Approximately 40% of federal government agencies are out of compliance with a regulation that requires them to deploy an extra layer of authentication on the DNS records for their Web sites, a measure meant to stop attackers from hijacking Web traffic and redirecting it to bogus sites. It has been more than two years since federal agencies were required to support DNS Security Extensions (DNSSEC) on their Web sites, yet two recent studies indicate that around 40% of federal Web sites have not deployed the standard. Laggards include the Department of Defense and the Central Intelligence Agency, experts say.

DNSSEC addresses what's called the Kaminsky vulnerability, a fundamental weakness in the DNS disclosed in 2008 that makes cache poisoning attacks practical: an attacker feeds forged answers to a recursive resolver, and from then on traffic for a legitimate Web site is redirected to a fake one without the site operator or the end user knowing. DNSSEC counters cache poisoning by having the operator of each zone digitally sign its DNS records (including the records that map a domain name to its IP addresses) with a public-key signature algorithm; a validating resolver checks the signature against the zone's published public key and rejects any answer that does not verify. Note that DNSSEC signs DNS data, it does not encrypt it: queries and answers stay readable, so the protection is against forgery and tampering, not eavesdropping.

It stops DNS-level man-in-the-middle attacks only when every level of the DNS hierarchy supports the standard and is linked into a chain of trust: the root zone, the top-level domain such as .gov, and the individual zone, such as irs.gov, that holds www.irs.gov. Each parent publishes a DS record identifying its child's signing key, which is how a resolver walks from the root trust anchor down to the record it is checking; a signed zone whose parent publishes no DS for it cannot be validated. The DNS root zone and the .gov domain are already cryptographically signed, so it is now up to individual federal Web sites to deploy DNSSEC in order to complete the chain of trust for the DNS names behind the government's Web traffic.

Federal agencies were required to support DNSSEC on their Web sites under an Office of Management and Budget mandate issued in August 2008; the deadline for compliance was Dec. 31, 2009. DNSSEC deployment is also necessary for high marks in agency IT security report cards under the Federal Information Security Management Act (FISMA).

One study, conducted on March 2 by DNS vendor Secure64, found that 57% of the 359 federal government Web sites tested had deployed DNSSEC; the other 43% had not yet added digital signatures to their DNS zones. A similar study, conducted on March 11 by the National Institute of Standards and Technology (NIST), estimated that 59% of federal agencies are running DNSSEC on their Web sites. The NIST study of 1,595 Web sites shows that of the 41% of federal agencies that do not have DNSSEC deployed, 7% appear to be in the process of deploying it. Both sets of results indicate slow adoption of DNSSEC among federal Web sites.

DNSSEC is "not on anyone's radar screen," says Ray Bjorklund, Chief Knowledge Officer at Deltek, a federal IT market research firm. "I remember hearing of it vaguely a couple years ago, but it's not coming up with the agency CIOs that I talk to." Bjorklund acknowledges that agencies should be taking DNSSEC more seriously given that hacktivist-style attacks are on the rise and that U.S. federal agencies are likely targets. "I don't know whether it's inattention by the government, or the government generally believes that it has enough other security measures in effect that this is not going to cause a problem," Bjorklund says. "But federal CIOs need to understand that government sites can be hijacked. If agencies aren't paying attention to this, they should."

The Secure64 study does show some improvement in federal DNSSEC deployment. A year ago, the study found that half of federal Web sites had not deployed DNSSEC; now that figure is down to 43%. "In a year, the needle moved from 50% DNSSEC deployment to 57%," says Mark Beckett, vice president of marketing at Secure64. "It doesn't seem to be going up that fast year over year. I would have hoped for a bigger leap this year."

Among the federal agencies that have made progress on DNSSEC deployment in the last year are the Treasury Department and its bureaus, including the Internal Revenue Service. Treasury was signing only one of its sub-domains last year but appears to be signing everything, including www.irs.gov, today. While the Department of Homeland Security and the White House have deployed DNSSEC on their Web sites, the Defense Department and the CIA appear not to have adopted this extra security measure yet. "I find no evidence of any signing going on at the Defense Department with its .mil domain," Beckett says. "The CIA is still not signed either." The Secure64 survey showed that while most cabinet-level departments, such as the Commerce Department, the Justice Department and the Department of Health and Human Services, are cryptographically signed, smaller sub-agencies such as the Agency for Toxic Substances and Disease Registry are not.

Beckett says that of the 57% of federal Web sites that have deployed DNSSEC, 81% have established a chain of trust to their parent domain. That is not merely the optimal configuration but the one that actually works: a zone that is signed but has no DS record in its parent is an "island of security" that validating resolvers cannot reach from the root trust anchor, so they treat it as unsigned. Of the 81% with a chain of trust, 98% validate correctly when queried, another sign of full compliance with the standard. "When people have problems with DNSSEC, it's usually with the key rollover process which is somewhat complicated," Beckett explained. "You have to allow the right amount of time to pass or else you'll be in a state where the domain doesn't validate." The waiting is forced by caching: a new key has to be published in the zone's DNSKEY set, and the old DNSKEY set has to age out of resolver caches (one TTL), before the parent's DS record is switched to the new key, and the old key may be removed only after the old DS has aged out in turn. A resolver that still holds a cached DNSKEY set containing no key matching the DS it sees finds no chain of trust and fails the lookup, typically returning SERVFAIL, until its cache entry expires.

One development that may prompt federal agencies to give DNSSEC a higher priority in 2012 is a new requirement from NIST that federal agencies validate DNSSEC signatures in their recursive DNS resolvers. Signing a zone protects no one until the resolvers used by end users and agency systems check those signatures, and in January, Comcast said it was providing DNSSEC-validating resolution for its 20 million residential customers. "NIST recently came out with a new version of one of the FISMA documents. When it is finalized, it will essentially require federal agencies to do the same thing that Comcast is doing: to turn on validation in their caching resolvers," Beckett says. "It's a draft now and it has to be finalized, which can take many months. But it's a requirement that's on the horizon."
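To make the chain-of-trust and key-rollover mechanics discussed above concrete, here is an added Python example; it is not part of the original article and not Secure64's or NIST's tooling. It builds DNSKEY and DS records per RFC 4034 (key tag, SHA-256 DS digest per RFC 4509) for a constructed zone, example.gov., with synthetic key bytes that are not real keys, checks whether a parent's DS set links to a child's DNSKEY set, and simulates resolver caches across a key rollover to show that switching the DS the moment a new key is published breaks validation for exactly one DNSKEY TTL, while the staged sequence from RFC 6781 never does. It models only the DS-to-DNSKEY linkage, not RRSIG verification; the zone name, TTLs and timelines are assumptions.

```python
"""Chain-of-trust and key-rollover checks for DNSSEC on constructed data (added example).
Wire formats follow RFC 4034, the SHA-256 DS digest RFC 4509, and the rollover timing
model the caching argument in RFC 6781. Keys are synthetic bytes, not real RSA/ECDSA
keys, and no RRSIGs are produced or checked."""
import hashlib
import struct


def owner_name_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = zone key + SEP, i.e. a KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA (an identifier, not a hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS record (key tag, algorithm, digest type, digest) a parent would publish for this DNSKEY."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_name_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def chain_of_trust_ok(owner, ds_set, dnskey_set):
    """True if some DS in the parent matches some DNSKEY the child currently publishes.
    A signed zone with no matching DS is an 'island of security': resolvers cannot
    reach it from the root trust anchor and treat it as unsigned."""
    return any(ds == ds_from_dnskey(owner, rdata, ds[2])
               for rdata in dnskey_set for ds in ds_set)


def cached_states(timeline, column, t, ttl):
    """RRsets (column 1 = DNSKEY set, 2 = DS set) a resolver may still hold at time t:
    every snapshot whose lifetime overlaps the cache window [t - ttl, t]."""
    held = []
    for i, snap in enumerate(timeline):
        end = timeline[i + 1][0] if i + 1 < len(timeline) else float("inf")
        if snap[0] <= t and end > t - ttl:
            held.append(snap[column])
    return held


def rollover_failures(owner, timeline, dnskey_ttl, ds_ttl, horizon):
    """Seconds at which a validating resolver holding any cacheable mix of DNSKEY and DS
    RRsets finds no chain of trust (and would answer SERVFAIL). Timeline entries are
    (time, dnskey_set, ds_set), each authoritative until the next entry."""
    failures = []
    for t in range(timeline[0][0], horizon + 1):
        keysets = cached_states(timeline, 1, t, dnskey_ttl)
        dssets = cached_states(timeline, 2, t, ds_ttl)
        if any(not chain_of_trust_ok(owner, ds, keys) for keys in keysets for ds in dssets):
            failures.append(t)
    return failures


# Constructed zone and keys (assumed name; key bytes are placeholders, not real keys).
OWNER = "example.gov."
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(64, 128)))
OLD_DS = ds_from_dnskey(OWNER, OLD_KSK)
NEW_DS = ds_from_dnskey(OWNER, NEW_KSK)
TTL = 3600  # TTL of both the DNSKEY and the DS RRset in this model

# Done wrong: the parent's DS is switched the moment the new key appears, so resolvers
# still caching the old DNSKEY RRset see a DS that matches nothing until it expires.
ABRUPT = [(0, [OLD_KSK], [OLD_DS]),
          (100, [OLD_KSK, NEW_KSK], [NEW_DS])]

# Done right (RFC 6781): pre-publish the new key, wait one DNSKEY TTL, switch the DS,
# wait one DS TTL, then retire the old key.
STAGED = [(0, [OLD_KSK], [OLD_DS]),
          (100, [OLD_KSK, NEW_KSK], [OLD_DS]),
          (100 + TTL, [OLD_KSK, NEW_KSK], [NEW_DS]),
          (100 + 2 * TTL, [NEW_KSK], [NEW_DS])]


def abrupt_failure_window():
    """(first, last + 1) seconds of validation failure; the width equals the DNSKEY TTL."""
    f = rollover_failures(OWNER, ABRUPT, TTL, TTL, 100 + 3 * TTL)
    return (f[0], f[-1] + 1) if f else None


def staged_failure_window():
    """Empty list: the staged rollover never leaves a resolver without a chain of trust."""
    return rollover_failures(OWNER, STAGED, TTL, TTL, 100 + 3 * TTL)


if __name__ == "__main__":
    print("old KSK key tag:", key_tag(OLD_KSK))
    print("chain ok, matching DS:", chain_of_trust_ok(OWNER, [OLD_DS], [OLD_KSK]))
    print("chain ok, stale DS:   ", chain_of_trust_ok(OWNER, [OLD_DS], [NEW_KSK]))
    print("abrupt rollover fails during seconds", abrupt_failure_window())
    print("staged rollover failures:", staged_failure_window())
```

Run as a script it prints the key tag, the two linkage checks and the two rollover outcomes. To apply the same check to a real zone, feed chain_of_trust_ok the DNSKEY RRset from the child's authoritative servers (dig DNSKEY irs.gov +dnssec) and the DS RRset from the parent (dig DS irs.gov), parsed into the raw RDATA bytes and tuples used here, with the owner name exactly as published.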