
Security Think Tank: Top three DNS-related security risks

What are the main security risks associated with the domain name system and how are these best mitigated?

The domain name system (DNS) is used by every business on the internet. It is a business’s digital identity and, as such, probably the most crucial component of its security profile. Consequently, DNS threats are on the rise. The following are three of the most prevalent DNS risks worth prioritising on your security to-do list:

Registrar hijacking

Domain names are commercially bought and sold through a registrar company and this may make them vulnerable to fraud. If a hacker compromises the DNS commercial account you hold with your registrar, they can take control of the domain, transfer ownership and point it to servers under their control. This is done by breaking account passwords or socially engineering the registrar’s support personnel. 

To minimise this risk, enforce strong account password management and select a registrar that offers enhanced account security options, such as multi-factor authentication or dedicated account managers. It is a premium service, but well worth the security spend.

Typosquatting

The next best thing to registrar hijacking is typosquatting. If you can’t break it, fake it. Typosquatting is the practice of registering a fake domain name that is almost identical to the real (target) business domain name. Hackers do this to misdirect web traffic and to set up a wide variety of phishing attacks.  

Best practice against this threat is to regularly monitor newly registered domain names for those that are unmistakably similar to your business’s domain name. You may also want to consider hiring companies that offer digital brand management and protection services to do this for you.
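The monitoring described above can be sketched in a few lines. This is an added example, not part of the original article: it assumes you already receive a feed of newly registered registrable domains, uses example.com as a stand-in brand, and the function names and sample feed are hypothetical.

```python
# Look-alike digit substitutions often seen in squatted names (constructed, not exhaustive).
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(label):
    """Fold a domain label to a canonical form so visual tricks compare equal."""
    label = label.lower().translate(DIGIT_LOOKALIKES).replace("-", "")
    return label.replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance: insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # swapped neighbouring letters
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def flag_lookalikes(brand_domain, new_domains, max_distance=1):
    """Return (domain, distance) for new registrations resembling brand_domain."""
    brand_domain = brand_domain.lower().rstrip(".")
    target = normalise(brand_domain.split(".")[0])
    hits = []
    for raw in new_domains:
        domain = raw.strip().lower().rstrip(".")
        if not domain or domain == brand_domain:
            continue  # skip blanks and the legitimate domain itself
        label = normalise(domain.split(".")[0])
        distance = osa_distance(label, target)
        # Flag near-misses and names that embed the brand (e.g. brand + "login").
        if distance <= max_distance or target in label:
            hits.append((domain, distance))
    return sorted(hits, key=lambda h: (h[1], h[0]))

# Constructed sample feed of newly registered domains (not real data).
SAMPLE_FEED = ["examp1e.com", "exmaple.com", "exarnple.org",
               "example-login.net", "sample.io", "weather-report.com"]

if __name__ == "__main__":
    for domain, distance in flag_lookalikes("example.com", SAMPLE_FEED):
        print(f"REVIEW {domain} (distance {distance})")
```

Non-ASCII (IDN) look-alikes are out of scope here; covering them needs a Unicode confusables table rather than the small digit map used in this sketch.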

Cache poisoning

DNS data is used to send email and to find websites across the internet, and it is cached on servers to reduce load and improve performance. However, the DNS data cached on these servers may be vulnerable to “poisoning” attacks.

Hackers exploit poor configuration of DNS servers to inject fraudulent address information that can reroute users to a fake website under their control. Even the user’s browser would not know the site was not legitimate.

Currently, the only real solution to this risk is a protocol known as DNSSEC. Adding a DNSSEC digital signature to a domain name will enable browsers and ISP servers to validate the DNS data they receive, essentially putting an end to cache poisoning attacks. Ask your ISP for DNSSEC.

DNS-based attacks are not going away. Because DNS is an essential part of the internet communications framework, it will always be considered an effective attack vehicle. Time to move it up your list.


Richard Hollis is an ISACA expert and author on IT security and risk, and CEO of Risk Factory.

This was last published in January 2017
