Fortifying Your Domain Security Ecosystem: Comprehensive Strategies to Counter Cyber Threats
As cyber attacks grow more advanced and persistent, organizations must fortify their domain name ecosystems with proactive, enterprise-level defenses. In this webinar, Quinn Taggart, CSC product coach, will explore how enterprise-class registrars offer critical tools to secure domain portfolios—including registry locks, domain name system (DNS) redundancy, and domain-based message authentication, reporting, and conformance (DMARC) enablement.
This session also provides timely insights following the sunset of public WHOIS data on June 15 and the evolving secure sockets layer (SSL) certificate landscape. Attendees will learn how to adapt their strategies to maintain visibility, continuity, and security in a post-WHOIS era.
Webinar transcript
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "Fortifying Your Domain Security Ecosystem: Comprehensive Strategies to Counter Cyber Threats." My name is Christy DeMaio Ziegler, and I will be your moderator.
Quinn Taggart is a product coach for Digital Brand Services and assists clients in the area of online brand and cybersecurity strategy. Quinn has been with CSC for over 20 years, and his wealth of experience and knowledge is appreciated by brand owners as he helps them to better understand their evolving digital asset portfolio and minimize their risks. And with that, let's welcome Quinn.
Quinn: Thanks, Christy, and thanks, everybody, for joining in today. We've got a lot to cover in the half hour that we have together, so I just want to kind of roll through and get right into it.
One of the key aspects that a lot of people ask about is, "What's the difference? A registrar is a registrar. They can register domains. Do I really care who that might be with?"
Now certainly price point is one of the key factors that a lot of folks will look at. But really, when it comes down to brass tacks, the big difference is in the behind the scenes. In comparing a consumer-grade registrar with an enterprise-class registrar, one of the key factors, of course, is how that backend is working for you.
Now most consumer-grade registrars, the reason they can offer the price point that they can is because they're all about automation. You put your credit card on file, and that's a key factor as well to consider. You put your credit card on file, and then it's all automated in behind, which means there are some extensions on a global scale that they're not equipped to be able to handle. There are also some security features that are available, that are manually oriented, that they're not going to be able to handle as well.
Registry lock, I'm sure most of you are well familiar with that terminology. Registry lock is another one of those key factors. It's a manual process, and so because of that, a lot of the consumer-grade registrars just are not equipped to be able to deal with that.
One of the other key factors, of course, as well is access-based management in the account. So having different users assigned a different level of access to the portfolio and what sort of things they're allowed to do, you typically don't get that kind of access controls when it comes to your consumer-based registrars.
But one of those key factors, as I mentioned a minute ago, was it's all about the credit card and the credit card on file. That does pose some inherent risks when it comes to, all right, well, the credit card expires. Or let's say the person that has the credit card doesn't work there anymore. Who has access? How do you get the ability to go in and do the renewals if you don't have the ability to even get into the account?
So one of the key factors, of course, when you're looking at your registrar, is what are they doing for you behind the scenes? How is their security posture configured? What sort of things are they doing to make sure your data and your position is safe? Typically, your enterprise-class registrars, like CSC, they're going to be able to bill you. You can pay by credit card, I suppose, if you want to. But for the most part, it's invoice. It's real business-to-business kind of scenarios.
The expertise, the support staff, DNS management, security, governance, cybersecurity, all of those key factors are going to come into play when you're looking at your registrar. So choose carefully. And if you have any questions on that sort of thing, of course, you can always reach out and chat with anybody on the CSC team. But even doing your own research online, you can see the real big difference. There are not a lot of what we consider to be enterprise-class registrars out there, so it's a pretty easy comparison.
When we look in the processes, the people, and the technology, if we dig in a little deeper on that, when we look at processes alone, you've got to be up to speed on what ICANN is doing. You've got to have a full accounting of all the domains and the domain name systems, written request mandates, data and general practice protection. So of course, as we talk about GDPR and other privacy initiatives on a global scale, you've got to be on top of all of those so that you don't run afoul of any of that. It's not just us as a registrar running afoul. It's you alone as well. And one of the big keys, of course, is the registry locks.
Knowing your customer, it's one of the key factors for us with the people side of things here at CSC. Having global, 24/7/365 in-house support is also key. We don't farm out our support. It's real people support. And the people that are answering the phones, they're not just taking a message and getting back to you. They're people that are actually doing the work on the front end. So they're going to be able to assist you right then and there and not have to call you back, in half an hour, once they finally find somebody that can actually do the work. And, of course, regular cybersecurity staff training.
From the technology side, one of the key factors, of course, SOC 2 compliance, ISO 27001 accredited data centers, third-party penetration testing, all that kind of stuff is really important to make sure that your supply chain is kept up to speed. In the middle of all that, of course, is CSC.
That's the salesy part of our presentation for today. But realistically, do your research and make sure you're dealing with somebody that's going to be able to support your activities.
This is affectionately known as our spaghetti slide. It's one of my favorite slides. The reason is that in a typical corporate environment, there are a lot of lines of communication. There are a lot of stakeholders. Not always are the stakeholders talking to each other.
Anecdotally, I was working with a large banking client, and we went into chat with them about different things. We managed to get all the different stakeholders together, IT, security, brand management, marketing, as well as the legal team. Even though they were in the same city, they had never really chatted with each other. They were all kind of doing their own thing. If the lines intersected, then so be it. But for the most part, they didn't have a conversation going. And certainly, we encourage that.
But as you can see, where everybody is trying to manage things on their own on this slide, there are a lot of lines going in a lot of different directions, and they don't always intersect with each other and come out with common goals. Where CSC can excel and inject ourselves into this sort of arrangement is we run middleman.
Now we always tout ourselves as wanting to be a partner with our clients, not just another supplier on the docket. So this is where we can really, really inject ourselves into the conversation and play middleman between the client, stakeholder contacts, and of course outside counsel. It's always important to make sure that you've got the lawyers and the outside counsel involved. But we're able to handle a lot of these intermediate steps with the expertise of our team.
One of the key things that we've researched over the years is how much domains work is being done by our client contacts. A lot of our client contacts are in a variety of different teams. They're in marketing, or they're in branding, or they're in intellectual property, or they're in the IT side. It really is a mixed bag. There's no one team that's going to handle domains within an organization. But one thing that does stand out is that a lot of these folks have other things to do.
And so anywhere between 5% and 7% roughly of people's days are related to domains and domain-related activities. It's not a lot of time, and it's certainly not a lot of time to be able to go and get yourself up to speed and consider yourself an expert or a subject matter expert on domains and domain activities. And that's where CSC excels as far as the partnership side of things goes. Domains are 110% of what we do in a run of a day. This is what we're here for. I can probably count on one hand the number of clients that have dedicated domains teams. There are some that have people that are engaged on domains more than the average. But realistically, a lot of times they'll just utilize and leverage the support that CSC gives.
Just a quick regurgitation of what the domain life cycle kind of looks like. Everything starts with an idea, hence the head, and that's where your domains are available to kind of start with. Then once your registrations are done, it's generally a cyclical effect, where domains will come up for renewal, you'll renew them, and we go back to start. They come up for renewal. You keep going through that teal "Active" part of the circle of life over and over and over again until you're pretty much done with them.
The idea is that you never really "own" a domain name. It's like a lease, meaning that as long as you keep up on your payments, it's yours and you can do with it as you please. You can sell it, or you can just drop it, whatever works for you when the life has ended.
Then it's going to go into the expired state. It's going to go through some sort of a grace period. It really depends on the extension. It's going to go through a pending delete phase for three or four or five days, depending, again, on the extension. Then it's going to be back out into the wild after that.
One of the key things to remember, when we go through this particular slide, is that it goes back out into the wild. So if the domains contain your brand, if the domains are generic in nature, if they're short, like two or three or four characters long, anything along that line, there's a high likelihood that those names are going to get reregistered by somebody else as soon as they're dropped and available again.
That's the life cycle of domains. That's how it works. So caution, caution, caution in evaluating your portfolio to the point that you want to get rid of things out of your inventory. It's a heck of a lot more expensive to go chase a domain down that's infringing on your brand and somebody has gone and put up a phishing site or they've skinned your site out and duplicated it and are scamming people and so on. Those kinds of excessive activities are going to put you in a bit of an awkward spot reputationally.
So what you want to try to be careful of in the beginning is realizing, "All right, you know what, if it's only a few bucks for a dot.com renewal, that's probably a heck of a lot better than it is to let that go and have it show up in third-party hands." Now, of course, getting rid of domains out of your inventory is part of the life cycle. That's just the way things are.
But for the ones that you're keeping, we'll focus on those for a second. One of the key aspects in looking at how your portfolio got to be where it is, it didn't get there overnight. It's evolved over time. Whether it's 5, 10, 15 years, whatever your life in the industry or in the corporate side of the world is, your portfolio has gotten to be where it is over time. That's really important because what you're going to find, as you go through this, is that there are going to be some situations where domains are outside of your management that contain your brands, and you're going to need to be able to identify those.
Now we'll talk about robust monitoring and enforcement and stuff in a separate piece. But realistically, what you're going to be on the lookout for is one of three categories typically.
Localized registrations come up a lot, especially in countries where they have a fully independent, localized team. China comes to mind. The rules have changed in China quite a few times over the years. So we've seen this a lot where people will register domains on a local level, and you're aware of them hopefully. But on the other side of that is that they're looked after. But again, they're typically with a consumer-grade registrar. It's credit card oriented. It's personnel dependent. It's going to present some risks, and often you just don't have control over what's going on. Especially if something goes sideways on one of those domains, typically your IT resources may not have the capability to be able to pitch in and give them a hand.
Then you've got the "rogue employees" side of things. Now these are well-intentioned individuals. I'm not going to generalize and say what teams they may typically be under. But people are like, "I've got a project. Oh, I'm going to go out and I'll go get this name. It's available. I'll go get it now. I'll put it on my credit card, and at least we've got it." But then it doesn't get consolidated into the central portfolio at whatever vendor you're using. So they typically will use their personal or team credit cards with consumer-grade registrars. It's almost a given that that's going to happen.
Those domains are typically forgotten usually until there's a problem. Then, of course, as I mentioned before, what if that person doesn't work there anymore? What happens if the credit card expires and all of a sudden you get a site offline? You can't renew the name, and you can't get access to the account. These ones are really, really bad, and you want to be able to identify those quickly so that you can get them consolidated into central management.
Then there's the fuzzy line between distributors and partners. Now in a lot of cases, the distributors or partners assume they can register branded domains based on their relationship, and it's to support the joint efforts. But again, typically they're going to be using the consumer-grade registrars, often without informing you that they're actually doing this. This is where monitoring and enforcement will pick up on these sorts of registrations, and then it's a bit of an awkward conversation that you might have to have with them in order to be able to get those names moved over and into centralized management. Without active monitoring, those names could remain undiscovered for quite some time.
The rogue employees, you can usually pick this up on expense reports. Or something along that line is going to trigger the fact that they've actually gone out and picked those up. When it comes to the localized registrations from the teams, they're typically going to have lines of communication into IT or whatever because they'll need some resources. So those ones are usually fairly easy. It's the distributors, the partners, the franchisees, those are the folks that typically are going to be undiscovered because they're not going to be using your details to go and register the domain names. They're going to be using their own. So it might not be as obvious.
So when we look at the complexity behind the names, so each domain name within the portfolio has a multitude of individual elements that can be in different places at the same time. So the registrar, that's whoever manages the domain itself, whether it's CSC or not. That's the registrar.
Now below that, when we start to look at some of the technical aspects, they can go in a bunch of different directions as well. So the DNS host provider, it could be CSC. It could be something you're doing internally. It could be a third party.
Similar fashion for mail. You could be doing it internally. You could be using a third party to manage your domains, whether it's through Outlook or Gmail. You can do all that kind of stuff, but that's separate from all of the other pieces.
Then we have all of the security protocols that will come into play as well. Registry locks are typically done, of course, via the registrar to the registries, so that's fine. But then when you look at DNSSEC, that's going to be driven through whoever your DNS host is. DMARC could be done through a company like Proofpoint or whatever. CAA records are something that you're going to put onto your domains internally. SSLs, again, another vendor or provider and so on.
So there are a lot of moving parts for your IT resources to kind of keep track of for each domain in your portfolio. So having preferred vendors and consolidated functions is extremely important. It's going to go a long ways to preserving your sanity because you're not… You're going to have concentrated efforts.
So here's a checklist. I'm not going to go through all of these pieces. But a couple of the key things to kind of look at. DNS redundancy, that helps with downtime or any unforeseen incidents. When it comes to your DNS, it's good to have a backup.
MultiLock or a registry lock, that's a real key factor when it comes to making sure that if somebody's credentials are compromised, you can't make any changes. That's really important.
Of course, using an enterprise-class registrar. And then at the very end, when we look at 3D monitoring or enforcement services, a robust monitoring and enforcement package is really going to help save you from some of those surprises at the tail end.
What can you do to help support your domain inventory and put your posture and your best foot forward as far as that part goes? Governance is always going to be a high-level, kind of stakeholder key factor. Having a domain policy. A domains council is also another key aspect, which is really good because that gets all of your key stakeholders together, IT, legal, marketing, brand management, etc. You want to make sure that everybody has a little seat at the table and a little something to say because the domain inventory impacts everybody. You really need that stakeholder engagement.
In the middle is going to be your tactical side of things, which is where your strategic alignment is going to be. Making sure that trademarks talks to domains and, of course, coordinates. There's a real key difference between trademarks and domains, and the real big aspect of it, of course, is that domains is on a first-come, first-served basis. Trademarks are not.
You can have folks that have the exact same term trademarked, but in different industry classes. So one of my favorite ones on the North American side, of course, is Delta Airlines and Delta Faucets. Both have trademarks on Delta. But who deserves delta.com? And the answer is whoever got there first. It really is that simple. It sounds sarcastic when you say it, but it really is that simple.
So it's really important to kind of coordinate those activities. When you file for a trademark, it can take a couple years before the trademark gets registered. During those couple of years, if anybody is paying attention, it's public information. I can go and have a look at all trademark applications. By their nature, they need to be public because people can object to those trademark registrations before they even get to be registrations. And so, as a result, coordinating with your trademark filings and the domain registrations is going to be real key.
And that flows right into your strategy. Any new brands or TLD launches, it all goes back to the same thing. Now you don't always have to have trademarks on every domain string that you're doing. You don't have to have a trademark in order to register domains. And that's a key factor as well, and that's why the bad guys get in there first usually a lot.
The follow-up is also key. Managing domain inventory is a cyclical event. It really does go around and around and around and around. So what you're doing today might be relevant today. A couple years down the road it might not be. But if you don't come back around and review things and review your processes, you're not going to identify that, and then you're just going to keep doing the same old thing because that's the way it's been done. So having a look at things like your utilization, your rationalization, your monitoring and enforcement, your budgeting and your staffing, all of those things need to be reviewed on a regular basis. Whether it's semiannual or annual or every couple of years, whatever works for you as far as that part goes, but it really does need to be cyclical.
I'm going to cover a couple key events that have come up in the last little bit. I'm not going to belabor a lot of these because there are tons of resources for these online. So NIS2 is strengthening cyber resilience across the European Union. That's a bit of a mouthful as we do it. But a lot of these approaches, like GDPR and so on, have all kind of gone in on the data side of things. So NIS2 kind of takes it into the IT side of things. So it emphasizes the "all-hazards" approach, covering both cyber and physical threats, and it grants the regulators broader enforcement powers. That's key as well. There's no sense having a policy in place, whether it's internally with your own domain policy or external in this particular type of situation, if there are no penalties. You've got to have the penalties and enforcement there in order to make sure people pay attention.
Then we've got some other things, like RDAP, that are coming in. This is augmenting and supplementing GDPR and a bunch of other privacy initiatives that have been put out on a global scale. There are just a few here that I've listed for Canada, the U.S., and India as well. All of these seek to make sure that people's information is kept private if you want it to be and then also, of course, secure.
So after July of 2025, it's not going to be an option to use the WHOIS details to validate an SSL. Hmm, what's that going to do for a lot of folks as well? That's one of the key things that we look at, when we look at the WHOIS details that are on domains, is what information is listed. Now GDPR gave us a situation where generally maybe the organization would be listed, but then nothing else in between is, and even the email address might be redacted optional. The reason I say that is because a lot of the SSLs were using the email that's in the WHOIS as well as the organization that's in the WHOIS in order to validate for the issuance of an SSL certificate. Well, they've made some changes in the SSL side of things, and we'll cover that in a second, that are going to put that to bed. They're not going to do that anymore. So you're going to have to find another way to validate your SSLs.
So when we go into the SSL and the domain control validation changes, the current setup is pretty straightforward, right? So every digital certificate, whether it's an EV, OV, or DV, is validated using domain control of one of the current methods. We either use the WHOIS email, some sort of token that the certificate authority has given to us, or we add an actual record into the domain's zone file, which is really the preferred method, it's much more secure. So the WHOIS email is no longer going to be an option after July 15th. That's really key. You're going to be only able to use the token or the DNS record approach.
Now certainly, the web token is not a preferred part of the approach, simply because of the ability for people to just copy and paste it or intercept it along the way. The DNS record is going to be the preferred methodology. It's much more secure. You have control over the domain. You have control over the zone. That's where the security exists.
So when we look at the dating, so on March 15, 2026, they're going to drop the life cycle for certificates down to 200 days, then down to 100 days, then staying at 100 days but DCV re-use is only going to be 10 days. Then they're going to go to a 47-day certificate. To be honest, I have no idea why they settled in on 47, but here we are. So that's not going to happen until 2029. But if you don't start getting yourself into a cycle of managing this ahead of time, that's really going to creep up on you pretty quick.
So we've introduced here at CSC what we call Domain Control Validation as a Service, so DCVaaS. So we're the first to offer this sort of service. What we're going to do is give you the option to be able to put in the DNS record validation method. It only requires a one-time deployment per domain. That's key. I'll leave the rest of it there for you to kind of read. I want you to make sure that you go and research some of this stuff on your own.
How certificate validation works today — client, client, CSC. That's the big key is that the client has to do the work in order to be able to get the certificate back and installed on their system. When we come to DCVaaS, we've got a one-time setup. The order comes in. The validation is done by us. The issuance is done by us and then back to the client. So the client really only has to put the order in, and then with every subsequent renewal, it's back to the client. Once the setup is done, that's it. That's all you need to do is raise the order.
The digital optimization plan, it really comes to pass. You don't have to do all these steps in order. We sort of put them in a reasonable order, but it doesn't have to be. It depends on where you are in your current process. It's really important for success factors to consolidate your outliers, monitor all the usage, and of course engage the right stakeholders and partners internally to make sure that you've got those lines of communication.
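The talk lists several DNS-side controls that sit on each domain (DMARC, CAA records, and a DNS record for domain control validation) and recommends the DNS-record DCV method over the retired WHOIS-email and the copy-and-paste token. The script below is an added example, not CSC's code or the DCVaaS product: it audits constructed zone data offline for those three controls. The `_dcv` label and its token value are hypothetical placeholders (each CA or provider specifies its own record name and format), and the sample records are constructed, not the result of real lookups.

```python
"""Offline audit of DNS-side controls discussed in the webinar: a DMARC policy,
CAA records restricting which CAs may issue, and a DNS-record DCV token.
Sample data is constructed; no network lookups are made."""
import re

# Constructed sample zones. Keys are (owner name, rrtype); values are record strings.
SAMPLE_ZONE = {
    ("example.com.", "CAA"): ['0 issue "ca.example"', '0 issuewild ";"'],
    ("_dmarc.example.com.", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ("_dcv.example.com.", "TXT"): ["dcv-token-PLACEHOLDER"],  # hypothetical label and value
}
WEAK_ZONE = {
    # Two valid DMARC records: receivers must ignore DMARC entirely in that case.
    ("_dmarc.weak.example.", "TXT"): ["v=DMARC1; p=none", "v=DMARC1; p=quarantine"],
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs; returns {} if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_policy(zone, domain):
    """Return the effective DMARC 'p' tag, or None when the record is missing or ambiguous.
    RFC 7489 requires receivers to discard DMARC when more than one valid record exists."""
    records = [r for r in zone.get(("_dmarc." + domain, "TXT"), []) if parse_dmarc(r)]
    if len(records) != 1:
        return None
    return parse_dmarc(records[0]).get("p", "").lower() or None


CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def caa_issuers(zone, domain):
    """Return the set of CA domains named in 'issue' records, or None when no CAA exists
    (meaning any public CA may issue). The value ';' forbids issuance altogether."""
    rrs = zone.get((domain, "CAA"))
    if not rrs:
        return None
    allowed = set()
    for rr in rrs:
        match = CAA_RE.match(rr)
        if match and match.group(2) == "issue":
            allowed.add(match.group(3).strip())
    return allowed


def has_dns_dcv_record(zone, domain, label="_dcv"):
    """True when a TXT record exists under the (hypothetical) DCV label for the domain."""
    return bool(zone.get((f"{label}.{domain}", "TXT")))


def audit(zone, domain):
    """Return an ordered list of (check, status, detail) tuples for the domain."""
    findings = []
    policy = dmarc_policy(zone, domain)
    if policy is None:
        findings.append(("dmarc", "FAIL", "no single valid DMARC record at _dmarc." + domain))
    elif policy == "none":
        findings.append(("dmarc", "WARN", "p=none only monitors; spoofed mail is still delivered"))
    else:
        findings.append(("dmarc", "OK", f"p={policy}"))

    issuers = caa_issuers(zone, domain)
    if issuers is None:
        findings.append(("caa", "WARN", "no CAA record; any public CA may issue for this name"))
    elif issuers == {";"}:
        findings.append(("caa", "OK", "CAA forbids all issuance"))
    else:
        findings.append(("caa", "OK", "issuance restricted to " + ", ".join(sorted(issuers))))

    if has_dns_dcv_record(zone, domain):
        findings.append(("dcv", "OK", "DNS-record validation token is in place"))
    else:
        findings.append(("dcv", "WARN", "no DNS DCV record; WHOIS email is retired, token method remains"))
    return findings


if __name__ == "__main__":
    for zone, domain in ((SAMPLE_ZONE, "example.com."), (WEAK_ZONE, "weak.example.")):
        for check, status, detail in audit(zone, domain):
            print(f"{domain:16} {check:6} {status:5} {detail}")
```

The two-record DMARC case in `WEAK_ZONE` is the failure mode worth keeping in a checklist: the zone looks configured, but receivers treat it as having no policy at all, so the audit reports FAIL rather than the stricter of the two values.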