DNS: The Most Overlooked Aspect of Healthcare SecurityMark Beckett of Secure64 on the Top Risks to Domain Name Security
This is the premise of Mark Beckett, VP of Marketing and Product Management with Secure64.
"Essentially, the attackers can hijack anybody's website or snoop into anyone's e-mail communication," Beckett says, discussing vulnerabilities to DNS protocol. "The real solution to eliminating these kinds of problems is for organizations to deploy DNS security extensions."
In an exclusive interview on DNS security vulnerabilities and solutions, Beckett discusses:
- The main DNS risks to healthcare organizations;
- How security leaders are finding and plugging these holes;
- Tips and tools for healthcare security leaders who want to tackle the DNS challenge today.
Beckett develops and executes product strategy and customer-facing marketing programs at Secure64. He has more than 23 years of experience in product marketing, business development and software engineering. Beckett previously was Executive Vice President of Marketing for ChipData, a provider of electronic design automation software. At ChipData, he was instrumental in transforming the company from a service to a product company by launching a portfolio of award winning products that attracted over 20 Fortune 500 accounts within 12 months. He has served in technical, marketing and business development roles for a variety of software and online publishing companies. Beckett holds B.S. and M.S. degrees in Mechanical Engineering from Stanford University.
TOM FIELD: To start out, how about you tell us a little bit about yourself and your role, please?
MARK BECKETT: Well, as the title suggests, I'm responsible for product strategy for Secure 64 and marketing programs as well. I've been in the software business for most of my career in a variety of engineering and marketing and business development positions.
Most Overlooked VulnerabilityFIELD: Well, Mark, we teased people up front about the most overlooked aspect, and that is domain name system security. Tell us why that's been so overlooked in healthcare security?
BECKETT: Well, everybody who has a website or communicates by email is using the DNS for those everyday communications. The DNS is essentially the phone book for the internet, and it translates domain names like www.hp.com into IP addresses that the computer systems use to communicate with one another. It's been around since the early '80s, and for most of that time, we just didn't worry about the DNS. It was there, it did its job, and everything ran smoothly. But in about 2008, there was a vulnerability found in the DNS protocols themselves by a security researcher named Dan Kaminski. And this was a big deal, because essentially what Dan discovered was a way for any bad guy, an attacker anywhere in the world, to very simply and easily take over a domain that you may own, like www.hp.com, and redirect it to a server that the attacker controls. So essentially, the attacker can hijack anybody's website or snoop on anybody's email communication. You can imagine the uproar in the international community when this was discovered, and there was a massive patching effort to try to put a band-aid on the DNS to make it harder, but still not impossible, for those attackers to succeed with such an attack. But the problem is that it is just a band-aid and it is just a short-term fix, and the real solution to eliminating these kinds of problems is for organizations to deploy DNSSEC, and DNSSEC stands for DNS Security Extensions. So we're finally adding the necessary security into those DNS protocols by deploying DNSSEC.
Key RisksFIELD: Well Mark, bring us inside a healthcare organization and give us a sense of what some of the key DNS risks would be.
BECKETT: Well, again, if someone can hijack a domain, or an organization's domain, or intercept their email communication because they can essentially control the DNS by taking advantage of this vulnerability, think of the consequences as we're moving towards electronic health records. We're starting to put medical information online, and yet that information, which has a lot of, you know, very private, confidential information in it, is only as secure as the underlying DNS is. So if an attacker can hijack a website, they can have you log into your health care provider, thinking you're going there, you're providing your login credentials, transmitting either financial or personal information across that connection, and an attacker could essentially be on the other end listening in. And the same thing for email communications. If we're going to communicate health care information via email between patient and provider, we want those email communications to be secure. So this is an important part of security considerations for any healthcare organization that is looking to provide information online or conduct financial transactions online.
Mitigating RisksFIELD: You hinted at this a couple of minutes ago. How can some of these risks be mitigated?
BECKETT: Well, DNSSEC is the permanent solution to this problem that I mentioned before, so we discovered a simple way that attackers could hijack the websites or intercept communications, email communications, and DNSSEC is essentially making it impossible for an attacker to do these things. It's doing that by addingï¿½using cryptography and adding digital signatures to the DNS data. And essentially what this is doing is it's allowing an end user to know for sure that when they type in www.mydoctor.com or myhospital.com, that they are in fact getting to the web server that belongs to, that is the correct one, and that they're not being redirected to some false site pretending to be your doctor or your hospital. So that's what DNSSEC is about, and it's really trying to plug this hole once and for all that threatens to compromise the trust that we place in our online communications.
FIELD: Well, maybe you can tell us about some organizations that have succeeded in plugging these holes.
BECKETT: Well, DNSSEC has been in the works for awhile, and deployment, really, as you might imagine, really started gaining steam after this discovery in 2008 of these security vulnerabilities in the DNS. And deployment, in the United States anyway, really started with the U.S. federal government. It was a mandate that all federal agencies needed to deploy DNSSEC by the end of 2009, and so they were really the early adopters in adopting this kind of security around the DNS. But we're really now starting to see organizations outside of the federal government deploy DNSSEC as well. People like financial services, e-retail, and health care as well. People who have a lot to protect, either financial information or personally identifiable information and who want to protect their customers and their own brand reputation.
FIELD: Mark, maybe you can tell us about the products and services that you offer in this space.
BECKETT: Well, Secure 64 is a provider of DNS products. We have a product line of about four products. One of those is a product we call Secure 64 DNS Signer, and it was designed to make it easy for any organization to deploy DNSSEC. Although it's possible to deploy DNSSEC using free open-source tools, it can sometimes be a fairly daunting task. It's a fairly complex thing to learn, and deployment can be both time consuming and resource intensive. And so our products really try to take the time and the pain out of that process and make it simple for people to deploy DNSSEC so they can spend their time doing their real job.
Tips for SuccessFIELD: A final question for you, Mark. You talked about healthcare organizations getting into this space and these solutions now. If you could boil it down, what tips would you offer to a healthcare security leader who really wants to tackle this DNS challenge today?
BECKETT: Well, my suspicion is that many people are probably not that familiar with DNSSEC, and so I would certainly suggest they start by learning a little bit about it. What is it, what kind of attack does it prevent, and why is it an integral part of a security architecture for anybody who is processing confidential information or sensitive information? So a couple examples, we have certainly some materials and white papers and so forth on our website, www.secure64.com. You can also search on Secure 64 on YouTube. We have a couple of short videos that talk about what it is and how it works and how it protects the DNS, so those would be a couple of areas I would suggest. And there's also recently been a Forrester survey done called "DNSSEC: Ready for Primetime." This could be found on the internet, and it talks about how organizations across the world are really adopting DNSSEC and where that adoption is happening most quickly.