Three Reasons CISOs Should Understand Domain Security

Domain name abuse is one of the most dangerous and least regulated issues in digital business security today. An attack on a web domain can lead to website redirection, domain spoofing, phishing, network breaches, and business email compromise (BEC). The domains that make up a company’s online presence are part of its external attack surface and must be continuously monitored for attacks and fraud. As cyber risks continue to increase, organizations and cyber insurers face greater challenges in quantifying them and addressing their ability to cause harm. Seemingly every day we discover new developments involving supply chain attacks, ransomware, and phishing, as well as additional layers of complexity in terms of how much cover organizations need and how to stop these attacks.

1. Many of the world’s largest companies still lack basic domain security protocols

As seen in the latest CSC Domain Security Report, nearly three-quarters of Forbes Global 2000 companies have implemented less than 50% of recommended domain security measures, making them prime targets for bad actors.

Securing the domain portfolio, which includes not only the domains behind a brand’s online presence but also the domains that run your email, customer portals, and other important business applications, is fundamental to managing your cyber risk. It’s important to check with your organization’s teams whether they are using an enterprise-class registrar and deploying registry lock, Certificate Authority Authorization (CAA) records, Domain Name System (DNS) redundancy, DNS Security Extensions (DNSSEC), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
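The seven controls listed above can be checked mechanically. The following audit script is an added example, not CSC’s tooling: it evaluates a constructed record set for a hypothetical zone (the EPP status list, NS/DS/CAA/TXT records, and a DKIM selector are all made up) and reports coverage as a percentage, the same yardstick the report uses.

```python
# Constructed sample data for a hypothetical zone; nothing here is a real lookup.
# "status" mirrors the EPP status codes shown by RDAP/WHOIS; registry lock sets the server* ones.
SAMPLE = {
    "status": ["clientTransferProhibited"],
    "NS": ["ns1.provider-a.example", "ns2.provider-a.example"],
    "DS": [],                                   # no DNSSEC delegation signer at the parent
    "CAA": ['0 issue "letsencrypt.org"'],
    "TXT": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.TXT": ["v=DKIM1; k=rsa; p=MIIB...placeholder"],
}

# EPP statuses that a registry lock sets; the client* variants are only registrar-side.
REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}

def parse_tags(txt):
    """Split a 'k=v; k2=v2' record (DMARC style) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def audit_domain(rec):
    """Evaluate the seven controls from the article; returns {control: (passed, note)}."""
    out = {}
    out["registry_lock"] = (REGISTRY_LOCK <= set(rec.get("status", [])), "server*Prohibited statuses")
    ns = rec.get("NS", [])
    providers = {".".join(n.split(".")[-2:]) for n in ns}          # crude provider grouping
    out["dns_redundancy"] = (len(ns) >= 2 and len(providers) >= 2, f"{len(ns)} NS, {len(providers)} provider(s)")
    out["dnssec"] = (bool(rec.get("DS")), "DS record at parent")
    out["caa"] = (any(" issue " in r for r in rec.get("CAA", [])), "CAA issue record")
    spf = [t for t in rec.get("TXT", []) if t.startswith("v=spf1")]
    out["spf"] = (len(spf) == 1 and spf[0].split()[-1] == "-all", "single SPF record ending in -all")
    dkim = any(t.startswith("v=DKIM1") for k, v in rec.items() if k.endswith("_domainkey.TXT") for t in v)
    out["dkim"] = (dkim, "DKIM public key published")
    dmarc = [t for t in rec.get("_dmarc.TXT", []) if t.startswith("v=DMARC1")]
    tags = parse_tags(dmarc[0]) if dmarc else {}
    out["dmarc"] = (tags.get("p") in ("quarantine", "reject") and "rua" in tags, "enforcing policy with reporting")
    return out

def coverage(findings):
    """Percentage of controls passed."""
    return round(100 * sum(ok for ok, _ in findings.values()) / len(findings))

if __name__ == "__main__":
    f = audit_domain(SAMPLE)
    for name, (ok, note) in f.items():
        print(f"{'PASS' if ok else 'FAIL':4} {name:15} {note}")
    print(f"coverage: {coverage(f)}%")
```

The sample zone passes only CAA and DKIM; the soft-fail SPF, the `p=none` DMARC, the single-provider NS set, the missing DS record, and the absent registry lock all show up as FAIL.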

2. You are only as secure as your suppliers, and you can choose your domain registrar

When it comes to the security of a registrar and the value it places on the security of its customers’ domains, vendor selection is critical. Many large enterprises still use consumer-grade registrars that cater to individuals, start-ups, and small businesses. CSC analyzed the trend of domain security adoption against the type of domain registrar used and found:

ENTERPRISE-CLASS REGISTRARS vs. CONSUMER-GRADE REGISTRARS

Enterprise-class registrar: specializes in working with businesses and brand owners who need advanced business practices, domain management and DNS capabilities, expertise, and support staff, as well as security, brand and fraud protection, data governance, and cybersecurity.

Consumer-grade registrar: designed for domain services, websites, and email for personal use, entrepreneurs, and small businesses just getting started.

Many companies mistakenly think that all registrars are the same. There is misplaced trust in consumer registrars that may not have been designed for domain security; this trust can impact a company’s overall security posture. This is particularly evident for the adoption of registry locks, as most mainstream registrars do not support them.

In late 2021, SecurityScorecard studied the cyber ratings of companies that use enterprise-grade registrars versus consumer-grade ones. Their results show that companies whose domains are managed by enterprise-class domain registrars have an overall cybersecurity rating half a letter grade to a full letter grade higher.

Consumer-grade domain registrars offer transactional relationships with their customers and don’t go through the extensive review process of an enterprise-grade provider. They do not offer solutions to mitigate the full range of digital risks: domain spoofing, domain and DNS hijacking, subdomain takeovers, and phishing attacks. Beyond the lack of security, the hard truth is that consumer-grade domain registrars have enabled the proliferation of typosquatting, domain name auction services (often infringing on other brands’ names), and name rotation services. These registrars monetize the goodwill that trademark owners have worked hard to build, creating a revenue stream for themselves rather than protecting their customers.

For more information, visit Domain security starts with your registrar.

3. Failing to monitor and remove fraudulent domains resembling your brand will increase your risk of attacks

Maliciously registered look-alike domains are intended to leverage the trust placed in the targeted brand to launch phishing attacks, other forms of digital brand abuse, or intellectual property infringement. This often results in lost revenue, traffic diversion, and diminished brand reputation. There are endless domain spoofing tactics and permutations available to phishers and malicious third parties.

This year’s report notes that 75% of homoglyph domains belong to third parties rather than the brand owner, and 82% have their WHOIS or ownership details hidden for privacy. Concealing ownership in this way suggests the registrants may have malicious intentions. Additionally, 48% of these third-party domains have MX records and could be used to launch phishing attacks.
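The three signals in that paragraph (homoglyph match, hidden ownership, MX records) are exactly what a brand-monitoring triage step looks for. The script below is an added detection example, not CSC’s monitoring service: it normalises domain labels to an ASCII “skeleton” so visually confusable labels collide with the brand’s, then ranks hits by whether they have MX records and privacy-hidden WHOIS. The brand, the feed of candidate domains, and their MX/WHOIS flags are all constructed.

```python
import unicodedata

# Small confusables table (a subset of the Unicode TR39 idea) for the skeleton() normaliser.
# Digits and letter pairs that read like other letters, plus a few Cyrillic/Greek/Turkic look-alikes.
CONFUSABLES = {
    "0": "o", "1": "l", "vv": "w", "rn": "m",
    "\u0131": "i",   # dotless i
    "\u0430": "a",   # Cyrillic a
    "\u0435": "e",   # Cyrillic e
    "\u03bf": "o",   # Greek omicron
}

def skeleton(label):
    """Map a domain label to an ASCII skeleton so confusable labels compare equal."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))     # drop accents
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):  # longest first
        s = s.replace(src, dst)
    return s

def find_lookalikes(brand, feed):
    """Return (domain, risk) for feed entries whose label skeleton matches the brand's.

    feed entries are (domain, has_mx, whois_private); risk counts the two phishing-readiness
    signals from the report: mail can be sent (MX) and ownership is hidden (WHOIS privacy).
    """
    target = skeleton(brand.split(".")[0])
    hits = []
    for domain, has_mx, whois_private in feed:
        if domain == brand:
            continue
        if skeleton(domain.split(".")[0]) == target:
            hits.append((domain, int(has_mx) + int(whois_private)))
    return sorted(hits, key=lambda h: (-h[1], h[0]))   # highest risk first, then by name

# Constructed feed: (domain, has_mx, whois_private). Only the first three are homoglyphs.
FEED = [
    ("examp1e.com", True, True),            # digit one for l
    ("exarnple.com", True, False),          # "rn" for m
    ("\u0435xample.com", False, True),      # Cyrillic e for e
    ("example-support.com", True, True),    # combo-squat, not a homoglyph
    ("exampel.com", True, True),            # transposition, not a homoglyph
    ("example.com", True, False),           # the brand itself
]

if __name__ == "__main__":
    for domain, risk in find_lookalikes("example.com", FEED):
        print(f"risk={risk} {domain}")
```

Combo-squats and transpositions are deliberately left unmatched here; they need a separate edit-distance or keyword check and are a different class from the homoglyph figures in the report.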