Home / Blogs

Why Domain Name Security Matters Most?

In my recent CircleID post, DNS, Domain Names, and Certificates: The Missing Links in Most Cybersecurity Risk Postures, I highlighted the importance of applying multiple layers of defense to secure these business-critical assets. Last Friday, Brian Krebs, the world-renowned cybersecurity journalist, reiterated the criticality of domain name security because the domain name "e-hawk.net" was stolen from the rightful owner using social engineering tactics targeting its domain name registrar.

In his post, Does Your Domain Have a Registry Lock? Mr. Krebs walked through the tactics and measures companies can use like Registry Lock to protect their vital domain names (see below). He also reiterated that an overwhelming majority of organizations, regardless of industry or geographic location, including the Forbes Global 2000 are at risk with less than 25% having adopted the Registry Lock Protocol.

Best Practices to Maximize Security Against Domain Name & DNS Hijacking (Source)

  1. Use registration features like Registry Lock that can help protect domain name records from being changed. Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes).
  2. Use DNSSEC (both signing zones and validating responses).
  3. Use access control lists for applications, Internet traffic and monitoring.
  4. Use 2-factor authentication, and require it to be used by all relevant users and subcontractors.
  5. In cases where passwords are used, pick unique passwords and consider password managers.
  6. Review the security of existing accounts with registrars and other providers, and make sure you have multiple notifications in place when and if a domain you own is about to expire.
  7. Monitor the issuance of new SSL certificates for your domains by monitoring, for example, Certificate Transparency Logs.

From my perspective, the reason for this business risk is that there is a general lack of awareness related to domain name and DNS hijacking and the fact that most domain name registrars do not support the Registry Lock Protocol. However, security warnings came from FireEye's Mandiant team in early 2019 about a global DNS hijacking campaign that appeared to be connected to the Iranian government. This prompted the Department of Homeland Security to issue an emergency directive about mitigating the risk of DNS hijacking.

Cybercriminals are taking advantage of this risk and have been doing so for quite some time. Throughout 2019, Cisco Talos warned about the state-sponsored 'Sea Turtle' attack taking control of DNS systems and stated, "the actor ultimately intended to steal credentials to gain access to networks and systems of interest." And just this week, Reuters reported in "Exclusive: Hackers acting in Turkey's interests believed to be behind recent cyberattacks — sources” that another group of hackers alleged to be working for the Turkish government's interests attacked government organizations and companies via DNS hijacking.

Furthermore, domain name registrars have varied controls, processes and security measures. When assessing your domain name registrar capabilities validate that they are applying a Defense in Depth Approach to secure your "vital" domain names:

  • Are they ICANN & registry accredited with enterprise-class technology and operational processes?
  • Do they provide secure portal access with 2FA for example?
  • Do they help apply advanced security features like Registry Lock/DNSSEC/DMARC/CAA Records?
  • Do they allow for the control of user permissions?
  • Do they help identify "vital" domain names and provide continuous monitoring and alerting?

In closing, ask your domain name registrar tough questions because they hold the "keys to the kingdom," which can jeopardize your company's reputation, finances, security, data and intellectual property.

By Vincent DAngelo, Global Director at CSC

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Whois

Sponsored byWhoisXML API

Brand Protection

Sponsored byAppdetex

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Cybercrime

Sponsored byThreat Intelligence Platform

Domain Names

Sponsored byVerisign

IP Addressing

Sponsored byIPv4.Global