The domain industry is a fast-paced, fluid environment that is constantly evolving. Security breaches, social engineering attacks and phishing schemes continue to rise and are becoming more sophisticated. Brand holders need to ensure they are taking all necessary precautions to protect one of their most valuable assets—their domains.
One of the first steps brand holders should take is to make sure their registrar of choice employs a hardened portal that constantly checks for security and code vulnerabilities. The registrar must have a proven track record of being able to stay on top of new exploits, researching and understanding new vulnerabilities. In addition, the registrar must be able to demonstrate use of strong internal security controls and best practices.
At a minimum, all users need to be set up with two-factor authentication, with the option to set IP Access Restrictions as well. Login credentials to domain management and DNS management accounts should never be shared and should be reviewed on a regular basis. Single Sign-On (SSO) can be used to help corporations easily control user access through their own identity provider. In addition, brand holders should limit the number of authorized users who have access to these portals, and go one step further by limiting the number of individuals who have access to a brand's core domains.
Registry Lock needs to become a standard offering that all registries, and in turn all registrars, offer for all TLDs. This additional lock should be applied to all core domains. Registry Lock freezes all domain configurations at the registry level until the correct high-security protocol is followed as specified by both the client and registrar. This additional lock prevents erroneous nameserver updates, hijackings and social engineering attacks.
Registrars should employ secure account management services that send notifications to a specified, secure e-mail address when any change to a domain occurs. Once enabled, this service will automatically send a system-generated e-mail to the secure e-mail address, notifying the recipient of any change that was made. These e-mails need to be reviewed on a 24/7 basis to ensure all domain updates were authorized by the appropriate individual. While domain updates, such as nameserver changes, can be made within a matter of seconds, it can take up to 24 to 48 hours to fix an erroneous or malicious update. In relative terms, 24 to 48 hours may not seem like a long period of time, but it can be a lifetime when a brand loses millions of dollars each day a domain is pointing to the wrong web host. Irreversible damage to your brand can happen in the time it takes for nameserver and/or DNS updates to propagate throughout the global Internet.
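One way to verify the two controls described above, Registry Lock and change monitoring, independently of the registrar portal (an added example, not part of the original article): it audits RDAP domain records for registry-level lock statuses and compares the published nameservers against an approved baseline. The RDAP status names treated as a registry lock, the baseline and the sample records are assumptions constructed for illustration.

```python
import json

# Assumption: a registry-level lock appears in RDAP as these server-side
# statuses (RFC 8056 names); confirm the exact set with your registry.
REGISTRY_LOCK = {"server update prohibited", "server transfer prohibited",
                 "server delete prohibited"}

# Constructed baseline: core domains and their approved nameservers.
BASELINE = {
    "example.com": {"ns1.example.net", "ns2.example.net"},
    "example.org": {"ns1.example.net", "ns2.example.net"},
}

# Constructed RDAP domain objects, trimmed to the fields used here.
SAMPLE_RDAP = [
    json.dumps({"ldhName": "EXAMPLE.COM",
                "status": ["client transfer prohibited", "server update prohibited",
                           "server transfer prohibited", "server delete prohibited"],
                "nameservers": [{"ldhName": "NS1.EXAMPLE.NET."},
                                {"ldhName": "ns2.example.net"}]}),
    json.dumps({"ldhName": "example.org",
                "status": ["client transfer prohibited"],
                "nameservers": [{"ldhName": "ns1.example.net"},
                                {"ldhName": "ns1.parked.example"}]}),
]

def norm(name):
    """Normalize a host name: drop the trailing dot, lowercase."""
    return name.rstrip(".").lower()

def audit(rdap_text, baseline=BASELINE):
    """Return a list of findings for one RDAP domain object (empty if clean)."""
    rec = json.loads(rdap_text)
    domain = norm(rec["ldhName"])
    if domain not in baseline:
        return [f"{domain}: not in core-domain baseline"]
    findings = []
    status = {s.lower() for s in rec.get("status", [])}
    missing = sorted(REGISTRY_LOCK - status)
    if missing:
        findings.append(f"{domain}: registry lock statuses missing: {', '.join(missing)}")
    seen = {norm(ns["ldhName"]) for ns in rec.get("nameservers", [])}
    added, removed = sorted(seen - baseline[domain]), sorted(baseline[domain] - seen)
    if added or removed:
        findings.append(f"{domain}: nameserver drift, added={added} removed={removed}")
    return findings

if __name__ == "__main__":
    for text in SAMPLE_RDAP:
        for line in audit(text) or ["ok"]:
            print(line)
```

Run on a schedule against live RDAP responses for each core domain, this gives a second signal alongside the registrar's change e-mails, so an unauthorized nameserver update is noticed even if a notification is missed.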
As bad actors become more and more sophisticated, security breaches, social engineering attacks and phishing schemes will continue to grow as threats. Brands, registrars, and registries have to be diligent and work together to thwart any and all attacks. It is our responsibility to make the Internet safe for all users.