Unlocked domains are susceptible to malicious tactics that can lead to unauthorized DNS changes and domain name hijacking, says CSC.
Your organization’s public-facing domain is often as important and critical a resource as are your internal files, data, and network. And just as you protect your internal infrastructure from cyberthreats, so too do you need to protect your domain. A report released Tuesday by domain security provider CSC highlights some of the security threats that can affect your domain and what you can do to fight them.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
Analyzing the domain security practices of companies across the Forbes Global 2000, CSC found that only 17% of organizations use registry locks to prevent domain name hijacking and unauthorized changes to their DNS. Without a lock, such threats could take a website offline or redirect users to malicious content. Many domains may be unlocked as not every domain registrar offers this service.
But a registrar lock alone may not be sufficient. In one example cited by CSC, a security expert lost his core domain to scammers. Even though the domain owner had a lock, the registrar succumbed to a scam and transferred his domain to another registrar. To protect against this action, the owner should have insisted on a registry lock that prevents domain transfers initiated by the registrars.
Only 20% of the global 2000 companies use enterprise-grade DNS hosting. Using a non-enterprise DNS host without redundancy can lead to potential security threats such as distributed denial of service (DDoS) attacks. If your DNS goes down, then your websites, email, remote employee access, and other services go down as well.
One measure that can defend against DNS-related attacks is DNSSEC (Domain Name System Security Extensions), which authenticates and secures communications between different DNS servers. Only 3% of the companies in the Forbes Global 2000 use DNSSEC, according to CSC. Yet the lack of this security measure can help attackers hijack elements of the DNS lookup process, allowing them to control a browsing session and redirect users to malicious websites.
A(CAA) record determines which certificate authorities (CAs) are authorized to issue a certificate for a specific domain name. A CAA provides protection for your domain as it ensures that only your chosen CA can issue certificates. However, just 4% of the Global 2000 companies analyzed by CSC have adopted CAA records. The risk here is that an attacker who is able to access a domain name can always arrange for a new certificate to be issued without your knowledge.
SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)
Spoofing an email to make it look like it was sent from a legitimate source is an easy enough task. One way to protect against such spoofs is through DMARC (Domain-based Message Authentication, Reporting & Conformance), which verifies that email messages are being sent from the correct domain. However, only 39% of the Global 2000 companies currently use DMARC. Without this type of protection, an organization’s email domain could be used for email spoofing, phishing scams, and other crimes.
To help your organization improve its domain security measures, CSC suggests the following steps:
- Incorporate secure domain, DNS, and digital certificate practices into your overall cyber security posture.
- Use a defense in-depth strategy to secure your domains, DNS, and digital certificates. As part of this strategy, select an enterprise-class provider though which you can secure access to your domain and DNS management systems (two-factor authentication, IP validation, federated ID), control user permissions, and leverage advanced domain security features.
- Consolidate your domain, DNS, and digital certificate providers into one enterprise-class provider.
- Proactively identify, understand, and employ the appropriate security measures for your vital domain names through an enterprise-class provider. Choose a provider that offers continuous vital domain name identification, registry lock, DNSSEC, and DMARC.