When it comes to your web domains, put the controls back in your hands

When I started my career with a domain registrar over 20 years ago, companies and individuals alike only had a few accredited domain registrars to choose from, and the aim was to quickly secure a domain registration – so your website or email address could be fired up within minutes. Today, these providers are in the crosshairs of cyberattacks as evidenced by the recent GoDaddy breach.

With this in mind, the U.S. National Cybersecurity Strategy announced by the Biden administration finally puts a focus on securing critical infrastructure – cloud services, domain registrars, email providers, hosting providers, DNS, and other digital services. From my perspective, this is encouraging news because it begins to address phishing and related scams like business email compromise (BEC), ransomware and wire transfer fraud at the source: the web domain.

Furthermore, the potential weaponization of millions of trusted web domains when compromised, along with the registration of “fake” web domains associated with critical infrastructure, has a far-reaching impact on government and brands. Though not yet widely recognized, there is a ripple effect on domain reputation, domain trust, across security appliances (i.e. firewalls, email gateways) and on zero trust practices. This creates challenges in differentiating: Friend vs. Foe!

Domain Security: How to improve your organization’s odds

An important point to remember is that no provider—regardless of size—is immune to the risks of a breach. But more can be done pre-emptively to secure and protect web domains to plan for when these attacks happen.

Choose your domain registrar wisely!

When it comes to anything associated with your domain, vendor selection matters, including the complexities of the domain registrar ecosystem. Is your domain registrar focused on domain security capabilities, thereby increasing your odds of securing your web domains and organization from these risks?

Step beyond your owned domains.

With corporations owning multiple brands, and hundreds or even thousands of domains within their portfolios, it’s crucial to have proactive security measures in place, along with a rapid detection and de-activation capabilities to manage the threat of fraudulent domains that imitate trusted brands. Organizations should not only be watching and monitoring the domains they own, but also their domain ecosystem, which encompasses any domain registrations that are similar to their own brands.

Implement essential domain security measures.

Our recent Domain Security Report shows that most organizations overlook domain protection and external attack surface risks associated with the domain name portfolio. As adversaries launch successful takeovers of domains, they essentially acquire the keys to that front door.

Our research shows that nearly 75% of the Forbes Global 2000 have implemented less than half of the 8 domain security measures we analyzed (ie DMARC, DNSSEC, and Domain Registry Lock). In another CSC report, Threatening Domains of the Top 10 Most Valuable Brands Report, we found that 99% of the identified domain names that closely matched legitimate brand names were owned by third parties. This resulting chronic abuse of domains adds a layer of significant risk that can impact the security posture, consumer safety, intellectual property, and revenue of victim companies.

Consumer-grade vs. Enterprise-class domain registrars

Adversaries know that domains represent the digital “front door” that customers and business partners associate with a company’s products, email communications and corporate persona. However, today many large organizations and brand owners are still using consumer-grade registrars that cater to personal users and small businesses. But, why?

It take evaluation, segmentation and policy…

Analysts, policy makers and other experts have not yet segmented domain registrars (and cloud providers) based on business capabilities and focus on domain security, brand protection and fraud protection. In addition, cyber insurance carriers and companies themselves are not evaluating domain portfolios with a wide enough lens to see the crucial cyber security, legal infringement, reputation, and revenue risks associated with the lack of domain security measures.

With a domain registrar, comes domain reputation…

In late 2021, CSC and Security Scorecard—the global leader in cyber security ratings for enterprise organizations—released research in a whitepaper that shows a company’s choice of domain registrar really does matter when it comes to cyber security. A company’s total security rating on average is one-half to one whole letter grade higher if using an enterprise-class registrar. That’s a compelling difference when you’re trying to maintain strong domain reputation.

How can I identify an enterprise-class registrar?

The checklist below is a great way of ensuring that you have selected your organization’s domain registrar based on capabilities, expertise and solutions that focus on cybersecurity, data protection, consumer safety and safeguard intellectual property:

• Enterprise-wide scale and expertise with a corporate-only domain, DNS and certificate management offering.
• Mission and focus on cyber security and IP protection.Do not use registrars that offer:
  • Domain services through retail websites or reseller offerings
  • Pay-per-click, domain spinning, and domain auctioning services that facilitate the infringement of intellectual property and trademarks

• Emphasis on domain security via advanced services such as domain registry lock, DMARC, DNSSEC, CAA records and DNS hosting redundancy.
• Provide global and local 24x7x365 support capabilities with worldwide domain registration capabilities.
• Implementation of Know Your Customer (KYC) methods of sourcing and validating client interactions.
• Internet Corporation for Assigned Name and Numbers (ICANN) and registry accredited globally.
• Offer domains, brand and fraud monitoring and enforcement and takedown capabilities with unique capabilities such as DomainSecSM and 3D Domain Security and Enforcement.
• Offer complimentary advisory services and tools that facilitate domain management and security along with brand and fraud protection.
• Use best-in-class operations processes and controls such as mandating written requests, conducting cyber security awareness training, and taking data and policy measures.
• Have best-in-class operations practices that put security at the forefront of its mission, including ISO27001 accredited data centers, SOC 2 compliance, and third-party penetration and vulnerability testing.

To learn more about CSC’s best practices for domain security, visit our recommendations to protect your domain reputation.

About Vincent D’Angelo

Vincent D’Angelo is global director with CSC. With his 20+ years of experience, Vincent has a deep understanding of the digital business ecosystem inclusive of brand protection, phishing, fraud and the cybersecurity of domain names, certificates and the domain name system (DNS). He’s an industry recognized subject matter expert helping the world’s most valuable brands mitigate related business risks with the development of best practices, policies, and strategies. Vincent serves as the chairperson of the cybersecurity domain/DNS abuse subcommittees for the International Trademark Association (INTA) and the American Bar Association (ABA). He’s also a dynamic forward-thinker, keeping a pulse on the impact of emerging technologies on digital brand strategies and the cyber security of digital business assets.