
Domains Are a Critical Component of Your Enterprise Risk Management

A recent report, "Domain Security: A Critical Component of Enterprise Risk Management," published by the Interisle Consulting Group, highlights why domain security should be a critical component of enterprise risk management, a proposal that resonates closely with what we at CSC advocate.

The report describes the current threat landscape, characterized by cyberattacks in which spammers or cybercriminals use domain names as a resource to conduct phishing, fraud, malware, ransomware, distributed denial of service (DDoS) attacks, and data breaches. Attackers either register domains that are confusingly similar to existing brands or exploit legitimate domains by compromising web servers or domain registration accounts to seize control of the domains and the domain name system (DNS), then manipulate them for malicious purposes.

Every minute a website is unable to process transactions, or every day an organization is unable to operate while its systems are held for ransom, equates to costly revenue loss and reputational damage that organizations cannot afford. As a result, cyber insurance claims have been increasing, as has the need for companies to have higher levels of risk assessment and compliance. Yet cyber threats continue to occur with increasing frequency, even among large enterprises and governments.

"Because incidents and responses attract public attention, there is an overemphasis on attack response and underemphasis on pro-active, preventative measures to detect, identify, and mitigate threats before an attack can occur."

At CSC, we have isolated the common phishing tactics that we see cybercriminals and fraudsters using by taking advantage of already established brand trust:

| Common Tactics | Outcome |
|---|---|
| Domain spoofing and look-alike domains | Rogue domains and connected web services look authentic |
| Spoofing email headers | Email messages appear to be coming from someone else |
| Email account take over (ATO) | Legitimate email addresses are weaponized via email account breaches |
| Domain account take over (ATO) | Legitimate domains and connected web services are weaponized via domain registrar and DNS/cloud account breaches |
| Website, app and social media profile spoofing | Fraudulent web content is used as bait |

The report from Interisle Consulting Group further cites CSC's 2020 Domain Security Report, which found that only 47% of the Forbes Global 2000 use enterprise-class registrars; more dismally, Interisle's own research reveals that only 10% of FDIC-insured U.S. banks use enterprise-class registrars. This means the overwhelming majority are taking a huge risk by using consumer-grade registrars that are characterized by volume sales and commodity pricing with "little margin for them to implement costly security measures. Multi-factor authentication is not widely deployed, and registrar assistance with email authentication and integrity or [DNS security extensions] DNSSEC is rare." Some of these consumer-grade registrars even display indicators of criminality: they offer bulk registration services and name generation tools, and they have persistently high concentrations of spam domains under management.

"The threat landscape for domain names and their owners is no different from the landscapes for other assets that enterprises fold into enterprise risk management."

Interisle recommends that organizations incorporate domain security into enterprise risk management and use enterprise-class registrars that understand "the needs of customers who place a high value on their domain names, consider their domain names and online presence to be business-critical, or recognize that their business or brands may be highly-targeted for abuse or criminal activities."

If you'd like to assess your domain security posture as part of a larger risk management plan, fill in the form to receive our domain security checklist.

By CSC, We are the business behind business – We help effectively manage, promote, and secure our clients' valuable brand assets against the threats of the online world. Leading companies around the world choose CSC as their trusted partner to gain control of their digital assets, maximize their online potential, and increase online security against brand risks.
