At Bedel Security, we work with many financial institutions on their FFIEC Cybersecurity Assessment Tool (CAT) or NCUA Automated Cybersecurity Examination Tool (ACET). Certain declarative statements in these tools are usually the last to be implemented on the way to the next maturity level. The statement that keeps many institutions from achieving Evolving maturity is "Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise". This leaves many wondering what DNSSEC is.
To understand what DNSSEC is, you first need to understand what DNS is. Think of DNS as the phone book for the Internet: instead of translating names into phone numbers, DNS translates host names (like www.bedelsecurity.com) into IP addresses (like 104.17.127.180). This matters because, just as the phone system routes calls by number rather than by name, the Internet routes traffic by IP address rather than by name. When you type a URL into your browser, your computer takes the host name out of it and asks its configured DNS resolver for the matching IP address. The resolver replies with the address, and your computer then connects to that IP address.
While it is easy to explain how DNS works over the Internet when accessing websites (because everyone uses the Internet), most non-technical staff do not realize that the same technology is used on an internal network to translate server names, PC names, and printer names into IP addresses. The internal network also works based on IP addresses just as the Internet does! So, to communicate with the file server named “FileServer1” on a network, DNS is used to translate the server name to an IP address on the internal network.
The problem is that the original DNS protocol, designed decades ago, has no way for a client to verify who produced an answer or whether it was altered in transit: a resolver accepts the first reply that matches its outstanding query. An attacker who can see the request, or simply race the legitimate server, can answer it with the IP address of a system they control; this is the basis of DNS spoofing and cache poisoning. From then on, every time a user thinks they are sending files to a file server or to a website, they are actually sending them to the attacker. This tactic is fairly common among real attackers and is a staple of penetration testers hired by institutions to try to break into their networks.
This is where DNSSEC enters the picture. DNSSEC (Domain Name System Security Extensions) adds digital signatures to DNS data. The owner of a zone signs each set of records with a private key and publishes the matching public key in the zone as a DNSKEY record; the parent zone publishes a hash of that key as a DS record, and so on up to the root zone, forming a chain of trust. A validating resolver checks the signature (the RRSIG record) on each answer against that chain before it accepts the data. The signature proves that the record was published by the zone's owner and was not changed after it was signed, no matter which server the answer actually came from. When the zone is signed and the resolver validates, a forged answer fails validation and is discarded, so an attacker can no longer substitute their own IP address for the real one. Two caveats apply: DNSSEC does not encrypt DNS traffic, so it provides integrity but not confidentiality, and it only protects as far as validation happens, so the path from a PC to its validating resolver must itself be trusted unless the PC validates for itself.
The problem with DNSSEC is that adoption is still incomplete: only a minority of domains on the Internet are signed today, and not every resolver validates. Institutions therefore cannot configure their external resolvers to refuse unsigned answers, because most legitimate zones are simply unsigned, and the chain of trust tells a validating resolver that a zone is unsigned rather than forged. They can only configure their resolvers to validate wherever signatures exist. Many more DNS providers and domain owners need to sign their zones for DNSSEC to be a truly effective control on the Internet. We urge institutions to confirm that the external resolvers they rely on perform DNSSEC validation, and to sign their own external zones (the zones that hold the institution's public web and mail names) with their DNS hosting provider and publish the DS record through their registrar, so that customers whose resolvers validate can detect forged answers for the institution's domain.
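As an added example that is not part of Bedel Security's post, the script below shows what "check that your resolver supports DNSSEC" looks like in practice, using only the Python standard library. It sends a query with the EDNS0 DO bit set, reads the AD (authenticated data) flag and counts RRSIG records in the reply, distinguishes a resolver that validates from one that merely passes signatures through, and asks for the DS record to see whether the institution's own zone is signed at the parent. It assumes the resolver answers on UDP port 53, that example.com is a signed zone, and that dnssec-failed.org is the deliberately broken test zone; the sample reply it contains is constructed, not captured, so the parser can be exercised offline.

```python
"""Probe a resolver for DNSSEC behaviour with the Python standard library only.
Added example, not code from the original post. Assumes: resolver on UDP/53,
example.com is signed, dnssec-failed.org is deliberately broken."""
import secrets
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_DS, TYPE_RRSIG = 1, 41, 43, 46
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
FLAG_AD = 0x0020  # "authenticated data": the resolver validated this answer

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_query(name, qtype, txid=None):
    """Recursive query plus an EDNS0 OPT record with the DO bit set, which tells
    the resolver to validate and to include RRSIG records in its reply."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract the fields that matter for DNSSEC: rcode, AD flag, RRSIG count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype and qclass
    rtypes = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rtypes.append(rtype)
    return {"txid": txid, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & FLAG_AD), "answers": an, "rrsigs": rtypes.count(TYPE_RRSIG)}

def interpret(result):
    """Turn one parsed reply into a verdict about the resolver."""
    if result["rcode"] == "SERVFAIL":
        return "servfail"              # expected for a broken zone when validation is on
    if result["ad"]:
        return "validated"             # resolver checked the chain of trust from the root
    if result["rrsigs"]:
        return "signed-not-validated"  # signatures passed through, resolver did not check them
    return "unsigned"                  # zone is unsigned, or signatures were stripped

def query(name, qtype, resolver, timeout=3.0):
    """Send one query over UDP and return the parsed reply (no TCP fallback)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    if result["txid"] != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return result

def build_sample_response(ad=True, rcode=0, txid=0x1234):
    """Constructed sample reply (not captured traffic): an A record for example.com
    plus its RRSIG, as a resolver returns them when the DO bit was set."""
    flags = 0x8180 | (FLAG_AD if ad and rcode == 0 else 0) | rcode  # QR, RD, RA
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"  # compression pointer back to the question name
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig_rdata = bytes(18) + encode_name("example.com") + bytes(64)  # placeholder signature
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    answers, an = (a_rr + rrsig_rr, 2) if rcode == 0 else (b"", 0)
    return struct.pack("!HHHHHH", txid, flags, 1, an, 0, 1) + question + answers + opt

if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption: local resolver
    zone = sys.argv[2] if len(sys.argv) > 2 else "example.com"     # your own external zone
    for name in ("example.com", "dnssec-failed.org"):
        print(name, interpret(query(name, TYPE_A, resolver)))
    ds = query(zone, TYPE_DS, resolver)
    print(zone, "DS records at parent:", ds["answers"])  # 0 means the zone is not signed
```

Run it as `python dnssec_probe.py <resolver-ip> <your-domain>`. A validating resolver reports `validated` for the signed zone and `servfail` for the broken one; `signed-not-validated` on the first query means the resolver hands back signatures but does not check them, and a DS count of 0 for your own domain means your external zone is not signed at the parent. Where `dig +dnssec` or `delv` is available, use it as the reference check; the AD flag and RRSIG records it prints are the same fields this script reads.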
When it comes to DNS on the internal network of an institution, we believe that all institutions should implement DNSSEC as a control against an inside attacker forging internal name lookups to intercept communications. Internal zones have no chain of trust to the Internet root, so the institution's own key must be distributed to its validating resolvers as a trust anchor, and signing keys must be rolled on a schedule without breaking resolution. Institutions should find a provider with experience configuring DNSSEC, as it can be complex.
Bedel Security helps financial institutions to identify and assess cybersecurity controls. If you need help understanding potential controls better, please do not hesitate to reach out to us. We would love to help! Shoot us an email at support@bedelsecurity.com.