
Going for Broke: Financial Services Industry Falling Behind on DNSSEC Adoption

Mark Beckett

Many CircleID readers have been watching the acceleration of DNSSEC adoption by top level domains with great interest, and after many years the promise of a secure and trustworthy naming infrastructure across the generic and country-code domains finally seems within reach.

While TLD DNSSEC deployments are major milestones for internet security, securing the top level domains is not the end goal — just a necessary step in the process. To truly protect against the most likely threats, DNSSEC must be adopted not only by TLDs, but also by the domain name registrants themselves.

Registrants like banks, government agencies, retailers, and other organizations that represent attractive targets for criminals or hostile nation-states stand to benefit the most by deploying DNSSEC across the domains that they own. Adoption of DNSSEC by these types of organizations is an important measure of the success of DNSSEC in achieving its primary goal: to ensure that the integrity of the internet's naming system cannot be compromised.

For the past several years, Secure64's technical team has conducted a series of studies to measure DNSSEC adoption by key groups of organizations. In the wake of a US federal government mandate that all federal agencies must adopt DNSSEC by the end of 2009, we decided to measure the progress that was being made, and publicly reported adoption rates of 20%, 49% and 57% in 2010, 2011 and 2012, respectively. However, adoption outside of the large top level domains and the US government has been slow.

In mid-2010, we were encouraged by a Forrester Research study of almost 300 IT decision makers around the world indicating that 43% of the respondents had heard of DNSSEC, and of these, 95% had already implemented or had plans to implement it within 18 months. This survey focused on those industries most likely to benefit from the security that DNSSEC provides, including financial services, public sector, ISPs, media/entertainment/leisure, online commerce and other organizations with a significant online presence. Now, over two years later, we decided to follow up on this survey, focusing on the financial services sector, to see if these plans have come to fruition.

We used the Forbes Global 2000 list of public companies as our starting point, honing that list down to 293 organizations in the financial services sector. We then queried the domain names of each of these organizations, looking for two pieces of evidence of DNSSEC deployment — signatures published at the organization's domain and a chain of trust to its parent domain.

The results were both surprising and disappointing. Of these 293 organizations, only one was publishing signatures on its domain, but that one organization had not established a chain of trust to its parent, so there is little likelihood that it is benefiting from the protection that DNSSEC can provide.
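The two pieces of evidence described above can be checked mechanically. The following is an added example, not code from the article or from Secure64: it assumes the DNSKEY, RRSIG and parent-side DS records have already been fetched, and it uses a constructed key and the placeholder name `bank.example`. It computes the RFC 4034 key tag and a SHA-256 DS digest to decide whether a parent DS actually matches one of the zone's keys.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # Flags (2 bytes) | Protocol (always 3) | Algorithm (1 byte) | Public key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def classify(owner, dnskeys, has_rrsig, parent_ds):
    """dnskeys: list of DNSKEY RDATA bytes; parent_ds: list of (key tag, hex digest)."""
    if not dnskeys or not has_rrsig:
        return "unsigned"
    if not parent_ds:
        return "signed, no chain of trust"
    ours = {(key_tag(k), ds_digest(owner, k)) for k in dnskeys}
    if any((tag, digest.lower()) in ours for tag, digest in parent_ds):
        return "signed, chain of trust established"
    return "signed, DS at parent matches no DNSKEY"

# Constructed sample data: made-up key bytes, not a real organization's records.
KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))
GOOD_DS = [(key_tag(KSK), ds_digest("bank.example", KSK))]
STALE_DS = [(key_tag(KSK), "00" * 32)]

def survey():
    return {
        "unsigned": classify("bank.example", [], False, []),
        "island": classify("bank.example", [KSK], True, []),
        "chained": classify("bank.example", [KSK], True, GOOD_DS),
        "stale": classify("bank.example", [KSK], True, STALE_DS),
    }

if __name__ == "__main__":
    for case, verdict in survey().items():
        print(f"{case:9} {verdict}")
```

The "island" case corresponds to the one organization in the survey that published signatures without a chain of trust; the "stale" case shows why the presence of a DS record alone is not enough evidence.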

Given these surprising results compared to the attitudes reflected in the previous Forrester survey, we looked for bias in our own data and noted that our list only included public companies. We also noted that the domain names of many of the multinational companies on the list were not the same as the names of the individual companies that they own. Is it possible that DNSSEC might be more broadly deployed in private companies or in the individual company domain names? Unfortunately, spot checking a number of these child companies yielded no evidence of DNSSEC adoption either, so we were forced to conclude that the deployment of this important security technology is happening very slowly even within an industry that should be the most concerned about it.

Perhaps it will take a real financial loss to provide the necessary motivation. According to the Forrester report, 100% of the companies that lost greater than $5 million experienced a man-in-the-middle breach. Or perhaps, as we have seen in the U.S., legislation or industry regulations will be required to spur these organizations to action. So far, at least, protecting their customers and brand reputation has not been sufficient.

By Mark Beckett, VP, Marketing & Product Management at Secure 64
