A recent report “Domain Security: A Critical Component of Enterprise Risk Management” published by the Interisle Consulting Group highlights why domain security should be a critical component of enterprise risk management, a proposal that resonates closely with what we at CSC advocate.
The report describes the current threat landscape characterized by cyber attacks that use domain names as a resource for spammers or cyber criminals to conduct phishing, fraud, malware, ransomware, distributed denial of service (DDoS) attacks, and data breaches. They either register confusingly similar domains to existing brands or exploit legitimate domains by compromising web servers or domain registration accounts to seize control of the domains and domain name system (DNS), then manipulate them for malicious purposes.
Every minute a website is unable to process transactions—or the days an organization is unable to operate while their systems are held at ransom—equates to costly revenue loss and reputation damage that organizations cannot afford. As a result, there have been increasing cyber insurance claims and the need for companies to have higher levels of risk assessment and compliance. Yet cyber threats continue to occur at increasing frequency, even among large enterprises and governments.
“Because incidents and responses attract public attention, there is an overemphasis on attack response and underemphasis on pro-active, preventative measures to detect, identify, and mitigate threats before an attack can occur.”
At CSC, we have isolated the common phishing tactics that we see cybercriminals and fraudsters using by taking advantage of already established brand trust:
The report from Interisle Consulting Group further quotes from CSC’s 2020 Domain Security Report that only 47% of the Forbes Global 2000 use enterprise-class registrars, and more dismally, their own research reveals that only 10% of FDIC-insured U.S. banks use enterprise-class registrars. This means the overwhelming majority are taking a huge risk by using consumer-grade registrars that are characterized by volume sales and commodity pricing with “little margin for them to implement costly security measures. Multi-factor authentication is not widely deployed, and registrar assistance with email authentication and integrity or [DNS security extensions] DNSSEC is rare.” Some of these consumer-grade registrars even display indicators of criminality, offering bulk registration services, name generation tools, and have persistently high concentrations of spam domains under management.
“The threat landscape for domain names and their owners is no different from the landscapes for other assets that enterprises fold into enterprise risk management.”
Interisle recommends incorporating domain security into enterprise risk management, and for organizations to use enterprise-class registrars that understand “the needs of customers who place a high value on their domain names, consider their domain names and online presence to be business-critical, or recognize that their business or brands may be highly-targeted for abuse or criminal activities.