CSC Domain Security Report 2023: How Many of the Largest Companies in the World have a Domain Security Score of “0”?
This webinar is a review of the 2023 Domain Security Report. How many companies—despite rising phishing attacks—are vastly unaware of the state of their domain name portfolio, and don’t employ foundational external cybersecurity measures, such as registry lock, DMARC, DNSSEC, and DNS redundancy?
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo.
Christy: Hello, everyone, and welcome to today's webinar, "CSC Domain Security Report 2023: How Many of the Largest Companies in the World have a Domain Security Score of 0?" My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Quinn Taggart. Quinn Taggart is a senior global brand security advisor and assists clients in the areas of online brand and cybersecurity strategy. Quinn has been with CSC for over 20 years, and his wealth of knowledge and experience is appreciated by brand owners as he helps them to better understand their evolving digital asset portfolio and minimize their risk.
And with that, let's welcome Quinn.
Quinn: Thank you, Christy. So today we're going to cover a bunch of different things, and we're going to try to get through it in our half an hour time slot. We'll have some time hopefully at the end for a couple of questions. And then, of course, please submit your questions. If we don't get to them today, we'll definitely reach out with some answers afterwards.
So we're going to cover our annual security report. We're going to go over a few things about security risks. We're going to look at the key findings, of course, of our G2000 Brand Report under the homoglyph side of things, which is a bit of a variation. We're also going to look at our defensive domain security measures, some more key findings, and then, of course, our blanket recommendations.
So in looking ahead into where the 2023 report takes us, what we want to try to look towards is the key and core domains related to the G2000 companies. So we went out and we grabbed all of the key names. Now we were looking mainly for the corporate sites. Some clients or some companies might have an e-com site, which is a little different branding wise than their corporate site. So we were looking mostly for the corporate sites as and where we could find them, and those were the domains that we used, one per company.
And what do we do with the report? Well, because domains and the surrounding services, like DNS and spoofed domains, are often an overlooked security risk, we want to make sure that we're able to highlight these risks and show what trends we're seeing. Now since these are the core and key domains related to the company's activities, they're likely being used for email. They're likely being used for DNS services. They're also, of course, being used for the main web properties. So we're expecting to see with the core domains a very high level of security protocol that may or may not be relevant or applied against the rest of their domain inventory. And that's why we're really only looking at that core domain.
So, of course, this is the fourth year we've been doing the report. Things have evolved a bit over time and, of course, so have the bad actors, and they adapt and adapt and adapt as they go over. So we want to make sure that we're keeping up on what's important when it comes to security.
So today's domain security risks, again, as I mentioned, are ever evolving. So we're looking at some different things now that we might not have been looking at a couple of years back. And one of the big ones, of course, is hacked subdomains. So we're looking at the usual things. Going left to right, we're looking at compromised or hijacked legitimate domain names. We're looking at malicious domain registrations, for example the homoglyphs. We're also going to target a bit on AI domains as that's the hot button topic that we're working with right now. But then we're looking at hacked subdomains or hijacked subdomains.
And one of the key things, when you're looking at subdomain provisioning within your organization, is where is your subdomain pointed. Are you pointing to an IP service? Fine, similar to an A record that you might have on your root domain or your www version of your domain name. But a lot of people are using the cloud services and the provisioning services that they provide, and that's where things can go a little sideways.
Now I'm not going to say a whole lot on hijacked subdomains today. A colleague of mine, Mark Flegg is going to handle that in a separate presentation. So I don't want to really steal a whole lot of thunder there, and we don't want to get distracted away from the rest of the material that we want to go through.
So when we're looking at malicious domain registrations, we're really looking at those third-party risks, and balancing, of course, with monitoring and enforcement is going to really help with that. I realize a lot of people are under a lot of budgetary restraints. COVID really kind of kicked us all in the pants a little bit when it came to that. So it really is just a bit of a teeter-totter of balancing when it comes to managing your brand protection risk, managing your budget piece, and then counteracting that with some monitoring and enforcement.
When we look at AI specifically, now this again hot button topic, .ai for artificial intelligence. This is one of those domain TLD-related items that falls into what we consider to be the vanity category. So the most epitomized one is .tv. It stands for Tuvalu. It's an island chain in the South Pacific. But they're making about 10% of their GDP off of domain registrations. People associate it with television, not the country, but that's the vanity of it.
Now there are some other legacy ones that are out there, .ws for website, .cc for credit card, .am, .fm in the radio sphere. There's a lot of different ones, and some of them flash really quick and then they're gone. .io was a big one not that long ago. It's kind of tempered down a bit.
Now that may or may not happen here with .ai, but in the meantime we need to really pay attention to this. And what we're seeing, when we took the Fortune 2000 core brand strings and applied a .ai to them and had a look to see how many of them were registered, we only really saw that about 8% of the domain registrations were held by the brand owner. It's a bit light, and we're expecting that to maybe go up or shoot up in the next little while. But of that, of course, 43% of the .ai associated with the Global 2000 companies are registered with what we deem to be third parties. And over 49% of them are still available for registration. Now that percentage has likely gone down quite a bit as we prepared this report a month or so ago, and things are cycling through. AI is still a hot button topic. We're seeing some domain sales even in the AI sphere that are creeping up into the six figure range.
But on the flipside of that, of course, we're seeing a 350% year-over-year increase in domain dispute cases involving .ai and UDRPs. That shows us that (a) people are paying attention, but they were a little late to the game. And so, as a result, they're having to go out to defend their brands using the UDRP process.
But this really shows how current events and buzzwords can make the infringers go wild, right? In one of our earlier reports, we looked at COVID-related domain names and saw what happened with that. Incidents, news events, and the like are really just big fodder for third-party registrations. Whether they stick around or not is generally the question. And I think with .ai, it's probably going to be around for a bit, but time will tell when the renewal dates happen to come around.
When we look at the homoglyph side of things, and this is one that we picked up on a couple of years ago in our security report, and this is where we're looking at domains that resemble the Global 2000 Brands, substitutions, typos, common elements, this is where we're going with this. So that we're looking ahead and seeing 79% of these variations are being owned by third parties. Now that's a pretty high percentage, but it's also what they're doing with them that's going to count. We're going to look at that here in a second.
And magically the next slide. So how are they being used? Well, for the most part, something as innocuous as, say, pay-per-click or a parking page, we're not necessarily too concerned about that as far as content goes. But it's really the configuration of them that's really going to make a difference. How many of them have active mail records set up? Because that's going to indicate, hopefully not, but that's going to indicate the potential for being used as phishing. Now remember, a lot of these homoglyph substitutions, they're lookalikes, and that's driving that potential for phishing attacks because it's visually confusing.
So it's important to decide on what type of infringements you can accept. What's your risk tolerance when it comes to that? If you're using a very robust monitoring and enforcement package, they're going to detect a lot of these different types of typos, homoglyphs, IDNs (internationalized domain names). Now that's where a character set from a different language, like an accented "e" from French, all of a sudden shows up as a domain name using your brand. These are the kinds of things that will get picked up on a monitoring and enforcement package. Then with that in mind, you get a chance to go and react quickly and be able to defend yourself.
Registering domain names in your inventory that relate to industry-type keywords, stuff that's related to your services, shop, store, or online, now you've got .shop, .store, and .online. There's a wide variety of options available to you in order to kind of protect your brand online but also drive traffic.
When it comes to these substitution domains, it's an intentional act. It's really hard to prioritize what a third party might do or not do when it comes to your brands. So it's important to have and balance that out with some monitoring and enforcement that's going to really, really augment your registration and defensive registration strategy with being able to identify these domains so that you can take prospective action as and where you need to.
There might be other ways to use your domain name with your brand without having to have content on the site, and that's the key thing too. Like I said, it doesn't have to necessarily relate back to how the domains are being used content wise. It's how they're being used behind the scenes.
Forty percent of these third-party domains that resemble the Global 2000 brands have mail records. So as I mentioned before, this is where they get potentially used for phishing attacks. So MX records allow you to send those phishing emails, scams, spam, any of the stuff that may negatively affect your brand reputation online.
Nine out of the ten domains that we analyzed have their WHOIS or ownership details masked. Now that's sort of kind of the default nowadays with a lot of the consumer-based registrars. They'll do the WHOIS masking on purpose. But, of course, you've got GDPR and a bunch of other privacy initiatives that are also going to be masking or essentially masking WHOIS details, making it very difficult for you to be able to go and determine whether or not or who the third parties might be.
Now remember, any third party could be a friendly. It could be a distributor, a franchisee, a retail provider. It could be somebody that you're working with that has decided to go out and register these. So knowing the ownership and being able to determine the ownership is helpful so that you can go and deal with it appropriately. Certainly if it's a distributor or a franchisee type scenario, you're going to deal with it a little bit differently than if it's an outright third party.
As we go through these homoglyph type substitution domains that we're looking at, we're also looking at where they're being registered. Now certainly the registrars that are associated with a lot of these registrations are ones that we would normally see when it comes to third-party infringements. We're going to see the GoDaddys of the world, Namecheap, Network Solutions. These consumer-grade registrars are typical in our analysis as we see.
But all of these registrars have a few things in common. One, they're dealing in a high volume of domains with private persons. No questions are asked when the domain is registered, and they're not very compliant when it comes to enforcement. They're going to make you go down the road of the UDRP and the like in order to be able to handle it. They're not really helpful in a lot of cases when it comes to working with brand owners. And we consider these to be what we call consumer-grade registrars.
So when we look at the maturity level of the security measures and we look at enterprise-level registrars versus consumer-grade registrars, we can see that there's a bit of a tilt towards the registrars of the enterprise class. A lot of the security measures in place, like registry lock, DMARC, DNSSEC, CAA records, and DNS redundancy, these sort of things are being driven a lot more through the enterprise-level registrars.
And I think part of that is due to just the way your account management teams are set up. You're going to get that analysis. You're going to get the support. You're going to get the recommendations that are going to go along with that. Whereas your consumer-grade registrars, you're typically only as good as the credit card you've got on file. They're not offering a lot of strategic support and guidance. Chances are if you want that sort of thing, you're going to have to go and get a consultant to go and help you with that.
So what dictates a consumer or a corporate registrar? What does that really come down to? So we basically evaluate a consumer-grade registrar as they're geared towards domain services, websites, email for personal use, basic entrepreneurs and small businesses that are just getting started. Typically it's a credit card run, ideally suited for the onesie-twosie kind of thing, or somebody that is looking for that inexpensive way of doing things. Because of that, a lot of the consumer-grade registrars, when you register your domain names, will stuff up a pay-per-click landing page. That's their default setup. Why? Because they're the ones making the money off the pay-per-click, not you. So with that in mind, that helps them subsidize their low registration rates. But again, on the flip, you're not getting any strategic support. You're not getting a dedicated account manager type setup.
When we look at enterprise registrars, and it's not just the [inaudible 00:16:22] in that range when it comes to enterprise-class registrars, but they specialize in working with corporations and brand owners that require advanced business practices and capabilities, expertise, support staff, and the way in which the team is organized, DNS management as well as security brand and fraud protection, data governance, cybersecurity. All of those extra plus, plus pluses are important when you're evaluating an enterprise-class registrar.
And one of the key factors, of course, is going to be the registry lock. Now what registry lock basically does is put a bunch of measures into place that are manual. They're not automated. And the reason why it's a manual process is because we want to make sure that if somebody does compromise or comes across compromising account credentials, that they're not able to go in and just all of a sudden change the servers on your core domain name and take your name down, and/or redirect content to something else.
That's where automation comes into play. Consumer-based registrars or consumer-grade registrars are all about the automation. They're not about anything to do with manual. And that's also why a lot of the extensions that they offer are strictly that. They're on the automated side of things. Any of the more difficult ones, like the Middle East and some of the other manually-based registries that are out there in the world, they don't offer that. So they can't give you "the world." They can give you a slice of it, but not necessarily the whole world.
And this is where registry lock is going to come into place. It is a manual process. They're on purpose as a manual process. And, of course, the registrars that are consumer grade aren't geared for that. They just don't have the resources to be able to handle that. And we're going to see some statistics later on when it comes to that.
So when you go and put your trust in a consumer-based registrar, that may or may not be designed for domain security, that can impact your company's overall security process. Now registry lock is only one component of it. But, of course, you're not getting that added security posture, but also recommendations and consultation, sorry got hung up on that word, when it comes to how your portfolio is configured.
Now when we look at some of the other key components, like DMARC, DNSSEC, CAA records, and DNS redundancy, these are all components that by themselves have a particular function. But when you add them all together onto a particular domain name or series of domains within your inventory, that's where things start to get locked down quite a bit. And I use the analogy of a $1 million home, $10 lock. The lock in and of itself might work for a particular purpose, but by and large it's not really going to protect you overall. And then once people pick that $10 lock, the door is open, and that's what we really want to try to avoid when it comes to security. Security is going to be the key.
Now all of these elements together make up a company's security score. The higher the score, the stronger the security posture, meaning that companies are at less risk of domain security threats in the area. What we're seeing, of course, is that 46% of the companies that use enterprise-class registrars are also using the registry lock. And that's not a surprise. And like I mentioned before, the consumer-grade registrars are really all about the automation, and registry lock in and of itself is a manual process. So they're really just not equipped to be able to handle that.
Now this registry lock is going to protect you against accidental or unauthorized modifications or deletions. Some domains may remain unlocked. It's not a service that you're going to stuff on every domain in your portfolio. But certainly when it comes to the mission critical ones, we certainly would expect to see that enabled.
Overall, companies having registry lock turned on went from a 17% adoption in 2020 to 23% in 2023. So it is catching on. People are starting to use it a lot more, understand it a lot more. Now there are some caveats when it comes to registry lock. Not all registries worldwide support it. So there are some TLDs out there that are not able to utilize the registry lock at the moment simply because the registries themselves don't support it and don't necessarily have a good process in place to be able to deal with it. Now remember, the consumer-grade registries by and large aren't supporting it simply because they don't have the resources. The registries are going to be in the same boat.
Now we'll go to the bottom of the pile. So out of the 2000, F2000 domains that we analyzed, 112, about 5% of the companies have a domain security score of zero. And that means that they have adopted absolutely none of the security processes that are available. It's depressing a bit to see this given the fact that these are supposed to be the core names related to these companies and should be by and large top tier when it comes to all of the different add-ons and bells and whistles that are available to them. Some of these records cost nothing to put into play. CAA records, it's a memo entry. You've got to configure it properly, of course. Additional cost being enabling CAA records into a zone. You've just got to get off and do it.
But when it comes to these companies, unfortunately they've decided to do absolutely nothing with their main domains. So I'm going to make a reasonable presumption that they probably haven't done anything with the rest of their portfolio as well. This puts them at a substantial risk. It's unfortunate.
We are seeing a bit of growth in DMARC. Now DMARC is kind of like top tier in email security. It has the best overall chance of preventing spoofing and imitation of your domain names when it comes to email and email traffic. So DMARC is certainly one of those things that we're looking for the growth to come up. Six percent is the highest we've seen in the past four years as far as the growth percentage goes. It's designed to protect your company's email domain from spoofing, as I mentioned. So we're certainly expecting to see the growth to go up. And with some of the clients that I've worked with over the years, I'm seeing it now as a default. They're putting it on every domain in their portfolio, which is great because then nobody can spoof any domain that they have, not just the ones that they're using for email. They're putting it on every domain in the portfolios.
Now 2022 was a record year for phishing, 4.7 million attacks logged. Business email compromise attacks in Q4 of 2022 averaged more than $130,000 per instance. Like that's just unreal. So protecting your email as well as your brand online from these sorts of attacks is going to be key going forward.
Driving growth in DMARC is the increased adoption of Brand Indicators for Message Identification (BIMI) on email clients, which allows brand logos to be displayed against authenticated emails. That's important as well because as people start to use things and be creative in how they use things, it's going to be important to make sure that the detection keeps up with what the bad guys are doing.
So this summary slide I'm not going to go through each individual piece, but you can look at it and see that when it comes to the domain security measures by region, this is where some of the regions are a little behind some of the others. This is in line with what we've seen in prior years, although we're seeing some improvement of course in APAC as well as in EMEA. But we need to see more. And especially given a lot of the attention that is in the APAC region when it comes to domains, we certainly would want to grow and see an increase in security measures being adopted there as well.
So who's picking on which? So when it comes to which particular industries are being picked on and/or have the highest performance, it's not a surprise, I suppose, to see IT and software at the top of the pile. What is surprising is banking is kind of middle of pack, and we certainly would expect that banking be at the top of the pile, but it's not. Scary is when we start looking at utilities. Utilities is in the bottom of the pile. But we've seen some attacks on utilities in the last while, and certainly that's a bit of a scary situation when somebody can hack into the grid and start taking some liberties in that area. But as I mentioned, IT and software services, media, we certainly would expect to see them closer to the top. And we're hoping, of course, that banking will continue to climb.
So what do we do with this? Well, with this report what we're really hoping that people will take note of is that some of the adoption of the security elements really don't represent a cost. Some of the stuff does cost. But for the most part a lot of these postures can be implemented with little to no cost.
So going down through our recommendations, we want to see clients and companies in general adopt a defense-in-depth approach for domain management and security. Start from the inside. Work your way out. You'll have a tougher outer layer, and it makes it a little harder to get at that core.
Continuously monitor the domain space and key digital channels. As I mentioned before and multiple times, a robust monitoring and enforcement package is going to be really, really important to make sure that you're picking up on all these variations that go along with it.
Use global enforcement. So you want to make sure that you have the ability to do takedowns and blocking on a global scale, because even though you may be "a domestic brand," that's also where the bad actors are going to start to take advantage or potentially take advantage by being able to pick up domains that are relatively inexpensive but represent other country codes.
We also want to make sure that you confirm your vendor business practices aren't contributing to fraud and brand abuse. You want to look at your supplier chain. You want to look at your franchisees, your distributors, your retailers, make sure that they're not registering a bunch of domain names that contain your brand and everybody is in compliance. And that way, you can make sure that you're able to keep control over your brand online.
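The score Quinn describes is one point per measure present on the core domain: registry lock, DMARC, DNSSEC, CAA and DNS redundancy. The audit helper below is an added example written for this page, not CSC's scoring tool or the report's methodology; it runs over constructed DNS snapshots, and the record shapes, the hostnames, the DNSKEY-only DNSSEC check and the "two NS providers" rule for redundancy are all assumptions.

```python
"""Domain security score over DNS snapshots (added example, not CSC's tool).

One point per measure from the webinar: registry lock, DMARC, DNSSEC,
CAA records, DNS redundancy. Inputs are records a defender has already
collected for a domain; the field shapes below are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class DnsSnapshot:
    """Constructed records for one domain (hypothetical field layout)."""
    domain: str
    registry_lock: bool                               # from registrar/RDAP status
    dmarc_txt: list = field(default_factory=list)     # TXT at _dmarc.<domain>
    dnskey: list = field(default_factory=list)        # DNSKEY rdata at the apex
    caa: list = field(default_factory=list)           # CAA rdata, e.g. '0 issue "ca.test"'
    ns: list = field(default_factory=list)            # NS hostnames


DMARC_TAG = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")


def parse_dmarc(txt: str):
    """Return the tag dict if txt is a usable DMARC record, else None."""
    tags = {k: v.strip() for k, v in DMARC_TAG.findall(txt)}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def ns_provider(hostname: str) -> str:
    """Crude provider key: last two labels of the NS name (assumption, no PSL lookup)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess(s: DnsSnapshot) -> dict:
    """Compute the 0-5 score plus per-measure flags and caveats for one domain."""
    valid = [t for t in (parse_dmarc(r) for r in s.dmarc_txt) if t]
    dmarc = valid[0] if len(valid) == 1 else None   # RFC 7489: >1 record means no DMARC
    caa_ok = any(re.match(r'^\d+\s+issue(wild)?\s+"', r) for r in s.caa)
    providers = {ns_provider(h) for h in s.ns}
    measures = {
        "registry_lock": s.registry_lock,
        "dmarc": dmarc is not None,
        "dnssec": bool(s.dnskey),          # DNSKEY only; DS at the parent is not checked here
        "caa": caa_ok,
        "dns_redundancy": len(providers) >= 2,
    }
    notes = []
    if dmarc and dmarc["p"] == "none":
        notes.append("DMARC p=none: reporting only, spoofed mail is still delivered")
    if len(valid) > 1:
        notes.append("multiple DMARC records: receivers treat this as no policy")
    return {"domain": s.domain, "score": sum(measures.values()),
            "measures": measures, "notes": notes}


# Constructed snapshots: fully hardened, monitoring-only DMARC, and a score of zero.
HARDENED = DnsSnapshot(
    domain="example-brand.test", registry_lock=True,
    dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@example-brand.test"],
    dnskey=["257 3 13 <key material omitted>"],
    caa=['0 issue "ca.test"', '0 issuewild ";"'],
    ns=["ns1.provider-a.test.", "ns2.provider-a.test.", "ns1.provider-b.test."],
)
MONITOR_ONLY = DnsSnapshot(
    domain="watching-brand.test", registry_lock=False,
    dmarc_txt=["v=DMARC1; p=none; rua=mailto:dmarc@watching-brand.test"],
    ns=["ns1.provider-a.test.", "ns2.provider-a.test."],
)
BARE = DnsSnapshot(domain="unprotected-brand.test", registry_lock=False,
                   ns=["ns1.provider-a.test."])

if __name__ == "__main__":
    for snap in (HARDENED, MONITOR_ONLY, BARE):
        print(assess(snap))
```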