Did you know that a recent study conducted by SiteLock found that websites encounter an average of 94 cyber-attacks each and every single day? That’s right – and this report was based on an analysis of 7 million websites. So, with that in mind, we want you to take a moment to ask yourself – how is your domain security holding up?
As technology continues to evolve and cyber threats continue to become more and more sophisticated, business owners now more than ever must remain vigilant in their efforts to secure their domains and protect their brand. This article will provide you with 10 steps you can take to boost domain security and help better position your company against cyber-attacks in 2022.
1. Choose a domain registrar with a solid reputation
A domain registrar, much as its name implies, is a company which manages the registration of domains. There are countless registrars on the market, which makes it extremely important that you perform due diligence in singling out the ones with a solid reputation.
The easiest way to choose a reputable registrar is to focus on those accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). Popular accredited registrars in the United States include GoDaddy, Domain.com, BlueHost, and NetworkSolutions, though the full list is far more extensive. When choosing a registrar, consider reputation first, and only then weigh other factors such as features and cost.
2. Register your domain for the longest amount of time possible
Companies are often at their most vulnerable to domain security threats when their domain registrations expire. An expired registration gives attackers the opportunity to grab your brand's primary and/or look-alike domains for their own dubious purposes.
As a result, it's important to minimize, if not completely eliminate, any lapse between registrations. One simple way to do this is to register your domain for the longest term possible. This significantly reduces the number of times your company has to keep tabs on registration expiry and renewal and, as a result, provides you with a little extra peace of mind.
3. Add a security contact for your company
Adding a security contact for your company is another easy tactic that you can implement to get a leg up on domain security. In fact, this is something you could literally take care of as soon as you finish this article.
A security contact is an individual (ideally, a team or a department) that is capable of “evaluating or triaging” any potential notifications about threats, vulnerabilities, or compromised accounts regarding your brand.
Security contacts can be added or changed at any time through the .gov registrar. Once a security contact is added there, the information is made publicly available in WHOIS (a public directory of domain owners and their contact information), which streamlines the process of reporting and receiving notifications about threats to your company. It is also highly recommended to publish your security contact information on your website so that it is easy for people to reach you when an issue arises.
4. Secure domain access
Another quick and easy way to get started on boosting domain security is to ensure that you’ve taken measures to secure domain access. In most cases, domain access is limited because most registrars require login credentials. However, when choosing a registrar, you’ll want to consider whether or not they offer any added protections such as two-factor authentication or IP validation.
5. Consider registering look-alike domains
Look-alike domains, much as their name implies, are domains that look very similar to your primary domain. A look-alike domain could simply use a different top-level domain than your website (e.g. .org vs. .com) or include a common misspelling (e.g. facebook.com vs. fcebook.com). Believe it or not, typosquatting is a very common threat, and registering the most likely look-alikes yourself is one of the main ways your company can mitigate the risk of falling victim to it.
6. Remove your personal data from WHOIS
We discussed the importance of including a security contact for your company who is able to route any reports regarding potential or existing threats to your company's domain. That said, it is equally important to limit the exposure of personal data in the directory.
WHOIS is great when it comes to registering security contact information for a company, but keep in mind that this information is publicly available. As a result, it’s best if you don’t include any personal information such as your name, or an associate’s name and/or personal contact information such as phone numbers or email addresses. Instead, use department information to prevent potential instances of identity theft.
7. Create a vulnerability disclosure policy (VDP)
A vulnerability disclosure policy is a document which outlines the process your company takes when it comes to receiving and addressing vulnerability reports. When it comes to drafting a solid VDP, you may want to look into collaborating with a representative of your legal team. If you’re new to the world of VDPs – fret not – there are numerous reputable examples and templates you can refer to in order to get a stronger understanding of what they should and can entail.
8. Enable Registry Lock
Enabling registry lock is a quick and easy way to prevent unauthorized transfers or changes to your domain. This is especially effective in preventing domain hijacking, in which an attacker gains access to your registration data and ultimately administrative control over your domain name.
Registry-level locking with a reputable service provider such as Verisign helps prevent this because it requires “additional levels of authentication between the registry…and the registrar of the domain name”.
For example, in the case of Verisign, any request to make changes to the domain must first be routed through and approved by the company. The additional precautions taken to ensure such requests are legitimate include the creation of a security PIN, establishing an authorized individual at the registrar, and phone call verification with Verisign.
9. Set your domain up for preloading
Another rather straightforward tactic you can implement to beef up your domain security is to set your domain up for what is called "preloading". Doing so is as simple as submitting your domain for inclusion in the browsers' HTTP Strict Transport Security (HSTS) preload list. Once this is done, web browsers such as Chrome and Firefox automatically use HTTPS to connect to your website (as opposed to unencrypted HTTP), even on the very first visit.
A great example of this is essentially any government website. If you navigate to whitehouse.gov without entering the protocol, or you incorrectly enter the protocol as HTTP, the browser will automatically take you to the HTTPS:// version of the website. Essentially, preloading your domain ensures that whoever visits your website is always doing so over a secure connection.
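Before submitting a domain, it helps to confirm that the Strict-Transport-Security header it serves meets the preload list's requirements. The following is an added example (not code from the original article) that checks a header value against those requirements; the sample header values are constructed so that it runs offline without an HTTP request.

```python
# Added example: check whether a Strict-Transport-Security header value meets
# the hstspreload.org submission requirements (max-age of at least one year,
# includeSubDomains, and the preload directive). Header values are constructed
# samples rather than responses fetched from a live site.

ONE_YEAR = 31536000  # preload list requires max-age >= 1 year, in seconds


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into a dict of lowercase directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        # Valueless directives (includeSubDomains, preload) are stored as True.
        directives[name.strip().lower()] = value.strip() if sep else True
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons the header is NOT preload-eligible (empty list = OK)."""
    d = parse_hsts(header)
    problems = []
    max_age = d.get("max-age")
    if max_age is None:
        problems.append("missing max-age")
    else:
        try:
            if int(max_age) < ONE_YEAR:
                problems.append("max-age below one year (%s)" % max_age)
        except ValueError:
            problems.append("max-age is not an integer")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


# Constructed sample header values as a scanner might observe them.
SAMPLES = {
    "weak": "max-age=300",
    "no_preload": "max-age=63072000; includeSubDomains",
    "good": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", preload_problems(value) or "preload-eligible")
```

The header is only part of the requirement: the preload list also expects a valid certificate and a redirect from HTTP to HTTPS on the same host, which a header check alone cannot verify.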
10. Use DMARC for email validation
DMARC stands for “Domain-based Message Authentication, Reporting and Conformance”. Yep – it’s a mouthful, but, it’s crucial when it comes to protecting your domain in email.
Before we get into the details of DMARC, we feel that it would be helpful to also provide a little context into the related technologies that are SPF and DKIM.
SPF stands for “Sender Policy Framework”. SPF essentially allows your company to detail which “specific IP addresses are authorized to send mail on behalf of your domain”. Once this information is recorded, a receiver authenticates an email message by “comparing the IP address of the sending email server against the addresses listed on the SPF record”. If they match with the IP addresses included on the list, then an email message is authenticated.
DKIM stands for "DomainKeys Identified Mail" and deals with the cryptographic signing of individual email messages. With DKIM, the sending server attaches a signature to the message in a DKIM-Signature header; the receiver looks up the signing domain's public key in DNS and verifies the signature against the message it received. If the signature verifies, the message is authenticated.
DMARC is also an email authentication policy/filter, and it essentially requires that at least one of SPF or DKIM "pass…authentication checks" and be "in alignment with the domain" in the sender's address. The DMARC record also tells receivers what to do with mail that fails (monitor, quarantine, or reject) and where to send reports.
All of this helps to prevent email spoofing attacks by adding layers of authentication that make it difficult for attackers to carry out their schemes. If you're interested in setting up this additional layer of protection, contact your developer, or check out this nifty guide on how to implement a basic DMARC setup.
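Once SPF and DMARC records are published, it is worth checking that they actually enforce something. The following is an added example (not code from the original article) that evaluates SPF and DMARC TXT records for common weak settings; the records are constructed samples passed in directly, so no DNS lookup is performed and the code runs offline.

```python
# Added example: flag weak settings in SPF and DMARC TXT records. The records
# below are constructed samples (the domains are placeholders), not records
# from a real domain; a real deployment would fetch them via DNS.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_problems(record: str) -> list:
    """Return SPF terms that let arbitrary senders pass or weaken enforcement."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    problems = []
    if "+all" in terms or "all" in terms:  # bare 'all' means '+all'
        problems.append("'+all' authorizes every IP on the internet")
    if "?all" in terms:
        problems.append("'?all' is neutral and provides no protection")
    if "~all" in terms:
        problems.append("'~all' softfail; '-all' is stricter once SPF is trusted")
    if sum(t.startswith("include:") for t in terms) > 10:
        problems.append("more than 10 include terms: exceeds the DNS lookup limit")
    return problems


def dmarc_problems(record: str) -> list:
    """Return DMARC settings that only monitor or cover only part of the mail."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy == "none":
        problems.append("p=none only reports; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        problems.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        problems.append("no rua= address: you will not receive aggregate reports")
    return problems


# Constructed sample records (placeholder domains and addresses).
WEAK_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```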
There are countless tactics out there currently threatening the security of your domain. From registrar hacking, to domain hijacking and spoofing, to typosquatting and DoS attacks, there are almost too many to count. What's worse, each and every day attackers become savvier with their techniques. Don't make the mistake of putting domain security on the back burner. With these 10 steps, you can get started on fortifying your digital assets as soon as today.
Are you interested in taking the next step towards protecting your domain and improving website security? If you’re interested in learning how to get started, contact us today to learn more.