fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

NSA Advises Companies To Avoid Third Party DNS Resolvers

NSA Advises Companies To Avoid Third Party DNS Resolvers

The US National Security Agency (NSA) says that companies should avoid using third party DNS resolvers to block threat actors’ DNS traffic eavesdropping and manipulation attempts and to block access to internal network information.

NSA’s recommendation was made in a new advisory on the benefits (and risks) of using DNS over HTTPS (DoH) in enterprise environments, an encrypted domain name system (DNS) protocol that blocks unauthorized access to the DNS traffic between clients and DNS resolvers.

“NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver,” the US intelligence agency said.

“This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information.”

Also Read: Limiting Location Data Exposure: 8 Best Practices

Block third-party DNS services

Companies are suggested to use their own enterprise-operated DNS servers or externally hosted services with built-in support for encrypted DNS requests such as DoH.

“However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure,” the NSA added [PDF].

The NSA urges enterprise network administrators to disable and block all other DNS services besides their organizations’ dedicated ones.

Network admins who disable DoH on their networks are also recommended to block “known DoH resolver IP addresses and domains” to block client attempts from using their own DoH resolvers instead of the DHCP-assigned DNS resolver.

The agency’s advisory also provides additional details on the purpose of DoH and the importance of correctly configuring it to augment enterprise DNS security controls.

“We are releasing this guidance to our NSS, DIB, and DoD partners to help them manage encrypted DNS as it is automatically enabled by more applications, as part of our continuous efforts to provide timely, actionable, and relevant cybersecurity guidance,” Neal Ziring, Technical Director at NSA, told BleepingComputer.

“Encrypted DNS features are becoming more widely supported in commercial products, and our customers need to understand the technology and potential trade-offs.”

US government agencies also told to avoid third-party resolvers

Last year, US government agencies’ CIOs were recommended to disable third-party encrypted DNS services until an official DNS resolution service with DoH and DNS over TLS (DoT) support would be available.

CISA also reminded that agencies are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on all devices connected to federal agency networks as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers.

Until a DNS resolution service with DoH and DoT support was made available, federal agencies were also recommended to “set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use.”

DoH allows DNS resolution requests over encrypted HTTPS connections, while DoT will encrypt and wrap all DNS queries using the Transport Layer Security (TLS) protocol instead of using insecure plain text DNS lookups.

“The ‘Adopting Encrypted DNS in Enterprise Environments’ Cybersecurity Information Sheet provides National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators guidance on proper network configuration for handling encrypted domain name system traffic,” Ziring added.

Also Read: 10 Practical Benefits of Managed IT Services

“NSA recommends customer enterprise network owners and administrators follow the guidance as detailed in the information sheet.”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us