Domain names, domain name systems (DNS) and digital certificates are fundamental components of the most important applications that enable your business to operate, including your website, email, voice over IP, etc. However, these vital applications are being attacked with an increasing level of sophistication and severity.
When these assets are compromised, criminals can redirect websites for financial gain, intercept emails to perform espionage, and even collect credentials to breach your network. This can have a serious impact on your business’s revenue and reputation, costing you customers and exposing your business to significant financial penalties through the EU’s General Data Protection Regulation (GDPR) and other similar policies.
Our defense-in-depth approach to domain and DNS security offers four layers of security to provide the highest level of threat mitigation.
1. Make sure you are working with an enterprise class supplier
While anyone can say that they offer services that meet the needs of today’s global businesses, it behooves you to do your homework to understand the differences between third-party providers. Businesses need to understand how their choice of supplier fits into decisions made about their organization’s overall security position, as well as concerns about intellectual property infringement and trademark law.
When it comes to the domain ecosystem, the choice of domain registrar can impact colleagues responsible for cybersecurity and IT, as well as legal (general counsel), risk, and compliance (Chief Risk Officer) because it has a major impact on cybersecurity, online phishing attacks and fraud, and brand abuse. To manage a company’s domain name portfolio, you need to work with a vendor who has invested in protecting their own systems.
With all of today’s cybersecurity threats, not only does your domain registrar need the right technology – to protect itself and your business from a data breach – but it also needs the best operational practices, ones that put security at the heart of its mission and of the way it engages with you. An enterprise-level registrar must have ISO 27001 and SOC 2 accredited data centers and must undergo third-party penetration and vulnerability testing. It should perform regular security testing, including for SQL injection and XSS. It should also be accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) and by the registry.
A registrar qualified to serve a business will provide full accounting for all of your domains, DNS, and digital certificate providers. It is expected to provide 24/7/365 support as well as cybersecurity training for its staff, including phishing and social engineering awareness. It is also important that your registrar:
- Accepts mandate requests only in writing (never by phone)
- Complies with data protection regulations such as GDPR (e.g. in its WHOIS practices)
- Has a registry transfer lockout policy
2. Only work with a registrar that provides secure access to your domain and DNS management systems
The second layer of a defense-in-depth approach to domain security is to ensure that your registrar requires secure access to the domain and the DNS management system. Registrars should require two-factor authentication for all of their clients. They should also offer IP validation and a federated ID so that their clients can connect to their network and know they have secure authentication in their domain management system.
3. Make sure all your user permissions are checked and managed
The registrar you work with should offer granular permission levels, so that you control who can do what. It should give you visibility into elevated permissions, including notifications when changes occur. This is especially important in the event of a cyber attack: if an attacker gains access to a registration system, they will create a new user or modify the permissions of an existing user in order to be able to cause damage.
4. Use advanced domain security features
The fourth level of the defense in depth approach is to apply advanced security features at the individual domain level. The first thing is to identify the vital domain names of your organization. Typically, between 10% and 15% of a business’s domain portfolio are “crown jewel” domains that power a business, its major websites, apps, and email.
Once you’ve identified these names, it’s time to apply the appropriate checks to them. First, there is registry locking, i.e. locking the domain name at the registry level, which disables automation between a registrar and a registry. This means that the DNS cannot be changed without a manual password which must be verified by an authorized contact to unlock the domain name. It is a highly secure and efficient way to ensure that the DNS of an important domain name cannot be changed without proper authentication.
Another domain security check is DNS Security Extensions (DNSSEC), which authenticates the DNS data exchanged between DNS servers. There are three types of attacks that can occur at the domain and DNS level. One of these attacks is cache poisoning, where an attacker corrupts the resolver (e.g. the ISP’s) during the lookup process so that it returns a spoofed IP address, sending users to the wrong place, such as a scam website. Deploying DNSSEC prevents this type of attack by using digital signatures to validate the authenticity of DNS data.
Third, there is Certification Authority Authorization (CAA). Once an attacker has access to a domain name, they can then access the existing digital certificate or have a new one issued. This allows them to decrypt encrypted information, such as VPN passwords, emails, etc. CAA allows you to designate a specific certificate authority as the sole issuer of your certificates. If the attacker does not go to that particular CA to obtain a new certificate, the request will fail. In addition, you will be sent an alert to let you know that someone attempted to request a new certificate that did not comply with your CAA policy. It’s a great compliance tool, but it’s also a great layer of security, alerting you if someone tries to issue a certificate on any of your key domain names.
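The CAA check described above, as an added example (not code from the article or from any registrar): it walks up the DNS tree from the requested name as RFC 8659 specifies, applies the first CAA set it finds, distinguishes wildcard from ordinary issuance, and reports the iodef contact a compliant CA would notify on a refused request. The zone data and CA names are constructed sample values.

```python
# Added example (not from the article): evaluate whether a CA may issue for a
# name under a CAA policy, using the RFC 8659 lookup rule of climbing the DNS
# tree from the requested name and applying the first CAA set found.
from typing import Dict, List, Optional, Tuple

CaaSet = List[Tuple[int, str, str]]  # (flags, tag, value) records

# Constructed sample zone data standing in for live DNS lookups.
SAMPLE_CAA: Dict[str, CaaSet] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                        # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),  # where violations are reported
    ],
    "dev.example.com.": [
        (0, "issue", "digicert.com"),                 # subzone with its own policy
    ],
}

def find_caa(name: str, zone: Dict[str, CaaSet]) -> Tuple[Optional[str], CaaSet]:
    """Return the owner and records of the first non-empty CAA set from name to root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def ca_allowed(name: str, ca: str, wildcard: bool = False,
               zone: Dict[str, CaaSet] = SAMPLE_CAA) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for `name` (or for *.name when wildcard=True)."""
    owner, records = find_caa(name, zone)
    if not records:
        return True, "no CAA policy found; any CA may issue"
    # Wildcard requests use issuewild if present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    matching = [v for _, t, v in records if t == tag]
    if not matching:
        return True, f"no {tag} records at {owner}; issuance unrestricted"
    # A value of ";" authorises no CA at all (it parses to an empty issuer name).
    allowed = {v.split(";")[0].strip() for v in matching}
    if ca in allowed:
        return True, f"{ca} listed in {tag} at {owner}"
    reports = [v for _, t, v in records if t == "iodef"]
    return False, f"{ca} not in {tag} at {owner}; report via {reports or 'none'}"
```

Note that CAA is consulted only at issuance time, so it does not affect certificates already held; revoking those is a separate step.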
The last advanced security protocol to use is Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC provides email authentication in the same way that DNSSEC does, but with its policy published at the DNS layer. DMARC is very effective in preventing email spoofing. Those who are familiar with how email works know how easy it is to make an email look like it is from a specific brand when it really is a scam. DMARC authenticates that the email is from who it says it is. It is important to consider applying DMARC or other sender policy frameworks to your key domain names to eliminate this risk of email spoofing. All security oversight should be proactive and ongoing to ensure that you stay up to date with new vital areas and blind spots in your approach.
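How a receiving server turns a published DMARC record into a pass or fail for a spoofed message, as an added example (not code from the article): it parses the record's tags, applies strict or relaxed identifier alignment between the visible From domain and the domains that passed SPF and DKIM, and returns the disposition. The policy text and domains are constructed, and the organizational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List).

```python
# Added example (not from the article): parse a DMARC TXT record and apply the
# identifier-alignment rules to a message, returning the disposition a
# receiving mail server would apply. Sample policy and domains are constructed.
from typing import Dict, Tuple

# Constructed policy as it would be published at _dmarc.example.com.
SAMPLE_DMARC = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc@example.com")

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment by default
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])            # subdomain policy defaults to p
    return tags

def org_domain(domain: str) -> str:
    """Rough organizational domain (last two labels); real receivers use the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(policy_txt: str, from_domain: str,
             spf_domain: str = "", dkim_domain: str = "") -> Tuple[str, str]:
    """Return ('pass'|'fail', disposition). spf_domain / dkim_domain are the
    domains that actually passed SPF / DKIM, or "" if that check failed."""
    p = parse_dmarc(policy_txt)
    if aligned(from_domain, dkim_domain, p["adkim"]) or \
            aligned(from_domain, spf_domain, p["aspf"]):
        return "pass", "none"
    # A failing message gets p= for the org domain itself, sp= for subdomains.
    is_org = from_domain.lower() == org_domain(from_domain)
    return "fail", p["p"] if is_org else p["sp"]
```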