I get tossed the question fairly frequently: How much cybercrime simply goes undetected? That's sort of like asking how many universes exist beyond the outer boundaries of our own. Nevertheless, cosmologists entertain the question in part by asking what our universe would look like if there were other universes out beyond our "event horizon." Similarly, you also might ask whether our infrastructure looks more like one with a great deal of undetected cybercrime or very little undetected crime. You'd probably conclude it looks a lot like what you'd expect of a universe where crime goes mostly undetected and isn't something people think much about.
We, as a group of security practitioners, need to think beyond the latest "compliance checklist" to overall improvements in the security of the network infrastructure.
Consider domain name system servers. It turns out that there are several ways to corrupt these critical address translators. One approach is to obtain root access to the server system and directly change the address translation database that's the heart of each DNS server. But it's also possible to corrupt servers in unexpected ways, such as causing upstream updates from corrupt Windows DNS servers to the past couple of versions of the Unix BIND server.
The markedly quirky DNS protocol is also a fundamentally insecure system, as updates among servers generally aren't authenticated. When DNS servers were attacked in March and April, the changes in DNS databases were large and noticeable. In some cases, the entire .com domain was rerouted to a server that tossed out banner ads, so it didn't take a genius to see that something was amiss. But given that DNS caches refresh themselves periodically, single-destination hijackings could take place under the radar. Traffic to a bank could be rerouted for a while, until the cache naturally refreshed itself, erasing all evidence of the hijacking. If the rerouted destination was a copy of the real bank's site that acted as a proxy and listened in on transactions, something akin to the perfect crime might be committed.
One suspects these perfect crimes aren't rampant right now, or else we'd hear a lot more noise from the financial sector. But it's clear that DNS, at least, exhibits characteristics you'd expect in a universe where crimes can be silently committed. It's not too hard to imagine what DNS would look like if it existed in another kind of universe, one that didn't enable opportunities for such crimes to go by unnoticed. Indeed, it might look something like the DNSsec protocol. But DNSsec has been kicked around for a full 10 years now, and it doesn't look like it's going to come into real-world use anytime soon.
In the short haul, there are some things that the security community can do to make DNS less vulnerable. For starters, administrators can bring their DNS servers up to the latest versions. There are going to be some trade-offs, insofar as BIND 9 offers less throughput than the widely deployed BIND 8, but this can be offset with more hardware. Multiple-server DNS server configurations should be architected with a "split-split" design, so there's a different server for advertising DNS records than the server used to resolve names, plus a further split between external and internal client service.
DNS isn't the only part of the infrastructure that presents opportunities for unseen crime. The Border Gateway Protocol, which handles interdomain routing on the Internet, has been in widespread use for years, and people are only now analyzing it so that security holes can be plugged.
There's more to be addressed. How about operating systems and applications that make encryption an easy default option? How about corporate insistence that these be the predominant enterprise choices, rather than operating systems that leave proprietary data lingering in disk slack space and applications that make it appear that data has been redacted, when in fact it's easily recoverable?
It's time to learn a lesson from the world of cosmology, where at least a few physics professors think the nature of our universe suggests there probably are lots of other universes out there.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.