CISA issues guidance to help federal agencies better encrypt DNS traffic
The Cybersecurity and Infrastructure Security Agency is out with new guidance to help federal civilian agencies meet website encryption requirements and move closer toward shoring up the security posture of their internal networks.
CISA says the guidance released Thursday would help federal agencies set benchmarks for zero trust, a security methodology where users on a network are never inherently trusted and must be regularly verified to allow for access into sensitive systems and pages.
The guidance document centers on Domain Name System, or DNS, a networking hierarchy that catalogs organizations’ sites and maps them to usable web addresses. The protocol, in essence, converts everyday website URLs into a query that internet browsers can use to locate and navigate to a webpage.
CISA argues that the longstanding DNS protocol has not supported methods that encrypt or protect against cyberspies latching onto a user’s browsing pathway and sabotaging their navigation.
“As the operational lead for federal cybersecurity, CISA developed this guide to assist federal agencies with understanding and implementing key actions and protocols to begin encrypting DNS traffic,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity, in a written statement.
One malign possibility involves DNS spoofing, where an attacker alerts the DNS responses to redirect a user to malicious sites that trick them into providing information or downloading malware that tracks their whereabouts or siphons their login credentials.
The agency supplied a sweeping checklist to feds, asking them to encrypt communications pathways between their devices, known more technically as endpoints. It also suggests they implement the changes in phases, starting with broad configurations and later encrypting over specific traffic like HTTPS, a highly common website transfer mechanism seen across browsers everywhere.
Agencies across the federal ecosystem are accelerating improvements to their internal security posture as part of a maturity deadline in which they will have to adopt zero trust architecture in their systems by late September.
The National Institute of Standards and Technology this week issued a new set of security standards to help protect against unauthorized transmission of sensitive unclassified information that’s frequently exchanged between agencies and their private sector contractors.