Home / Blogs

Three Reasons Why CISOs Need to Understand Domain Security

Domain name abuse is one of the most dangerous and under-regulated issues in digital business security today. An attack on a web domain can lead to the redirection of a company’s website, domain spoofing, phishing attacks, network breaches, and business email compromise (BEC). Domains used as a company’s online world are part of an organization’s external attack surface and need to be continuously monitored for cybercrime attacks and fraud. As cyber risks continue to increase, organizations and cyber insurers face greater challenges in quantifying them and addressing their capacity for harm. Seemingly every day, we learn about new developments involving supply chain attacks, ransomware, and phishing attacks, along with additional layers of complexity in terms of what coverage they require and how to stop them.

1. Many of the largest companies in the world still lack basic domain security protocols

As seen in CSC’s latest Domain Security Report, nearly three quarters of Forbes Global 2000 companies have implemented less than 50% of recommended domain security measures, making them prime targets for bad actors.

Securing the domain portfolio—which includes securing a brand’s online presence, but also domains that run your email, client portals, or other important business applications—is fundamental to managing your cyber risk. It’s important to verify with your organization’s teams if they’re using an enterprise-class registrar, or deploying registry lock, certificate authority authorization (CAA) records, domain name system (DNS) redundancy, DNS security extensions (DNSSEC), sender policy framework (SPF), domain keys identified mail (DKIM), and domain-based messaging, authentication, reporting, and conformance (DMARC).

2. You’re only as secure as your vendors, and you can choose your domain registrar

When it comes to a registrar’s security and the value they place on security of their clients’ domains, vendor selection is vital. Large companies are still using consumer-grade registrars that cater to individuals, start-ups, and small businesses, yet vendor selection is critical here. CSC analyzed the trend of domain security adoption with respect to the type of domain registrar used and found:

ENTERPRISE-CLASS REGISTRARSCONSUMER-GRADE REGISTRARS
An enterprise-class registrar specializes in working with corporations and brand owners that require advanced business practices, capabilities, expertise, and support staff in relation to domain and DNS management as well as security, brand and fraud protection, data governance, and cybersecurity.A consumer-grade registrar is geared for domain services, websites, and email for personal use, entrepreneurs, and small businesses that are just getting started.

Many companies have a misconception that all registrars are the same. There’s misplaced trust put into consumer-grade registrars that may not have been designed for domain security; that trust can impact a company’s overall security posture. This is especially apparent for the adoption of registry locks, as most consumer-grade registrars do not support them.

In late 2021, SecurityScorecard researched the cyber ratings of companies that use enterprise-class registrars versus consumer grade. Their findings show that companies that have their domains managed by enterprise-class domain registrars have one-half to a full letter grade higher overall cybersecurity rating.

Consumer-grade domain registrars offer transactional relationships with their clients, and don’t go through the thorough review process an enterprise-class provider does. They don’t offer solutions to mitigate all the digital risks of domain spoofing, domain and DNS hijacking attacks, sub-domain takeovers, and phishing attacks. In addition to the lack of security, the hard truth is that consumer-grade domain registrars have been proliferating typosquatting, domain name auctioning services—often infringing upon other brand names—and name spinning services. These registrars monetize the goodwill brand owners have worked hard to establish, creating a revenue stream for themselves rather than protecting their clients.

An enterprise-class registrar specializes in working with corporations and brand owners that require advanced business practices, capabilities, expertise, and support staff in relation to domain and DNS management as well as security, brand and fraud protection, data governance, and cybersecurity. For more information, visit Domain Security Starts with Your Registrar.

3. Not monitoring and taking down fraudulent lookalike domains impersonating your brand will increase your chances of attacks

The intent of these fake and maliciously registered domains is to leverage the trust placed on the targeted brands to launch phishing attacks, other forms of digital brand abuse, or IP infringement. This often leads to revenue loss, traffic diversion, and a diminished brand reputation. There are endless domain spoofing tactics and permutations that can be used by phishers and malicious third parties.

This year’s report mentioned that 75% of homoglyph domains are owned by third parties and not the brand owner. 82% have their WHOIS or ownership details masked for privacy. This demonstrates the attempt to mask or hide their ownership, showing they could have malicious intentions. Furthermore, 48% of these third-party owned domains have MX records, and could be used to launch phishing attacks.

By Sue Watts, Global Marketing Leader, Digital Brand Services, CSC

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API