
How DNS filtering can help protect your business from Cybersecurity threats


This blog was written by an independent guest blogger.

The Domain Name System (DNS) is the service that connects devices and services together across the Internet. Managing your DNS is an essential part of your IT security infrastructure. When poorly managed, DNS becomes a large attack surface.

Nonetheless, when properly configured, DNS is a key line of defense against cyber threats for your organization. DNS filtering is an essential component of business cybersecurity. The best part about DNS filtering is that it is simple and effective to implement. Think of DNS filtering as another component in building a secure network. Implementing a DNS web filtering solution will protect your network in many different ways.

In this article, we’ll discuss how DNS systems work and how DNS filtering works. Then we’ll take a look at how DNS filtering can improve the security of your network. Finally, we’ll take a look at some of the other issues you might face with your DNS system.

DNS filtering to improve security

What is the Domain Name System (DNS)?

The Domain Name System, abbreviated DNS, is a tech solution for matching domain names (also called web addresses) to IP addresses, like 192.168.1.1. DNS is useful because it allows you to access the web without memorizing IP addresses. If you’re old enough, you might remember memorizing all of your friends’ telephone numbers, but today most people don’t bother.

How does DNS work?

DNS works by taking a web address and matching it to the right IP address.

1. When you open a web browser (like Safari or Firefox), you type a web address, like www.att.com, into the address bar. The browser then sends a DNS query to a specialized server called a DNS resolver.
2. The DNS resolver looks for an IP address that matches the name you typed. It does this either by checking its own cache or by querying additional DNS servers.
3. The DNS resolver "resolves" the domain by sending a reply to the user's web browser with the correct IP address.
4. Finally, the user's web browser contacts the server at the IP address the DNS resolver looked up, establishes a connection and loads the web page.

Why is DNS so important?

DNS is essential for accessing the web. Unless you have the IP addresses of all your favorite websites memorized, no web content can load until the DNS resolution process has completed. Because every web request passes through this step, DNS filtering is a smart, effective way of enhancing security.

Furthermore, today web security is a top priority for businesses. This is because cybersecurity is no longer just an IT issue, but it’s a practical business issue as well.

How does DNS filtering work?

Because all DNS queries pass through a DNS resolver, the resolver is a natural place to block malicious activity. For instance, a specially configured DNS resolver can refuse to resolve queries for domains that appear on a private or publicly maintained blocklist (sometimes called a blacklist).

For even stricter control, DNS resolvers can also be configured to permit web access only through an allowlist (or whitelist). An allowlist is a list of websites that users are permitted to access. Any attempt to visit a website that is not on the list fails, because the domain is never resolved and the page cannot load.

For example, imagine an employee browsing Facebook at work. The employee comes across a Facebook post with a link to win $1,000,000, so they never have to work again. When the employee clicks the link, the browser's DNS query is first sent to the DNS filtering service. The service compares the link's domain against its list of unapproved websites. If the domain turns out to be unauthorized, the DNS resolver blocks the request.

In this scenario, the $1,000,000 prize was actually a phishing attempt, and the request is blocked before the page ever loads. This is one way that you can configure DNS filtering services.
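The blocklist and allowlist decisions a filtering resolver makes, written out in Python as an added example (not code from the original post or from any DNS product). The domain prize-winner.example and the sinkhole address 10.0.0.53 are constructed values; www.att.com and www.facebook.com are the names the article already uses.

```python
"""Minimal DNS-filtering decision logic: blocklist mode and allowlist mode.

Names ending in .example are constructed samples for this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional


@dataclass(frozen=True)
class Verdict:
    name: str       # normalised query name
    allowed: bool
    reason: str     # which list entry decided, or "default"
    answer: str     # what the resolver returns: "resolve", "NXDOMAIN" or a sinkhole IP


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'WWW.Example.COM.' equals 'www.example.com'."""
    return name.strip().rstrip(".").lower()


def parents(name: str) -> Iterator[str]:
    """Yield the name and every parent zone: a.b.example -> a.b.example, b.example, example.

    Matching parents means a blocklist entry for prize-winner.example also covers
    login.prize-winner.example, so rotating hostnames under a listed domain stay blocked."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class DnsFilter:
    """Blocklist mode: block listed domains, resolve everything else.
    Allowlist mode (allowlist given): resolve listed domains, block everything else."""

    def __init__(self, blocklist: Iterable[str] = (), allowlist: Optional[Iterable[str]] = None,
                 sinkhole: Optional[str] = None):
        self.blocklist = {normalize(d) for d in blocklist}
        self.allowlist = None if allowlist is None else {normalize(d) for d in allowlist}
        self.sinkhole = sinkhole  # e.g. an internal block-page address; None means answer NXDOMAIN

    def _match(self, name: str, entries: set) -> Optional[str]:
        for candidate in parents(name):
            if candidate in entries:
                return candidate
        return None

    def decide(self, qname: str) -> Verdict:
        name = normalize(qname)
        blocked = self.sinkhole or "NXDOMAIN"
        hit = self._match(name, self.blocklist)
        if hit:
            return Verdict(name, False, f"blocklist:{hit}", blocked)
        if self.allowlist is not None:
            hit = self._match(name, self.allowlist)
            if not hit:
                return Verdict(name, False, "not on allowlist", blocked)
            return Verdict(name, True, f"allowlist:{hit}", "resolve")
        return Verdict(name, True, "default", "resolve")


# Constructed sample queries, in the order the scenario above describes.
SAMPLE_QUERIES = ["www.facebook.com", "Login.PRIZE-WINNER.example.", "www.att.com"]


def filter_log(f: DnsFilter, queries: Iterable[str] = SAMPLE_QUERIES) -> list:
    """One log line per query: the record a SOC would want the resolver to emit."""
    return [f"{v.name:30} {'ALLOW' if v.allowed else 'BLOCK'} {v.answer:10} ({v.reason})"
            for v in map(f.decide, queries)]


if __name__ == "__main__":
    print("\n".join(filter_log(DnsFilter(blocklist=["prize-winner.example"], sinkhole="10.0.0.53"))))
    print("\n".join(filter_log(DnsFilter(blocklist=["prize-winner.example"], allowlist=["att.com"]))))
```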

Bring phishing attacks and inappropriate browsing to a halt

A blocklist isn’t just for stopping phishing attacks. A blocklist can list harmful domains and IP addresses that are curated by the cybersecurity community or are maintained by your own cybersecurity team. Consider joining OTX, the Open Threat Exchange, where you can stay up to date on the latest developments in emergent cybersecurity threats.

Some DNS filtering services are fed automatically by scanners that check websites for malicious code; JavaScript is a frequent carrier on such sites. When malicious code is detected, the website's domain and IP address are automatically added to the blocklist.

As a plus, DNS filtering can also be used to block objectionable content. A common way this is done is by blocking adult content. Unsurprisingly, these websites frequently contain malware and cause other security concerns, so they are probably best blocked anyway. DNS filtering is often used in conjunction with a firewall to enhance security protections.

Block malware with secure DNS servers

Malware is software designed to steal information or take control of a user's device. Using secure DNS servers is one way to enhance security and prevent malware from taking hold. Secure DNS servers can also enhance the privacy of user data. Cloudflare, a popular web hosting backup service, offers a DNS resolving service called 1.1.1.1 that wipes all of its DNS query logs after 24 hours.

To increase security further, it's recommended that you enable several additional protections when using DNS resolution services. DNSSEC adds cryptographic signatures to DNS records so that a resolver can verify that the answers it receives are authentic and have not been altered by an attacker.

Additional protocols like DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt your DNS queries and replies. Encrypting DNS traffic is vital because it prevents anyone on the network path from reading your queries and tracking which websites your users visit. Used in conjunction with threat monitoring and detection, these protections put your security a step above most organizations.

Stop DNS spoofing

A final DNS threat to be aware of is DNS spoofing, sometimes called cache poisoning. When a computer answers from its cache (a saved index of earlier lookups), it has no way of knowing whether the cached IP address is still correct. An attacker who can inject false values into that cache can therefore redirect users to malicious websites.

DNS spoofing is carried out with tools like Ettercap, dns2proxy, SSLStrip+, and others. In other cases, attackers first compromise a user's computer; once on it, they can reach the local DNS cache and manipulate the stored addresses.

Preventing DNS spoofing is much easier if you use a secure DNS service of the kind described above. Protecting users from phishing attempts also helps.

Use multiple forms of protection

DNS filtering is just one step in building a cybersecurity defense net. Cybersecurity is all about identifying potential threat vectors and eliminating them. Remember, there are plenty of other dangers to educate yourself about and be aware of, from e-mail security to threats from hackers and malware. Grab AT&T's latest cybersecurity insights report to learn more about the latest issues in cybersecurity.

Additional thought: try using tools such as GetWeave to find out what people are saying online about the security of your business.


7 machine identity management best practices


Machine identities are a large, and fast-growing part of the enterprise attack surface. The number of machines—servers, devices, and services—is growing rapidly and efforts to secure them often fall short.

Cybercriminals and other threat actors have been quick to take advantage. Cyberattacks that involved the misuse of machine identities increased by 1,600% over the last five years, according to a report released last spring by cybersecurity vendor Venafi.

Research firm Gartner named machine identity as one of the top cybersecurity trends of the year, in a report released last fall. In 2020, 50% of cloud security failures resulted from inadequate management of identities, access, and privileges, according to another Gartner report. In 2023, that percentage will rise to 75%.


How To Make Your SOC Identity-Aware and Efficient


While an attacker only needs to be right once, security teams must be right every time. That’s why SOC teams must stop ransomware attackers from exploiting AD weaknesses.

Operating in shifts around the clock, Security Operations Center teams strive to prevent, detect and respond to cybersecurity threats and incidents. But in an evolving threat landscape where bad actors relentlessly attack critical assets such as Active Directory, security analysts find that traditional SIEM (Security Information and Event Management) solutions fall short. Consider major ransomware operators such as LockBit 2.0, Conti, and BlackMatter—they all used AD to introduce or propagate malware.

SOC teams rely on SIEM solutions to aggregate and correlate logs and other data from assets across an organization's IT infrastructure, including AD. While the SIEM is a powerful tool for monitoring the network infrastructure in general, it was never designed for the specifics of AD security.

Key challenges faced by SOC teams include:

False positives: Analysts in the SOC struggle to deal with the myriad alerts generated by SIEM solutions and to pinpoint the few truly critical events. As a result, SOC teams spend too much time assessing countless false alarms, which impairs their ability to address real threats effectively.

Difficulty preventing backdoor creation: Recent ransomware attacks reveal that hackers increasingly understand they can easily gain unrestricted access to a victim’s AD environment by exploiting misconfigurations and creating backdoors. Combating this threat requires capabilities that go beyond what a SIEM has to offer.

Adding the intelligence piece to SIEM

How can SOC teams gain more visibility into AD so they can better detect threats that fall through the cracks of a traditional SIEM? 

An AD-specific solution such as Tenable.ad does not just fill the gaps of a traditional SIEM but actually integrates with SIEMs to improve AD security and increase SOC efficiency, enhancing the organization’s cybersecurity posture. Tenable.ad adds the “AD intelligence” piece to your SIEM, eliminating false positives and zeroing-in on the critical vulnerabilities that must be addressed right away. With Tenable.ad, SOC teams boost their productivity and efficiency, and strengthen the security of their AD environments.

Read our white paper Must-Have #1: Make Your SOC Identity-Aware and you’ll learn:

Why SOC teams struggle to monitor Active Directory and to detect live attacks with generic SIEMs
How SOC teams can fill the gaps of their SIEM using an AD-specific solution
How Tenable.ad acts as a pre-SIEM solution to bolster security defenses and boost SOC efficiency

Download the white paper!


A Practical Approach for Shifting Left


A practical approach to understanding shift left security and how shifting security left can help teams achieve DevSecOps success. 

As a critical part of DevSecOps, shifting left has become a key aspect of the modern software development process. Traditionally, security was applied at the end of the software development lifecycle (the right side) and treated as an afterthought. As a result, the security checks and tests would often miss flaws in the code, such as vulnerabilities and misconfigurations, while also slowing down the software release process.

Now, to address these issues, CISOs and security leaders are implementing shift left security, enabling DevOps teams to scale faster while detecting and minimizing risks early on. With a shift left approach, security is applied proactively and early in the DevOps cycle, reducing the time and cost of software development and boosting applications' cyber hygiene, while facilitating CI/CD (continuous integration / continuous deployment).

It requires a holistic approach to security, one that embraces cultural change and fosters collaboration among development, operations and security teams. By shifting left, organizations put security at the forefront of their business strategy and can therefore improve their overall security posture.

Here, we’ll take a practical approach to understanding shift left security and why it’s a game-changer for DevOps.

What is shift left security? 

Over the last decade, the term “shifting left” has grown in popularity, becoming a buzzword in its own right among the DevOps community. But what exactly does it mean?  

Coined by Larry Smith in 2001, shifting left is an “approach used to speed software testing and facilitate development by moving the testing process to an earlier point in the development lifecycle. Shifting left is a reference to moving testing to the left on a timeline,” according to TechTarget. 

The concept of shifting left is all about prevention. It urges DevOps and security teams to be proactive rather than reactive. Shifting left is an agile practice that offers early visibility into development issues, bugs and errors so that they can be addressed and resolved earlier rather than later.

Traditionally, DevOps teams centered their efforts on agile development, pushing out products and releasing new features to get them to the market faster, but often without taking security into consideration, resulting in release delays, misconfigurations, undetected vulnerabilities and compliance violations. 

However, the concept of shifting left was introduced to combat the issue of “security as an afterthought,” by applying security earlier in the development pipeline rather than at the end. Therefore, with security applied earlier on, DevOps teams can remain agile while simultaneously boosting their organization’s security. 

Shifting left with DevSecOps

Shifting security left starts with DevSecOps. It requires organizations to embrace the DevSecOps culture, creating an environment where development, operations and security teams can thrive and work together to ensure that security remains the top priority. 

Traditionally, development and security teams operated independently of one another, working in silos to achieve business goals. Developers were responsible for writing code while security was responsible for identifying and eliminating vulnerabilities and risks. Consequently, this resulted in a disconnect between DevOps and security. DevOps viewed security as a hindrance to their ability to work at their desired speed, while security viewed DevOps as apathetic and unwilling to adhere to security guidelines and regulations. Therefore, a solution was needed that bridged the gap between DevOps and security, and the concept of DevSecOps was born. 

Now, CISOs and security leaders are implementing a DevSecOps approach in their organizations to ensure that all team members are sharing the responsibility for security. A collaborative culture is key for organizations transitioning into DevSecOps. Additionally, DevSecOps enables security to become an ongoing conversation, helping to establish a strong security culture within the organization. With security now seen as a “shared responsibility” rather than just the onus of the security team, organizations can implement shifting left as a part of their security strategy. By involving DevOps teams in security, teams can ensure that any security concerns are addressed while applications are being developed rather than after they are deployed. 

Best Practices for shifting left 

The hardest part of shifting left is related to culture and collaboration, but there are a few best practices that DevSecOps teams can implement to shift left successfully: 

1. Adopt a test-driven development approach 

Test-driven development is centered on shift left testing in the coding phase. It is focused on improving the quality of the code that developers are writing while creating unit tests. TDD addresses the intent, or the "why," behind the code being written. With TDD, code is tested frequently to ensure that what is written executes successfully. Developers write tests for the code they're developing while thinking through various scenarios and solutions, which helps prevent bugs and other security issues from being built into the code and discovered only in later stages of the development lifecycle.

Implementing TDD can help DevOps teams shift left better by enabling them to produce high-quality code at a faster rate and with fewer bugs and vulnerabilities. By adopting a TDD approach, teams receive feedback that lets them identify, eliminate and remediate issues early, boosting the overall quality of the code and helping them focus on continuous integration and delivery.

2. Embrace test automation

Test automation is key to supporting DevOps teams working in agile environments. It enables DevOps teams to create a robust testing environment where tests can be run quickly and effectively while providing feedback on security issues, bugs, vulnerabilities and the quality of the code. By embracing test automation, security can be strengthened as it removes the need for “human interaction,” and it ensures that policies are enforced and maintained. Automation enables continuous integration and delivery by implementing automated unit tests into the pipeline. 

As explained in Tenable's white paper "How to Use Auto-Remediation to Achieve DevSecOps," automation is key to "reducing the manual workload of any process and is one of the reasons CSPM tools have found success." For example, CSPM tools enable enterprises to proactively identify and eliminate issues such as misconfigurations and other vulnerabilities by continuously monitoring security risks across the entire lifecycle. They provide unified visibility into cloud workloads to prevent cybercriminals from carrying out attacks. CSPM continuously scans and assesses cloud environments, surfacing potential threats, ensuring adherence to compliance policies and reducing drift. If drift does occur, actions can be taken automatically to remediate it. With that in mind, it's important for DevOps teams to have the right test automation tools in place, such as CSPM and other security tools, to help teams remain agile and reduce time to market.

3. Find the right security tools 

Security practices, concepts and tools such as automation, security as code and infrastructure as code can be applied when shifting left. These reduce human error and mitigate risk, as security tests and audits are run to make sure that code is secure and that applications perform as they should. Through automation and by defining security in code and infrastructure, teams can identify potential flaws and issues that might otherwise interrupt their release schedule for different products and features. Not only will this save organizations time and money, but it will also boost the organization's security efforts, leading it to develop a strong security culture.

While shifting left, be sure to provide DevOps teams with the right DevSecOps tools so that they can look for opportunities for improvement. Tools such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) are "developer-friendly" and can help developers write more secure code. With security built directly into the CI/CD pipeline, the quality of applications significantly increases, which can accelerate DevOps.

Shifting left with DevSecOps is the right approach and provides numerous benefits for the organization. 

Benefits of shifting left 

There’s a wealth of benefits that shifting left offers: 

1. Increased agility 

Perhaps the most significant benefit of shifting left is its ability to increase business agility and efficiency among the development, operations and security teams. By shifting left, vulnerabilities and other security flaws can be detected and remediated early on, reducing issues during the final stages of development and enabling teams to go to market faster. 

2. Reduced costs 

Shifting security left can significantly reduce costs by reducing the number of security issues that are detected after the software has been deployed in production, a stage at which remediation is much costlier and more disruptive. The time and money it takes to remediate those issues in production impair DevOps teams' ability to be agile and fast.

3. Minimize risks 

A shift left approach increases the quality and security hygiene of code, yielding applications that have fewer vulnerabilities, malware, misconfigurations and other flaws. As a result, applications in production are at a lower risk for breaches. 

4. Build a security culture 

Shifting left can help organizations establish a strong security culture. Shifting left provides a wealth of opportunities for DevSecOps teams to put security at the forefront and take a holistic approach to security. This promotes strong collaboration among DevOps and security teams and provides plenty of opportunities for areas of improvement. A strong security culture is key to organizational success and shifting left forces teams to take a more proactive approach to security. 

Learn More 

Read this blog: 3 Ways Security Leaders Can Work With DevOps to Build a Culture of Security 
Download the whitepaper: Using Auto-Remediation To Achieve DevSecOps 
To learn more about our capabilities, visit the Tenable.cs Product Page  


Forging Australian Driver’s Licenses


The New South Wales digital driver’s license has multiple implementation flaws that allow for easy forgeries.

This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.

A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data.

The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations….

[…]

The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority, which is the Service NSW API/database.

This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warn users when this data has been modified.

As the Digital Licence is stored on the client’s device, validation should take place to ensure the local copy of the data actually matches the Digital Driver’s Licence data that was originally downloaded from the Service NSW API.

As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.

There’s a lot more in the blog post.
