The domain registrar ecosystem is complex, and an organization can be attacked both through its own legitimate domains (a hijacked registrar account or DNS zone) and through malicious registrations that imitate its brand. When your cybersecurity is only as strong as your weakest vendor, vendor selection matters.
Our research with SecurityScorecard has shown a positive correlation between an organization's use of an enterprise-class domain registrar and its cybersecurity rating: organizations using one had a total score that was, on average, one-half to one letter grade higher than those that did not.
There are two general categories of domain registrars: consumer-grade and enterprise-class. Consumer-grade registrars make up over 99% of all registrars in the world and are geared toward domain services, websites, and email for personal use, entrepreneurs, and small businesses that are just getting started. Enterprise-class registrars specialize in working with corporations and brand owners that require advanced business capabilities, expertise, and support staff for domain and domain name system (DNS) management as well as security, brand and fraud protection, data governance, and cybersecurity.
To tell whether you are working with an enterprise-class registrar, check that it has these security controls in place:
- Proactive security measures to prevent domain and DNS hijacking
- Defense-in-depth domain security measures including two-factor authentication (2FA), Domain-based Message Authentication, Reporting, and Conformance (DMARC), DNS Security Extensions (DNSSEC), and domain registry locks
- Know Your Customer (KYC) identity verification and Office of Foreign Assets Control (OFAC) screening
- ISO 27001-certified data centers
- SOC 2® compliance
- Third-party penetration and vulnerability testing
- Regular security tests, including SQL injection and XSS
- Internet Corporation for Assigned Names and Numbers (ICANN) and registry accreditation
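Three of the controls above (registry lock, DNSSEC, DMARC) are visible from the outside, so you can verify them for your own domains rather than take a registrar's word for it. The Python script below is an added example, not code from the original article, and every name in it (assess, parse_dmarc, the sample domains and records) is an assumption made for illustration. It reads the EPP status codes out of an RDAP domain object: the server* codes can only be set and cleared by the registry, so all three together are what a registry lock looks like, whereas client* codes are set by the registrar and can be cleared from the registrar portal by whoever holds the account. It treats a DS record at the parent as the DNSSEC signal and parses the _dmarc TXT record to report the policy. The RDAP object, DS records and TXT records are constructed sample data so the script runs offline; a live version would feed assess() the output of an RDAP query and DNS lookups.

```python
"""Check a domain's registry-lock, DNSSEC and DMARC posture from RDAP and DNS data.

Added example, not from the original article. All inputs below are
constructed sample data; a live version would feed assess() an RDAP
domain object and the DS and _dmarc TXT answers from DNS.
"""
from dataclasses import dataclass, field

# RDAP status values (RFC 8056 mapping of EPP status codes).
# server* codes can only be set and removed by the registry, so all three
# together are the externally visible signature of a registry lock.
# client* codes are set by the registrar and cleared from its portal, so
# they do not survive a compromised registrar account.
REGISTRY_LOCK = {
    "server delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}
REGISTRAR_LOCK = {
    "client delete prohibited",
    "client transfer prohibited",
    "client update prohibited",
}


@dataclass
class Posture:
    domain: str
    registry_lock: bool
    registrar_lock: bool
    dnssec: bool
    dmarc_policy: str = "missing"  # none / quarantine / reject / missing
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Return the tag=value pairs of a DMARC TXT record, or {} if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()  # tag names lowercased for lookup
    # RFC 7489: a DMARC record starts with the literal v=DMARC1 tag.
    if record.strip().startswith("v=DMARC1") and tags.get("v") == "DMARC1":
        return tags
    return {}


def assess(domain: str, rdap: dict, ds: list, dmarc: list) -> Posture:
    """Evaluate one domain from its RDAP object, DS records and _dmarc TXT records."""
    statuses = {s.lower() for s in rdap.get("status", [])}
    p = Posture(
        domain=domain,
        registry_lock=REGISTRY_LOCK <= statuses,
        registrar_lock=bool(statuses & REGISTRAR_LOCK),
        dnssec=bool(ds),
    )
    if not p.registry_lock:
        p.findings.append(
            "no registry lock; only registrar-side status codes are set"
            if p.registrar_lock
            else "no registry or registrar lock; transfer, update and delete are not prohibited"
        )
    # A DNSKEY in the zone is not enough: validators need the DS at the parent.
    if not p.dnssec:
        p.findings.append("no DS record at the parent; the delegation is not DNSSEC-signed")
    elif rdap.get("secureDNS", {}).get("delegationSigned") is False:
        p.findings.append("DS published but registry reports the delegation unsigned; check for a stale DS")
    records = [t for t in (parse_dmarc(r) for r in dmarc) if t]
    if len(records) != 1:
        # RFC 7489 section 6.6.3: zero or several DMARC records means no policy is applied.
        p.findings.append("no DMARC record" if not records else "multiple DMARC records; receivers apply no policy")
    else:
        p.dmarc_policy = records[0].get("p", "missing")
        if p.dmarc_policy == "none":
            p.findings.append("DMARC p=none is monitor-only; spoofed mail is still delivered")
        if "rua" not in records[0]:
            p.findings.append("no rua= address; aggregate reports go nowhere")
    return p


# Constructed sample data (not real domains, records or digests).
SAMPLES = {
    "brand-example.test": dict(
        rdap={"status": ["client transfer prohibited", "server delete prohibited",
                         "server transfer prohibited", "server update prohibited"],
              "secureDNS": {"delegationSigned": True}},
        ds=["2371 13 2 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9"],
        dmarc=["v=DMARC1; p=reject; rua=mailto:dmarc@brand-example.test"],
    ),
    "startup-example.test": dict(
        rdap={"status": ["client transfer prohibited"],
              "secureDNS": {"delegationSigned": False}},
        ds=[],
        dmarc=["v=DMARC1; p=none"],
    ),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = assess(name, **data)
        print(f"{name}: registry lock={result.registry_lock} registrar lock={result.registrar_lock} "
              f"DNSSEC={result.dnssec} DMARC p={result.dmarc_policy}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The first sample passes with no findings; the second is flagged on all three fronts: a client-only transfer prohibition that the registrar (or anyone holding the registrar login) can lift, no DS record at the parent, and a DMARC record whose p=none only asks receivers for reports. Two DMARC records are also flagged, because receivers then apply no policy at all.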
Some consumer-grade registrars have business practices that may inadvertently harm brands. Some operate domain marketplaces that drop-catch, auction, and sell branded or trademarked domain names to the highest bidder, or undertake domain name spinning and encourage the registration of trademarked domains, which proliferates typo-squatting. Many monetize trademarked domains with pay-per-click sites or domain parking, and offer low-cost domains and bulk registration with little or no validation of registrants. While these practices do not directly compromise businesses, they encourage brand infringement and the registration of confusingly similar domains that could be used for malicious purposes.
We recommend using an enterprise-class provider that has people, process, and technology structured with security in mind.
While anyone can say they offer services that meet the needs of today’s global corporations, the onus is on companies to do the homework to understand the differences between third-party providers. Companies need to understand how their choice of provider fits into decisions made about their organization’s overall security posture, along with concerns about compliance and risk.
Contact us to find out how we can help you with domain management and cybersecurity.