Four Vulnerabilities in Infrastructure Defense
“The basic underpinnings of the Internet — BGP, DNS, and SSL — we take for granted they were built in much friendlier times when friendly people wanted to communicate with friendly people. The Internet was built to be survivable, not trustable,” said John Pescatore, vice president and research fellow for Gartner Research. This quote was sited in an article in Darkreading by Kelly Jackson Higgins.
It can no longer be assumed that whom you are interfacing with over the Internet are friendly or even who you think they are. Even if the correct site name was entered malware like DNSChanger could take you to a malicious site. There are great rewards in the theft of resources and information and also for political activists to bring attention to their cause at the embarrassment of others.
Mr. Pescatore and Lawrence Orans, research director for Gartner, site four areas vulnerable to attack:
1. Distributed Denial of Service (DDoS & DoS) – massive data and requests for data typically sent from botnets that are widely distributed.
The actions recommended include using a traffic mitigation service or install a solution to help provide protection against attack traffic.
2. Certificate Authority – The basis for https exchange on the Internet. Certificates have stolen from authorized authorities and misused.
This is an area that is still exposed. There are proposed solutions in the Sovereign Keys and DNS Authenticated Name of Entities (DANE) that have yet to be accepted by the industry.
3. Domain Name System (DNS) – This is the means by which Domain Names are linked to the authoritative server and IP address for the appropriate server. Attacks that have been focused on DNS include man-in-the-middle, DNSChanger, and others focused on redirecting clients to an alternate site.
It is important to keep DNS software up to date and also to implement DNSSEC. It should be implemented by any organization that is concerned about ensuring that traffic intended for a specific site goes to that site.
4. 4G LTE (Long Term Evolution) – is a standard for wireless communication of high-speed data for mobile phones and data. Mobile devices are very exposed to attacks.
This area is still developing. There may be many undiscovered issues. Pascatore and Orans recommended that you should use a single carrier and VPN and/or Application-Level Security for sensitive applications.
This is a very good list of vulnerabilities with sound recommended approaches to help mitigate the exposure. The Internet community needs to take action in pushing forward acceptance of solutions such as DANE and encourage the increased use of DNSSEC.
Secure64 has expertise in all of these areas. Contact us to learn more.