
40% of U.S. government Web sites fail security test

DoD, CIA among agencies that haven't adopted extra DNS security measures

By , Network World
March 15, 2012 01:37 PM ET

Network World - Approximately 40% of federal government agencies are out of compliance with a regulation that requires them to deploy an extra layer of authentication on the DNS records for their Web sites, a measure meant to stop attackers from hijacking Web traffic and redirecting it to bogus sites.

It's been more than two years since federal agencies were required to support DNS Security Extensions (DNSSEC) on their Web sites. However, two recent studies indicate that around 40% of federal Web sites have not yet deployed this Internet security standard.

Laggards on adopting this Internet security standard include the Department of Defense and the Central Intelligence Agency, experts say.


DNSSEC addresses what's called the Kaminsky vulnerability, a fundamental flaw in the DNS that was disclosed in 2008. A resolver has no way to tell a genuine response from a forged one, so an attacker who guesses the transaction ID and source port of an outstanding query can plant a fake answer in its cache. Such cache poisoning attacks redirect traffic from a legitimate Web site to a fake one without the Web site operator or end user knowing.

DNSSEC prevents cache poisoning by having zone operators sign their DNS records with public-key digital signatures, so that a validating resolver can verify that the answer mapping a domain name to an IP address came from the zone's owner and was not altered in transit. It provides authentication and integrity only: DNSSEC does not encrypt DNS queries or responses.

It prevents this kind of man-in-the-middle attack only when every level of the DNS hierarchy supports the standard: the root zone, the top-level domain such as .gov, and the individual agency's own zone, each vouching for the key of the level beneath it so that a resolver can follow an unbroken chain of trust from the root down to the Web site's record. The DNS root zone and the .gov domain are cryptographically signed, so it is now up to individual federal Web sites to deploy DNSSEC in order to bolster end-to-end security of the government's Web traffic. Two caveats apply: the resolver the user relies on must actually perform validation, or the signatures are never checked, and DNSSEC protects only the lookup, so the connection to the Web site itself still needs TLS.
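The signing and validation steps described above, as an added example that is not part of the article and not any agency's code. It is written in Go against the standard library: a hypothetical example.gov zone signs the A record for www.example.gov. (the addresses are from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 and, like the key and the validity times, are constructed here), .gov's part of the chain is modelled as the DS digest of the zone's key, and a resolver then validates three answers: the genuine one, a poisoned one carrying a different address under the real signature, and one the attacker signed with a key of their own. The algorithm is Ed25519 (DNSSEC algorithm 15, standardised in RFC 8080 after this article ran) because it keeps the code short; agencies at the time mostly used RSA, but the wire formats, the key tag, the DS digest and the validation logic are the same. The validator deliberately skips the signature validity-time check and treats the DS as already verified, which a real resolver would have checked up through the root.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// rrsig holds the RRSIG fields the signature covers (RFC 4034 s3.1). An RRset is passed as its owner
// name plus RDATAs, all of type typeCovered, class IN, TTL origTTL. Algorithm is fixed to 15, Ed25519 (RFC 8080).
type rrsig struct {
	typeCovered, keyTag            uint16
	labels                         uint8
	origTTL, expiration, inception uint32
	signer                         string
	signature                      []byte // 64 bytes for Ed25519
}

// wireName: canonical wire form of a name, lowercase length-prefixed labels ending in the root label.
func wireName(name string) []byte {
	var out []byte
	for _, l := range bytes.FieldsFunc(bytes.ToLower([]byte(name)), func(r rune) bool { return r == '.' }) {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// dnskeyRdata: flags 257 (ZONE+SEP, a key-signing key) | protocol 3 | algorithm 15 | 32-byte public key.
func dnskeyRdata(pub ed25519.PublicKey) []byte {
	return append(append(binary.BigEndian.AppendUint16(nil, 257), 3, 15), pub...)
}

// keyTag: the RFC 4034 Appendix B checksum by which RRSIG and DS records refer to a DNSKEY.
func keyTag(dnskey []byte) (ac uint32) {
	for i, c := range dnskey {
		ac += uint32(c) << (8 * uint(1-i%2)) // even offsets are the high byte, odd the low byte
	}
	return (ac + ac>>16) & 0xFFFF
}

// dsDigest: the DS record the parent zone (.gov) publishes, SHA-256(owner name || DNSKEY RDATA), RFC 4509.
func dsDigest(owner string, dnskey []byte) [32]byte { return sha256.Sum256(append(wireName(owner), dnskey...)) }

// signedData: RRSIG RDATA minus the signature, then each RR in canonical form sorted by RDATA (RFC 4034 s3.1.8.1).
func signedData(s rrsig, owner string, rdatas [][]byte) []byte {
	out := append(binary.BigEndian.AppendUint16(nil, s.typeCovered), 15, s.labels)
	for _, v := range []uint32{s.origTTL, s.expiration, s.inception} {
		out = binary.BigEndian.AppendUint32(out, v)
	}
	out = append(binary.BigEndian.AppendUint16(out, s.keyTag), wireName(s.signer)...)
	set := make([][]byte, len(rdatas))
	for i, rd := range rdatas { // owner | type | class IN | original TTL | rdlength | rdata
		c := binary.BigEndian.AppendUint32(append(binary.BigEndian.AppendUint16(wireName(owner), s.typeCovered), 0, 1), s.origTTL)
		set[i] = append(binary.BigEndian.AppendUint16(c, uint16(len(rd))), rd...)
	}
	sort.Slice(set, func(i, j int) bool { return bytes.Compare(set[i], set[j]) < 0 })
	return append(out, bytes.Join(set, nil)...)
}

// signRRset: the zone operator's step; the key tag is derived from the DNSKEY published next to the RRSIG.
func signRRset(priv ed25519.PrivateKey, dnskey []byte, s rrsig, owner string, rdatas [][]byte) rrsig {
	s.keyTag = uint16(keyTag(dnskey))
	s.signature = ed25519.Sign(priv, signedData(s, owner, rdatas))
	return s
}

// validate: the resolver's step in the chain of trust. The DNSKEY in the answer must hash to the DS the
// parent published, and the RRSIG must verify under that key. Validity times are not checked here.
func validate(parentDS [32]byte, dnskey []byte, s rrsig, owner string, rdatas [][]byte) bool {
	if len(dnskey) != 36 || dnskey[3] != 15 || keyTag(dnskey) != uint32(s.keyTag) ||
		dsDigest(s.signer, dnskey) != parentDS { // the parent does not vouch for this key
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(dnskey[4:]), signedData(s, owner, rdatas), s.signature)
}

// demo signs the A record of a hypothetical example.gov zone and validates three answers.
// Names, addresses, keys and times are constructed for the example; none is real .gov data.
func demo() (genuine, forgedAddress, attackerKey bool) {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	dnskey := dnskeyRdata(zonePub)
	ds := dsDigest("example.gov.", dnskey) // what the signed .gov zone would carry for example.gov
	tmpl := rrsig{typeCovered: 1, labels: 3, origTTL: 3600, inception: 1331510400, expiration: 1334102400, signer: "example.gov."}
	www, goodA, badA := "www.example.gov.", [][]byte{{192, 0, 2, 10}}, [][]byte{{198, 51, 100, 7}}
	sig := signRRset(zonePriv, dnskey, tmpl, www, goodA)
	genuine = validate(ds, dnskey, sig, www, goodA)
	// Cache poisoning: the genuine RRSIG with a swapped address; the signed data no longer matches.
	forgedAddress = validate(ds, dnskey, sig, www, badA)
	// Attacker signs the forgery with a key of their own and supplies that DNSKEY; no DS in .gov matches it.
	evilPub, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerKey = validate(ds, dnskeyRdata(evilPub), signRRset(evilPriv, dnskeyRdata(evilPub), tmpl, www, badA), www, badA)
	return
}

func main() { fmt.Println(demo()) } // true false false
```

Run it with go run and it prints true false false: the genuine answer validates, the poisoned answer fails because the signature no longer covers the data, and the attacker's self-signed answer fails before any signature is checked because no DS in the parent vouches for the attacker's key. That last case is why a signed root and a signed .gov help only once each agency zone beneath them is signed as well.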

Federal agencies were required to support DNSSEC on their Web sites under an Office of Management and Budget mandate issued in August 2008. The deadline for compliance was Dec. 31, 2009.

DNSSEC deployment also is necessary for high marks in agency IT security report cards under the Federal Information Security Management Act or FISMA.

One study, conducted on March 2 by DNS vendor Secure64, indicated that 57% of the 359 federal government Web sites tested had deployed DNSSEC. This study indicated that the other 43% of Web sites had not yet signed their DNS zones.

A similar study, conducted on March 11 by the National Institute of Standards and Technology (NIST), estimated that 59% of federal agencies are running DNSSEC on their Web sites. The NIST study of 1,595 Web sites shows that of the 41% of federal agencies that don't have DNSSEC deployed, 7% appear to be in the process of deploying it.

Both sets of results indicate slow adoption of DNSSEC among federal Web sites.

DNSSEC is "not on anyone's radar screen," says Ray Bjorklund, Chief Knowledge Officer at Deltek, a federal IT market research firm. "I remember hearing of it vaguely a couple years ago, but it's not coming up with the agency CIOs that I talk to."

Bjorklund acknowledges that agencies should be taking DNSSEC more seriously given that hacktivist-style attacks are on the rise and that U.S. federal agencies are likely targets.
