This week on our blog, we have a guest post from Matthew Schofield Security Solutions Consultant at NTT Security.
Following the adoption of the microprocessor into the vehicle industry, safety has improved in leaps and bounds. Decoupling the human from complex and high speed tasks better suited to a computer (such as measuring the rotation of a wheel relative to that of the other wheels) has undoubtedly made roads safer. However, this doesn’t mean there’s no place for simple, mechanical safety aids such as those plastic tags on trucks and bus wheels that indicate a loose wheel nut.
As a fellow NTT Security blogger will testify, no amount of dynamic stability control will help you out when the wheels are no longer attached to the car.
The same is true in cybersecurity. The market is awash with high tech solutions to complex problems and, while they undoubtedly help address the problems we face, this blog post looks at the cybersecurity equivalent to those un-glamourous yet invaluable plastic lug nuts that help keep our digital business on the road.
The foundational elements of any internet presence are the mechanisms used to ensure customers and partners can access information services we provide. Organisations whose business depends on these services put a lot of time, effort and money into designing robust solutions at the component level, but it’s as important to ensure the interfaces are equally secured and resistant to tampering.
These interfaces are Domain Name System (DNS), by which an organisation’s information services can be found on the internet, and SSL/TLS, where trust and privacy can be asserted. If either mechanism is broken or hijacked, both service and trust can be disrupted and damaged. So what can be done?
- Ensure the security of DNS management – if attackers can change your DNS records, web and email traffic could be diverted or SSL/TLS certificates reissued. This happened recently to a well established cybersecurity company Fox-IT. Similarly, it may be that your DNS records are managed by a third party, in which case undertake due diligence. Questions to ask yourself or your supplier include: what are the physical and logical security controls limiting access to DNS management (e.g. strong authentication, bastion hosts)? Is there a full audit trail to identify erroneous or malicious activity?
- Audit externally facing DNS – what domains does the company own? Who manages them? When is ownership due to expire? Which are in use currently? Attackers will pounce on domains that become available and readily use them to attack an organisation or commit fraud.
- Consider the use of anti-phishing and reputational services that will use automated and manual methods to identify fraudulent domains intended to deceive users/consumers and to supervise or oversee takedowns in association with ISPs, hosting companies and domain registrars.
- Consider the use of DNSSEC. DNSSEC adds a layer of authentication to an otherwise insecure DNS infrastructure that is open to spoofing and other abuse.
- As per DNS, ensure the security of certificate management. As this will inevitably be via a third party ‘Certificate Authority’, ensure you select your provider carefully and based on clear business and security requirements.
- Audit external (and while you’re at it internal) certificates using crawler tools. Ensure consistency across domains and suppliers and ensure robust processes are in place to update certificates prior to their expiration. Consider whether the private keys that underpin the use of SSL/TLS certificates are properly secured as compromised keys break all trust. Audit the use of legacy Symantec/Verisign issued certificates that will be dis-trusted in 2018.
- Consider implementing Certificate Authority Authorization (CAA). This is a public DNS record that defines which CAs can issue certificates for that domain and therefore minimise the risk of attackers requesting certificates for your domain. It became mandatory in September 2017 for public CAs to check for existence of this record prior to issuing a certificate.
- Consider the ‘health’ of SSL/TLS certificates using tools that scorecard their implementation against good practice and take time to understand the relevance of the output.
You may have noticed that, despite their non-transactional nature, both this site and all the sites I reference above encrypt communications using certificates. They are no longer the exception for internet communications and with their use comes elevated expectations of trust from the user. DNS and encryption requires good, secure management and as such it has never been more important to consider these foundational controls to keep your digital business out of the ditch.