
Your Cybersecurity is Only as Strong as Your Weakest Vendor

Managing the risk of third parties has become a compliance focus for many large organizations. Companies even work with third-party service providers and external vendors just to manage this risk. The recent SolarWinds attack heightens the critical need for chief compliance officers to collaborate with their business counterparts to identify and mitigate potentially unknown threats that lie within third-party supply chains. Yet how can companies manage this risk when the question is not if but when they will be attacked?

To assess, we can look at the domain and domain name system (DNS) vulnerabilities within a company’s cybersecurity posture, as this is often a blind spot for many businesses. Companies manage their domain portfolios via two general categories of domain registrars: consumer-grade registrars and enterprise-class registrars. A consumer-grade registrar specializes in domain services, websites, and email for personal use, entrepreneurs, and small businesses that are just getting started. In contrast, enterprise-class registrars focus on corporations and brand owners that require increased security, advanced capabilities, and support staff.

The registrar that your organization uses matters. As my colleague, Vin D’Angelo, mentions in Infosecurity Magazine, consumer-grade domain registrars are not inherently malicious actors, but because of certain standard business practices, they attract bad actors that execute brand abuse, phishing attacks, and fraud. For example, on February 1, the PERL.COM domain, managed by the Perl Foundation, was hijacked by cyber criminals who redirected the URL to a domain parking site that may have been related to sites that distributed malware in the past. Bad actors had hacked into the PERL.COM account (whose domain registrar is consumer-grade Network Solutions) and the Perl Foundation found it for sale for $190K at afternic.com, a domain parking site.

As I mentioned in my blog “Four-Pronged Approach to Keep Your Domain Names and DNS Secure from Cyber Attacks,” working with an enterprise-class provider can help you develop the right compliance checklist for your organization to select the right registrar vendor. When it comes to working with your registrar, you need to work with a provider that has invested in protecting its own systems. In essence, it takes the right people, processes, and technology.

People

A good enterprise-class registrar should provide corporate clients with a dedicated account team, which is necessary to manage their business securely. You want to be sure you’re working with a vendor that also knows who it is doing business with on the back end, so it should be completing OFAC screening before account set-up. A good registrar also needs to have 24x7x365 in-house support. It’s also important that it can provide global support in local languages via certified and fully trained managers.

Processes

Registrars should be Internet Corporation for Assigned Names and Numbers (ICANN) and registry accredited. A registrar that’s qualified to serve an enterprise will offer a full accounting of all your domains, DNS, and digital certificate providers. It should provide cybersecurity training for its staff, including phishing and social engineering awareness. It’s also important for your registrar to mandate written requests (never via phone), be data and policy compliant—following the rules of the EU’s General Data Protection Regulation (GDPR), similar regulations, and the rules governing WHOIS data—as well as have a registry transfer-lock policy.
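The "full accounting of all your domains" and the transfer-lock policy above are things you can verify yourself rather than take on trust. The following is an added example (not code from the author or from CSC) that parses WHOIS-style output and flags domains that lack the registrar-level (client*) and registry-level (server*) EPP lock statuses defined in RFC 5731. The WHOIS records below are constructed samples on the reserved .test TLD; the "Domain Status:" line format follows ICANN's registration-data labelling. RDAP returns the same statuses under different labels ("client transfer prohibited"), so a real audit would map those first.

```python
import re
from dataclasses import dataclass

# EPP status codes (RFC 5731). client* locks are set by the registrar;
# server* locks are set at the registry (the "registry lock" an
# enterprise-class registrar should offer).
REGISTRAR_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}
REGISTRY_LOCKS = {
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverDeleteProhibited",
}

DOMAIN_RE = re.compile(r"^\s*Domain Name:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


@dataclass
class LockFinding:
    domain: str
    statuses: set
    missing_registrar_locks: set
    missing_registry_locks: set
    pending_transfer: bool

    @property
    def risk(self) -> str:
        # No transfer lock (or a transfer already in flight) is the condition
        # that lets a hijacker move the domain to another registrar.
        if self.pending_transfer or "clientTransferProhibited" not in self.statuses:
            return "high"
        if self.missing_registrar_locks or self.missing_registry_locks:
            return "medium"
        return "low"


def parse_whois(text: str):
    """Extract the domain name and the set of EPP status codes from WHOIS text."""
    match = DOMAIN_RE.search(text)
    if not match:
        raise ValueError("no 'Domain Name:' line in WHOIS record")
    domain = match.group(1).lower()
    statuses = set(STATUS_RE.findall(text))
    return domain, statuses


def audit_domain(text: str) -> LockFinding:
    domain, statuses = parse_whois(text)
    return LockFinding(
        domain=domain,
        statuses=statuses,
        missing_registrar_locks=REGISTRAR_LOCKS - statuses,
        missing_registry_locks=REGISTRY_LOCKS - statuses,
        pending_transfer="pendingTransfer" in statuses,
    )


def audit_portfolio(records):
    """Audit every WHOIS record in the portfolio inventory."""
    return [audit_domain(r) for r in records]


# Constructed sample records (not real WHOIS output).
SAMPLE_WHOIS = [
    """Domain Name: EXAMPLE-LOCKED.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
""",
    """Domain Name: EXAMPLE-PARKED.TEST
Domain Status: ok https://icann.org/epp#ok
""",
    """Domain Name: EXAMPLE-PARTIAL.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
""",
]

if __name__ == "__main__":
    for finding in audit_portfolio(SAMPLE_WHOIS):
        print(finding.domain, finding.risk,
              sorted(finding.missing_registrar_locks | finding.missing_registry_locks))
```

Run this against the WHOIS records you already collect for your portfolio inventory; any domain reported as "high" has no transfer lock at all, which is the state the PERL.COM incident above exploited, and "medium" means the registrar has applied some but not all locks or no registry-level lock.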

Technology

With all of the cybersecurity threats today, not only does your domain name registrar need to have the right technology—to protect itself and your company from a data breach—but it also needs best-in-class operations practices that put security at the forefront of its mission, and in how it engages with you. An enterprise-class registrar should have ISO 27001 accredited data centers, SOC 2® compliance, and third-party penetration and vulnerability testing. They should conduct regular security tests, including SQL injection and XSS.

While anyone can say they offer services that meet the needs of today’s global corporations, the onus is on you to do the homework to understand the differences between third-party providers. Companies need to understand how their choice of provider fits into decisions made about their organization’s overall security posture, along with concerns about compliance and risk.

By Sue Watts, Global Marketing Leader, Digital Brand Services, CSC
