Managing third-party risk has become a compliance focus for many large organizations; companies even engage outside service providers and vendors just to manage it. The recent SolarWinds attack sharpens the need for chief compliance officers to collaborate with their business counterparts to identify and mitigate unknown threats within third-party supply chains. Yet how can companies manage this risk when the question is not whether they will be attacked, but when?
One place to start is the domain and domain name system (DNS) exposure within a company’s cyber security posture, which is often a blind spot for businesses. Companies manage their domain portfolios through two general categories of domain registrar: consumer-grade and enterprise-class. A consumer-grade registrar specializes in domain services, websites, and email for personal use, entrepreneurs, and small businesses that are just getting started. In contrast, enterprise-class registrars focus on corporations and brand owners that require stronger security, advanced capabilities, and dedicated support staff.
The registrar that your organization uses matters. As my colleague, Vin D’Angelo, notes in Infosecurity Magazine, consumer-grade domain registrars are not inherently malicious, but certain of their standard business practices attract bad actors who carry out brand abuse, phishing attacks, and fraud. For example, on February 1, the PERL.COM domain, managed by the Perl Foundation, was hijacked by criminals who redirected it to a domain parking site that may have been associated with malware distribution in the past. The weak point was the registrar account itself: bad actors had broken into the PERL.COM account at its registrar (consumer-grade Network Solutions), and the Perl Foundation later found the domain listed for sale for $190K on afternic.com, a domain marketplace.
As I mentioned in my blog “Four-Pronged Approach to Keep Your Domain Names and DNS Secure from Cyber Attacks,” working with an enterprise-class provider can help you develop the right compliance checklist for selecting a registrar. The provider you choose must have invested in protecting its own systems, because a compromise of the registrar is a compromise of every domain it holds for you. In essence, it takes the right people, processes, and technology.
A good enterprise-class registrar should provide corporate clients with a dedicated account team that manages the relationship securely. You also want a vendor that knows who it is doing business with on the back end, so it should complete OFAC (Office of Foreign Assets Control) screening before account set-up. A good registrar also needs 24x7x365 in-house support, and it should provide global support in local languages through certified and fully trained managers.
Registrars should be accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) and by the registries they serve. A registrar qualified to serve an enterprise will offer a full accounting of all your domains, DNS, and digital certificate providers. It should provide cyber security training for its staff, including phishing and social engineering awareness. It should accept change requests only in writing (never by phone), comply with data protection law and policy such as the EU’s General Data Protection Regulation (GDPR) and the WHOIS rules that flow from it, and have a registry transfer-lock policy.
With today’s cyber security threats, your domain name registrar needs not only the right technology to protect itself and your company from a data breach, but also best-in-class operational practices that put security at the forefront of its mission and of how it engages with you. An enterprise-class registrar should operate ISO 27001 certified data centers, hold a SOC 2 attestation, and undergo third-party penetration and vulnerability testing. It should also run regular application security testing that covers common web flaws such as SQL injection and cross-site scripting (XSS).
While anyone can say they offer services that meet the needs of today’s global corporations, the onus is on you to do the homework to understand the differences between third-party providers. Companies need to understand how their choice of provider fits into decisions made about their organization’s overall security posture, along with concerns about compliance and risk.
CSC encourages its clients and corporations across the globe to adopt a defense-in-depth approach to securing vital domain names, DNS, and digital certificates. They should assess the security, controls, and processes of their domain name registrar and DNS management provider. Additionally, we recommend enforcing two-factor authentication on registrar accounts, monitoring DNS activity for unexpected changes, and using controls such as domain name registry locks, DNS Security Extensions (DNSSEC), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and redundant DNS hosting across more than one provider.
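The checks above can be scripted so they run against a whole portfolio rather than being reviewed by hand. The following is an added example, not CSC’s tooling or code from the original article: it evaluates a domain’s registry lock from its EPP status codes (the standard `server*`/`client*` prohibited statuses), DNSSEC from whether a DS record exists in the parent zone, DMARC from the `_dmarc` TXT record, and name-server redundancy from how many distinct provider domains host the zone, and it diffs two DNS snapshots for change monitoring. All input data is constructed inline so it runs offline; the domain names, name servers, and addresses are placeholders, and `ns_providers` uses a deliberately simple “last two labels” heuristic that does not handle public suffixes such as `co.uk`.

```python
"""Offline domain-security posture check (example code, not a vendor tool).

Inputs are plain data so the script runs without network access; in practice
you would fill them from your registrar's RDAP/WHOIS output and DNS queries.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# EPP status codes (RFC 5731).  "server*" codes are set by the registry and
# cannot be cleared through the registrar's control panel; "client*" codes are
# set by the registrar and fall with a compromised registrar account.
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}
REGISTRAR_LOCK = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a _dmarc TXT record into tag/value pairs; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def ns_providers(nameservers: list[str]) -> set[str]:
    """Group name servers by the last two labels of their hostname.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    return {".".join(ns.lower().rstrip(".").split(".")[-2:]) for ns in nameservers}


@dataclass
class DomainPosture:
    name: str
    epp_status: set[str]         # status codes as reported by RDAP/WHOIS
    nameservers: list[str]       # NS records delegated at the parent
    has_ds: bool                 # DS record published in the parent zone
    dmarc_txt: Optional[str]     # TXT at _dmarc.<name>, or None if absent


def assess(p: DomainPosture) -> list[str]:
    """Return findings for one domain; an empty list means every check passed."""
    findings = []
    if REGISTRY_LOCK.issubset(p.epp_status):
        pass  # registry lock in place: transfers/updates need out-of-band approval
    elif p.epp_status & REGISTRAR_LOCK:
        findings.append("LOCK: registrar (client*) lock only; request a registry lock")
    else:
        findings.append("LOCK: no transfer/update lock at all")
    if not p.has_ds:
        findings.append("DNSSEC: no DS record in the parent zone")
    dmarc = parse_dmarc(p.dmarc_txt) if p.dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no valid record")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none is monitor-only; move to quarantine or reject")
    if len(p.nameservers) < 2 or len(ns_providers(p.nameservers)) < 2:
        findings.append("DNS: name servers depend on a single provider")
    return findings


def dns_changes(baseline: dict[str, set[str]], current: dict[str, set[str]]) -> list[str]:
    """Diff two record snapshots ({'NS': {...}, 'A': {...}}) for change monitoring.
    A hijack that repoints NS or A records to an attacker's host shows up here."""
    out = []
    for rtype in sorted(set(baseline) | set(current)):
        added = current.get(rtype, set()) - baseline.get(rtype, set())
        removed = baseline.get(rtype, set()) - current.get(rtype, set())
        out.extend(f"{rtype} added: {r}" for r in sorted(added))
        out.extend(f"{rtype} removed: {r}" for r in sorted(removed))
    return out


# Constructed sample data (placeholder names, not real registrations).
WEAK = DomainPosture(
    "weak.example", {"clientTransferProhibited", "ok"},
    ["ns1.solo-dns.example", "ns2.solo-dns.example"],
    has_ds=False, dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@weak.example")
STRONG = DomainPosture(
    "strong.example", REGISTRY_LOCK | REGISTRAR_LOCK,
    ["ns1.primary-dns.example", "ns1.secondary-dns.example"],
    has_ds=True, dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@strong.example")

if __name__ == "__main__":
    for domain in (WEAK, STRONG):
        print(domain.name, assess(domain) or ["OK"])
    print(dns_changes({"NS": {"ns1.a.example"}, "A": {"192.0.2.10"}},
                      {"NS": {"ns1.a.example"}, "A": {"203.0.113.5"}}))
```

Run the script as-is to see the weak and strong profiles side by side; to use it for real, replace the constructed `DomainPosture` values with data pulled from RDAP and DNS, and schedule `dns_changes` against a stored baseline so an unexpected NS or A change raises an alert rather than being discovered when customers report a redirect.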