Michael O'Coners

How Secure is Your Domain Name?

I don’t like to waste anybody’s time, so I’m going to get right to the point. Your domain name may not be properly secured. Statistically speaking, it probably isn’t. Luckily, you can read this short article and be on your way to a secure domain name. If the mere thought of going through a security procedure sounds about as fun to you as running from a swarm of killer bees, just Schedule an Appointment with us.

Before we begin, and even though it may seem obvious, let’s explain what a domain name is.

A domain name defines a realm of services or resources under an organization’s control, typically on the internet. It provides a simple way to reach services or resources you provide to employees, partners, and customers. For most companies, their domain name is their brand, and brand has serious value. For others, the domain name is the root of all accessible services provided on the internet, most of which impact revenue. 

To acquire a domain name, one must go to a domain name registrar like GoDaddy or Network Solutions. The registrars all communicate with a central authority (ICANN) that keeps track of available domain names. 

When you purchase a domain from GoDaddy, for example, you supply contact, payment, and technical information, such as your DNS servers and more. It’s at this point where domain name security typically starts to fall apart. 

Why?

Because domain name weaknesses aren’t technical in nature; they are administrative in nature. Administrative errors can take an entire internet operation offline forever, cause irreparable harm to an organization’s reputation, hurt sales, and more. Security awareness is key.

How can all this happen with something so innocuous as administrative errors?

To answer this, let’s first look at who acquired the domain name. Often, it’s not the organization that owns it but rather an employee, a website designer, Uncle Moe, or some person nobody can seem to remember. Allow me to provide an example scenario. 

Your company hires a web designer to build a beautiful website. This web designer buys the domain name for you and gets to work. He maintains all the DNS (technical aspects of the domain name) and administrative functions through GoDaddy. Years go by, and your company has a website, email servers, and a service portal that tens of thousands of people use daily. Everything is peachy, and cash falls endlessly from the sky, until one day, all your internet services stop working. 

Not good. It’s okay to grab a convenience bag right now. 

Several hours later, your IT manager squeamishly approaches you carrying a large shield in front of him. From behind the shield, his shirt soaks up his sweat like a dry sponge. You stare at him disbelievingly as he explains that the domain name you built up for years now appears to be directed to a porn site, and he has no access to the registrar. 

Most immediate responses go something like, “What in the **** happened to our domain name?” Clenched fists and flushed faces follow.

After a quick whois (nerd speak for a way to look at your domain name’s history and ownership), you determine that many months ago the domain name was never renewed by the web developer and a shady character picked it up past the grace period. At this point, damage control begins because the odds of recovering a domain name can be slim to none, or at the very least not immediate. 

I’ll write up a future blog on how to recover lost domain names later. For now, let’s focus on securing them.

Sadly, these situations happen far more often than you might think, and there are many more just like them. From disgruntled web developers to simply outdated contact information, compromising a domain takes next to no sophistication when you have administrative failures.

Rest easy, though. I’m going to provide you with a short list of Do’s and Don’ts. So, let’s get to it!

Do’s

  • Do securely document all your domain name registration information (registrar, account information, access, authentication methods, privacy, etc.).

  • Do register the domain name with an authoritative person in the organization or at least somebody clearly documented in your “who manages the domain name” internal documentation.

  • Do register the domain name using the company address and company contact information.

  • Do register the domain name using an email address that remains alive or gets updated with turnover or email address changes in your internal documentation. Make sure you have a secondary email registered with an email address that has a domain not associated with your domain name’s account.

  • Do use two-factor authentication (multi-factor authentication, 2FA, MFA) using a company cell phone or third-party authenticator on a company cell phone. Ensure you have documented in a secure location your third-party authenticator recovery key and/or the cell phone in use.

  • Do lock your domain to prevent transfers.

  • Do set up calendar items for a quarterly domain name review to ensure everything above remains accurate, including contact information. Did I mention internal documentation?

  • Do go to the Internet Registrar’s website directly when you need to login. This prevents phishing scams—a prime attack vector for domain hijacking.

  • Do know who has access to your domain name account.

  • Do set up domain privacy or a whois lock.

  • Do use strong passwords for your registrar account.

DON’TS

  • Don’t leave the ownership of your domain name with a web development company, some random dude who does some web design, a hosting provider, or any third party outside of the organization. If your website designers acquired the domain for you, make sure they transfer the domain name to your own account.

  • Don’t set the 2FA/MFA to a phone number or email address that the organization doesn’t own.

  • Don’t set the 2FA/MFA to an application (Authy, etc.) without documenting recovery keys, etc.

  • Don’t click emails that claim to be regarding your domain name.

If you follow the above steps while keeping your internal documentation and credentials secure, you will greatly reduce the likelihood of domain name compromise or hijacking. 
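As an added example (not code from the article or from LightChange), here is a small Python check for the quarterly review: it reads a constructed RDAP-style registration record (RDAP is the JSON successor to whois) and flags a missing transfer lock, an approaching or past expiry, a registrant that isn’t your company, and a contact email hosted on the domain itself. The sample record, domain name and company names are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed RDAP-style record for a hypothetical domain; not real registry data.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-company.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2024-04-15T00:00:00Z"}],
    "entities": [{
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["org", {}, "text", "Moe Webdesign LLC"],
            ["email", {}, "text", "moe@example-company.test"],
        ]],
    }],
})

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def _vcard_field(entity, name):
    """Return the first text value for a vCard property in an RDAP entity."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None
def audit_domain(rdap_json, expected_org, now_iso, warn_days=60):
    """Run the quarterly review checks and return a list of findings."""
    rec, now, findings = json.loads(rdap_json), _ts(now_iso), []
    # Transfer lock: the "Do lock your domain" item.
    if "client transfer prohibited" not in rec.get("status", []):
        findings.append("transfer lock not set")
    # Expiry: the lapsed-renewal scenario in the story above.
    exp = next((_ts(e["eventDate"]) for e in rec.get("events", [])
                if e["eventAction"] == "expiration"), None)
    if exp is None:
        findings.append("no expiration date on record")
    elif exp <= now:
        findings.append("domain already expired")
    elif exp - now <= timedelta(days=warn_days):
        findings.append(f"expires within {warn_days} days")
    # Registrant: the company itself, reachable at an address off this domain.
    reg = next((e for e in rec.get("entities", [])
                if "registrant" in e.get("roles", [])), None)
    org = _vcard_field(reg, "org") if reg else None
    if org != expected_org:
        findings.append(f"registrant org is {org!r}, expected {expected_org!r}")
    email = (_vcard_field(reg, "email") if reg else None) or ""
    if email.lower().endswith("@" + rec["ldhName"].lower()):
        findings.append("registrant contact email lives on the domain itself")
    return findings
```

Against the sample record the transfer lock passes, while the expiry, the third-party registrant and the on-domain contact email are all flagged, which is exactly the Uncle Moe scenario.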

Even if you feel pretty good about your domain name, audit just in case. A famous guy once said: An ounce of prevention is worth a pound of cure. Sounds right to me, especially if you value your domain name.

LightChange is a premier technical solutions provider for Internet Service Providers (ISPs), Cloud Service Providers (CSPs), energy, enterprise data centers, financial institutions, medical facilities, universities and small businesses. 
