Featured Article: Domain Security
After a recent report found that poor domain security has left most Global 2000 companies vulnerable to the threats of phishing and brand abuse, we take a closer look at domain security and how businesses can maximise their protection against popular threats.
CSC Research – Domains Dangerously Under-Protected
Recent research by US-based CSC, which describes itself as “a world leader in business, legal, tax, and domain security” has shown that web domains of the Global 2000 companies remain dangerously under protected. The research revealed some worrying statistics, including:
– 81 per cent of companies are not using registry locks. Not using a registry lock means that (for example) a registrar could move your domain to another registrar on its own and/or the domain could be hijacked.
– 70 per cent of homoglyph (i.e. fuzzy match) domains are owned by third parties . This is a tactic known to be commonly used in phishing and brand abuse (refer ‘typosquatting’) . A homoglyph (name spoofing) attack uses processes or domain names that are visually similar to legitimate and recognised names to fool unsuspecting users, who may not notice a minor difference (e.g. Unicode characters from non-Latin character sets) in the domain name, into clicking on a malicious link.
– Only 50 per cent are using Domain-based Message Authentication, Reporting, and Conformance (DMARC) records as an email authentication method.
– 43 per cent are configured with MX (email) records that can be used to send phishing emails or to intercept email.
– 57 per cent of the Global 2000 are relying on off-the-shelf consumer-grade registrars who offer limited domain security mechanisms to protect against domain and DNS hijacking.
Also, the research found that among the 70 per cent of the third-party domains deemed suspicious:
– 56 per cent were pointing to advertising, pay-per-click content, or being used for domain parking (registering a domain name but not linking it to any services e.g., e-mail or a website).
– 38 per cent had inactive web content (there are technical problems, problems with the account, or they don’t have nameservers associated with them).
What Are The Main Risks and Threats To Domain Security?
Some of the main risks and threats to your domain security include:
– Your registrar being compromised or hackers gaining access to your account with the company where you registered your domain name, or to the e-mail address that “reset password” forms on their websites send emails to. This can allow hackers to transfer the domain to another registrar, gaining complete ownership over it.
– Domain spoofing, used by phishers and malicious third parties to fool users into clicking onto domains that are visually similar to the legitimate domain e.g., Fuzzy matches/typo squatting, Homoglyphs – IDNs, Cousin domains, Keyword match, and Homophones (Soundex).
– Cybersquatting/brand jacking/name jacking i.e., the unauthorised registering and use of a domain name that is identical or similar to trademarks, service marks, company names, or personal names. In the US, this is a crime under the 1999 Anti-Cybersquatting Consumer Protection Act (ACPA).
– Sophisticated DNS attacks that can allow hackers to create confusion and redirect some of your website users to their servers.
– Reverse domain hijacking – i.e. whereby another entity deliberately registers something with the name of your domain/trademark and accusing you of stealing their domain.
– Not having DNS redundancy – i.e. a lack of a failsafe solution or a backup mechanism for DNS outages, such as having a having secondary DNS. A lack of DNS redundancy can leave the business open to threats like a reduced resiliency to DDoS attacks, and the associated problems of down-time, disruption to business continuity, revenue loss and diminished reputation.
– Not using certificate authority authorisation (CAA) records i.e., not designating a specific certificate authority (CA) to be the sole issuer of certificates for your company’s domains. Not using CAA could allow a cybercriminal to use the appointed certificate authority to get a new certificate and could represent a threat to compliance.
– Not authenticating the company’s email channel with DMARC, SPF, or DKIM. Sender Policy Framework /SPF, for example, enables a domain to state which servers can send emails on its behalf, and DMARC is an email validation system. Not authenticating the company’s email channel can leave the business open to threats like having the company’s email domain being used for email spoofing, phishing scams, and other cybercrimes.
– Not staying on top of matters relating domain renewals, thereby potentially allowing a company domain to be purchased and used by another party, perhaps for malicious purposes.
– Not having a security certificate (https). This protocol uses encryption to protects the integrity and confidentiality of data between the user’s computer and the site. The authentication aspect proves that users are communicating with the intended website, and can, therefore, protect against man-in-the-middle attacks and build/maintain user trust, not to mention improving the search engine profile and ranking.
What About GDPR Domain Masking?
The introduction of GDPR meant that the identity of a domain name registrant couldn’t be published in the public WHOIS database (without consent) and without the risk of penalties. This, however, is a two-edged sword, as it gives criminals more anonymity for registering domain names for malicious purposes, and can stop investigators and security professionals from uncovering dangerous/malicious/phishing website owners. There are, however, ways for cybercriminals and investigators to find out the identity of a domain owner.
How To Boost Your Domain Security
Despite significant potential domain security risks and threats, there are a number of measures that you can take to plug this potential gap in your business cyber security strategy. These measures include:
– Choosing a professional, reliable, and reputable business-focused registrar.
– Authenticating your email channel with DMARC, SPF, or DKIM to minimise the incidence of email spoofing and potential phishing.
– Using enterprise-grade DNS hosting. This could mean consolidating your domain, DNS, and digital certificate providers into one enterprise-class provider.
– Incorporating secure domain, DNS, and digital certificate practices into the overall cyber security posture.
– Using a registry lock for your domain to prevent the risks of administrative and technical hijacking.
– Using domain privacy services and ensuring that WHOIS details are redacted.
– Ensuring that there is DNS redundancy (a failsafe/backup for DNS outages e.g., a secondary DNS).
– Adding CAA records to allow for policy enforcement and to mitigate cyber threats such as HTTPS phishing of hijacked sub domains.
– Buying security certificates for domains (https).
– Continuous monitoring of the domain space and key digital channels e.g., marketplaces, apps, social media, and email for any evidence of brand abuse, infringements, phishing, and fraud.
– Minimising third-party risk by looking at/auditing the business practices of the domain registrar to make sure they are not contributing to fraud and brand abuse e.g., through operating domain marketplaces, domain name spinning, and more.
– Maintaining good basic cyber security practices that can prevent hacks or accounts being compromised that could lead to domains being hijacked and more.
What Does This Mean For Your Business?
The security of your company domain(s) is an often overlooked part in the cyber security strategy of a business and yet, a domain is direct, public part of your brand and reputation that (if successfully attacked and compromised) could lead to huge technical, legal, monetary, and reputational damage to your business. Research, such as that by CSC, confirms that businesses are still taking big risks by not addressing domain security, and cyber criminals use domains as a key part of popular attack methods such as phishing. There are, as outlined in the article, basic measures that businesses can take to make sure that their domains are protected, and that threats to domain security are addressed.