Editor’s question
Haider Pasha, Regional Chief Security Officer (CSO), Emerging Markets, Palo Alto Networks
As a protocol invented over three decades ago, Domain Name Service (DNS) was not created with cybersecurity in mind. And since its inception, we have seen a growing number of attacks abusing its inherently trusting nature, from DNS floods and hijacking to tricking DNS registrars. According to Palo Alto Networks’ Unit 42 threat research team, almost 80% of malware uses DNS to initiate command-and-control connections.
Therefore, there are no quick fixes when we try to secure DNS today, and the risks associated with it are practical as well as reputational when a company’s website goes down, especially if its business depends on it.
Organisations need to have a clear security policy that specifically looks at DNS and addresses the risks. In my view, you need three things to achieve a well-defined DNS security policy: governance, awareness and tools.
Governance begins by understanding who in your organisation is responsible for DNS. Some believe DNS security is the responsibility of the security team, whereas others would rely on the networking department.
In either instance, the key challenge is that these teams often don’t talk to each other. Therefore, step one is to identify who is responsible and make sure the teams are communicating regularly via a clear process.
Employee awareness is essential, as people will ultimately make mistakes. Training should consist of various components, including running simulation exercises, such as email phishing simulations customised to various departments.
These exercises should be engaging, measurable and ongoing endeavours, not treated as an annual ‘tick-the-box’ activity.
As for tools, there are two different kinds to consider. There are the things you can do with the investments you have already made (focus on basics), and there are new investments you may want to consider in order to enhance protection for DNS.
Some examples of basic functionalities include DNS server hardening, encrypted communications (such as TLS) and two-factor authentication. Your DNS server should be dedicated to the DNS service and not run other types of protocols that can potentially open up ports on the server.
Other common practices include restricting DNS zone transfers and maintaining consistent patch management alongside regular audits.
For enhanced DNS protection, consider partnering with a provider that can help predict and block malicious domains in real time.
At Palo Alto Networks, our DNS Service uses machine learning to analyse and block malicious queries, including domains produced by Domain Generation Algorithms (DGAs), which are commonly used by malware.
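As an added illustration (not the article’s or Palo Alto Networks’ own code, and a plain heuristic rather than the machine-learning classifier described above), here is a Python check that flags DGA-like query names in resolver logs and groups them by the querying client. The log format, the thresholds and the sample log lines are all constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log lines (not from the article). Assumed format:
# "<timestamp> <client_ip> query: <qname>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 query: www.example.com
2024-05-01T10:00:02Z 10.0.0.5 query: mail.google.com
2024-05-01T10:00:03Z 10.0.0.9 query: xk3h7qz9pw2vj5mn.com
2024-05-01T10:00:04Z 10.0.0.9 query: bq8w1tz4yr6vhp0l.net
2024-05-01T10:00:05Z 10.0.0.9 query: m2n9c7xv5k1rj4tq.org
2024-05-01T10:00:06Z 10.0.0.7 query: cdn.cloudflare.com
"""
LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(qname):
    """Label left of the TLD ('example' for 'www.example.com'). Assumes a
    single-label TLD; real tooling would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def looks_dga(label):
    """Heuristic: long, high-entropy label with few vowels or many digits.
    Thresholds are illustrative assumptions, not tuned on real traffic."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) > 3.0 and (vowel_ratio < 0.25 or digit_ratio > 0.3)

def dga_suspects(log_text):
    """Map each client IP to the DGA-like names it queried, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, qname = m.groups()
        if looks_dga(registered_label(qname)):
            hits[client].append(qname)
    return dict(hits)
```

Calling `dga_suspects(SAMPLE_LOG)` returns only client 10.0.0.9 with its three random-looking names, the pattern a resolver-log alert would key on; the well-known names pass untouched.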
Securing DNS is a vital part of keeping your organisation safe. Once you’ve followed the basics, make sure you have assessed any remaining risks with the right tools and awareness campaigns.
Issue 16 | www.intelligentciso.com