Transcript
Good morning, good afternoon and good evening. Thank you for joining our continuing webinar series designed to inform enterprise leaders on the state of external DNS risks and solutions. My name is Peter Lamantia, CEO of Authentic Web, provider of domain, DNS and TLS certificate control systems designed for enterprise teams. Today, I'm going to share the CSO briefing to unpack the exposure risks and impacts related to DNS threats that exist on the external DNS.

This is the third webinar in the series. In the first webinar, Enterprise DNS Audit Results Revealed, I walked through DNS audit data from several large organizations to help you understand and compare your organization's posture. If you don't know your posture, then a DNS audit is a recommended first step. In the second webinar, DNS Security: The Zone Mess, I talked about the zone file settings and how they lack management rigor. I placed emphasis on dangling CNAMEs and orphan subdomain records, and how these two examples of unattended DNS settings create cybersecurity exposures. If you're in learning mode, you can find additional best practice guides, white papers, and webinars at authenticweb.com/resources. Alternatively, reach out. I'd be happy to help you understand these exposures and what you can do about them.

Today in the CSO brief, we're going to take it up a level to the business imperative. I'll talk about why you're exposed and what will happen if it is not addressed, as well as the impacts and costs to your company and customers. We'll conclude with a recommended CSO directive to transition from a reactive to a proactive posture to better protect the business, keep your customers safe, and make it easy for your teams to get and keep control of the external DNS. As a CSO, this is your problem. Some in the organization may obfuscate the risk or tell you that it's not urgent, but that is a fallacy. As one PhD sums it up, the DNS is the soft underbelly of the internet.
The DNS is, by design, not secure. You must secure it with security policies and systems to enforce those policies. Let's dig in.

As an agenda, we will first provide context on what we mean by security vectors by separating them into two categories. We'll then look at the ownership and system silo issue, why and how the business is exposed, what will happen, and then take a look at the business impacts and costs, all supported by third party research evidence. In the end, we'll summarize the situation and provide a recommended CSO directive that you can adopt to get proactive and mitigate these risks.

Inbound DNS threats are known. These are inbound threats where perpetrators seek to gain command and control inside your network, exfiltrate data, or execute other compromises by targeting your internal networks. To address these threats, you need to put in place DNS blocking services, which I would expect many of you have in place today. The second threat vector is the external DNS. This is where we're going to focus today.

I think it's easiest to share this graphic to understand the external threats in relation to the internal causes of why these exposures persist. External threats exist on the internet in various flavors, from DDoS compromises, man in the middle, DNS hijacks, phishing, et cetera. They persist because of internal causes, including manual processes, ungoverned change, lack of oversight, lack of visibility, among others. All of these issues constitute a legacy approach that contributes to a poor enterprise DNS proactive security posture. These problems can, for simplicity, be condensed to two underlying conditions that drive the problem inside the enterprise. The first is lack of ownership. Domains and DNS touch every functional group as stakeholders who all have a hand in managing the external DNS, but rarely is it owned. External DNS is the hot potato technology inside the business.
It's confusing, highly technical, poses great risk, and is mission critical. No one wants to accept ownership to ensure security and compliance. And this is why a DNS control directive must go up to the CEO's office to mandate that it is owned and fully secured. The second condition is a lack of control systems. Companies typically have several, if not dozens, of systems across the enterprise operating in silos, typically without any security policies and without any centralized control or policy enforcement. These two conditions contribute more than any others to create security and compliance gaps on the external DNS.

Let's run through why you're exposed due to a lack of ownership, governance and control systems, and discuss what will happen if these exposures are not addressed, in terms of brand impersonation, theft of credentials or PII, DDoS, et cetera. We'll use some examples, and let's start with DNS hijacks, which can be executed for many reasons. One exposure here is due to the failure to set up and maintain DNSSEC, or Domain Name System Security Extensions. Without DNSSEC, you can be targeted by attackers who can compromise zone files on the recursive servers out on the internet, injecting false or poisoned cache zone information and redirecting customers to fake websites.

Social engineering exposures happen in ungoverned services. Enterprises have a legacy of vendor debt, akin to technical debt, with multiple, and sometimes dozens, of live DNS managed services. Without governance, you're exposed to clever actors getting control over some subset of your domains and perpetrating attacks by hijacking the DNS, and you won't know until it's too late.

Phishing is, as we all know, perhaps the most common attack vector and can be perpetrated using your own domains. If you own a domain, you must manage it. What does that mean? Every domain must have an SPF and DMARC record to ensure it cannot be used against you.
Without these protections, what will happen is a phish in an attempt to compromise your customers, partners, or internal personnel, in spear phishes, for example.

Session compromise resulting from insecure redirects. In audits, we see tons of exposure here. If you have an HTTP-only redirect, this permits session eavesdropping to harvest data or enables redirection of your customers to a malicious website. You must ensure you're encrypted end to end on all your redirects.

Dangling DNS or orphaned DNS, represented by legacy settings that remain live. This was a focus of our second webinar, The Zone Mess. Simply put, people set up CNAMEs and subdomains every day and have been doing so for decades, and those records persist on the DNS. Yet the resources may be long turned down. This means that the record is orphaned or dangling. Bad actors can get control of the web resource or the subdomain IP address to compromise your brand. This is a heightened risk where the name value is in use by other services.

Internal actors. Research shows that most incidents occur because of internal resource actions and inactions. It may not be a nefarious activity, but every time a change happens, this change can create an exposure to just about any compromise imaginable. If you cannot see and control the change, then you know you are exposed.

And the last example is network reconnaissance. DNS, again, is insecure by design. It's a public network to make your digital products and services available on the internet. Similarly, bad actors use the DNS to map your network. They see what is live and they hunt for gaps in server software updates and configurations. And upon discovery, they can execute attacks. They are focused, tactically astute actors, and if they set you as a target, this is how they discover your vulnerabilities. These are examples you need to be aware of.
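As an added example, not part of the webinar and not Authentic Web's tooling: an offline Python check of the controls named above (an SPF and a DMARC record on every domain, no dangling CNAMEs, no HTTP-only redirects) run over a constructed snapshot of DNS answers and first-hop redirects. The zone, the hostnames, the set of resolvable CNAME targets and the redirect table are all made up for illustration; in a real audit the snapshot would be filled from live lookups and HTTP probes, and the same policy functions would run unchanged.

```python
"""Offline policy audit of an external-DNS snapshot (added example, constructed data)."""
import re

# Constructed sample of what a resolver returned, keyed by (owner name, record type).
# The CNAME target old-app.cloudhost.example is deliberately absent from RESOLVABLE
# to model a dangling record left behind after the service was turned down.
SAMPLE_ZONE = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.example.net -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ("mail.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],      # soft fail only
    ("_dmarc.mail.example", "TXT"): ["v=DMARC1; p=none"],             # monitor only
    ("brand.example", "TXT"): ["v=spf1 +all"],                        # anyone may send
    ("shop.example.com", "CNAME"): ["shop.cdn.example.net."],
    ("legacy.example.com", "CNAME"): ["old-app.cloudhost.example."],
    ("promo.example.com", "A"): ["203.0.113.10"],
}
# Constructed: CNAME targets that a live lookup would still resolve.
RESOLVABLE = {"shop.cdn.example.net"}
# Constructed: first redirect hop observed for each web host, scheme included.
REDIRECTS = {
    "promo.example.com": "http://www.example.com/promo",
    "shop.example.com": "https://www.example.com/shop",
}


def _txt(zone, name):
    return zone.get((name, "TXT"), [])


def spf_policy(zone, domain):
    """Classify a domain's SPF record.
    missing    - no v=spf1 TXT record, so receivers cannot reject spoofed mail
    permissive - ends in +all or has no all mechanism (spoofing passes)
    soft       - ends in ~all (receivers mark, rarely reject)
    strict     - ends in -all
    A domain that never sends mail should still publish "v=spf1 -all".
    """
    spf = [t for t in _txt(zone, domain) if t.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return "strict"
    if last == "~all":
        return "soft"
    return "permissive"


def dmarc_policy(zone, domain):
    """Return the p= tag of _dmarc.<domain> (none/quarantine/reject), 'invalid' or 'missing'."""
    for t in _txt(zone, "_dmarc." + domain):
        if t.upper().startswith("V=DMARC1"):
            m = re.search(r"\bp=(none|quarantine|reject)\b", t, re.I)
            return m.group(1).lower() if m else "invalid"
    return "missing"


def dangling_cnames(zone, resolvable):
    """Owner names whose CNAME target no longer resolves (takeover candidates)."""
    return sorted(
        name
        for (name, rtype), data in zone.items()
        if rtype == "CNAME" and data[0].rstrip(".").lower() not in resolvable
    )


def insecure_redirects(redirects):
    """Hosts whose first redirect hop is plain HTTP, exposing the session to eavesdropping."""
    return sorted(h for h, url in redirects.items() if url.lower().startswith("http://"))


def audit(zone, resolvable, redirects, apex_domains):
    """Collect findings in the order a reviewer would triage them."""
    findings = []
    for d in apex_domains:
        spf = spf_policy(zone, d)
        if spf != "strict":
            findings.append(f"{d}: SPF {spf}")
        dm = dmarc_policy(zone, d)
        if dm in ("missing", "invalid", "none"):
            findings.append(f"{d}: DMARC {dm}")
    findings += [f"{n}: dangling CNAME" for n in dangling_cnames(zone, resolvable)]
    findings += [f"{h}: HTTP-only redirect" for h in insecure_redirects(redirects)]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ZONE, RESOLVABLE, REDIRECTS,
                      ["example.com", "mail.example", "brand.example"]):
        print(line)
```

Only the `-all` / `p=reject` (or `p=quarantine`) combination passes here, because a domain with `~all` or `p=none` can still be spoofed while looking "configured"; a dangling CNAME is flagged whenever its target is outside the resolvable set, which is the condition that lets an outsider register the target and take the subdomain.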
If you think about your organization and how your teams manage domains and DNS, can you honestly say you have none of these issues? My bet is you're not sure, which frankly means you have all of these issues and are exposed.

Okay. So what are the business impacts and what are the costs? I'm not going to dwell on this because you probably know them: the cost per hour when systems are down, the cost to manage incidents in customer service and incident response groups, the distraction and resource costs in IT, infosec and other teams, and the opportunity cost of defocused teams from the business priority of the quarter. When an incident happens, everything stops. Teams work to mitigate the incident. They conduct postmortems and follow-on actions to prevent further incidents. This is a reactive cycle that just continues to repeat over and over. How about brand damage from the customer, investor and partner perspectives? And in the age of increasing regulatory compliance, you will bear the cost to report, embarrassingly have to make public comment on the incident, and then set up activity to repair the regulatory shortcomings and, in some cases, pay fines.

Third party research shows these hard costs are increasing year over year. Other independent research reports show the cost of various types of incidents. The constant is both increasing costs and increasing probabilities year over year. So when you're considering how to prioritize activities, these two facts are compelling: higher probabilities and higher costs. There are two quotes here from research reports that are informative to guide direction, and I'm just going to read them. "Incidents and responses attract public attention. There is an overemphasis on attack response and under-emphasis on proactive preventative measures to detect, identify, and mitigate threats before an attack can occur." The key message there: get proactive.
Second one: "Because cyber investigators actively look for malicious domain registration indicators such as lookalike domains, many attackers prefer to exploit legitimately registered domain names. The domain hijacking is an enabling attack." Cyber attackers are using your own domains, so if you own it, you must manage it.

Let me summarize where we are so far. Domains and DNS are extremely vulnerable to compromise. The DNS is not secure. With operating silos and a clear lack of ownership, you have exposures. With system silos, without control systems in place to enforce security policies, you have exposures. Secondly, it's extremely hard for IT to get and keep control. Lack of accountability and ownership is the first point. And then legacy systems: we're just not giving our teams the tools to be able to manage this effectively inside the organization. And third, the business impacts and costs are driving the need to become proactive versus reactive. Costs are climbing year over year. The probability of an incident is approaching 100%.

The CSO directive. If leadership doesn't sponsor change, no one will. That's the key message. So leadership must prioritize action to get proactive and prioritize action to plug these gaps. And it's simple how to do that: assign ownership and sponsor systems modernization to empower teams to get and keep control. Ask yourself or your operators three simple questions to determine if your organization has controls in place. Number one: do you have a unified, tamper-proof system to manage domains and DNS? Can someone change the zone without permission? Do you know when it changes? The implication here is that unseen errors and rogue actions can expose the business and impact digital performance. Number two: can you prove that system enforces security policies and change management? What ensures SPF and SSL are implemented as required? Do you have an audit trail? Failure to comply with IT controls creates a gap in DNS security enforcement.
And number three: is the system integrated with registrar and managed DNS controls? Are new domain additions and changes connected to the DNS system over the life cycle of that domain name? If you don't have end-to-end change management, you're losing compliance due to these silos and you're increasing work effort.

System modernization looks like this: a single system that brings together all the technologies, from domains, DNS, approval workflow, change management, TLS certificates and security audit tools, for all stakeholders to gain centralized control while empowering distributed execution. It has the effect of making it easy for teams while at the same time reducing total cost of ownership, by bringing control, visibility and automation to your operation to improve security, compliance and performance.

Last week, I read a post on LinkedIn from a cybertech CEO, completely unrelated to our business, but I thought he described it quite well, so I thought I would share it here as we start to wrap up. In summary, he says companies spend billions on cybersecurity but ignore and neglect domain and DNS, leaving them without necessary security controls and management. Companies don't pay attention to DNS oversight and somehow don't know why compromises keep happening. And then he suggests that the dollars spent are a waste if domains and DNS are not included in the security posture playbook, and concludes that this is madness and undermines cybersecurity programs. I think he's right.

And you no doubt have heard this phrase: it's always the DNS. It's so well used that it's become a bit of a meme, because it's true. Whenever there's a problem on some network service, your team hunts and hunts, and more often than not, it's the DNS. And it's always the DNS when everything is humming along just fine. And it's often the DNS, or at least a contributor, when attackers compromise your business. Why is DNS security so critical?
Well, the DNS is the single technology on which the entire digital business depends. Virtually every cybersecurity incident starts with the DNS. You need to lock it down or you're going to get burned. And it clearly is not if, but when.

In my years of being in this business, I run into the following ownership scenarios where internal ownership questions limit the business from moving forward, and there are four scenarios that constantly play out. One: I don't understand and I don't want to understand; it's not my problem. Or: I do understand, but I choose to ignore it because it's not my problem. Or: I do understand and think it's urgent, but I can't get leadership sponsorship. Why? Because it's not the leader's problem. And then lastly: I do understand, and I take control and modernize. These are the winners. These are the guys that make life easy for teams. They reduce exposure and they reduce costs on the DNS.

Thank you for joining today. I hope you found this 20 minutes of value. I do have a white paper that provides more detail on all this presentation information. If you'd like to get a copy, please reach out. And remember, the good news here is that these exposures can be easily resolved by assigning ownership and modernizing your control systems. If you have questions or would like to discuss your situation, reach out to me and we can get you on the right track. Thank you again for the time today and have a great rest of your day.