Recently, at a well-known cybersecurity conference, I met with several security vendors and noticed a surprising trend in my conversations – many were unaware of who their domain registrars were. This observation was unexpected, especially at a time when companies suffer cyber attacks and phishing threats at alarming rates and businesses are called to prioritize their cybersecurity efforts across a wide variety of company initiatives and operations. In fact, according to a new Gartner report, 67% of CIOs surveyed plan to grow their IT headcount this year by at least 10% to support their enterprise’s digital initiatives. As companies’ online presence becomes a more important business asset, so too should their security.
For an industry with such a strong focus on complete visibility and awareness, and with threat vectors such as registrar account takeover, DNS redirection and/or poisoning, social engineering, malware, and phishing attacks (the top threat vector), I was surprised to hear so many security professionals did not know who their domain registrars were. This raises the question – are they effectively prioritizing domain security as part of their overall security program?
We recently analyzed the companies that make up the Global 2000, and of those organizations, nearly three quarters implemented less than half of all domain security measures. This insight, coupled with many organizations’ general lack of knowledge of their domain registrars, suggests that domain security tends to be placed on the back burner – possibly in part due to a lack of ownership. As attacks targeting domains continue to rise, it is critical for organizations to determine who is responsible for overseeing their security and the processes they implement to achieve that security.
Embrace domain security as part of your external attack surface
Most cybersecurity risks are common knowledge to business leaders – such as how crucial it is to protect against data breaches, identity & vulnerability management, access controls, data protection, stolen credentials, and to stay vigilant when it comes to social engineering tactics. These more obvious cyber risks are rightfully given to cybersecurity teams to handle. However, when it comes to day-to-day cybersecurity protection, it’s evident that many teams are unaware of who takes responsibility for their organization’s domain security.
Because domain names are used for marketing and brand initiatives, security teams may feel that protecting online domain names falls under the marketing or legal side of the business. Or, they may have left domain protection in the hands of their IT department. But, if organizations are unfamiliar with who their domain registrars even are, chances are they are unaware of the policies the registrars use and the security measures they have in place for branded, trademarked domains. Domain security should be an essential branch of cybersecurity, protecting brands online, but it is not always the highest priority for consumer-grade domain registrars.
Unfortunately, adversaries are privy to the growth in businesses’ online presence and the often minimal attention given to domain security, leading them to take a special interest in targeting corporate and/or government domain names that are left exposed. Organizations will continue to find themselves in the path of a perfect storm for domain and DNS attacks and potential financial or reputational devastation if they continue to allow the build-up of blind spots in their security posture.
Online brand protection is a cybersecurity strategy
Domain names are often the preliminary step, enabling attacks ahead of a full-blown targeted phishing campaign and/or business email compromise (BEC) equipped with lethal downloadable malware. To prevent these initial exploitations, organizations need to address the state of their domain landscape and remove the disconnect among the teams responsible for handling this aspect of digital brand initiatives. Securing your domains is the starting point to stop phishing in its tracks.
Here are three key areas that organizations and their security teams should prioritize to secure the foundation of their online presence and provide a comprehensive corporate security posture:
Visibility and Awareness: It’s difficult to secure something if you don’t know it exists. Getting complete visibility of a company’s domain registrar and the vendors they use is the first step to improving domain security. Being aware of and having visibility into an organization’s entire attack surface is critical to overall domain protection. For example, when appropriate domain security is in place, companies can be aware of existing risks in their supply chain, and, as such, can catch threats ahead of time before they progress and lead to major supply chain shutdowns or something more damaging – and preventable.
Monitoring and Intelligence: Security teams must actively and effectively monitor their domains and brands online to reduce the number of domain names that could be used to launch fraudulent activity. Companies need better insight into bad actors who may be registering or re-registering look-alike domains, any search engine typo squatters, social-media tactics to lure victims and other adversaries attempting to pose as their online brand. This insight can help companies catch security instances as they occur and enforce against them.
Layered Defense-in-Depth Strategy: Consider applying a cloud-like strategy to your domain. Similar to how shadow IT emerged as a challenge to organizations who did not have complete visibility into cloud deployments, implementing effective domain security ensures you have visibility into all the assets in your domain ecosystem. Before allowing vendors into your cloud infrastructure, they must be properly vetted to prevent security and compliance issues. This ensures that you are only allowing trusted, enterprise grade partners to have access to your domain.
Ensure the domain registrar is vetted and your full team understands the role the domain registrar plays in the company’s overall security posture. Security-focused domain registrars can ultimately alleviate the burden on security teams and allow companies to catch threats in their domains before substantial damage to their brand is done.
Connection really is key with domain security and, like most things in cybersecurity, it starts with a thorough assessment and clear understanding of your current level of security and risk exposure across all of the company’s assets and teams overseeing brand initiatives. When security teams, as well as those working with domain registrars, come together to determine the domain security responsibilities of all parties involved, organizations can have a better defensive posture for their web domains.
Blind spots are preventable and domain security does not have to be overlooked. Domain protection should be seen as a branch of cybersecurity that organizations bring to the forefront of their business strategy – and another business asset to successfully secure.