The Password that Could be Your Organization's Achilles Heel
If we told you that a single password is all that stands between hackers and the entire Internet security of your organization, you might think that we are exaggerating and even full of it. Or, perhaps you would think that we are referring to your coveted Windows domain administrator credentials, which you diligently keep protected and monitored (hopefully). You will say that it really is only available on your internal network that is also well-protected, and so on and so forth. However, that is not what we are talking about.
This particular set of credentials, which will potentially allow one to take control of your entire organization, is frequently not monitored. It is used infrequently and is probably not changed when your IT administrators change jobs. Any guesses? It’s something most organizations have – a web portal login to administer your domain registration and/or DNS records.
Now that you know what we’re referring to, do you know what the credentials are and who has access to them?
A little IT 101 for those who don’t do it for a living. The entire Internet operates on what is called IP networking, where any and all hosts are identified by a unique address – a set of four numbers. For example, one of Google’s servers has an IP address of 188.8.131.52. (An IT guru will object here saying that the newer IPv6 standard is different, but we will not go there – most of the Internet still runs on IPv4, and the problem is the same.)
Since most human beings are more likely to remember words than a set of numbers, enter the frequently troubled system called DNS (Domain Name Service). It is a protocol that allows us to refer to Internet things by name instead of numbers, e.g. www.google.com. Google is now free to assign whatever address (or addresses) it wants to that name, so when you go to that site, your request ends up reaching the right host. So, where’s the problem, you may ask.
Nowadays, the DNS and the related Domain Registrar records are managed in the cloud by a service provider, for example GoDaddy or Network Solutions. In a standard scenario, let’s say you purchase a domain, OurOwnCompany.com, from one of these providers. The provider makes it really easy for your IT team to manage the records. It gives them a username and a password to their online portal, where they can make whatever changes they want.
Therein lies the problem. Imagine what the bad guys could do if somehow they got these credentials. They would control pretty much your entire Internet presence, and if they do it right, you won’t even know. For example, assume Our Own Company has a web site, store.ourowncompany.com, where you let people buy stuff using their credit cards. The bad guys quietly change that name to point to their own IP address. They may even set up their server to then redirect traffic back to your legitimate address. Voila, they are collecting all the data that your clients enter into your web site. The initiated may argue that SSL certificates can still protect you if you use them, but really, how many clients will just dismiss that pesky warning?
That is just one example. All your incoming mail is in danger, too. Basically anything that comes in from the outside is now in the hands of the bad guys. And you are probably none the wiser, as this can be done relatively transparently. They could even let some portion of the traffic go to your address directly, just to keep things less suspicious.
Before we get into what to do to tighten things up, let’s consider what weaknesses exist in the current DNS and domain hosting system. This is a general list, not representative of a specific provider. Frequently,
- A single username/password is all that is required to change records.
- Changes can be made from anywhere in the world.
- There is no change control or verification/validation process.
- There is no alerting or monitoring of the changes.
In reality, having such a ‘flexible’ change process also allows providers to make their services more cost-effective and profitable. After all, more security means more effort and, inherently, more cost. Providers are not just doing you a favor by making things easy, they are saving money.
Assuming you now believe that securing these credentials is a legitimate concern, here are the things you should consider when selecting a provider or deciding how to manage your Internet records:
- Look for a provider that can:
  - Require multifactor authentication to protect the portal.
  - Restrict portal access to specific Internet addresses only.
  - Use a verification process where the provider will verify the requested changes with your company out of band (phone, text, etc.).
  - Set up alerting on changes to your domain records to go to specific phones, emails, etc. Obviously, ensure that changes to the notification addresses themselves are alerted on as well.
  - Log and monitor administrative access to the portal.
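Not every provider offers change alerting, so the alert in the list above can also be produced on your own side by comparing the records the public Internet currently sees for your domain against a known-good baseline. The following is an added example, not code from the article or from any provider: a baseline drift check for the article's hypothetical domain, OurOwnCompany.com. All record values (nameservers, the RFC 5737 documentation addresses 203.0.113.x and 198.51.100.x, and the tampered snapshot) are constructed sample data; in production you would populate the observed snapshot from a resolver (for instance dnspython's `dns.resolver.resolve(name, rtype)`) and keep the baseline under change control.

```python
"""DNS baseline drift check (added example, not the article's code).

Compares a stored known-good snapshot of a domain's public records (NS, MX,
A) against the records currently observed and reports every difference, so
the result can be routed to the phone/email channels the article recommends.
All values below are constructed sample data for the article's hypothetical
domain ourowncompany.com.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# A record set is keyed by (owner name, record type) and holds the set of
# values published for that name/type pair.
RecordSet = Dict[Tuple[str, str], Set[str]]

# Known-good baseline (constructed). In practice this file lives in version
# control and changes only through your own change-control process.
BASELINE: RecordSet = {
    ("ourowncompany.com", "NS"): {"ns1.provider-example.net.", "ns2.provider-example.net."},
    ("ourowncompany.com", "MX"): {"10 mail.ourowncompany.com."},
    ("www.ourowncompany.com", "A"): {"203.0.113.10"},
    ("store.ourowncompany.com", "A"): {"203.0.113.20"},
}

# Constructed "current" snapshot showing the quiet change the article
# describes: the store host now resolves elsewhere, and an extra nameserver
# has been added at the registrar level.
OBSERVED_TAMPERED: RecordSet = {
    ("ourowncompany.com", "NS"): {"ns1.provider-example.net.", "ns2.provider-example.net.", "ns.attacker-example.org."},
    ("ourowncompany.com", "MX"): {"10 mail.ourowncompany.com."},
    ("www.ourowncompany.com", "A"): {"203.0.113.10"},
    ("store.ourowncompany.com", "A"): {"198.51.100.77"},
}


@dataclass(frozen=True)
class Drift:
    """One (name, type) pair whose published values differ from the baseline."""
    name: str
    rtype: str
    added: FrozenSet[str]     # values present now but not in the baseline
    removed: FrozenSet[str]   # values in the baseline that are no longer published


def detect_drift(baseline: RecordSet, observed: RecordSet) -> List[Drift]:
    """Return one Drift per (name, type) whose value set differs from baseline.

    A record that disappears entirely is reported with all of its baseline
    values in `removed`; a brand-new record appears with everything in `added`.
    Results are sorted by (name, type) so repeated runs produce stable output.
    """
    drifts: List[Drift] = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        actual = observed.get(key, set())
        if expected != actual:
            name, rtype = key
            drifts.append(Drift(name, rtype, frozenset(actual - expected), frozenset(expected - actual)))
    return drifts


def format_alert(drifts: List[Drift]) -> List[str]:
    """Render each drift as a single human-readable alert line."""
    lines = []
    for d in drifts:
        added = ", ".join(sorted(d.added)) or "-"
        removed = ", ".join(sorted(d.removed)) or "-"
        lines.append(f"DNS DRIFT {d.name} {d.rtype}: added [{added}] removed [{removed}]")
    return lines


if __name__ == "__main__":
    # Stand-alone run against the constructed tampered snapshot.
    for line in format_alert(detect_drift(BASELINE, OBSERVED_TAMPERED)):
        print(line)
    # In production: build `observed` by resolving every (name, type) in
    # BASELINE, ideally from more than one vantage point (e.g. a public
    # resolver and your own), since a hijack of the registrar account changes
    # what the whole Internet sees, not just your internal view.
```

Because the NS set is compared as well as the A and MX records, the check catches a change made at the registrar (a swapped or added nameserver) and not only a change to an individual host record. Running it from outside your own network matters: the article's point is that the records were changed at the provider, so the attacker's view is the public one.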
By taking these measures, you will reduce the risk of the bad guys taking control of your DNS and accessing your organization’s sensitive information.
The Winxnet Security Team provides information security services to customers throughout the Eastern United States. Led by Eugene Slobodzian, PhD, CISSP, the team has over 15 years of experience helping organizations keep their information safe from the bad guys. Winxnet security offerings include Managed Security Services, Penetration Testing, Vulnerability Management, Social Engineering Tests, IT Risk Assessments, and Virtual Security Officer consulting.