Managing the risk of third parties has become a compliance focus for many large organizations. Companies even engage third-party service providers and external vendors just to manage this risk. The recent SolarWinds attack escalates the critical need for chief compliance officers to collaborate with their business counterparts to identify and mitigate potentially unknown threats that lie within third-party supply chains. Yet how can companies manage this risk when it is not a question of if but when they are attacked?
To assess, we can look at the domain and domain name system (DNS) vulnerabilities within a company’s cybersecurity posture, as this is often a blind spot for many businesses. Companies manage their domain portfolios via two general categories of domain registrars: consumer-grade registrars and enterprise-class registrars. A consumer-grade registrar specializes in domain services, websites, and email for personal use, entrepreneurs, and small businesses that are just getting started. In contrast, enterprise-class registrars focus on corporations and brand owners that require increased security, advanced capabilities, and support staff.
The registrar that your organization uses matters. As my colleague, Vin D’Angelo, mentions in Infosecurity Magazine, consumer-grade domain registrars are not inherently malicious actors, but because of certain standard business practices, they attract bad actors that carry out brand abuse, phishing attacks, and fraud. For example, on February 1, the PERL.COM domain, managed by the Perl Foundation, was hijacked by cybercriminals who redirected it to a domain parking site that may have been related to sites that distributed malware in the past. Bad actors had broken into the PERL.COM registrar account (the domain’s registrar is consumer-grade Network Solutions), and the Perl Foundation subsequently found the domain listed for sale for $190K at afternic.com, a domain parking site.
As I mentioned in my blog “Four-Pronged Approach to Keep Your Domain Names and DNS Secure from Cyber Attacks,” working with an enterprise-class provider can help you develop the right compliance checklist for your organization to select the right registrar vendor. When it comes to working with your registrar, you need to work with a provider that has invested in protecting its own systems. In essence, it takes the right people, processes, and technology.
With all of the cybersecurity threats today, your domain name registrar not only needs the right technology to protect itself and your company from a data breach, but it also needs best-in-class operations practices that put security at the forefront of its mission and of how it engages with you. An enterprise-class registrar should have ISO 27001 accredited data centers, SOC 2® compliance, and third-party penetration and vulnerability testing. It should conduct regular security tests, including tests for SQL injection and cross-site scripting (XSS).
While anyone can say they offer services that meet the needs of today’s global corporations, the onus is on you to do the homework to understand the differences between third-party providers. Companies need to understand how their choice of provider fits into decisions made about their organization’s overall security posture, along with concerns about compliance and risk.