The Realities of Domain Security

The Realities of Domain Security

In a recent article for, CSC’s Vincent D’Angelo discussed how domain security is being adopted by the world’s biggest brands—but unfortunately, adoption is lower than one might think.

The root of this issue, says D’Angelo, is because 57% of Forbes Global 2000 companies use consumer-grade registrars (CGRs) instead of enterprise-class registrars (ECRs). ECRs emphasize domain security through advanced services including the four listed below, as well as DNS hosting redundancy to provide a backup DNS to boost resiliency. A recent whitepaper by SecurityScorecard has shown that organizations that use ECRs are more secure and have a total security score that is on average at least one-half to one letter grade higher.

“The protection of domains remains the missing front line of defense against cyber attacks including phishing,” says D’Angelo, and advanced domain protection is something that CGRs simply do not offer.

The Cybersecurity and Infrastructure Security Agency (CISA) reports that most cyber attacks, including ransomware and business email compromise (BEC), start with phishing. By way of response, organizations are implementing more sophisticated threat monitoring, detection, and mitigation solutions, but these solutions are somewhat reactive. Proactive solutions like domain security measures are not routinely implemented by companies, leading to crippling vulnerabilities for the largest corporate brands in the world.

CSC’s recent Domain Security Report shows that Forbes Global 2000 companies invite substantial risks due to the following gaps in their phishing prevention strategies:

  • Only 19% use domain registry locks, which enable end-to-end domain name transaction security to avoid unauthorized domain name system (DNS) modifications or domain hijacking

  • A mere 5% deploy domain name system security extensions (DNSSEC), which authenticate communications between DNS servers, defending organizations from DNS cache poisoning

  • Just 5% of companies take advantage of certificate authority authorization (CAA) records, which allow security teams to designate a specific certificate authority to be the sole issuer of certificates for their organization’s domains

  • Only one-half use domain-based message authentication, reporting, and conformance (DMARC) records, which protect an email domain from spoofing and phishing

Read Vincent’s full article for recommendations on how to best deal with these issues.