News

    Three golden rules of domain security

    10.05.2022

    Security is an elementary requirement of corporate domain management. Unfortunately, many companies pay too little attention to it. But what exactly does domain security mean, and how can it be implemented sustainably in one's own company?

    We spoke with Daniel Strauß, Managing Director of InterNexum GmbH in Germany (part of CentralNic’s Brand Services Division), about current threats and the actual security situation. He explains the three golden rules of domain risk management.

    BrandShelter: Daniel, you have been in the domain industry for more than 20 years now and domain risk management is your daily business, but what exactly do you mean by this?

    Daniel: I understand corporate domain management as a holistic, integral approach to optimally designing the digital namespace for a company. This goes far beyond the mere registration of domain names or the administration of DNS and involves all stakeholders: Marketing, Legal and of course IT. I am talking about a balanced interaction of domain strategy, brand protection and cybersecurity.

    Domain risk management, in turn, is the sub-area of this corporate domain management that deals specifically with domain-related threats. This means potential risks for the domain itself, but also for all services directly or indirectly connected to it, such as email, web services or apps.

    It is about ensuring the primary goals of IT security: confidentiality, integrity and availability for one's own company, as well as protecting third parties, i.e. also business partners and customers, from any damage.

    BrandShelter: Why should a company be concerned about the issue of domain security?

    Daniel: That's a very good question, but I think it's actually asked in the wrong way.

    Due to their importance, domain names have a particularly high need for protection. They are indispensable for business success, process flows and all internal and external communication. In terms of external perception, they also represent the digital identity of the company for business partners and customers, which is trusted to a high level.

    Any damage can extend far beyond the boundaries of the company. The consequences: considerable financial damage, loss of data and lasting reputation damage. In individual cases, there are also liability risks or legal consequences for managers and employees.

    The real question should be: How can a company not think of dealing with this issue?

    BrandShelter: Personal liability and legal consequences are difficult to imagine; doesn't this need legal regulations?

    Daniel: That’s correct. In 1998, German legislators laid down the obligation for corporations to identify risks at an early stage in the KonTraG. The StaRUG (Stabilisierungs- und Restrukturierungsrahmen für Unternehmen, the Stabilisation and Restructuring Framework for Enterprises), which came into force in 2021, goes much further and also includes small and medium-sized enterprises. The aim is not only to identify risks, but also to take appropriate countermeasures. The list of nationally and internationally applicable standards is long: the EU Directive on Network and Information Security (also known as the NIS Directive), the Basel Framework for Banking Supervision or the Sarbanes-Oxley Act for securities traded in the USA are only a few examples.

    The requirements of the legislators become very concrete with IT security laws, which often cover critical infrastructures, but usually also have a spreading effect on other companies. And at the latest, when we talk about data protection, every micro-enterprise and every association is involved.

    BrandShelter: Okay, got it, but what can happen to a domain?

    Daniel: This is indeed the question I get most often, even from experienced IT people. Occasionally, they even point out that the domains were registered 20 years ago and nothing has ever happened to them before - to prove that nothing will happen in the future either. For me, this is just a dangerous assumption.

    Just imagine that your most important domain is offline or goes missing and perhaps belongs to someone else tomorrow. Or let's say that the website is redirected to a foreign server that spies on or manipulates data, perhaps even calls for criminal offenses.

    Or imagine that unknown third parties send emails to your business partners, customers and prospects to spread malicious code or phishing.

    BrandShelter: But that all sounds a little bit theoretical, what are the concrete risks?

    Daniel: To list them all would go far beyond the scope of this article. Basically, we distinguish between organisational and technical risks. A lack of guidelines, unclear processes or a lack of competence of key staff or service providers are examples of organisational risks. These can temporarily affect the functionality of services and lead to the permanent and irretrievable loss of the domain, either accidentally or intentionally.

    In addition, there are technical domain risks in connection with the technologies used. Cache poisoning or DDoS attacks on the name server infrastructure use the DNS as an attack vector. Email spoofing, CEO fraud or Business Email Compromise, on the other hand, use the route of counterfeit emails.

    To put it in a nutshell: every day, we read reports about malware, phishing or ransomware attacks. The majority of these cyberattacks are spread via email. It's easy, cheap and extremely scalable. USB sticks or CD-ROMs, for those who are still familiar with them, are not even remotely competitive - aside from very specific attack scenarios.

    BrandShelter: Daniel, it sounds like these attacks are really easy to execute.

    Daniel: Let's put it this way: Forging an email sender is very easy. It only takes one line of source code and no access to the domain or the mailboxes to send messages with any sender.

    As a domain owner, however, I can protect myself from this abuse by taking specific protective measures so that business partners and customers can rely on the authenticity of my emails. There are also effective preventive measures for DNS risks to eliminate the risks of failure or manipulation as far as possible.

    The lack of these protective measures is easily recognisable. This increases the chances for the attacker and thus the risk of an actual attack.

    BrandShelter: By easily recognisable you mean that the thief sees an open window?

    Daniel: Yes, something like that, but often also a door which is wide open with a sign: "I will be back in a fortnight".

    In a non-intrusive study, we analysed 18,000 domains that can be assigned to the critical infrastructure sectors and are actively in use. Conclusion: less than 2% meet the requirements of basic IT protection. Only about 50% have taken any protective measures at all, and about 15% of these are not effective.

    So it is not a question of whether you will become a victim of an attempted attack, but when.

    BrandShelter: What exactly do you mean by basic IT protection, could you explain that in more detail?

    Daniel: Information security has three goals: confidentiality, integrity and availability, or in simple words: information or services should only be accessible to authorised persons, not be manipulated and not be lost or fail. The German Federal Office for Information Security (BSI) provides a solid foundation, guideline and working tool in its IT Basic Protection Compendium. It provides methods, instructions and recommendations on how companies or authorities can implement and ensure information security.

    For some institutions, basic IT protection is mandatory and for others it is recommended. For all others, it has a radiating effect. At the latest in an emergency, when an insurance company has to pay out, the question comes up: what was done to prevent the damage?

    BrandShelter: What can companies do to secure themselves?

    Daniel: To get started, it is enough to implement three things. I call them the 3 Golden Rules of domain security, and for each there are three questions:

    1. Awareness: Create awareness

      What contribution do domains make to the success and smooth operation of the company? What specific risks is the company exposed to? What financial damage and loss of reputation am I prepared to bear?

    2. Prevention: Ensuring an optimal level of protection

      What organisational measures are necessary? What technical measures need to be implemented? Where and how can these measures be implemented, and what support is needed?

    3. Monitoring: Checking sustainable effectiveness

      What needs to be checked and at what regular intervals? How can the existence or effectiveness of protective mechanisms be assessed? How are observations, i.e. deviations from the target state or security risks, documented and further processed?

    BrandShelter: What do you think would be the first right step?

    Daniel: The most important thing is to evaluate facts objectively. "Nothing will happen" or "everything will work out" are not good starting points. I have to convince myself that everything is correct and as I expect it to be.

    For this, I have to be prepared in principle to build up know-how in the company, to apply new tools or to get help.

    BrandShelter: Daniel, do you have any expert advice for getting started with this topic?

    Daniel: I can recommend our IT Security Guide to everyone. It covers the basics of domain risk management and cybersecurity for companies. A selection of current and potential threats and scenarios is clearly explained and supported with practical examples from the past. Furthermore, detected and deductive methods for risk identification are presented, and the assessment of risks and their impact for evaluating the extent of damage is dealt with.

    If you are interested in analysing your domain for obvious and detectable vulnerabilities, you can determine a Domain Security Score (DSS) on www.domainsecurity.info. This value between 0 and 100 is based on the weighted analysis approach of our study. A DSS between 75 and 100 is desirable and indicates good basic technical protection of the domain.

    BrandShelter: Thank you Daniel for this helpful information and the interesting conversation.
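    The "open window" Daniel describes is visible in a domain's public DNS. As an added illustration (not code from the interview, from InterNexum, or from the DSS tool on www.domainsecurity.info), the Python below evaluates the email-sender protection of a domain from its TXT records, assuming the protective measures he refers to are SPF and DMARC; the domains, records and weights are constructed for this example and are not the study's methodology.

```python
"""Evaluate the publicly visible email-authentication posture of a domain
from its DNS TXT records. Added illustration only: the sample zones and the
scoring weights are assumptions, not the interview's DSS methodology."""
import re

# Constructed sample TXT records (not real DNS data) for two hypothetical domains.
SAMPLE_TXT = {
    "weak.example": {
        "weak.example": ["v=spf1 include:_spf.mail.example +all"],  # +all: anyone may send
        "_dmarc.weak.example": [],                                   # no DMARC policy at all
    },
    "strong.example": {
        "strong.example": ["v=spf1 mx include:_spf.mail.example -all"],
        "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    },
}

def spf_terminal(records):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?') or None if no SPF."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-+~?]?)all(?:\s|$)", rec.lower())
            if m:
                return m.group(1) or "+"   # a bare 'all' means '+all'
            return "?"                     # SPF present but no terminal 'all': neutral
    return None

def dmarc_policy(records):
    """Return the DMARC p= tag ('none', 'quarantine', 'reject') or None if no DMARC."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(none|quarantine|reject)\b", rec.lower())
            return m.group(1) if m else "none"
    return None

def posture_score(domain, txt):
    """Weighted 0-100 posture score (weights assumed for this example), with the raw findings."""
    spf = spf_terminal(txt.get(domain, []))
    dmarc = dmarc_policy(txt.get("_dmarc." + domain, []))
    spf_points = {"-": 50, "~": 40, "?": 10, "+": 0, None: 0}[spf]
    dmarc_points = {"reject": 50, "quarantine": 35, "none": 15, None: 0}[dmarc]
    return spf_points + dmarc_points, spf, dmarc

if __name__ == "__main__":
    for name, zone in SAMPLE_TXT.items():
        print(name, posture_score(name, zone))
```

    A real check would fetch the TXT records with a resolver instead of the constructed dictionary; the scoring is the same.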

    Daniel Strauß is the founder and managing director of nicmanager, a brand of CentralNic’s Brand Services Division. He combines interdisciplinary competences and advises companies on the strategic orientation of corporate domain management. This includes its implementation as well as the identification, evaluation and reduction of risks. In the nicmanager.academy, which he has developed, he qualifies and coaches prospective and experienced domain managers as a trainer.

    At the Department of Computer Science at the University of Applied Sciences Zittau / Görlitz, Daniel Strauß gives lectures on the interdisciplinary significance of the DNS, current cyber risks and protective technologies.

    Daniel Strauß founded his first IT company in 1999. He began his professional career at MAN AG in Munich and continued at BMW AG. For Webasto AG, he was most recently responsible for group-wide risk management.

    As a risk management consultant, Daniel Strauß advised numerous international companies from various industries, including DAX companies, on the introduction and implementation of corporate risk management.

    Contact Daniel Strauß directly for more information on corporate domain management and domain risks. To receive the IT guide "Domain Risk Management", feel free to send him a personal message with the subject "Domain Risk Management Guide".