Companies have invested in security solutions at an exponential rate to protect themselves from continually evolving cyber security threats. And while these investments are important, many companies remain vulnerable to what security experts are now referring to as critically-important security blind spots.
Company domain names, domain name systems (DNS), and digital certificates are being attacked or compromised with increasing frequency, sophistication, and severity. These are all of the fundamental components of the most important applications that enable your company to conduct business—including your website, email, and more. And when they're compromised, criminals can redirect websites for financial gain, intercept email to conduct espionage, and even harvest credentials to breach your network. This can have a serious impact on your company's revenue and reputation and expose your company to significant financial penalties as a result of the EU's General Data Protection Regulation and other policies like it.
Because of the recent surge in DNS hijacking and related attacks, government agencies including the U.S. Department of Homeland Security, the U.K. National Cybersecurity Centre, and many of the most respected security companies and experts in the world are urging companies to take action to protect their domain names, DNS, and digital certificates.
OUR JOB IS TO KEEP CLIENTS SECURE
As the leading enterprise-class domain name registrar, we help the world's largest corporations protect against security blind spots by mitigating the risks of DNS hijacking, domain spoofing, domain shadowing, DNS cache poisoning, and other attacks that compromise your business-critical applications. We do this by using a multi-layered defense in depth approach to managing domain names, DNS, and digital certificates.
First, we consolidate all these business-critical assets into a single secure portal and an operational model that's designed to deliver industry-leading security and service.
Second, our proprietary technology helps proactively mitigate risks by ensuring that vital domain names powering your business are continually monitored, and are using security controls like registry locks, domain name system security extensions (DNSSEC), and domain-based message authentication, reporting, and conformance (DMARC).
DEFENSE IN DEPTH STRATEGY FOR DOMAIN SECURITY
CSC recommends using the principles of defense in depth for domain security. Defense in depth is an approach that started as a military strategy to protect a targeted asset. For domain security, it provides the coordinated use of multi-layered security countermeasures.
APPLY A MULTI-LAYERED, DEFENSE IN DEPTH APPROACH TO DOMAINS, DNS, AND DIGITAL CERTIFICATES
Use an enterprise-class provider
Organizations should validate their domain name registrar is Internet Corporation for Assigned Name and Numbers (ICANN) and registry accredited and can demonstrate their investment into systems and security. This should include both staff training on cyber security, as well as a variety of controls, processes, and security measures that ensure a defense-in-depth approach.
Secure domain name and DNS portal access
Organizations should seek to consolidate domains and DNS with one provider. The provider should offer two-factor authentication, IP validation, and federated identity for a single sign-on environment.
Control user permissions
Organizations should routinely review permissions for staff with access to domains and their DNS portal. A secure provider should be able to alert companies to changes in permissions and implement their authorized contact policy. Only trusted individuals should have access to elevated permissions.
Leverage advanced domain security features, such as:
DNSSEC, which encrypt queries to the internet service providers and therefore act as a visual deterrent for cyber criminals. Moreover, DNSSEC digitally signs the root zone, which means the organization can be confident of reaching a legitimate website.
Registry locks stop automated changes of DNS records, preventing execution of unauthorized requests.
Digital Certificate Policy with certification authority authorization (CAA) records allows only authorized certification authorities to issue a certificate on your domains.
DMARC, which gives organizations protection against unauthorized use of their domains, commonly known as email spoofing.
Proactive, continuous monitoring and alerting to ensure that the domain name registrar or DNS hosting provider has continuous monitoring and alerts in place such as CSC Security CenterSM
CSC SECURITY CENTER MITIGATES THE RISK OF CYBER THREATS TO YOUR DIGITAL ASSETS
CSC Security Center is built to minimize unknown risks and reduce disruptions to your business by identifying threats to your vital digital assets, helping you keep your business operating at all times. View, manage, and secure your company's domain portfolio.Learn more
MITIGATE RISKS FROM RIGHT WITHIN YOUR SIEM
Our newly launched domain name security intelligence API supports the mitigation of cyber threats such as domain name and DNS hijacking events directly from your own security operations platform or security information and event management (SIEM) system. For most organizations, the exploitation of weaknesses in DNS infrastructure is caused by a lack of controls, processes, and policies. For clients using a security operations platform or a SIEM, it's now possible to display all your security intelligence in one place, adding security controls for domains, DNS, and digital certificates. This insight can help organizations foresee and manage business continuity disruptions that lead to financial repercussions, loss of consumer trust, and sensitive data leaks.Learn more
CSC MULTILOCK PROVIDES MULTIPLE LAYERS IN DEFENSE
Using multi-layered security solutions for your registry locks provides you with the best defense-in-depth approach. The most effective mechanism is to employ all registry locks together with the registrar transfer locks. At CSC, we combine them into our MultiLock service, which includes an additional mechanism not shown in the WHOIS to protect any THIN WHOIS details held with us as the registrar.Learn more
WE'RE READY TO TALK
Our specialists are ready to answer your questions about domain security.