Web Resilience: DNS empowers organisations to build in web resilience and speed so that their website is always available at the best possible speeds to visitors around the world.
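As an added illustration of the detect-and-protect role described above (the "first-line-of-defence" point and the "Fighting cyber-attacks" item), and not code from the original post or from Nominet or Cyber Management Alliance, the script below runs two checks a resolver or SIEM can apply to DNS query logs: a policy blocklist hit, which a resolver would refuse or sinkhole, and the bursts of long, random-looking subdomains that betray a malware call-back or data theft over DNS. The log lines, client addresses, domains, blocklist and log format are all constructed assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed resolver query-log lines (hypothetical hosts, not real indicators).
# Assumed format per line: time client qtype qname rcode
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A www.example.com NOERROR
10:00:02 10.1.2.3 A cdn.example.com NOERROR
10:00:05 10.1.2.9 A bad-updates.example.net NOERROR
10:00:07 10.1.2.7 TXT 3q9f7k2x8z1v5b4n6m0p.tunnel.example.org NOERROR
10:00:08 10.1.2.7 TXT 9z2x1c4v7b8n3m5k6j0h.tunnel.example.org NOERROR
10:00:09 10.1.2.7 TXT 4m8n2b6v1c9x3z7k5j0h.tunnel.example.org NOERROR
10:00:09 10.1.2.7 TXT 1h0j5k7z3x9c1v6b2n8m.tunnel.example.org NOERROR
10:00:10 10.1.2.3 A mail.example.com NOERROR
"""
# Constructed blocklist; a resolver policy (e.g. an RPZ) would refuse or sinkhole these names.
BLOCKLIST = {"bad-updates.example.net"}

def shannon_entropy(label: str) -> float:
    """Bits per character: encoded payloads score high, ordinary hostnames score low."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyse(log_text, min_len=16, min_entropy=3.5, min_unique=3):
    """Return findings as (kind, client, domain) tuples."""
    findings = []
    suspicious = defaultdict(set)  # (client, parent domain) -> high-entropy leftmost labels
    for line in log_text.splitlines():
        _time, client, _qtype, qname, _rcode = line.split()
        qname = qname.lower().rstrip(".")
        # Policy hit: the name itself, or a domain it sits under, is blocklisted.
        if any(qname == d or qname.endswith("." + d) for d in BLOCKLIST):
            findings.append(("blocklisted", client, qname))
            continue
        first, _, parent = qname.partition(".")
        # Long, random-looking leftmost labels carry encoded data rather than hostnames.
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            suspicious[(client, parent)].add(first)
    # Many distinct such labels from one client under one parent is the tunnelling pattern.
    for (client, parent), labels in suspicious.items():
        if len(labels) >= min_unique:
            findings.append(("tunnelling", client, parent))
    return findings

if __name__ == "__main__":
    for kind, client, domain in analyse(SAMPLE_LOG):
        print(f"{kind:12} client={client} domain={domain}")
```

The thresholds are starting points; tune them against your own resolver's baseline so that legitimate CDN and cloud hostnames with long labels do not dominate the alerts.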
Though many do not understand and appreciate its significance, when it comes to cybersecurity and cyber resilience we must give the humble DNS its deserved importance in building a cyber-resilient business. Technical or not, senior executives in charge of managing cyber risk must discuss DNS with their internal technical teams or third parties.
Remember, I am writing a follow-up blog on DNS. Bookmark this page now.
Start Your Response Planning Now!
In addition, if you are running a business, of any size, consider getting all the middle to senior management trained on how to plan and prepare for a cyber-attack. All layers of management must have basic security awareness and the knowledge required to make their organisations more cyber-resilient.
Remember, a cyber-attack could easily lead to a data breach which could put you at odds with the GDPR on several fronts.
To begin planning your incident response, you can download our Cyber Incident Planning & Response mind-map here. We also created an Action Checklist to help you on your journey. You can download the checklist here.
Much more on that page.