COVID-19 is changing how people do almost everything, e-commerce included: the first seven months of 2020 saw $434.5 billion in online purchases, with the pandemic driving an extra $93.9 billion since March, according to the Adobe Digital Economy Index.
In fact, there were only two days outside of the holiday season in 2019 in which online sales reached $2 billion. As of August, there were already 130 days this year that passed this milestone – and U.S. consumers have spent 14 billion hours shopping on the internet so far in 2020. That’s the equivalent of 1.6 million years.
Attackers have taken notice of the accelerated pivot to e-commerce and see it as an opportunity for Domain Name System (DNS) or domain name hijacking. In these incidents, adversaries take control of an organization's domain names or DNS records, which lets them redirect traffic meant for the organization (such as email and web requests) to systems they control, intercept that data, and use what they capture to get further into the network. They also use the hijacked domain to contact customers while posing as the organization, trying to get them to open malware or give up account information such as log-in credentials or credit card numbers.
To cite just one incident, in June Coincheck revealed that attackers had taken control of its account at a domestic domain registrar. They hijacked one of its domain names and used it to contact some of its customers asking them to verify account information, which led Coincheck to temporarily pause all operations while it investigated.
More than four in five companies are at elevated risk of having their DNS or domain portfolio compromised because they have not adopted basic measures to prevent it, according to our recent research. The majority, for example, use retail-grade registrars rather than enterprise-class ones, and historically cyber criminals have concentrated their attacks on retail registrars. An enterprise-class registrar offers stronger technology controls, accreditation standards, operational processes, compliance practices, and regular vulnerability assessments and penetration testing.
To ensure the deployment of enterprise-class registrars and additional best practices, organizations need to establish what we can call a “Domain Security Council.” Through such a council, chief information security officers (CISOs) collaborate with corporate C-suite members to identify, implement and continuously monitor/improve upon domain security policies and procedures.
For example, the Chief Compliance Officer would be very keen to understand the risk, and how to rate it. General Counsel would be concerned about IP rights and data privacy due to General Data Protection Regulation (GDPR). A Chief Marketing Officer would want to understand the business impact to a brand in the case of a cyberattack. There can be much at stake requiring a variety of stakeholders to weigh in.
The council would play a leadership role in taking the following essential steps:
Including domain and DNS compromises in the company risk register. Many companies use their risk register as the repository of all potential risks for compliance and prioritization. Listing these attacks there ensures that the organization treats them as known, serious risks that merit constant attention, rather than as an overlooked security blind spot.
Developing a multi-layered, defense-in-depth strategy. There is no single way to prevent domain and DNS incidents, so the council has to come up with a wide-ranging plan that includes least-privilege user permissions, two-factor authentication, IP address allow-listing and federated identity management for every account that can touch these assets. On top of that, SOC teams can monitor changes to DNS records, changes to user permissions (especially any grant of elevated permissions), and the risk profiles of the DNS providers in use.
Three further controls belong in that plan: registry lock, DNS Security Extensions (DNSSEC) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
With a registry lock, the domain is placed in a locked status at the registry itself (visible in WHOIS or RDAP as the serverUpdateProhibited, serverTransferProhibited and serverDeleteProhibited status codes), so even an attacker who has taken over the registrar account cannot change name servers, transfer or delete the domain; every change must go through an out-of-band, manually verified request. DNSSEC does not encrypt anything; the zone operator signs its records with a private key, publishes the matching public key in a DNSKEY record, and the parent zone publishes a DS record containing a hash of that key. A validating resolver checks the RRSIG signatures against that chain of trust up to the root and discards answers that do not verify, which defeats forged or tampered DNS responses. One caveat: DNSSEC does not protect against an attacker who legitimately logs in to the registrar and replaces the NS and DS records, which is exactly why registry lock matters alongside it. DMARC focuses on email authentication. It builds on SPF and DKIM: the domain owner publishes a TXT record at _dmarc.<domain> that tells receiving mail servers what to do with messages that fail authentication (p=none, p=quarantine or p=reject) and where to send aggregate reports. Only p=reject actually blocks spoofed mail; p=none merely reports on it.
Keeping up with the ever-shifting threat landscape. The best way to do this is to regularly review readily available threat intelligence reports from cybersecurity companies and consortiums, research groups, government agencies and other respected authorities. Cyber adversaries are always changing their playbook to get around new defenses, and these reports keep council leaders and IT teams informed about current and likely future threats and how to thwart them.
Establishing key performance indicators (KPIs). To constantly measure and improve progress, these should include "report card" measurements such as the percentage of vital domain names that have registry locks; a number the council reviews regularly tends to move toward 100 percent. In addition, an annual DNS health check should be required, covering how many DNS providers are in use (a single provider is a single point of failure), whether DNSSEC is deployed, and whether the authoritative name servers have DDoS protection. Lastly, internal domain security training helps build the knowledge base needed for this level of security.
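The controls and KPIs above (registry lock status, DNSSEC, DMARC policy, monitoring of critical record changes, and the percentage of vital domains with a registry lock) can be checked mechanically once an inventory job has pulled each domain's RDAP status codes and DNS records. The following is an added example, not code from the original article or from any registrar's tooling; it runs over a constructed two-domain portfolio (the names shop.example and pay.example, the status codes and the records are all made up) and assumes that a registry lock shows up as the three server*Prohibited EPP status codes, which is how most registries present it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# EPP status codes (RFC 5731) that a registry lock service sets on the domain.
# They appear in RDAP/WHOIS output; all three must be present to count as locked.
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}
# Record types whose unexpected change most often signals a hijack in progress.
CRITICAL_RECORD_TYPES = ("NS", "MX")


@dataclass
class DomainSnapshot:
    """What an inventory job would collect for one domain (constructed data below)."""
    name: str
    epp_status: Set[str]            # status codes from RDAP/WHOIS
    ds_records: List[str]           # DS RRs published in the parent zone
    dmarc_txt: Optional[str]        # TXT at _dmarc.<name>, or None if absent
    records: Dict[str, List[str]]   # current NS/MX record sets


def parse_dmarc(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag=value pairs; None if it is not DMARC."""
    if txt is None:
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def dmarc_grade(txt: Optional[str]) -> str:
    """'enforcing' only when p=reject applies to 100% of mail; p=none just reports."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))   # pct defaults to 100 in the DMARC spec
    if policy == "reject" and pct == 100:
        return "enforcing"
    if policy in ("reject", "quarantine"):
        return "partial"
    return "monitor-only"


def has_registry_lock(epp_status: Set[str]) -> bool:
    return REGISTRY_LOCK_STATUSES <= set(epp_status)


def record_changes(baseline: Dict[str, List[str]], current: Dict[str, List[str]]
                   ) -> List[Tuple[str, List[str], List[str]]]:
    """Diff critical record sets against a known-good baseline: (type, added, removed)."""
    changes = []
    for rrtype in CRITICAL_RECORD_TYPES:
        old, new = set(baseline.get(rrtype, [])), set(current.get(rrtype, []))
        if old != new:
            changes.append((rrtype, sorted(new - old), sorted(old - new)))
    return changes


def health_check(snap: DomainSnapshot,
                 baseline: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return findings for one domain; an empty list means nothing to report."""
    findings = []
    if not has_registry_lock(snap.epp_status):
        findings.append("no registry lock: a hijacked registrar account can change NS or transfer the domain")
    if not snap.ds_records:
        findings.append("no DS record at parent: zone is not DNSSEC-signed, forged answers go undetected")
    grade = dmarc_grade(snap.dmarc_txt)
    if grade != "enforcing":
        findings.append(f"DMARC is {grade}: spoofed mail from this domain is not rejected")
    if baseline is not None:
        for rrtype, added, removed in record_changes(baseline, snap.records):
            findings.append(f"{rrtype} changed since baseline: +{added} -{removed}")
    return findings


def registry_lock_kpi(portfolio: List[DomainSnapshot]) -> float:
    """The KPI from the text: percentage of vital domains carrying a registry lock."""
    if not portfolio:
        return 0.0
    locked = sum(1 for d in portfolio if has_registry_lock(d.epp_status))
    return 100.0 * locked / len(portfolio)


# Constructed sample portfolio: one well-defended domain and one exposed one.
GOOD = DomainSnapshot(
    name="shop.example",
    epp_status={"clientTransferProhibited", "serverDeleteProhibited",
                "serverTransferProhibited", "serverUpdateProhibited"},
    ds_records=["12345 13 2 0a1b2c3d4e5f"],   # made-up key tag and digest
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@shop.example; pct=100",
    records={"NS": ["ns1.dns-provider.example", "ns2.dns-provider.example"],
             "MX": ["mail.shop.example"]},
)
BAD = DomainSnapshot(
    name="pay.example",
    epp_status={"clientTransferProhibited"},   # client lock only; registrar account can clear it
    ds_records=[],
    dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@pay.example",
    records={"NS": ["ns1.attacker-controlled.example"],   # differs from the baseline below
             "MX": ["mail.pay.example"]},
)
BASELINE_PAY = {"NS": ["ns1.dns-provider.example", "ns2.dns-provider.example"],
                "MX": ["mail.pay.example"]}

if __name__ == "__main__":
    for snap, base in ((GOOD, None), (BAD, BASELINE_PAY)):
        print(snap.name, health_check(snap, base) or ["clean"])
    print(f"registry lock coverage: {registry_lock_kpi([GOOD, BAD]):.0f}%")
```

In production the snapshots would be populated from RDAP and from authoritative DNS queries taken on a schedule, and the baseline from the last reviewed snapshot. The DNSSEC check here only confirms that a DS record exists at the parent; a full check would validate the signature chain, and a change-monitoring job should also alert on the DS record itself changing, since that is what an attacker with registrar access would alter.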
In decades past, we turned to the Yellow Pages to contact a business, and there was never any reason to suspect that the listed phone number for a store would connect us to a criminal instead. The digital age brings greater efficiency and convenience, but it also introduces new dangers. For all intents and purposes, the collective DNS is the modern Yellow Pages, and companies that fail to recognize their exposure here risk a compromised network, lost sales, and damage to brand reputation and customer loyalty.
That's why a Domain Security Council proves so critical. CISOs and their fellow corporate leaders must work together to recognize DNS as a potentially major source of threats; launch a comprehensive defense-in-depth strategy; educate themselves about present and emerging attacks; and track progress through actionable KPIs. Their domain names and DNS will never be 100 percent secure. But they will be well enough defended that attackers trying to hijack the "phone numbers" within grow frustrated and move on to a less protected victim.