Calm down, Internet. You're fine. A look at DNS security
The recent Syrian Electronic Army attacks on the New York Times and Twitter have gotten a lot of people thinking and talking about Internet security. Attackers gained access to the domain registration for popular web sites, and redirected DNS query traffic to servers under their control, effectively usurping control of all web traffic for the affected sites.
The choice of targets couldn’t be more representative of the crossroads we face as a culture. Taken down by these cyber thugs were the New York Times, the most venerable institution within traditional media, and Twitter, who for many consumers of news is the future. The moral of the story? No one is safe from a cyber attack.
Don’t let all this scare you. When events like these occur, people often overreact. Suddenly the Internet seems a scary, dangerous place. If Middle Eastern hackers can reroute traffic from the New York Times, couldn't they do the same to my site? Or maybe even worse, like, hack into my computer systems, steal customer information and delete all my data? What if I can never get my computer systems online again. What if...
Okay, take a deep breath. Calm down. Everything is going to be fine.
The stewardship of the Internet is in good hands, and many of the problems, which seem catastrophic, are often easy to fix. When a situation like what happened with the Times occurs, things actually get safer. That’s because there are some great organizations out there maintaining order. While we all know what FBI and LOL stand for, there are some new acronyms we should all commit to memory:
IETF – The Internet Engineering Task Force, which creates Internet protocols.
ICANN- The Internet Corporation for Assigned Names and Numbers, which creates security policies
NANOG - The North American Network Operators Group, which meets regularly to share security best practices.
The work these groups are doing is having a major impact. For every threat that has been actualized a thousand were quietly mitigated. The batting average of Internet security would be bound for Cooperstown.
Of course, these acronym-infused organizations can't operate alone. They need our help. It's time that everyday users began to take security more seriously. For too long, we, the public, have looked at the Internet as magic. How many times has someone said, “I don’t understand how it works. I just expect that it does.” Well, the Internet has become too much a part of our lives to plead ignorance anymore. We need to educate ourselves. While we don’t all have to become computer scientists or programmers, we need to be aware of the issues. Only then can we solve them. Remember, you cannot outsource ultimate responsibility.
That being said, everything is a trade off. Companies must find the right balance between ensuring their product is safe and releasing new features to their clients. There is no one formula etched in stone. The industry is constantly evolving, as are threat levels. As this happens companies evolve their allocation of time and attention to these issues.
For any company generating revenue online there are best practices for securing your Domain Name System (DNS), the part of the Internet experience that was affected in these most recent attacks:
- Use a trusted provider of registration services that has multi-factor authentication security check in.
- Where ever possible use an IP Access Control List, which allows you to dictate which IP addresses are allowed to connect. Example: Our Salesforce account is locked down to our IP address so to access it you need to be in our office or on our VPN.
- Turn on DNSSEC. This allows users to validate that the DNS data they are getting hasn’t been altered in a malicious way).
- Make sure that your authoritative DNS servers are on a geographically diverse Anycast network as this makes it more resilient against a DDoS attack.
- Use strong passwords, and when your venders have granular permissions to what users can do within the system, take advantage. Employees don’t need access to everything. If they do, and one of those credentials is compromised, then the hacker has access to everything.
- Always make sure your domains are locked from transfer and potential changes at your registrar.
Remember, the Internet is the final frontier but also still in its infancy. Some of the greatest contributions to humankind will be enabled because of the it, but aspirations to greatness come with risk.
If you keep calm, educate yourself, and implement best practices, you'll rest easy.
[Image Credit: Wikimedia]