The Real Risks of Not Deploying DNSSEC
To understand the importance of DNSSEC, you need to know what can happen without it. Hackers aggressively target the DNS because it’s both vulnerable and valuable. Without DNSSEC in place to authenticate a legitimate online destination, an organization’s priceless user traffic can be hijacked. When the DNS is compromised, companies and their customers both suffer the consequences.
Organizations can lose control of their DNS in a number of ways: DNS hijacking, domain shadowing, DNS cache poisoning, Man-in-the-Middle (MITM), and DNS spoofing. In many cases, malicious parties can take advantage of the complexity of DNS management, which makes companies vulnerable. Organizations typically use multiple DNS providers, few of which interface with domain registrars. This common DNS management scenario exposes organizations to compromise through misuse of orphaned domains and dormant DNS zone files. Hackers actively scan corporate networks for these vulnerabilities.
Hijacked, spoofed, or corrupted DNS files are used to divert internet users and customers to fraudulent websites that can convincingly imitate a trusted enterprise brand. These fraudulent sites can be further disguised by the use of mimicked SSL certificate-based encryption that appears in the browser window under the victim brand’s own name. Unauthorized certificates are easy to acquire when the bad guy has control of the domain owner’s DNS.
Malicious sites can expose users to spam, fraud, and malware infection. In the worst cases, users will enter login credentials or financial information without suspecting their data or identities are being stolen. In another worst-case scenario, stolen login credentials can be used to gain access to a company’s IT network to launch further attacks.
Everything that is digital runs on the DNS. Cybercriminals know the DNS is an easy target, so they use it to initiate larger, more sophisticated campaigns that can put a victim organization in digital crisis.
DNS hijackers aren’t necessarily motivated by monetary gain. Politically motivated DNS attacks, sponsored by states and dissident groups, are on the rise. So is corporate sabotage: In 2019, hackers manipulated the DNS of orphaned domains registered with GoDaddy in two exploits nicknamed Spammy Bear and Gand Crab. Major brands including AT&T and DHL were victimized with bogus, malware-laden emails sent out under their names. Similar DNS attacks succeeded against WikiLeaks and The New York Times.
The risks of undersecured DNS have become so urgent that the Cybersecurity and Infrastructure Security Agency, an agency of Homeland Security, has released an unprecedented emergency directive alerting organizations to DNS hijacking. Shortly afterward, ICANN issued its own emergency alert. As both warn, the DNS is under attack. Without DNSSEC, it’s especially vulnerable.
Who Is at Risk of DNS Attacks?
Any company with an online presence is at risk, and the size of the presence is proportional to the risk. The more domains, subdomains, DNS zone files, and vendor platforms companies have to manage, the more likely it becomes that some are vulnerable to attack.
Though all companies should be on guard, industries that collect valuable data are the most frequent targets. Financial institutions (including banks and payment processing companies) have been the most attacked industry sector for three consecutive years, comprising 19% of all attacks in 2018. As customers demand greater convenience in the form of more digital services, banks and others in the industry are expanding their collective online footprint. DNS security, including DNSSEC, will be critical as customers expect to engage with trusted brands and entities.
Healthcare is another industry at risk. By some estimates, the healthcare sector experiences 32,000 attacks every day. Because providers deal with medical and financial information in large quantities, they’re an attractive target for hackers. Digitally connected medical technologies enable the industry to collect more data than ever, reducing costs and improving care. The downside is that more data makes attacks more likely, with the DNS ranking highly as a preferred attack vector.
Government agencies face a similar situation. From state secrets to Social Security numbers, they arguably manage the most valuable information. Even the National Security Agency was successfully hacked in 2016. U.S. government agencies have responded to the global threat against DNS networks by mandating DNS security measures including DNSSEC and DMARC.
The risks are real, but that doesn’t mean they’re unavoidable. DNSSEC is the most effective measure to defend against DNS hijacking. Unfortunately, corporate DNS management inefficiencies and failure to follow DNS security best practices have impeded DNSSEC adoption.