Amid telework boom, CISA reminds agencies of DNS resolution requirements

The Cybersecurity and Infrastructure Security Agency is reminding agencies to use Domain Name System resolution services offered through the National Cybersecurity Protection System to ensure visitors to federal websites aren't being redirected to malicious websites.

In a memo dated Apr. 21 but publicly released this week, Director Chris Krebs reiterated that civilian agencies are legally required to use sinkholing capabilities through EINSTEIN 3 Accelerated as their primary upstream DNS resolving service.

In a related blog post, Bryan Ware, Assistant Director of Cybersecurity and Communications, noted that EINSTEIN 3 Accelerated is already in place in most agencies, but "particularly in light of increased telework, we felt it worth reiterating."

The global DNS system translates website URLs into their corresponding IP addresses. However, an attacker can interfere with that translation to reroute Internet traffic away from its intended destination, instead sending users to fake or spoofed websites where they can be eavesdropped on, tricked into downloading malware or revealing personal information.

According to a Privacy Impact Assessment drafted in 2016, EINSTEIN 3 Accelerated's sinkholing capability "allows DHS to prevent malware installed on .gov networks from communicating with known or suspected malicious Internet domains by redirecting the network connection away from the malicious domain to 'safe servers...thus preventing further malicious activity by the installed malware."

Krebs also highlighted recent security updates to several popular browsers, such as Chrome and Firefox, that affect how they resolve DNS queries while more broadly incorporating two widely adopted DNS security protocols: DNS over Hypertext Transfer Protocol Secure (HTTPS) and DNS over Transport Layer Security (TLS). CISA is working to make its DNS resolution services compatible with both, but until then agencies are required to use EINSTEIN 3 Accelerated as their primary tool. Agencies are permitted to use other services as backup options.

"We also recognize that increased use of encrypted DNS resolution will require many enterprises — including ours! — to update how they protect their users from malicious DNS traffic," Ware stated. "We accept and support that, and we're working to offer better services to the executive branch that are easier to use."

The memo notes that CISA will begin issuing reports to agencies highlighting DNS traffic anomalies and will reevaluate the status quo in six months, at which time the agency may issue a follow-up emergency or Binding Operational Directive.

CISA's concerns about domain name manipulation are more than theoretical: it put out an emergency directive last year ordering agencies to shore up their DNS protections and reporting as evidence emerged that multiple state-sponsored hacking groups were conducting campaigns to tamper with the global DNS system.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.