Domain Security Fundamentals – Understanding & Addressing Today's Domain Security Threats

Alison Simpson, Product Marketing, MarkMonitor

Laurel Fleming, Client Partnership Manager, MarkMonitor

Agenda

. Domain Industry Update

. Understanding Today’s Threats

. Mitigating Risks

. Ongoing Best Practices

Poll

How many domains does your organization have under management?

Please select 1 of the options:

. Less than 200 domains
. 200 - 400 domains
. 400 - 5,000 domains
. 5,000+ domains

Domain Industry Update

331.9 million: Total domain names registered globally

144.2 million: Total ccTLDs registered

Top 10 ccTLDs

Verisign, The Domain Name Industry Brief, Sept. 2017

New gTLDs

New gTLD Market Share

. .top, 14%
. .xyz, 11%
. .loan, 9%
. .club, 5%
. .win, 5%
. Other, 43%

Chart legend: .top, .xyz, .loan, .club, .win, .online, .vip, .wang, .site

Internet Users

3.7 billion: Internet users today

5.0 billion: Internet users by 2020*

Internetworldstats.com, June 2016; *ICANN estimate

Security Concerns in the News Almost Every Day

. Hacked accounts
. Stolen credit cards
. Identity theft

Understanding Today’s Threats

Today’s Threats

Hackers are recognizing that domain security can be breached

Registries and registrars are exploited as technical vulnerabilities are uncovered

Attacks against domain registrants are resulting in compromised credentials

Registrar Vulnerabilities

. Lack of two factor authentication

. Social engineering attacks

. Login credentials disclosed and used to redirect sites

. Registrars need to evaluate how weak their human links are

. In many cases, a user ID and password is all that is needed

. Domains set to “Do Not Renew”

Registrant Vulnerabilities

. Sharing account login credentials across multiple users

. Unconsolidated portfolios

. Unlocked domains

. Domains not on “Auto Renew”

. Human error

. Targeted attacks

Cybersquatting

. Deceptive registrations of branded and misspelled branded domains

. 2016 was a record year for domain disputes
  . Trademark owners filed 3,036 cases under the UDRP

. 2144 cases filed 2017 YTD

Source: WIPO

Phishing Attacks

. Increase in both consumer and employee phishing attacks

. Many major breaches start as targeted phishing

. Indicators of a phishing email:
  . Name and email address don’t match
  . Uses a real organization or company name but incorrect email address
  . Poor grammar
  . Misspellings
  . Unsolicited requests for personal information
  . Attempt to prove legitimacy using words such as ‘official’

Malware

. Keyloggers track logins and passwords for corporate domain name management portals

. With this credential information, scammers can:
  . Unlock and hijack domains
  . Update name servers, or even change DNS settings
  . Effectively take sites down
  . Infect unsuspecting website visitors with malware

Domain Name Hijacking

Unauthorized access of a domain name without the consent of the domain owner

. Redirect DNS
. Domain Transfer

False Association

Registering domains to gather personal contact information from:

. Financial fraud
. Employment scams
. Malware

Impersonation on social media is a growing problem:

. There are more than 2.5 billion active social media users
. 68.3% of internet users access social media
. 92% of marketers say that social media is important to their business

Distributed Denial of Service (DDoS) Attacks

75%: Year over year increase in DDoS attacks

Every industry is a target.

[Chart: DDoS attacks by industry (Telecommunications, Public Sector, E-Commerce, Media and Entertainment, Financial, IT Services / Cloud / SaaS); segment labels: 2%, 2%, 4%, 6%, 28%, 58%]

Verisign DDoS Trends Report, Q1 2017

Inadequate Domain Coverage

Do you have relevant domain coverage for all of your trademarks?

Inadequate domain coverage can result in:

. Domain squatting
. Missed opportunities
. Costly domain acquisitions

Mitigating Risks

Poll

What department within your organization is responsible for Domain Management?

Please select 1 of the options:

. Legal
. IT/Security
. Marketing
. Compliance
. Other

Consolidation

. Centrally manage domains and SSL Certificates

. Create corporate policy to centralize domain requests

. Gain visibility into entire portfolio and protect against loss due to expiration, disgruntled employees or erroneous changes

. Utilize Reverse Whois to uncover lost or forgotten domain names

. Identify and contact individuals within the organization who are registering names:
  . Legal, IT, Marketing, E-Commerce, subsidiaries, divisions, etc.

Utilization of Hardened Registrar

. Ensure that your registrar employs a “hardened” portal – one that employs constant checks for security and code vulnerabilities the same way the web security team does for your websites

. The registrar must have a track record of being able to stay on top of new exploits, and of researching and understanding new vulnerabilities

. In addition, the registrar must be able to demonstrate use of strong internal security controls and best practices.

Registrar Safeguards

. Operational policies supporting corporate-only clients
  . Logins, passwords or auth codes never revealed / sent automatically
  . Requests for domain and DNS updates validated prior to any change
  . All automated transfer-outs manually reviewed for accuracy

. Continual monitoring of systems
  . Intrusion detection of core systems
  . Notifications of unauthorized nameserver updates

. Dedicated support staff that is familiar with your specific account

Domain Management Portal Safeguards

. Require Two-Factor Authentication

. Portal access restriction by IP Address
  . Protects against lost, stolen or compromised login credentials
  . Ensures that portal access is limited to authorized networks only

. Password management
  . Implement forced password changes at 30, 60, and 90 days

. Secure account notifications
  . Receive e-mail notices of any changes made to domains through the MarkMonitor portal

Domain Safeguards

. Implement advanced domain locking
  . Registrar lock
  . Registry lock
  . Zone lock

53% of top trafficked sites do not utilize registry lock

. Eligible domain names
  . High profile domains
  . Main websites
  . High traffic domains
  . Active e-mail address
  . Used as DNS server

Account Access

. Manage secondary user access
  . Who has access
  . Levels of access

. Single Sign On (SSO)

. Application Programming Interface (API)

SSL Certificates

. Establish Trust
. Encrypts traffic between the client browser and your server

Who Needs SSL Certificates?

. Internal or external sites which require log-in or personal information
. Domains used as email or name servers
. E-commerce sites
. Online banking
. VPN access
. Database and application servers

If you transmit the following sensitive information:

. Social Security Numbers
. Personal information
. Login credentials

Domain-Based Message Authentication, Reporting and Conformance (DMARC)

Designed to:

. Minimize the incidence of and potential phishing
. Fit into an organization’s existing process
. Collect data on outbound email activity

Goal of DMARC:

. Improve mail authentication practices of senders
. Enable receivers to reject unauthenticated messages

Security Extensions (DNSSEC)

. Ensures end-to-end DNS responses are accurate and complete

. Asserts additional levels of authentication

. Attests to the validity of the address of the site you visit

. Consumers can be assured that they are going to your site

Internal Education

. Make education – internally and externally – part of your brand protection strategy

. Employee education
  . Never send passwords, bank account numbers, or other private information in an email.
  . Avoid clicking links in emails, especially any that are requesting private information.
  . Be wary of any unexpected email attachments or links, even from people you know.
  . Look for ‘https://’ and a lock icon in the address bar before entering any private information.
  . Ensure you are running an up-to-date anti-virus program.

Ongoing Best Practices

. Keep login credentials for your domain or DNS management portals secure

. Stay abreast of industry changes and TLD launches

. Review domains prior to setting to Do Not Renew

. Install appropriate SSL Certs for your websites

. Periodic account access review
  . Review of account users
  . Review of level of access
  . Make account deactivation part of employee exit process

10 Domain Security Best Practices

1. Lock core domains at the Registry level wherever possible
2. Employ 2FA for accessing domain management and DNS management portals
3. Implement DNS monitoring to identify unauthorized changes at the registry
4. Keep login credentials for domain / DNS management portals safe
5. Disable ability to edit core domains for all users
6. Continually manage and review secondary user accounts
7. Require mandatory password updates
8. Implement IP access restrictions
9. Receive automated notifications of every domain name update
10. Utilize a corporate-only, hardened registrar

SSL Certificate Management Best Practices

1. Utilize a management solution that allows quick and secure ordering

2. Centrally manage certs and domains within a single secure online environment

3. Ensure visibility into all issued certificates and track expiration dates

4. Ensure consistency between the domain name ownership (WHOIS), the organization listed within the CSR, and the requesting organization for fastest order processing

5. Never give out the private key

a. Track the key pair’s “movement” within an enterprise; multi-server environments

Be Proactive

. Take proactive measures to protect your critical domain assets, including DNS and SSL Certificates

. Pre-emptive security measures can help reduce vulnerabilities

. Combine domain management strategies with a brand protection solution that allows you to quickly identify abuse and take appropriate action when necessary

Q&A

Thank You!

For information on MarkMonitor solutions, services and complimentary educational events:

. Contact via email: [email protected]

. Visit our website: www.markmonitor.com

. Contact via phone:
  . US: 1 (800) 745 9229
  . Europe: +44 (0) 203 206 2220
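
Added example (not part of the original slides and not MarkMonitor code): best practices 1 and 3 in the "10 Domain Security Best Practices" list, and the registrar lock / registry lock bullets under Domain Safeguards, can be spot-checked from WHOIS output. The sketch reads EPP status codes and name servers from constructed WHOIS text; treating the three server*Prohibited codes together as a registry lock, clientTransferProhibited as a registrar lock, and the approved name-server baseline are assumptions.

```python
import re

# Constructed WHOIS excerpts for illustration; not real registry output.
BASELINE_NS = {"ns1.example.net", "ns2.example.net"}  # assumed approved name servers
SAMPLE_LOCKED = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""
SAMPLE_CHANGED = """\
Domain Name: EXAMPLE.ORG
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.NET
Name Server: NS9.UNKNOWN-HOST.EXAMPLE
"""

# Assumption: a registry lock shows up as all three registry-set prohibitions.
REGISTRY_LOCK = {"serverdeleteprohibited", "servertransferprohibited",
                 "serverupdateprohibited"}

def parse_whois(text):
    """Return (EPP status codes, name servers) as lower-cased sets."""
    flags = re.M | re.I
    statuses = {s.lower() for s in re.findall(r"^\s*Domain Status:\s*(\S+)", text, flags)}
    servers = {n.lower().rstrip(".") for n in re.findall(r"^\s*Name Server:\s*(\S+)", text, flags)}
    return statuses, servers

def audit(text, baseline_ns):
    """Classify the lock level and report name servers that differ from the baseline."""
    statuses, servers = parse_whois(text)
    if REGISTRY_LOCK <= statuses:
        lock = "registry"
    elif "clienttransferprohibited" in statuses:
        lock = "registrar"
    else:
        lock = "none"
    return {"lock": lock,
            "unexpected_ns": sorted(servers - baseline_ns),
            "missing_ns": sorted(baseline_ns - servers)}

if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_CHANGED):
        print(audit(sample, BASELINE_NS))
```

A non-empty `unexpected_ns` or a `lock` value of `none` on a core domain is the condition to alert on.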