Security Manager's Journal: Taking on the DNS flaw from the other side of the world

Top Stories

Related

• Microsoft's Web site overwhelmed by would-be Windows 7 downloaders
• Review: Windows 7 Beta 1 shows off new task bar, more UI goodies
• FAQ: How to get the Windows 7 beta
• Elgan: Palm and Sony out-Apple Apple
• Google: Chrome in 'never-ending' beta
• Memory card standard could provide up to 2TB on an SD card

• Fake Christmas, holiday greetings spread new malware
• Network Solutions phishing campaign preceded CheckFree domain takeover
• Estonian ISP cuts off control servers for Srizbi botnet
• Massive botnet returns from the dead, starts spamming
• Hosting firm takedown bags 500,000 bots

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

August 25, 2008 (Computerworld) Trouble Ticket

Issue: Even when you're overseas, some problems need immediate attention.

Action plan: Educate yourself fast, and give the folks at home a decision.

I was on the road when the DNS cache-poisoning vulnerability hit. Since "on the road" for me can mean being on the other side of the world, it was good to see that I could effectively address this potentially serious problem while thousands of miles from home.

My travels took me to Hong Kong, mainland China and Germany. My company's recent acquisitions have given us facilities in all three locations, and I always seek to ensure that tying new facilities to our corporate network won't introduce vulnerabilities. The connection itself is simple enough -- we simply order an MPLS circuit or establish a point-to-point VPN -- but I won't give my OK without first checking things out.

I typically ensure that desktop PCs and servers are running antivirus software and that they're up to date with patches. Then I check out how employees, partners, suppliers and other business affiliates are given remote access. This usually includes a systematic review of firewalls, VPN concentrators and any other devices that control access.

Then there's the question of intellectual property protection. That one's very important -- after all, it's usually a company's IP that made us want to acquire it. Finally, I turn my attention to physical security: badge systems, doors, cameras, alarms and security guards.

I was in the midst of all of that when I received an e-mail from the IT department asking for my opinion on the DNS cache-poisoning vulnerability. Having been busy with my review of the facilities (not to mention the logistics of travel itself), I wasn't up to speed on the issue, so I went online and read some of the reports. What I learned was that a vulnerability had been identified that could allow a malicious user to replace legitimate Domain Name System entries with bogus addresses. This is not a new style of vulnerability; the DNS has had its share of security issues, most of them involving either a denial of service or a cache poisoning, as in this case. Is the Threat Real?

Our IT operations team is responsible for monitoring and assessing the risk of all reported vulnerabilities. It's a good idea to assess the risks before taking action. Some reports of vulnerabilities are merely false positives, and sometimes we can opt out of the remediation because we aren't running a vulnerable version of the operating system or application in question, or we just don't have any vulnerable infrastructure. Then you have to consider the availability of exploit code.