The Foundation of Cybersecurity: Identifying and Securing Your External Digital Ecosystem
In today’s ever-evolving digital landscape, securing your domain portfolio is critical to protecting your brand, data, and reputation. Join us for Quinn's 2025 Domain Security Strategy Series, where CSC shares insights and best practices for you to take action towards strengthening your domain security strategy and mitigating cyber risks.
Key takeaways:
Understand the role of domains in your external attack surface.
Identify risks like homoglyph domains and hijacked subdomains.
Learn the benefits of enterprise-class registrars in mitigating cyber threats.
Webinar transcript
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching us on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "The Foundation of Cybersecurity: Identifying and Securing Your External Digital Ecosystem." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Quinn Taggart. Quinn is a product coach for the Digital Brand Services and assists clients in the areas of online brand and cyber strategy. Quinn has been with CSC for over 20 years, and his wealth of experience and knowledge is appreciated by brand owners as he helps them to better understand their evolving digital asset portfolio and minimize their risk. And with that, let's welcome Quinn.
Quinn: Thank you, Christy. I appreciate everybody taking the time to join us today. We're going to try to keep this around a half an hour, and I've got it in my mind to make sure that I skip some of the slides a little bit faster than others. So we'll strap her in and let's get going.
Today's agenda is pretty straightforward. We're going to take a little bit of a base foundational approach, and we're going to look at domain name life cycles. Then we're going to get into enterprise-class versus consumer-grade registrars. This is an extremely important differentiation for most people that are managing domain name portfolios. And then we're going to look at optimizing your domain portfolio as a whole. And then we're going to get into some specific and generic pieces on domain security risks and measures.
So first up is our domain name life cycle. So most people understand when I go out and I register the domain name, and I keep up on the renewals. When I don't need it anymore, I let it go. It does cycle around. And one of the key things to remember, when you do that, is that you don't just chuck things into the garbage like you would if you eat a chocolate bar and throw the wrapper away, it doesn't come back. But in the case of domains, it's a recycling kind of affair. So as long as you keep up on the renewals, you can use that domain name and have it and utilize it for whatever purposes you want.
But once the domain name expires and it heads into the redemption grace period or the pending deletion phase, which may or may not exist depending on the extension, it becomes available again for anybody else to register. And this is why it's extremely important to kind of keep an eye on your branding needs. Really old domains might have some SEO benefits to them and so on. There's a lot of little factors that are going to come into play when you're evaluating your domain portfolio for rationalizing names in and out.
Now most people's portfolios haven't gotten to the state they're at overnight. It's happened over time. And most people have been working with their inventory of domain names for maybe 10, 15, 20 years. A lot of times people haven't gotten back to the point where they're reviewing things with a critical eye. So the habit is to we'll just keep renewing it because that's what's always happened.
COVID kind of changed that approach a little bit. So people started taking a little bit more of a critical eye to it in order to be able to save money. And so this is where people are starting to look at things and starting to pare down their portfolios a little bit in order to be able to handle things. And one of the critical elements with that is that it's not so much do you need it, but what could happen if a third party picks it up on the other side and then starts to use it for say a phishing attack or spam generation or a counterfeit product site or something along that line and what's the likelihood of that.
So when we start to look at the approach towards portfolio management and asset management right now, and trust me domains are assets. There's a lot of folks that are still looking at the domain inventories as a bit of a money pit and, as a result, that they're not really considering them true assets of the organization. And as a result, what ends up happening is that people don't give the domains the appropriate level of criticality when it comes to the portfolio.
So starting with this defense-in-depth approach and we'll start with the center, and that's where we're looking at advanced domain security features. And again, this is going to be one of those key elements in enterprise-level registrars versus consumer-grade or retail registrars. So we want to make sure that we're able to identify vital domains and engage some of the higher-level security elements that go along with that, like MultiLock or Registry Lock, DNSSEC, CAA records for authorized SSL deployment, DMARC for email security and the like. It's really critical to be able to engage, enable, and manage all of those security features through your registrar.
And then, the next layer out, in gray, is where you start to look towards your user permissions. Who in the organization has the ability to do what? And one thing that CSC's domain management portal is set up to do is to be able to granularize, if that's a word, user permissions and make sure that every user has only the rights to what they're supposed to be in control of. If you've got a gentleman that's IT related and they're only allowed to do zone file maintenance, we can set those permissions up. And then when they log in to the portal, they're only allowed to do those kinds of actions. They can't register domains. They can't transfer domains. They can't lapse domains. They can only do those particular functions. It's extremely important.
Now part and parcel with that is the next layer out, when we start looking at portal access, and, of course, two-factor authentication is a must nowadays. But there's other things, like IP validation and federated ID, that'll give people the ability to take advantage of their single sign-on credentials within their organization to also access CSC's domain management portal.
And then, of course, the all-encompassing layer on the outside is where the enterprise-class provider really comes into play. And you want to make sure that if you're looking at a provider, that you really take a deep dive and make sure that they're capable of handling all of the major security and relational elements that are going to protect your brands online.
So I'll head into the next slide here. And from our F2000 Global Security Report, this is a slide that shows different security features and the difference in enablement between those particular brands that are using an enterprise-level provider versus a consumer-grade. You can see that, for the most part, a lot of the folks that are using an enterprise-level registrar are much further ahead than those that are using the consumer-grade.
Now Registry Lock is one of the biggest gaps, as you can see, 44.6% to 5.3%. And a lot of that is because that particular process, the Registry Lock process in and of itself is a bit of a manual process. And, of course, the consumer-grade registrars are all about automation. That's where their price mark is, and that's why they offer things "cheaper." And the reason being is that if they can use automation and avoid the manual handling, then they can keep their costs down.
But, of course, a lot of the consumer-grade registrars just aren't going to offer the breadth and depth of extensions because some of the extensions that are offered on a global scale are manual and they require paperwork, or they require validation of some sort for local presence or trademarks or the like. They're just not equipped to be able to deal with that. And Registry Lock, as important as that security feature is, it's a manual process, and so they're just really not equipped for that. And a lot of the other processes are in the same boat. If they can't do things from an automated fashion, then that's where it's going to kind of fall over a little bit.
So why CSC? And I'll get salesy for a second. But typically, I affectionately refer to the next two slides as kind of like the spaghetti slides. And the typical corporate environment is kind of layered this way. The arrows might go in different directions, and some of the different stakeholder groups might be a little different. But essentially, what it comes down to is that there's a lot of lines and a lot of arrows and a lot of things going back and forth.
And depending on the organization, there may or may not be a dedicated domain name management person or group that's responsible for the domain inventory as a whole. Some companies will have a dedicated team that's doing that. But for the most part, it's usually one of those little corporate hot potatoes. It might be Legal this time around. And then when somebody packs up and moves on to another department, it may end up coming down to, all right, IT gets it this time around, or Marketing gets it this time around. It's unfortunate that it happens that way.
But one of the key elements for this is kind of let's streamline this communication process a little bit. And by interjecting CSC, one of the key elements for us, of course, is that we want to be partners with our clients, not just another vendor on the docket. We want to be able to partner with our clients, be part of their team. And we can interject ourselves in between as a buffer between a lot of these different stakeholder groups and as well working with outside counsel. We're not looking to replace your outside counsel by any stretch. But we want to be able to help and guide you in the right direction so that you can maximize the effectiveness of your outside counsel resource.
And by partnering or going through that particular methodology, where we want to be a partner and you can integrate us that way, we become an extension of your team. We can take on a lot of the day-to-day kind of tasks and so on away, and then it frees you up to be able to continue doing the job that you were probably originally hired to do so.
We've informally polled our clients over the years, and we kind of settled in on anywhere between 5% and 7% of people's days kind of end up with dealing with domain names, but 110% of ours is and so you know to take advantage of us to go and help you manage things on a day-to-day basis.
So when you're choosing a domain registrar, there's a couple of red flags, and most of them are proactive versus reactive kind of approach, right? So when a client comes in and brings their portfolio to CSC, we're going to take a bit of a deep dive into their different resource management security features as well as brand protection and the like, and make sure that we're in a position to be able to assist in all the different areas that you need us for. But like I said before, a lot of times consumer-based or retail-based registrars are going to be automation based. Anything they can't automate, then they probably aren't going to offer as a service or an extension.
One of the other key things too is how they handle the lapsed market or the aftermarket. And in a lot of cases, they'll monetize trademarked domains with pay per click upon registration. If you don't do anything with it, then they'll slap pay per click up. The other thing, of course too, is that if you lapse a domain name, some of the providers may push it into an auction style setup, a warehouse that they have available. And that's unfortunate that they'll take a trademarked name and then sell it off. And they're going to offer you low-cost domains and bulk registration services. I mean, that's their bread and butter. But it comes at expense, depending on your brands and how much turnover you have on your domain inventory.
So what we do at CSC's Digital Brand Services, so I work in our DBS services or Digital Brand Services Division. CSC has other business units that do a variety of different things. But in DBS, one of the key things for us is to be able to offer that enterprise-level domain management and security. We also offer brand protection and fraud protection services. All of these integrate with each other. There really should be some arrows between this to show you that these really do lay over against each other, such that we can take advantage of all of these other different services together and being able to offer you a little comprehensive, packaged deal that goes along with keeping up on your day-to-day domain management services.
So when we look at assessing and optimizing your domain portfolio, we kind of fall into four pieces of the plot here. You're going to register the domains, and we're going to evaluate the blocks. So if you haven't or are not familiar with blocks, within the new gTLD space and now even in the "regular" space, there are blocking mechanisms that are available not for everything, only pieces. But still blocks might be a cost-effective way to be able to utilize that. You want to be able to secure your assets, and centralizing them is a key factor and making sure that you've got everything all kind of centrally located so that you can keep an eye on all the different elements. And it's not just domain names. You've got SSL certificates. You've got your TMCH registrations, your blocks. All of those assets come together under one roof. It makes it a lot easier for you to be able to keep an eye on things. And then, of course, to be able to close the loop out, you want to be able to monitor and enforce your assets. And that's going to be really, really key.
Now we'll get into some granular details on an optimal portfolio management piece. So as I mentioned, we're going to head into the eight steps to a secure domain name portfolio. Now I'm not going to belabor all these slides. Certainly if you download the deck, you'll be able to kind of peruse these at your leisure. So I'm going to kind of not really speed through these, but I am going to take only a couple minutes per in order to kind of keep us on track.
So these are the eight steps to secure a domain name portfolio. We want to centralize. We talked about that a second ago. We want to utilize automation as and where we can. We have to look at compliance because when you're dealing with domain names that are registered in certain jurisdictions and certain countries, they're going to have to utilize either local trademarks or local company names and you're going to want to make sure that you have that set up just right so that you don't run afoul of the local registries. Certainly you will want to integrate all the elements together.
You've got to have some flexibility when you're dealing with a domain name portfolio, and you might have to make up some plan B's on the fly as you go. The landscape keeps changing. There's always something new every day. I've been with the company about 21 years, and I've got to tell you it's never a dull moment when you're dealing with domains. There's always something coming up that's going to change the way you look at things. Monitoring enforcement, we talked about that as well. And then, of course, you really want to pay attention to your security posture, and we're going to touch a bit more on that later on.
So centralizing your domain portfolio is only one piece of the pie. There are a whole lot of digital elements that go together, and like I mentioned before, you've got SSLs, you've got your TMCH registrations, and everything else. But you want to make sure that you've got full control over your digital assets. Having them centralized with one vendor is going to make that a lot easier. If you have them spread out across a bunch of different vendors, it's going to make it complicated to not only manage basic things like renewals, but it might also make it complicated to manage things like pointing the names to the right places and making sure DNS and everything else is settled up as well.
You want to be able to renew things. Configured to your business needs. It's really, really important to make sure that you validate that the domain names are doing what they're supposed to be doing. Invoicing and the like is another key factor when looking at say a retail provider or a consumer-based provider versus an enterprise-level provider.
We're in the business of doing business with business. Therefore, we invoice our clients. You're not as good as your credit card, which is typical for a consumer-based registrar whereas you've got to put a credit card on the account. That's how you pay your bill. That's how you deal with things. For us, it's not like that. We're B2B, and that's the way things go. It's a little bit easier, of course, to be able to do things that way.
We're going to head into the second piece, which is automation. So there's a bunch of different things that are available to our clients. We have an API available so that your IT teams can utilize that technology to drive into the domain name management systems. It allows software components to interact. We have the federated ID, allowing you to use your single sign-on, and IP validation, things that'll help with the security between us and you.
Also too, when we look at process, right, it makes the client's vendor part of their larger workflow. No need to interrupt the workflow to log in to our system or send an email to our client service partner, right? So it gives you the advantage to self-serve if you like. APIs will give direct access into the databases. It's really important to be able to take advantage of those as and where your internal structure allows. But it also gives you the flexibility to know that, hey, this stuff exists. So is that helpful for you? Is there a way for you to improve your internal process?
Compliance, like I said before, we're looking at different things. There's a different WHOIS, restriction pieces, like GDPR, NIS2. You really want to make sure that you're reviewing things on a regular basis to make sure you've got the right company names and addresses, phone numbers, and email addresses on all of your domains. That WHOIS data is a critical element with dealing with the registries.
Integration, so combining the services together and it gives us the opportunity to be able to ensure that all of the elements are working together and that you have total control.
Flexibility, again, looking internally at how your business is structured, how you do business right now, who typically is going to ask for a new domain name, who's responsible for making sure that the domain gets pointed in the right direction. There's a variety of different things that are available for us to use with CSC's domain management system. We've got business units, parent/child accounts, user permissions, user-defined fields that are available to help with reporting and tracking different data elements. So there's a whole bunch of different ways that the system can be configured to help you out that way.
Again, changing landscape, .AI, it's for a country, but yet people associate it with artificial intelligence. The same with like .TV. People keep utilizing .TV as for television. But it actually relates to Tuvalu, which is an island chain in the South Pacific. I honestly couldn't find it on a map until I started working here. But that's the key is that power of association when it comes to looking at the digital landscape as it evolves over time. And what was relevant two, three, or four years ago might not be relevant today. Those are the kinds of things you need to review on a regular basis. .TR, .MUSIC, blocks. Other registries are also looking at different blocking products as well. It's going to grow, but it's also in transition as well.
Monitoring and enforcement is a really key element when it comes to being able to deal with and use your portfolio effectively. You want to make sure that you have control over your brands online and that people aren't sliding in where you're not looking and trying to take advantage. Now not everybody is going to infringe on your brands with a nefarious purpose in mind. But even still, if somebody registers something looking to sell it, that still degradates your brand online.
And your security posture as well. There's a whole bunch of different things that kind of fly into security on a domain name level as opposed to a network level, but they're integrated as well. So there's a whole bunch of different things that'll fly into that.
So in summary, again, back to the steps, you want to centralize your assets. Understand if your organization can benefit from the automation that's available. Set up processes to benefit from centralized management. That's going to be key. Understand compliance issues. Use a provider that's going to help you navigate industry changes. And have a monitoring solution that tracks what you can't control.
So when we look at security risks today, it's all about balance. And so we really have to make sure that you're involving all the stakeholders within the organization. Everybody has got some skin in the game, pardon the cliché, when it comes to it. Legal is primarily responsible for brand protection online. The IT folks are looking to keep the lights on and the phone not to ring. Marketing, of course, is looking for traffic. And InfoSec is looking for overall security. So everybody has got a little role to play in all of this. But when we're looking at monitoring overall and enforcement from that, that's where the key is.
And then you've got to be able to identify the vectors that people are tapping into, whether it's DNS hijacking, whether it's domain name takeover, or if it's IP spoofing, phishing attacks, typosquatting, malware. There's a whole variety of things out there, and it's growing. The landscape is growing quite a bit when you start looking at how those threats are going to make it into your domain ecosystem.
We're seeing about 80% of the breaches are via external threats. And so when you're looking at internal threat data, that's one thing. But when you start looking at the external threats using a homoglyph or a lookalike registration to launch a phishing attack, those things are key.
So the attack surface kind of looks like the old solar system map. And as you think about the defense-in-depth approach as well, looking from the inside out, there's a variety of different spots where the bad guys can kind of fall in on you. And it's important to have a provider that's going to partner with you and identify and help you identify the ones that are going to mean the most to you, so that you can focus in on being able to deal with those threats as they happen.
So when we look at the types of risks, if you've got typosquatting, you've got malicious domain registrations, hijacked subdomains and the like, one of the key things that's come out of the woodwork in the last little while are dormant domains, so domains that are registered, but they don't appear to be live at the moment. Hey, but below the surface, they can still have an active mail set up on them, and they can be used for a variety of different delivery methods.
So a bunch of different security measures to help you mitigate some of these potential risks. CAA records is a big key. It ensures only authorized certification authorities can actually issue a certificate for your domain name. It's a free thing to go and set up. It's just a matter of getting things kind of configured. Registry Lock we talked about that earlier. And, of course, making sure that you have an enterprise-class registrar.
Subdomain hijacking is one of the newer things that kind of hits people's radar. And mindful of time, I'm not going to spend a lot of piece on this. But the idea from here is when you're using your subdomains to go and bring up microsites, sometimes you're done with them and you let them go and you don't take the records out. And this could lead to some very undesirable results at the end. And so we're seeing 21% of DNS records point to content that doesn't resolve, and that can leave you vulnerable to subdomain hijacking.
Sixty-three percent show 404s or 502. So these are not founds or bad gateway errors. And again, same sort of deal. Many of the names with these records, they're configured, but they're getting a bad response, and that could be a real challenge down the road if somebody was to slide in on that. And it's possible.
So just tapping into the 2024 Domain Security Report for a second, looking at homoglyphs and lookalikes and fakes, we've seen an increase in the use of mail records set up on those. That's where people can use those for malware delivery as well as spams and scams.
And then weaponizing, it's a strong word, but it's essentially what it comes down to when we look at these third-party domains. Generally, by the time we get to crafting the Domain Security Report, a lot of domains that were being used for bad actor methodologies, like ransomware or malware delivery, have probably been dealt with. So it's not as easy for us to be able to identify, right at the moment, domains that might be actively engaged in that kind of stuff.
But I encourage you to download the 2024 Domain Security Report and have a look at all of the different intelligence that it has for you.