Aug 21, 2019 - by Nicole DelleDonne
Domain Name Principles: Security Above All Else
In a recent survey of corporate domain name professionals, more than 90% of respondents stated that ensuring the security of their domain name portfolio was an extremely important goal. But ensuring the security of corporate domain name portfolios is so much more than just requiring two-factor authentication or registry locking mission critical domains so that they are impervious to breached accounts. Yes –authenticating users and locking domains are key components, but many other vulnerabilities exist.
Evaluating Your Registrar
When mitigating risks related to managing corporate domain name portfolios, companies should ensure that their registrars have implemented their own security controls. This includes internal security training which is critical. Most corporate registrar breaches over the last 10 years have been the result of social engineering attacks, so ensuring that all registrar employees have undergone training is necessary.
When evaluating your registrar’s security practices, also look for network and endpoint hardening, periodic penetration testing, and ongoing monitoring for potential security risks. Your registrar should also have a comprehensive business continuity plan which includes access to a warm standby should a disruption in service occur. Some registrars are SOC 2 compliant. SOC 2 assessments evaluate security, availability, processing integrity, confidentiality and privacy. If your registrar is SOC 2 compliant, then you can take some comfort in knowing that your registrar is committed to providing the highest levels of security.
Beware of Phishing Attacks
Those responsible for managing domains should also familiarize themselves with the ways in which their registrar communicates with them. Corporate registrars should never ask for login credentials and would never ask for users to download executable files or to visit a page other than their own website. Paying close attention to email requests being sent by your registrar can help to protect against spear-phishing attempts.
Review User Access and Permissions
While this seems simple enough and SSO (single sign-on) can help to alleviate some of the risks associated with managing users, reviewing user access and permissions is an important component to ensuring the security of domain names. Where possible, domain managers should consider restricting users to specific groups of domains or limiting access to update nameservers.
And if SSO is not implemented, domain managers should make two-factor authentication a requirement for all those who access domain name management accounts. Not doing so leaves portfolios vulnerable if credential information is compromised.
Protect Mission Critical Domains
Restricting access to specific groups of domains can be taken one-step further by creating self-enforcing policies for all mission critical domains. Along with having highly restricted user access, these domains should have all registrar automation turned off. This can be done by implementing registry locks to prevent any automated changes from being made to these domains.
Be sure to continually review the portfolio so that any new domains that are deemed critical have the same policies applied. We recommend collecting detailed information at the time of registration/acquisition and defining clear policies for what defines a core domain name. Applying this logic and the defined security standards upfront will ensure that portfolio standards are maintained over time.
Uncover Domain Name Risks
Automated, daily reviews of domains can also help to uncover a number of security risks. Key areas to review include:
- Site resolution to ensure that domains are pointing to approved content. Tip: ensure your monitoring tools assess both the root and www versions
- EPP status for domains to ensure that transfers, updates and deletes are prohibited
- Nameservers to ensure that they are under the company’s control, approved, and accessible
- DNS settings to ensure that only approved domains are allowed to send email and that associated records (A, CNAME, etc.) tracked and approved
- Registrar to ensure that names are managed only by approved registrars
- SSL status and expiration to alert you to potential configuration errors or upcoming renewal dates
Also, defining portfolio policies and security upfront will allow domain managers to evaluate the portfolio. For example, if DMARC reject records are required for all defensive registrations, then being able to quickly identify and add any missing records will help to ensure that the portfolio is compliant with company policy.
Consider DNSSEC
DNSSEC is a set of protocols that can authenticate the origin of data sent from a DNS server, verify the integrity of data and authenticate non-existent DNS data. DNSSEC protects against cache poisoning, which is used to redirect website traffic. Complete DNSSEC implementation requires that domains are authenticated at the root by the registry and that DNS zones and records are authenticated as well. The adoption rate of DNSSEC is currently around 13%.
Clearly, securing domain names is much more than just two-factor authentication and registry locking. And because threats to domain name security continue to evolve, both registrars and registrants need to be diligent in their pursuit to keep domain names secure.
Nicole DelleDonne is Senior Director, Sales. With ten years of direct industry experience, she has worked with some of the world's most valuable brands to implement domain management solutions designed to protect and promote their businesses online.
Recent posts from Nicole DelleDonne
