DNS security battlecard
Need a quick summary of essential DNS security measures on a single page? I've published a DNS Security Battlecard just for you. My intention is to "net out" the key measures you should consider to better secure your DNS and thereby better secure your overall network. The battlecard summarizes, for each DNS server role, various controls you can implement related to deployment, routing controls, server controls and DNS application/protocol controls.
Beyond the network and server level controls highlighted in the battlecard, please do not forget the human element of security that pervades all DNS server roles. This includes developing and enforcing an organizational security policy, incorporating security functions and requirements into staff job descriptions, staffing of personnel with appropriate job-specific skill sets, regular training of security policies and controls, and periodic auditing of staff activities.
Other enterprise-wide security considerations include documenting business continuity/disaster recovery plans, implementing supply-chain controls, protecting data, and communicating detected threats and resolutions with the cybersecurity community. These broader controls are defined in the National Institute of Standards and Technologies (NIST) Cybersecurity Framework (CSF). The CSF is a de facto security implementation standard not only for the U.S. government, but for organizations worldwide. I invite you read my prior post for my perspective on applying the CSF to DNS.
While the CSF as applied to DNS provides a broader perspective on suggested security outcomes, the DNS Security Battlecard offers a focused albeit brief summary of requisite network, server and DNS controls you can implement for improved network security.
Beyond the network and server level controls highlighted in the battlecard, please do not forget the human element of security that pervades all DNS server roles. This includes developing and enforcing an organizational security policy, incorporating security functions and requirements into staff job descriptions, staffing of personnel with appropriate job-specific skill sets, regular training of security policies and controls, and periodic auditing of staff activities.
Other enterprise-wide security considerations include documenting business continuity/disaster recovery plans, implementing supply-chain controls, protecting data, and communicating detected threats and resolutions with the cybersecurity community. These broader controls are defined in the National Institute of Standards and Technologies (NIST) Cybersecurity Framework (CSF). The CSF is a de facto security implementation standard not only for the U.S. government, but for organizations worldwide. I invite you read my prior post for my perspective on applying the CSF to DNS.
While the CSF as applied to DNS provides a broader perspective on suggested security outcomes, the DNS Security Battlecard offers a focused albeit brief summary of requisite network, server and DNS controls you can implement for improved network security.
Comments
Post a Comment