For most internet users, there's not much of a perceivable difference between the domain name they want to visit and the server that the domain queries.
That's because the Domain Name System (DNS) protocol does a good job of seamlessly routing users to different IP addresses that are all associated with a single domain name. The bad news is that this level of seamlessness makes it easier for threat actors and criminals to steal sensitive information and compromise computer hardware and networks with malware.
The latest news on DNS vulnerabilities shines the spotlight on nine newly discovered vulnerabilities that put more than 100 million IoT devices in jeopardy. These DNS vulnerabilities, dubbed "NAME:WRECK DNS," threaten IoT users with Denial of Service (DoS) and Remote Code Execution attacks that let cybercriminals assume control over targeted IoT systems. Once attackers take these devices offline, there's nothing left to stop them from targeting and assaulting other IoT attack surfaces.
It's important that organizations in sectors from government to healthcare better understand how to protect themselves and their networks from NAME:WRECK DNS bugs. Let’s take a quick dive into how these DNS vulnerabilities are impacting organizational security before exploring the best ways that organizations can guard against them.
Patching TCP/IP stacks is the priority
Among the different TCP/IP stacks that IoT firmware and IT software use, FreeBSD, IPnet, Nucleus NET and NetX are the most popular. And since all network traffic is processed by a TCP/IP stack, bugs in a TCP/IP library can lead to major DNS vulnerabilities. These four TCP/IP stacks run on high-performance servers that handle networks for organizations operating in multiple sectors, which are now at serious risk of suffering widespread disruption.
Organizations using these vulnerable IoT TCP/IP stacks need to prioritize patching them to protect their connected IoT devices. Users who need to know whether they have devices running on these vulnerable stacks should stay up to date on an open-source script that can discover and take inventory of at-risk devices. Once organizations can confirm which of their IoT devices are running on vulnerable stacks, they should use stack patches that their device suppliers release and determine how best to proceed with their affected devices.
This situation can create an incentive for organizations to take their data security to the cloud. In the wake of NAME:WRECK DNS attacks, users should safeguard their records against disaster with backups in the cloud that they can keep secure against DNS vulnerabilities.
Stop entrusting IoT devices with personal data
As more people use the internet, more information gets exposed to the cloud. This makes it vulnerable to threats and hacks. And while a Virtual Private Network (VPN) can encrypt the data that an IoT device sends across the internet, organizations also need to adopt holistic approaches to maintaining their cybersecurity posture.
A large concern surrounding IoT is that device manufacturers often fail to protect their users for the sake of making an installation process easier. IoT discovery services such as the Shodan search engine have shown just how risky smart devices can be when users entrust IoT devices with too much personal data.
In today’s digital age, consumers and end-users want instant access to information without compromising their personal data. The unfortunate reality is that organizations that need to secure operational environments risk the integrity of their customers' data and as well as their employees’ personal data every day.
As cybersecurity analyst Barbara Ericson of Cloud Defense notes, “No one is safe from the threat of breaches and leaks so long as businesses have valuable proprietary data waiting to be exposed. In most cases, people are the weakest link when it comes to cybersecurity and we are all interacting with network endpoints on a daily basis, which is why vulnerability management is very important.”
In 2021, privacy intrusions from devices that are installed in both small business as well as large enterprise environments are very real possibilities once a user has made too much of their personal data public.
That's why organizations must integrate better security hygiene training and more IoT/OT tools into an enterprise-wide security strategy that meets acceptable security standards, which is a must-have to guard against DNS vulnerabilities such as NAME:WRECK DNS bugs.
Segmentation and network hygiene are must-haves
Discovering and taking inventory of IoT devices that are running on compromised TCP/IP stacks is the first step organizations can take to respond to NAME:WRECK DNS bugs. But what, exactly, should be done with vulnerable devices once they're accounted for? A greater emphasis on segmentation controls and network hygiene is a good place to start.
While they monitor for patches being dropped by their affected device suppliers, organizations can immediately enhance their network's security posture by following a few steps. Since IoT devices are constantly communicating with the internet, organizations should first restrict the external communication paths that these devices use.
In the meantime, it's also recommended that they enable a VPN to mask the IP addresses of their devices under their respective DNS server to keep them anonymous from DoS and Remote Code Execution attacks. The response that organizations have to the NAME:WRECK DNS bugs needs to be a quick one, which means it also needs to be cost-efficient.
Summary
The NAME:WRECK DNS vulnerabilities have the potential to wreak havoc and compromise the security of victim networks in multiple business sectors. These DNS vulnerabilities threaten at-risk TCP/IP stacks that millions of IoT devices rely on to communicate back and forth with internet servers. Vulnerable organizations must respond with speed and precision to protect their devices from DoS and Remote Code Execution attacks that can cause irreversible damage to their cybersecurity posture.
Organizations with at-risk IoT devices need to prioritize patching the TCP/IP stacks that their devices use to stay connected to the internet. Once organizations have patched their stacks with their device supplier's appropriate update, their next step should include complete device segmentation and an enhancement of network hygiene by way of cost-effective VPNs. Finally, it's important that organizations defending against DNS vulnerabilities harden their security strategy with more IoT/OT tools, remind employees to never entrust personal data to their IoT devices and ensure their security strategy meets acceptable security standards.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
