Going for Broke: Financial Services Industry Falling Behind on DNSSEC Adoption

Mark Beckett

Many CircleID readers have been watching the acceleration of DNSSEC adoption by top level domains with great interest, and after many years the promise of a secure and trustworthy naming infrastructure across the generic and country-code domains finally seems within reach.

While TLD DNSSEC deployments are major milestones for internet security, securing the top level domains is not the end goal — just a necessary step in the process. To truly protect against the most likely threats, DNSSEC must be adopted not only by TLDs, but also by the domain name registrants themselves.

Registrants like banks, government agencies, retailers, and other organizations that represent attractive targets for criminals or hostile nation-states stand to benefit the most by deploying DNSSEC across the domains that they own. Adoption of DNSSEC by these types of organizations is an important measure of the success of DNSSEC in achieving its primary goal: to ensure that the integrity of the internet's naming system cannot be compromised.

For the past several years, Secure64's technical team has conducted a series of studies to measure DNSSEC adoption by key groups of organizations. In the wake of a US federal government mandate that all federal agencies must adopt DNSSEC by the end of 2009, we decided to measure the progress that was being made, and publicly reported adoption rates of 20%, 49% and 57% in 2010, 2011 and 2012, respectively. However, adoption outside of the large top level domains and the US government has been slow.

In mid-2010, we were encouraged by a Forrester Research study of almost 300 IT decision makers around the world indicating that 43% of the respondents had heard of DNSSEC, and of these, 95% had already implemented or had plans to implement it within 18 months. This survey focused on those industries most likely to benefit from the security that DNSSEC provides, including financial services, public sector, ISPs, media/entertainment/leisure, online commerce and other organizations with a significant online presence. Now, over two years later, we decided to follow up on this survey, focusing on the financial services sector, to see if these plans have come to fruition.

We used the Forbes Global 2000 list of public companies as our starting point, honing that list down to 293 organizations in the financial services sector. We then queried the domain names of each of these organizations, looking for two pieces of evidence of DNSSEC deployment — signatures published at the organization's domain and a chain of trust to its parent domain.

The results were both surprising and disappointing. Of these 293 organizations, only one was publishing signatures on its domain, but that one organization had not established a chain of trust to its parent, so there is little likelihood that it is benefiting from the protection that DNSSEC can provide.
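The two pieces of evidence described above can be checked mechanically. The following Python sketch is an added example, not the tooling used in the study: it classifies a domain from DNS records in presentation format (as printed by a lookup tool such as `dig`), and goes one step beyond mere presence by verifying that the parent's DS digest actually matches one of the zone's DNSKEYs. All domain names, keys and helper names (`classify`, `sample`, `tally`) are constructed for illustration.

```python
import base64, hashlib
from collections import Counter

def ds_sha256(owner, flags, proto, alg, key_b64):
    """DS digest type 2 (RFC 4509): SHA-256 of wire-format owner name + DNSKEY RDATA."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
    return hashlib.sha256(wire + rdata + base64.b64decode(key_b64)).hexdigest()

def classify(domain, records):
    """records: 'name ttl IN TYPE rdata' lines (DNSKEY/RRSIG from the zone, DS from its parent)."""
    apex = domain.lower().rstrip(".")
    rrs = [r.split() for r in records if r.strip() and not r.startswith(";")]
    rrs = [r for r in rrs if r[0].lower().rstrip(".") == apex]
    keys = [r[4:] for r in rrs if r[3] == "DNSKEY"]
    # Evidence 1: the zone publishes keys and signatures.
    if not keys or not any(r[3] == "RRSIG" for r in rrs):
        return "unsigned"
    # Evidence 2: a DS at the parent whose digest matches one of the zone's keys.
    ds = {"".join(r[7:]).lower() for r in rrs if r[3] == "DS" and r[6] == "2"}
    linked = any(ds_sha256(apex, *k[:3], "".join(k[3:])) in ds for k in keys)
    return "chain of trust" if linked else "signed, no chain of trust"

# Constructed sample data: made-up keys and domains under the reserved .test TLD.
KEY = base64.b64encode(b"constructed key, not real key material").decode()
OLD_KEY = base64.b64encode(b"constructed key that was rolled away").decode()

def sample(domain, signed, ds_for=None):
    recs = []
    if signed:
        recs += [f"{domain}. 3600 IN DNSKEY 257 3 8 {KEY}",
                 f"{domain}. 3600 IN RRSIG DNSKEY 8 2 3600 20130201000000 "
                 f"20130101000000 12345 {domain}. c2lnbmF0dXJl"]
    if ds_for:  # key tag 12345 is a placeholder; only the digest is compared
        recs.append(f"{domain}. 3600 IN DS 12345 8 2 "
                    f"{ds_sha256(domain, 257, 3, 8, ds_for).upper()}")
    return recs

SURVEY = {
    "bank-a.test": sample("bank-a.test", signed=False),
    "bank-b.test": sample("bank-b.test", signed=True),                  # no DS at parent
    "bank-c.test": sample("bank-c.test", signed=True, ds_for=KEY),
    "bank-d.test": sample("bank-d.test", signed=True, ds_for=OLD_KEY),  # stale DS
}

def tally(survey):
    return Counter(classify(d, recs) for d, recs in survey.items())
print(tally(SURVEY))
```

A zone in the "signed, no chain of trust" state is the case reported above: a validating resolver has no anchored path to its keys, so the signatures cannot be verified.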

Given these surprising results compared to the attitudes reflected in the previous Forrester survey, we looked for bias in our own data and noted that our list only included public companies. We also noted that the domain names of many of the multi-national companies on the list were not the same as the names of the individual companies that they own. Is it possible that DNSSEC might be more broadly deployed in private companies or in the individual company domain names? Unfortunately, spot checking a number of these child companies yielded no evidence of DNSSEC adoption either, so we were forced to conclude that the deployment of this important security technology is happening very slowly even within an industry that should be the most concerned about it.

Perhaps it will take a real financial loss to provide the necessary motivation. According to the Forrester report, 100% of the companies that lost greater than $5 million experienced a man-in-the-middle breach. Or perhaps, as we have seen in the U.S., legislation or industry regulations will be required to spur these organizations to action. So far, at least, protecting their customers and brand reputation has not been sufficient.

By Mark Beckett, VP, Marketing & Product Management at Secure 64

Related topics: DNS Security, Security
