Global 2000 companies do not adopt key domain security measures

Forbes Global 2000 companies fail to adopt key domain security measures, exposing them to significant security risks, says CSC Domain Security Report 2022. The Enterprise-Class Domain Registrar and Domain Name System (DNS) Threat Mitigator found that 75% of Global 2000s implemented less than half of all domain security measures with Domain-Based Message Authentication, Reporting, and Compliance (DMARC)the only domain security measure whose adoption has significantly increased since 2020. Data follows Akamai Research from Augustwhich discovered increased malicious domain activity and reuse of phishing toolkit based on DNS data.

Slow adoption of domain security measures, most popular DMARC

Adoption of domain security measures recommended by Global 2000 companies has been slow over the past two years, CSC said. Measures such as DNS redundancy, registry locking, Certificate Authority Authorization (CAA) records, and DNS Security Extensions (DNSSEC) have only seen very modest growth since 2020. “With the risks of not having domain security in place potentially leading to phishing or ransomware attacks, and many other cyber threats, we were hoping to see an implementation higher implementation of some of these security measures,” the report read.

In contrast, DMARC adoption has increased from 38.9% in 2020 to 61.5% in 2022. CSC cited the fact that Verified Brand Certificates (VMCs) now require DMARC to be configured to verify SSL (Secure Sockets Layer) certificates as a key factor. behind adoption. “Additionally, Apple announced Brand Indicators for Message Identification (BIMI) in September and said its email clients for iOS 16 and macOS will support a broad industry effort to combat email spoofing. branding and spoofing Senders that support BIMI must adhere to a strict email authentication standard, which includes the use of the DMARC security standard,” the report adds.

Overall, companies with the most adoption of domain security measures earned the “highest security score” based on CSC’s calculations, according to the report. Conversely, 137 companies received a domain security score of zero, with most based in the APAC region.

Similar domains targeting businesses to launch phishing attacks, misuse brands

Lookalike/fake domains target the Global 2000 to leverage trust in well-known brands and launch phishing attacks or other forms of digital brand abuse/intellectual property infringement, the CSC report states. More than 75% of homoglyph domains are owned by third parties, which means many of the world’s biggest brands face web domains that appear to maliciously resemble their registered trademarks, the company added.

GoDaddy, Namecheap, and PDR LTD are the companies most associated with fake third-party domain registrations, the report says. In terms of industry verticals, banking (10%), computer software and services (7%) and business services and supplies (5.5%) were listed as the most targeted sectors. by fake domain registrations, with food markets (0.4%), semiconductors (1.7%) and media (1.8%) the least.

Top-level domain cyberattacks should never be underestimated

Domain-based security threats are numerous, but the most pervasive threats are the least interesting: phishing domains and BEC attacks using registered short-term domains in an attempt to attack a customer, said Peter Lowe , senior security researcher at DNSFilter, at CSO. “However, the risk of more high-profile attacks should never be underestimated – with the worldwide rise of ransomware, protecting your network from communicating with C2 domains can prevent critical data loss, downtime arrest and potentially even costly ransoms,” he adds.

While adoption of domain-based security measures is steadily improving, there’s still some way to go, says Lowe. “DNS as a layer of threat protection is now accepted as a standard part of security policies, with the US government launching several initiatives to provide protective DNS and officially recommending it, along with guidance on how to select a service. However, it still lacks the attention and awareness it deserves from many MSSPs and individual businesses. »

To protect their domains, it’s crucial for organizations to use a trusted registrar that provides 2FA, registry locking and built-in DNSSEC, as well as a robust support service, says Lowe. “On the network side, it is essential to select a DNS resolver that offers efficient and configurable filtering on an encrypted DNS channel. Any commercial resolver should also provide a decent Anycast network behind the scenes and provide useful reports that can give you insight into what’s going on on your network.

Copyright © 2022 IDG Communications, Inc.