[ISN] Securing DNS should trump budget-cutting for enterprise IT, experts say

From: InfoSec News <alerts_at_private>
Date: Wed, 31 Dec 2008 03:07:24 -0600 (CST)
http://www.networkworld.com/news/2008/123008-dns-security.html

By Denise Dubie 
Network World 
12/30/2008 

The discovery of a major DNS flaw in mid-2008 landed the technology in 
many headlines, but with economic concerns weighing on many in IT, 
industry watchers worry that revamping systems and security around 
domain name servers could be put on hold in 2009.

The vulnerability, discovered by Dan Kaminsky, director of penetration 
testing at IOActive, motivated numerous vendors to upgrade their 
products to protect enterprise networks against cache poisoning and 
other DNS attacks, such as distributed denial-of-service (DDoS). IT 
directors were encouraged to upgrade their DNS systems to guard against 
potential threats, but a survey by The Measurement Group revealed that 
about 25% of servers had yet to be upgraded by mid-November. Now, with 
the year coming to a close, DNS experts worry the projects will take a 
back seat to cost-cutting measures.

"These name servers are trivially vulnerable to the Kaminsky attack. 
With an effective exploit script, a hacker can insert arbitrary data 
into the cache of one of these name servers in about 10 seconds," says 
Cricket Liu, vice president of architecture at Infoblox.

A separate survey of 466 enterprise online customers conducted by 
DNSstuff in September revealed that 9.6% hadn't patched their DNS 
servers and 21.9% didn't know if they were patched. The findings show 
that despite the DNS community's and several vendors' efforts, a 
significant number of server administrators have yet to take action. As 
for the reasons behind the lack of patches, more than 45% cited a lack 
of internal resources, 30% said they were unaware of the vulnerability 
and 24% reported they didn't have enough knowledge of DNS to take the 
appropriate steps. DNSstuff's customer research also found that the most 
common DNS issues among respondents include e-mail downtime for 69%, 
DDoS attacks and cache-poisoning attacks for nearly half and spoofing 
for 18.5%.

[...]


Received on Wed Dec 31 2008 - 01:07:24 PST
