
Are Your Domains Safe? Five Ways to Safeguard Your Domain Name and Website

Securing Domains – Five Ways to Protect Your Domain and Site


Approximately one year ago, Baidu — the major Chinese search engine and one of the world’s most-visited websites — went offline. For four hours, visitors to the site were greeted by a message from a group calling itself the “Iranian Cyber Army,” the same group which had earlier hacked the Twitter.com website. It looked bad for Baidu’s security team, but the company was not entirely responsible for the compromise. After the event, Baidu stated that the hackers executed a social engineering attack on a support team member of its domain name registrar (Register.com), allowing them to hijack the “baidu.com” address.




This was not an isolated incident. Baidu is not the only high-profile company to have its Internet presence compromised, and its domain registrar is not the only one to have been used as an attack vector. Comcast, CheckFree, Twitter and even ICANN, the domain name system’s technical coordination body, have fallen victim to domain name hijacking.

Domain names are one of the critical components of any Internet presence. They are the gateway to websites, the enabler of email, and the key to e-commerce. They can cost as little as $10 per year to register, but can have hundreds of millions of dollars riding upon their availability. It’s often only when domain names stop working that many enterprises come to appreciate their true value and put measures in place to mitigate the risk of hijacking.

1.) Audit Your Domain Name Portfolio: Recognizing that your domain names have value is only half the battle. It’s important to audit your domain name portfolio at least once a year to establish which domains are associated with which assets and who is responsible for their management. And be sure to update the contact information.

2.) Monitor Your Domain Renewals: It’s crucial to document your domain renewals procedure, especially if you have a large number of domains. While hijacking is a possibility, you’re much more likely to lose a domain name by simply forgetting to renew the registration. Remember: you don’t own a domain name, you lease it in annual increments. If a domain name responsible for a business-critical asset fails to work because you forgot to pay your $10 renewal fee, it’s embarrassing but, more importantly, it will lead directly to losing the revenue that flows through your website. It might be a good idea to pay up-front for a 10-year registration — the maximum period most registrars offer — as long as you bear in mind that it’s easier to forget about something that happens once a decade than something that happens once a year. And remember to include such names in your portfolio audit.


3.) Manage Your Domain Name Contacts: Staff turnover is also an important consideration. Domain registrars will attempt to remind the registrant of record via email if they have domains coming up for renewal. But if the domain is registered to an individual who is no longer with your company, those reminders can disappear into the ether. While it sounds obvious, it’s amazing the number of times companies don’t remember to update contact information, resulting in domains either not being renewed, or worse, deleted. It’s important to ensure that the listed administrative contact is your organization, not an employee’s personal email address — disgruntled former employees are potential attackers — and that it maps to a current employee’s inbox at all times. It should go without saying that a third-party consumer email service that your company does not have access to should never be used for these accounts.

4.) Pick a Good Registrar: There are also technical measures enterprises can take to reduce the risk of domains being hijacked via their registrar. Many of these precautions rely in part on your choice of registrar. While registrars all offer the same basic domain registration service, many also offer improved account security that can help prevent domain names falling into the wrong hands. A few extra dollars spent on such services can go a long way in safety and protection.

Authentication and access control are important factors. Ensuring your own employees use strong passwords is one way to make an impact here, but there are also many questions that should be asked of the registrar. Will your entire domain name portfolio be protected by a simple user name and password combination, or has the registrar enabled multi-factor authentication? Does the registrar have an automated “password reminder” feature that could be exploited by an attacker? What defense mechanisms does the registrar’s website have against brute-force scripting attacks? And, planning for a worst-case scenario, possibly the most important question of all is: what changes could attackers make if they successfully accessed your account?

Most registrars offer standard “locking” features that are designed to prevent domains from being transferred to another registrar without proper authorization, but these can offer a false sense of security. Generally, anyone with full access to your registrar account will be able to “unlock” the domains with a single click of the mouse. In addition, these basic locking features will not usually protect against the kind of name server changes that were used to perpetrate the Baidu hijacking.

Fortunately, many registrars also offer deeper levels of locking protection, which require one or more levels of stronger authentication before potentially damaging changes are made, such as adding or removing name servers. Emailed confirmation codes are one method to confound attackers, but phone calls to relevant authorized personnel are better. These upgrades come at a price, but the premium is modest compared to the value of an enterprise’s business-critical domain names. Establish what malicious activity you need to prevent, and ask your registrar how it can help you prevent it.

5.) Consider the Human Factor: When considering how changes to your domain names are authorized and authenticated, the human factor should not be ignored. Just as many of the most effective attacks against domain names exploit human frailty, some of the most effective defenses rely upon human trust. While technological safeguards are invaluable, there can be no substitute for developing a close relationship with your registrar. Social attacks sometimes require social defenses. Many leading registrars offer personal account executives for high-value clients. These services should be investigated by any enterprise that places a high value on its domain name portfolio.
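The portfolio audit, renewal monitoring and contact checks in items 1 to 3, and the lock review in item 4, can be partly automated. The Python below is an added example, not part of the original article: it audits an inventory whose `ldhName`, `status` and `events` fields follow the RDAP domain response format (RFC 9083). The `admin_email` and `owner` fields, the 90-day threshold, the company mail domain and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample inventory: RDAP-style fields (ldhName, status, events)
# plus two in-house fields (admin_email, owner). All values are made up.
PORTFOLIO = [
    {"ldhName": "shop.example", "status": ["client transfer prohibited"],
     "events": [{"eventAction": "expiration", "eventDate": "2025-02-10T00:00:00Z"}],
     "admin_email": "jsmith@freemail.example", "owner": "e-commerce team"},
    {"ldhName": "corp.example",
     "status": ["client transfer prohibited", "server update prohibited"],
     "events": [{"eventAction": "expiration", "eventDate": "2031-06-01T00:00:00Z"}],
     "admin_email": "domains@corp.example", "owner": "IT operations"},
    {"ldhName": "promo.example", "status": ["active"],
     "events": [{"eventAction": "expiration", "eventDate": "2025-09-30T00:00:00Z"}],
     "admin_email": "domains@corp.example", "owner": None},
]

CORPORATE_MAIL_DOMAINS = {"corp.example"}  # assumption: mail domains the company controls
RENEWAL_WARNING_DAYS = 90                  # assumption: lead time for renewal alerts

def expiration(record):
    """Return the registration expiry as an aware datetime, or None if absent."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def audit(record, now):
    findings = []
    exp = expiration(record)
    if exp is None:
        findings.append("no expiration date on record")
    elif (exp - now).days < RENEWAL_WARNING_DAYS:
        findings.append(f"expires in {(exp - now).days} days")
    status = set(record.get("status", []))
    # A transfer lock alone does not stop name server changes.
    if not status & {"client transfer prohibited", "server transfer prohibited"}:
        findings.append("no transfer lock")
    # An update lock is what blocks changes to the delegation.
    if not status & {"client update prohibited", "server update prohibited"}:
        findings.append("no update lock: name servers can be changed")
    mail_domain = (record.get("admin_email") or "").rpartition("@")[2].lower()
    if mail_domain not in CORPORATE_MAIL_DOMAINS:
        findings.append("admin contact is not a company-controlled mailbox")
    if not record.get("owner"):
        findings.append("no responsible owner recorded")
    return findings

def audit_portfolio(records, now):
    return {r["ldhName"]: audit(r, now) for r in records}
```

Calling `audit_portfolio(PORTFOLIO, datetime.now(timezone.utc))` returns a list of findings per domain; an empty list means the record passed every check.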

Domain registrars can serve their customers well when it comes to security. The major challenge for many organizations is getting beyond the mindset of regarding domain names as cheap commodity assets. Online, your domain name is your brand, your revenue, the $10 gateway to your million-dollar Internet empire. Once you recognize the security of your domain as paramount, implementing the correct defenses is a straightforward proposition.
