RECORDED WEBINAR:
CSC’s 2024 Domain Security Report: How Protected are Global 2000 Companies from Domain Attacks and Digital Threats?
This webinar is a review of the 2024 Domain Security Report and how protected the Global 2000 companies are from domain attacks and digital threats. Learn how cyberattacks like ransomware, phishing, and data breaches can originate at the domain level through fraudulently registered or exploited legitimate domain names.
WEBINAR TRANSCRIPT
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching us on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "CSC's 2024 Domain Security Report: How protected are Global 2000 companies from domain attacks and digital threats?" My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Quinn Taggart. Quinn is a senior advisor for global brand security and assists clients in areas of online brand and cybersecurity strategy. Quinn has been with CSC for over 20 years, and his wealth of experience and knowledge is appreciated by brand owners as he helps them to better understand their evolving digital asset portfolio and minimize their risk. And with that, let's welcome Quinn.
Quinn: Thank you, Christy, and thanks to everybody that's joining in today. I think that we're going to delve into a lot of the same sort of data that we've had in previous presentations on the Global 2000. But we're going to explore I think a few different aspects that may surprise you in a couple of places as well as educate us as we go.
One of the first things we want to do is just kind of take a step back for a second and take a look at the attack surface when it comes to domain ecosystems. So it's a little bit different than a "physical" threat matrix. So when you're thinking of cybersecurity, you might be thinking of physical security and thinking of things like, oh, wow, tailgaters coming in the front door or access to the physical servers, things like that.
So in the digital environment, it's a little bit different. And a lot of companies will spend a fair chunk of time working on their firewalls. So that's this part here in the orange. But then you have all these other layers of attack vectors that are available to the third parties. And more and more important is a robust monitoring and enforcement strategy to try to help contain and identify any of these threats as they come along. The ones that are very close to you, of course, the client and partner portal, email, websites, VoIP, defensive domain registrations, those are the ones that a lot of companies will invest a fair amount of time, energy, and budget into.
But when you start to look a little beyond that, even the lapsing domains or letting domains go out of your portfolio can cause you some grief down the road. You need to be really careful on those, especially if they're branded or contain any of your key trademark terms. They can easily be reregistered by third parties and potentially used against you. So it's really important to kind of grab a lot of the extra pieces together and be able to report back to you. And that's where the monitoring and enforcement package kind of comes in. You can take some proactive stands, obviously defensive registrations, making sure you shore up domain registrations in markets where you're doing business. But it's the other areas where the third parties can really take advantage of your brand online.
So the type of attack vectors and the type of ways in which the threats kind of line up, across the top are the more common ways. Compromised or hijacked legitimate domain names, so people that have gained access to your portal at your registrar and they're able to go in and make changes. That's not as commonplace now I think as what it used to be. But some of the areas where things are a little bit more common — hijacked subdomains. As we've moved into the cloud, a lot of these subdomain web hosting systems set up allow anybody to kind of come in and pick these up. And if you're not paying attention to your hygiene on your domain name zones, it could easily be somewhere where a third party could redirect some traffic.
Dormant domain names is another hot button topic that we're going to touch on a little bit today as well. And that's where infringers will go out and register a domain name that might contain your brands or target your brands or trademarks. But from a user experience point of view, there's nothing. If you plunk them into a browser, you either get an error or you don't get anything. You get a parking page possibly or whatever. But it's below the surface where they can use those domains to launch email attacks, phishing emails. They can use subdomains off those domains. Now it's not going to be as evident on the surface as you go through them.
And, of course, the usual malicious domain registrations, homoglyphs and the like. And anything that's newly lapsed, anybody that's paying attention to what you're doing as a company will pay attention, of course, to trademarks because those filings are public. But any domain names that you've let go out of your portfolio could easily be reregistered and come back to bite you later on. So it's a little bit more of a strategic look. It's fine to say, "Oh, you know what, we're spending a lot of money on these things. We really need to kind of thin the herd out." But you really need to assess the risk that goes along with it because all of these attack vectors down below here in the bottom box could easily capitalize on those lapsed domains and come back to you later on.
So we spent a little bit of time looking at some of the vectors and some of the history of things. So we're really going to get into the Forbes Global 2000. So the methodology here is simple. We've gone out and we've gotten a list of the Forbes Global 2000 and the core websites. You can see by the bottom parts here on the chart they have enjoyed some growth, but certainly not to the extent that DMARC has. And DMARC, of course, has gained quite a few points over the last four or five years and resting right now at an adoption rate of about 70%. And that's really, really good. We like to see that because, in all honesty, a lot of these attack vectors and a lot of the threat matrices that are out there start with or utilize email. So the more security that companies can put into their email and their email infrastructure is going to be a bonus in the long run.
So when we look at the DMARC adoption, we've gone up, as I mentioned, 32 points over the last 4 years, since 2020, 5 years technically if you want to add it up right. But that's a great statistic. I would love to see growth like that with a lot of the other mechanisms.
The thing is that a lot of these security measures are either low cost or no cost to implement. It's just a matter of taking the time to kind of go through that. And as I mentioned before, we're looking at the Global 2000 and their core names, not their entire portfolios, just the core names, with the idea that if this is how they're handling their core domain names within their portfolio, chances are the rest of the portfolio will follow suit. So if they're ignoring some of these security measures on their main domain names, chances are it's similar handling when it comes to the rest of the portfolio.
So when we look at some of the other elements, registry lock, so what does registry lock actually do? It's going to protect the domain names against accidental or unauthorized modifications or deletions. Now it's very cost-effective when you look at it against your core domain names within your portfolio, your crown jewels, ones that are running your DNS, ones that are running your email, ones that are responsible for your main website. If you're doing ecom, I mean, why would you not take the extra step?
But this is also where a lot of companies will fall over a little bit by their choice of registrar. So a lot of the consumer-grade registrars just aren't in a position to be able to offer registry lock. Why? Because it's a manual process. In this world of automation, everybody is looking for automation, quick, easy, let's just get it done. Registry lock is designed specifically as a manual process to avoid those unauthorized modifications, especially when it comes to DNS and/or WHOIS details that would allow somebody to actually hijack a domain name and move it around. So this manual process just isn't conducive to the consumer-grade registrars' operating model, which they're all about automation. They're not interested in and don't have the resources for a manual process.
In the overall scheme of things, who uses the registry locks? Well, in the F 2000 report that we put together, we're running about 45% of the companies that work with enterprise-class registrars are using registry lock. But only 5% of the companies with consumer-grade registrars are taking advantage. And a lot of that, like I mentioned before, has to do with the way in which those consumer registrars are configured. There are some that will offer the registry locks on a limited basis. So just reach out, talk to them. If you are using a consumer-based registrar, I encourage you to reach out and ask the question.
So when we look at that, when we're looking at enterprise-class registrars as a whole, there's a couple of key points, and we talk about this a lot in a lot of our webinars when we gauge why CSC versus a consumer-based registrar. But there's a lot of different things, especially when it comes to advice and strategic guidance. And in a lot of cases, the consumer registrars just aren't configured, from a service point of view, to be able to offer that to their clients.
CSC's service model includes day-to-day contact, which is your client service partner, an account manager, which is your SAM, your strategic account manager. But then you also have access to specialty teams, such as the Brand Advisory team, which I'm a member of. But we have a DNS team. We have a Transfer of Registrars team. We have a lot of specialty teams that are available to help guide you through whatever issue you might be faced with or whatever challenge you might be having as it comes to your domain inventory.
And one of the other key things, of course, as well is we recognize the fact that a lot of our client contacts are only dealing with domains on a very small percentage of their day. They have other duties. They're either with the legal team or with the IT team or marketing or whichever. They have other day-to-day items that they have to deal with, and domains only occupy anywhere between 5% and 7% of their day. Domains are 110% of my day. So being a CSC client, you can take advantage of that and utilize our expertise. And this is where a lot of the guidance is going to come in when we're looking at a lot of these different security measures, but also strategic guidance in making sure you have the right names in the right places at the right times.
So when we look at adoption and we look at it from a regional perspective, does geography really matter? I mean, when we look at the companies and the split between the regions, APAC generally will be third in the list out of three. But when you look at that, the idea is that a lot of the smaller companies are in that APAC region, but it also includes a lot of the mainland Asia companies that are using a lot of the local retail-based registrars or consumer-grade registrars rather than enterprise registrars. And that affects a lot of these ratings, as we've shown in previous slides.
And unfortunately, healthcare has dropped quite a bit. They went from 5th place to 12th out of 26. So now they're in the middle of the pile. Now on the flipside, of course, technology, hardware, and equipment went up eight spots, and we would expect that. We would expect technology and banking and anybody dealing with money and our money to be in the top of the pile. But unfortunately, banking has habitually been in the lower third of the rankings out of 26 industries. But healthcare was right up there, and they've dropped. And unfortunately, when you look at the increase in prominent cyber attacks on the healthcare industry, boy, I'll tell you that's scary and surprising at the same time. And hopefully, they'll bounce back in the next year when we start looking at the next results.
So when we look at the highest-performing industries, we would expect, of course, to see IT and software, media, and retail to be in the highest-performing categories, and they are. But when we look at the lowest-performing industries, a couple of the ones here that really surprised me, one in particular, of course, is oil and gas operations. We've seen in the past couple of years a couple of attacks on the "grid," the overall grid, not just the electric grid, but all the grids. And when you start looking at people tinkering with the computer systems that control oil and gas as well as the electricity, that can get really, really scary. And I think that they need to take a little bit of a harder look on their inventory and make sure that they plug up some of the holes in their security measures.
So when we look at security risk overall, 68% of the Global 2000 companies have less than half of the recommended security measures implemented. Again, we're only looking at eight or nine of these key elements when it comes to security. There's way more to consider, of course, than this. But we're looking at the more obvious ones that will help people shore up their inventory. The real scary part, of course, is that a full 20% of the list is in that 0% to 24% range. There's a bunch of them that are actually at zero. Five percent of the companies have a domain security score of zero, and they haven't adopted anything in there. And that's really unfortunate that they look at their core domain name as not as valuable an asset as some of their other physical. They may have chain-link fences around their buildings, and I'm sure they've got locks on their front doors. Why not do the same sort of thing to your digital assets and make sure things are secure?
So when we look at the other angle of things, the previous slides, of course, were looking at the core domains related to these organizations. Now we're going to start to expand out a little bit and look at the landscape of how third parties are attacking their brands online. And one of the easiest ways to do that is to look at homoglyphs.
Now when we looked at homoglyphs, we didn't look at more sort of like the IDN style, internationalized domain names, accented characters and Cyrillic, which you still see going around as a meme online. We were just looking at the fuzzy matches, so substituting an "O" for a zero or a zero for an "O", m's and n's, i's and l's, and so on. These are easy ones for people to go and substitute into your brands and then register new domain names. These look-alikes are on purpose.
This is the thing to remember as well when you're going through this is that there's only so much you can do when it comes to defensive registrations. But in a situation like this, these fuzzy matches are done on purpose. It's not accidental. So when you see these, again back to monitoring and enforcement, so when these come up, you need to pay attention. You need to take action. They can easily be used for phishing attacks. And as I mentioned before, that's usually where a lot of these attack vectors start. They start with emails.
So 80% of the parties using homoglyph or lookalike fake domains have increased their use of mail records, which means they're using them more for email, they're using them more for phishing attacks, malware delivery, ransomware attacks, and the like, and that's really scary.
So when we look at the weaponization of third-party domains, so how are the third-party domains being used? Well, we see a lot of advertising and pay per click on the front end. I mentioned before, when it comes to the user experience, it can be whatever. It's behind the scenes that really counts. So if the mail records are active, they can be using them for email regardless of what the website content looks like.
And that's where the 33%, next line, have inactive websites. Plunk them into a browser, they don't go anywhere. People might think on the surface, "Hey, I don't have to worry about this." You do. These dormant domains can really, really, really come back to bite you later on. And that's why, as I mentioned before, a robust monitoring and enforcement program will be able to help you to assess these threats and keep things going.
Now as expected, when we look at the domain registrars most associated with these fake domain registrations, GoDaddy, Namecheap, Network Solutions, they've been the top three for pretty much the last five years. So it's the same sort of ones all the time, and those are the most popular consumer-grade registrars overall.
Who's being targeted when we look at the suspicious and malicious emails or domain names? We have to look at the fact that banking, although at the top and targeted the most as we would expect it to be, is also ranked 16th out of 26 when it comes to security posture. That's a bit off-putting. If they were at the top of the pile for the security measures and still being targeted for the better part of these fake domains, I could understand that. But for them to be 16th, the banking industry needs to do a little bit better. Then, of course, diversified financials is right behind that. IT is a big target, but they're also at the top of the pile, so that's okay. And we look at utilities in the middle and so on. Media is kind of at the low end, and I think probably because they've taken a lot of action lately over things like torrent sites and online copyright infringement and the like. I think they sort of enforce their rights a little bit more aggressively than some of these other categories.
So in summary, defense-in-depth approach, start at the beginning, start at the middle and work your way out. Balance it. One of the key things is when we look at the overall defense-in-depth approach, we have to kind of balance your individual company's penchant for risk versus budget versus your monitoring and enforcement. If you're going to take away from one or add to one, you can sort of balance it off with the other two pips on the triangle.
Monitor and protect your domains and digital channels for brand abuse, infringements, phishing, and fraud. This is really, really important. You can react quickly to infringements as they come along before they can do a lot of extra damage.
Use your global enforcement, takedowns, internet blocking. These are effective techniques to be able to at least get the content offline, give you some breathing room while you decide how you want to handle the actual physical domain itself. It is a two-step process.
Confirm that your vendors are actually practicing safe cyber and aren't contributing to fraud and brand abuse by them being lax in their security process as well. It is a holistic approach, and it really does expand out beyond your own internal systems.
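The fuzzy-match look-alikes and the "dormant website, live mail records" point Quinn raises above can be turned into a simple monitoring check. The following is an added example written for this page, not code from CSC or the report; the brand, the observed domains and the DNS answers are all constructed, and it assumes a single-label TLD such as .com.

```python
"""Flag fuzzy-match look-alike domains for a brand and rank them by whether
they carry mail (MX) records, so a domain whose website goes nowhere but
whose mail is live still surfaces as high risk (added example, constructed data)."""

# Characters the talk lists as swapped on purpose: O/0, m/n, i/l.
# Each maps to one canonical letter so look-alikes normalize to the same string.
CONFUSABLE = {"0": "o", "1": "l", "i": "l", "n": "m"}


def normalize_label(label: str) -> str:
    """Collapse confusable characters so 'examp1e' and 'example' compare equal."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in label.lower())


def second_level_label(domain: str) -> str:
    """Return the label left of the TLD (assumes a single-label TLD such as .com)."""
    return domain.lower().rstrip(".").split(".")[-2]


def substitutions(brand_label: str, candidate_label: str) -> list:
    """List (brand_char, candidate_char) pairs where the raw labels differ."""
    return [(b, c) for b, c in zip(brand_label, candidate_label) if b != c]


def is_lookalike(candidate: str, brand: str) -> bool:
    """True when the two labels differ only by the confusable swaps above."""
    b, c = second_level_label(brand), second_level_label(candidate)
    return b != c and normalize_label(b) == normalize_label(c)


def assess(candidates, brand, dns):
    """Score each look-alike: MX present means it can send phishing mail even
    with a dormant site (high); web only is parking/PPC (medium); neither (low)."""
    findings = []
    for dom in candidates:
        if not is_lookalike(dom, brand):
            continue
        rec = dns.get(dom.lower(), {"a": [], "mx": []})
        has_mx, has_web = bool(rec["mx"]), bool(rec["a"])
        risk = "high" if has_mx else ("medium" if has_web else "low")
        findings.append({
            "domain": dom,
            "swaps": substitutions(second_level_label(brand), second_level_label(dom)),
            "website_active": has_web,
            "mail_enabled": has_mx,
            "risk": risk,
        })
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f["risk"]))


# Constructed sample data: a fictional brand and made-up DNS answers (RFC 5737 addresses).
BRAND = "examplebank.com"
OBSERVED = ["examplebank.com", "examp1ebank.com", "exanplebank.com",
            "examplebamk.com", "examplebank.org", "0ther.com"]
DNS = {
    "examp1ebank.com": {"a": [], "mx": ["mail.examp1ebank.com."]},  # dormant web, live mail
    "exanplebank.com": {"a": ["203.0.113.10"], "mx": []},            # parking page only
    "examplebamk.com": {"a": ["203.0.113.11"], "mx": ["mx.example.net."]},
}

if __name__ == "__main__":
    for f in assess(OBSERVED, BRAND, DNS):
        print(f["risk"].upper(), f["domain"], f["swaps"], "mail" if f["mail_enabled"] else "no-mail")
```

In a real monitoring run the `DNS` dictionary would be filled from live A and MX lookups of each observed domain; the scoring logic stays the same.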