Today’s blog post reflects on a webinar held last week by .au registrar and brand services provider, CSC, Domain Security Best Practices for Australian Corporations. A panel of industry experts shared their insights on all things domain security, including guest speakers Ram Mohan, Chief Operating Officer at Afilias, Dr Bruce Tonkin, Chief Operating Officer at .au Domain Administration (auDA) and Jayce Yeo, Regional Director APAC at CSC.
CSC: Corporate Registrar and Brand Services Provider
Jayce started the session with a quote from Jonathan Walfisz from the June 2020 World Trademark Review, setting the scene for an engaging discussion surrounding the current domain security landscape:
“It is without doubt that domain security is of upmost importance to every brand owner. Without these measures, a brand’s website could be vulnerable to attacks that could cause incalculable harm to customer experience and consumer trust.”
Jayce gave examples of DNS hijacking, a malicious practice in which an attacker manipulates DNS data so that a domain name resolves to rogue IP addresses under the attacker's control. These included an emergency warning issued in early 2019 by the US Department of Homeland Security mandating that all government websites take a series of actions to make sure their domain names and DNS were secure. DNS hijacking is an “old school tactic” that is still around today, largely as a result of poor domain security practices, and it is something organisations need to act on immediately.
Closer to home, Jayce reminded attendees of the recent attack on Australian Government and institutions in June 2020 which came with a security alert from PM Scott Morrison himself. For more information on the state of cybersecurity for Australian businesses refer to this blog post written by Afilias Australia and CSC in July 2020.
auDA: The administrator and Australian self-regulatory policy body for the .au ccTLD
Bruce discussed domain security from an auDA perspective, explaining that the primary objectives for the .au namespace are to ensure:
- Confidentiality of registrant information;
- Integrity of domain name information; and
- Availability of the DNS.
As the administrator and Australian self-regulatory policy body for the .au ccTLD, auDA sets the policies for the confidentiality of information provided as part of the domain name registration process (e.g. name, address and contact information for registrants). Bruce explained that the .au registry ensures phone numbers and postal addresses are kept confidential. He noted that a lot can be learned about a company’s domain security posture from its WHOIS record and addressed the importance of allocating a role-based email address as the domain name registrant contact to keep personal information private. Additionally, a role-based email address can forward to multiple people at the business, avoiding reliance on a single person to read important emails about the business’s domain name. For example, if a business has only one person connected to an account and that person leaves the company suddenly, is sick or is on holiday, it may be difficult to regain access to the domain name.
To protect the integrity of domain name information, Bruce suggested applying two-factor authentication (2FA) to domain name accounts, using registry lock as an additional layer of protection and activating Domain Name System Security Extensions (DNSSEC) to ensure that DNS responses aren’t faked, particularly during a DDoS attack. He explained the risks of poor domain security, noting that “somebody can use a Denial of Service (DoS) attack to substitute their own DNS answers on a network and redirect users to a different location altogether”. Once a user is redirected, they may be tricked via a phishing page into entering their credentials.
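As an added example (not code from the webinar, CSC, auDA or Afilias), the following Python script checks a WHOIS-style record for the controls discussed in the two paragraphs above: a role-based registrant contact, a registry lock (which normally shows up as EPP server* statuses) and DNSSEC. The record layout, the mailbox names treated as role-based and the status names are assumptions; real .au WHOIS output uses different field names.

```python
# Constructed WHOIS-style records for a hypothetical domain; not the output of any real lookup.
WEAK_RECORD = """\
Domain Name: EXAMPLE-BRAND.COM.AU
Registrant Contact Email: john.smith@gmail.com
Status: clientTransferProhibited
DNSSEC: unsigned
"""
# The same hypothetical domain after the controls discussed above are applied.
HARDENED_RECORD = """\
Domain Name: EXAMPLE-BRAND.COM.AU
Registrant Contact Email: domains@example-brand.com.au
Status: clientTransferProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Status: serverDeleteProhibited
DNSSEC: signedDelegation
"""

# EPP server* statuses are set by the registry (registry lock); client* ones are registrar-side only.
REGISTRY_LOCK_STATUSES = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}
ROLE_MAILBOXES = {"domains", "hostmaster", "dns", "it", "admin", "webmaster"}  # assumed convention
PERSONAL_MAIL_PROVIDERS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def parse_record(text):
    """Group 'Key: value' lines into a dict of lists so repeated keys such as Status are kept."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def is_role_based(email):
    """True for a shared mailbox on the organisation's own domain, not a named person or webmail."""
    local, _, domain = email.lower().partition("@")
    return domain not in PERSONAL_MAIL_PROVIDERS and local in ROLE_MAILBOXES


def audit(text):
    """Return the gaps found against role-based contact, registry lock and DNSSEC; [] means none."""
    fields = parse_record(text)
    findings = []
    for email in fields.get("registrant contact email", []):
        if not is_role_based(email):
            findings.append(f"registrant contact {email} is a personal address")
    if not set(fields.get("status", [])) & REGISTRY_LOCK_STATUSES:
        findings.append("no server-side status: registry lock not applied")
    if fields.get("dnssec", ["unsigned"])[0].lower() != "signeddelegation":
        findings.append("DNSSEC not enabled (no signed delegation)")
    return findings
```

Running `audit(WEAK_RECORD)` reports all three gaps, while `audit(HARDENED_RECORD)` returns an empty list.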
When it comes to availability, Bruce explained that many companies invest in advanced protection for their website but neglect their DNS. He stressed the importance of using high-capacity global DNS servers to protect not just website services but every service in a company that relies on the company’s domain name, such as email services and internal applications. Bruce also recommended making sure company information and that of the legal domain name licence holder (registrant) is correct. In particular, for .com.au commercial domain names, businesses should check that the registrant (or business) is a currently registered company at ASIC with an ACN (Australian Company Number) or ARBN (Australian Registered Body Number), has an active ABN (Australian Business Number) in the Australian Business Register, or has a valid Australian trademark (if a foreign company).
Afilias: The .au registry operator and global registry services provider
Ram Mohan made sure his message was clear from the beginning: to ensure business-wide domain security is in place, the value of strong encryption and security needs to be recognised across the entire enterprise, so that the correct actions can be taken. He focused on three key areas for businesses to address when securing their infrastructure:
- Logistical and physical security (e.g. following security standards, training employees);
- Data in motion (e.g. use and promotion of DNSSEC, monitoring connections and registry traffic); and
- Stored data (e.g. ensuring secure connections to access data, audited policies on data access).
Like Bruce, Ram stressed the importance of making sure domain name contact information is accurate. He suggested that good opportunities to check these details are during domain name renewal and as part of your business’s security audit process.
“Make the plan now when there isn’t a crisis. If you implement a plan when you don’t have security threats and make good processes standard, you will be much better prepared. The worst time to make a plan is when the house is on fire.”
CSC: Domain Security Industry Highlights
Jayce presented some interesting industry insights from a Domain Security Report recently conducted by CSC. Some of the more surprising findings revealed that:
- Global adoption of security measures such as Registry Lock, DNSSEC and Enterprise/Internal DNS management was low (17%, 3% and 51% respectively), with APAC adoption falling even further behind (7%, 1% and 36%).
- When looking at specific industries on a global scale, banks ranked only as moderate on the domain security maturity scale, despite managing customer Personally Identifiable Information (PII) and many financial transactions.
- 58% of ASX 100 companies use a corporate registrar to manage their domain name as opposed to 47% globally.
Jayce concluded by reminding attendees that we all have a part to play in making the internet secure for all Australians. Each speaker emphasised the power of applying domain security best practices including registry lock, 2FA and DNSSEC, and acknowledged that it is our job as industry leaders to continually educate and create awareness within the community.