- by Andreas Soll -
Recent cases support the growing body of evidence that many domains are not secured effectively. As a result, some very recognisable domain names have been hi-jacked by third-parties. While there are a number of different attack vectors, more often than not, attackers misappropriate user credentials to gain access to the domain management portal and therefore gain control of the domain name.
Once in control, an attacker can initiate a domain transfer, DNS zone changes, website redirects, email forwarding or any number of other nefarious actions. In some cases, the ownership of a domain name has been changed and the domain has been offered for sale. Typically, hi-jacked domain names are changed to redirect to inappropriate websites. One well-known example of domain hi-jacking was when Air Malaysia’s domain name was redirected to a page with a top-hat toting, bow-tie wearing, pipe smoking lizard sporting a monacle.
So-called ‘man-in-the-middle’ attacks, which enable an attacker to capture login credentials, are often made possible by inadequate safeguards employed by the legitimate user.
The significant increase in domain attacks can largely be blamed on lack of, or poorly implemented, security measures on the side of registrants, less often on registrars or rarely registries, which make them a relatively easy target for attackers.
Especially for corporate domains, if a company website is redirected or compromised in other ways it can cause significant embarrassment but it can also have a significant financial impact – potentially running into millions of dollars in lost sales, and can even threaten its very existence to loss of consumer trust.
Such attacks can affect anyone, even global brands such as Google or Facebook were affected in the past.
Many of these attacks can be mitigated by simply deploying the right range of preventative measures. Therefore, when selecting a corporate domain provider, it is crucial to make sure that it offers a range of up-to-date security functions and even more importantly make sure that you deploy more than one of them when administering your domain portfolio.
„A system is only as safe as the person who operates it.“
Passwords still represent one of the biggest security risks. By using passwords that are too weak, easily guessable, or strings that do not contain a range of character types or passwords that have a direct link to the user, such as date of birth – users often make life very easy for attackers.
Using identical passwords for different service providers is also common practice. However, this means that the attacker only has to be successful with one service provider and can then access all other services as well. So what should a secure password look like? The correct handling and a longer combination of numbers, upper and lower case letters and special characters play an important role here.
Normally, your provider will not allow insecure passwords and should require at least 12 characters, upper and lower case letters, numbers and special characters. No smaller minimum size should be set for passwords. You should never send or receive your passwords unencrypted by e-mail or store them in plain text anywhere. Please throw away any post-it notes stuck under your keyboard now!
Consider using a "password manager" and secure it with a strong password. Use the built-in functionality to generate complex passwords. So you can use any number of secure passwords without having to remember each one individually.
2) IP ADDRESS ACCESS PROTECTION
Another way to thwart attackers is to use IP address access protection. Limit access to only a small range of IP addresses or physical locations from which you can access your domain interface. Your administrators can tell you which IP addresses or IP ranges to set. However, you must be aware that after activating this protection, you can only access your domain portfolio when using a specific IP address range, which can make administering a portfolio challenging while travelling or working from home.
3) TWO-FACTOR AUTHENTICATION
To protect your account, and yet allow you access wherever you are, you can use two-factor authentication. This security measure requires you to combine a regular password with a second factor something you possess, such as a mobile phone with a one-time password generator app. The reason for using a physical device in two factor authentication, such as a mobile phone, is that with a physical device it is usually obvious if it has been tampered with or has been stolen.
Even if an attacker could gain access to your password, he would not be able to log in without physical access to your smart phone. Your provider should also allow you to secure specific processes such as domain updates, domain deletions, changes to permissions, etc. with two-factor authentication.
4) USER MANAGEMENT WITH PERMISSIONS
Not all users need to perform all tasks. Modern domain management portals allow user-based or role-based permissions. Permissions should be allocated using the "Need to know" principle. For example, a person from accounts needs access to domain invoices, but should never need to configure domains or DNS zones. So ensure that only those users that need to perform a function have the rights to perform that function.
5) SEGMENTATION INTO BUSINESS DIVISIONS
Dividing your domains into different business areas not only helps you to maintain an overview of your entire portfolio, but will allow you to permit individual users to access only those business areas that are really relevant to them. Thus, a user still has the ability to manage domains directly related to them, but cannot access domains from other areas.
6) DOMAIN LOCK (REGISTRAR)/REGISTRY LOCK
After registering or transferring a domain name into your portfolio, it should always be automatically blocked against a transfer. Additional protection is provided by setting a block against deletions or against any changes to a domain (e.g. DNS settings). All reputable domain management providers should offer such blocking. However, it is important to know that a registry lock is not supported by all registries. If available, these locks can be set or removed at any time by authorized persons.
For strategic, valuable or business critical domains make sure to set a registry lock if it is available. After the registry lock has been set, a manual procedure must usually be initiated before the domain can be changed. The protection includes the modification of all Whois data, name servers as well as transfers and deletions.
7) CONFIRMATION PROCEDURE
Another way to reduce risk safely is employing a confirmation procedure for domain related activities. Here, changes are only permitted and executed after they have been confirmed by at least one other user. This is similar to the four-eyes principle still used in banks, where more than one person must authorise an action.
Unlike the four-eyes principle, a confirmation procedure can be carried out asynchronously. Users have the option of rejecting an request. With this procedure, internal authorisation workflows can included multiple roles and departments such as marketing, domain management, IT and legal.
Authentication codes (authcodes) are among the most important pieces of information that belongs to a domain. The authentication code of a domain entitles the user to transfer the domain to another registrar. Since there is no need to keep authcodes permanently available and display them in the interface, your domain provider should provide you with authcodes on request via a secure channel. All reputable corporate domain management providers should have this function integrated in its interface.
9) CONSOLIDATION OF THE PORTFOLIO
Consolidation of a portfolio should be an integral part of a professional domain management process. It is important to keep track of which domains you own and to get a centralized overview of all domains of your subsidiaries and divisions. A good corporate domain provider should support you in managing worldwide portfolios and enable domain registration under all country-specific TLDs (ccTLDs). Centralization is one of the key factors in corporate domain management.
10) DNS SERVER/DNSSEC
For strategic or business critical domains it is essential that 100% availability is guaranteed. Check the DNS systems of your provider and its service history. Does your provider use external DNS providers if so which ones? Does it offer you a robust Anycast DNS network, with DNSSEC capabilities and sufficient number of geographically distributed locations and DDoS protection?
Since DNS with high availability can sometimes be costly, your corporate domain management provider should also offer a range of solutions for domains which are not business critical. For example, domain names which have been registered for defensive purposes don’t necessarily need to run on high availability DNS. It should be possible to select from a range of different DNS solutions for each domain depending upon its availability needs.
In order to provide the optimum protection for your corporate domain portfolio, you should select a competent corporate domain management provider to work alongside you. Only by deploying the right range of protection measures can you achieve the best possible protection for your domains.
Consider the access options to your domain management portal, use a password manager, mandate strong passwords and make use of other protection options. Contact your provider and ask for a workshop to work out the best possible strategy for your domain protection.
If you have any questions on this topic or are interested in a professional consultation, please do not hesitate to contact our team.