DNS Edge: Addressing GAO’s “High Risk” Cybersecurity Findings

The Government Accountability Office first identified cybersecurity as a “high risk area” over twenty years ago.  As detailed in a report released this week, that high risk area now covers an even broader swath of government operations, including cyber threats to critical infrastructure and privacy protection.

GAO’s cyber assessment is both stark and damning for the entire government enterprise:  “IT systems are often riddled with security vulnerabilities—both known and unknown.”  The stakes are high – security incidents and cyberattacks on government systems “disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.”

Drawing from FISMA data, GAO categorized over 35,000 security incidents reported by government agencies in 2017.  Phishing and web application incidents constitute around one-third of all reported vulnerabilities.  This suggests that boundary-level firewalls and filters cannot be trusted to protect government networks on their own – malicious code is still getting through.  Another quarter of reported incidents were caused by “improper use”, suggesting that internal network controls are still lacking.  Perhaps most troublesome is the one-third of incidents marked as “other”, suggesting that government IT systems are vulnerable in ways which have yet to be fully analyzed.

A simple fix? Not for cybersecurity

There are no silver bullets in cybersecurity, and it would be naïve to state that any one factor could address all of the 1,000 open GAO recommendations.

Yet DNS is an intriguing (if underappreciated) aspect of many vulnerabilities identified in the GAO report.  What do malicious phishing and web application attackers use to navigate their way through the network?  DNS.  Which protocol serves as the gateway for unauthorized users to access forbidden parts of the network?  DNS.  What do over 91% of cyberattacks utilize for command and control?  DNS.

Just as the ubiquitous nature of DNS makes it an ideal attack vector, its position at the network core also contributes to complacency in addressing the inherent vulnerabilities of DNS infrastructure.  Cybersecurity teams may not realize that their most precious and effective asset is down the hall with their network colleagues.  In their GAO-recommended plans, agency IT administrators would do well to think of their existing DNS infrastructure as an untapped security asset.

What DNS can do to keep us safe

Here are just a few examples of how DNS can address the GAO’s most pressing recommendations:

  • Ensure the security of emerging technologies (p. 20): Using client-facing DNS security tools like BlueCat’s DNS Edge, IT administrators can block all queries from IoT devices without the need for cumbersome agents.
  • Improve implementation of government-wide cybersecurity initiatives (p. 22): If DHS deployed its DNS-based EINSTEIN filters inside agency networks instead of on the network boundary, it would gather more actionable information and enable timely agency responses to cyber incidents.
  • Address weaknesses in federal information security programs (p.23): Using DNS configurations to segment networks would go a long way toward eliminating unauthorized access on Federal systems.
  • Enhance the federal response to cyber incidents (p.25): At BlueCat, we know that a joint approach is needed for both prevention and mitigation of cybersecurity incidents.  DNS already has a track record of bringing network and security teams together to enhance cyber response.

The cybersecurity responsibilities of Federal agencies will only become more complex and harder to implement over time.  DNS is the kind of low hanging fruit which it makes sense to address now – before the next GAO report shows the problem spreading even further.

Want to learn more about the role of DNS in government cybersecurity?  See BlueCat’s security resources here.

Published in:

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more