DNS Edge: Addressing GAO’s “High Risk” Cybersecurity Findings

The Government Accountability Office first identified cybersecurity as a “high risk area” over twenty years ago.  As detailed in a report released this week, that high risk area now covers an even broader swath of government operations, including cyber threats to critical infrastructure and privacy protection.

GAO’s cyber assessment is both stark and damning for the entire government enterprise:  “IT systems are often riddled with security vulnerabilities—both known and unknown.”  The stakes are high – security incidents and cyberattacks on government systems “disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.”

Drawing from FISMA data, GAO categorized over 35,000 security incidents reported by government agencies in 2017.  Phishing and web application incidents constitute around one-third of all reported vulnerabilities.  This suggests that boundary-level firewalls and filters cannot be trusted to protect government networks on their own – malicious code is still getting through.  Another quarter of reported incidents were caused by “improper use”, suggesting that internal network controls are still lacking.  Perhaps most troublesome is the one-third of incidents marked as “other”, suggesting that government IT systems are vulnerable in ways which have yet to be fully analyzed.

A simple fix? Not for cybersecurity

There are no silver bullets in cybersecurity, and it would be naïve to state that any one factor could address all of the 1,000 open GAO recommendations.

Yet DNS is an intriguing (if underappreciated) aspect of many vulnerabilities identified in the GAO report.  What do malicious phishing and web application attackers use to navigate their way through the network?  DNS.  Which protocol serves as the gateway for unauthorized users to access forbidden parts of the network?  DNS.  What do over 91% of cyberattacks utilize for command and control?  DNS.

Just as the ubiquitous nature of DNS makes it an ideal attack vector, its position at the network core also contributes to complacency in addressing the inherent vulnerabilities of DNS infrastructure.  Cybersecurity teams may not realize that their most precious and effective asset is down the hall with their network colleagues.  In their GAO-recommended plans, agency IT administrators would do well to think of their existing DNS infrastructure as an untapped security asset.

What DNS can do to keep us safe

Here are just a few examples of how DNS can address the GAO’s most pressing recommendations:

• Ensure the security of emerging technologies (p. 20): Using client-facing DNS security tools like BlueCat’s DNS Edge, IT administrators can block all queries from IoT devices without the need for cumbersome agents.
• Improve implementation of government-wide cybersecurity initiatives (p. 22): If DHS deployed its DNS-based EINSTEIN filters inside agency networks instead of on the network boundary, it would gather more actionable information and enable timely agency responses to cyber incidents.
• Address weaknesses in federal information security programs (p.23): Using DNS configurations to segment networks would go a long way toward eliminating unauthorized access on Federal systems.
• Enhance the federal response to cyber incidents (p.25): At BlueCat, we know that a joint approach is needed for both prevention and mitigation of cybersecurity incidents.  DNS already has a track record of bringing network and security teams together to enhance cyber response.

The cybersecurity responsibilities of Federal agencies will only become more complex and harder to implement over time.  DNS is the kind of low hanging fruit which it makes sense to address now – before the next GAO report shows the problem spreading even further.

Want to learn more about the role of DNS in government cybersecurity?  See BlueCat’s security resources here.