Cybersecurity Due Diligence: Secure Domain Name Registrars

When conducting cybersecurity due diligence, one of the most important steps is to find a secure domain name registrar. Cyber hijacking is an ongoing online threat that should be considered during the entire cyber due diligence process. It’s not just about protecting access to your web pages. You also need to be concerned about the security of the domain names your company purchases. Domain name registrars are one of the fundamental systems that your business relies on, and their service forms the foundation for everything from your main site to your social media outreach processes. 

Choosing the right secure domain name registrar is therefore critical for ensuring the security of your business.

Readily available resources for best practices to avoid hacker mischief fall short. An example is the manual published by the Federal Financial Institutions Examination Council (FFIEC), which includes a chapter on cybersecurity for financial institutions, but it never addresses due diligence in regard to domain name registrars. 

This is a fairly large omission.

The bottom line is you could secure domain names through an accredited ICANN registrar yet not have a clue as to what safeguards are in place to protect those names, meaning it's not a secure domain name registrar after all. Here’s why due diligence cybersecurity matters, and what you can do to secure domains and protect your registered domains from becoming a hacker’s playground. 

What is ICANN?

ICANN is the Internet Committee for Assigned Names and Numbers. One of the agency’s main tasks is to match domain names with the IP addresses related to them. This directory helps prevent duplications and provides information to ensure that potential buyers know when certain domain names are already held by other entities. 

How does this figure into the process of cybersecurity? ICANN issues accreditations to registrars, allowing them to approve and issue new domain names. While there are standards that accredited registrars must meet, they have little to nothing to do with security. 

ICANN accredited registrars are much more likely to be secure, but simply being accredited isn't enough to fully protect your domain name. Domain name registrars are critical gatekeepers between your domain name and the rest of the internet. They also hold a vast amount of information on the companies they provide services for, including sensitive data like contact details and banking details. If this information is stolen, it can cause so much damage that both the registrar and the companies it does business with have to close.

Perhaps you assumed that because an ICANN-accredited registrar obtained your domain name, you chose a secure domain name registrar. Secure domain registration alone isn’t enough, however. In fact, that registrar may or may not have sufficient protections to prevent itself from being hacked or hijacked. In other words, your domain name could be at risk this very moment.

Secure Domain Name Registrars and Third-Party Partners

But that’s not all. There’s another layer of concern. Perhaps your firm isn’t dealing directly with an ICANN registrar. Maybe there’s a third party involved as an intermediary between the firm and the registrar. That adds an additional point of entry for a cyber attack. The more points of entry for a cyber attack, the more vulnerable your domain name and website will become.

This is called “surface area” in the cybersecurity community, and is a crucial factor in how vulnerable you are to cyberattack. The more systems you use, the more likely you are to fall victim to cybercrime.

What if the Intermediary Gets Sloppy with Security?

Several things can happen if the intermediary and/or the registrar don’t practice due diligence in protecting domain names. All a hacker needs is access to the domain name control panel. Once that is established, their fun begins at your expense. 

The most likely scenario is that the domain name is pointed toward a different web server. That server may be the host to a copycat site that looks a lot like yours. The users who end up on the copycat site may find themselves infected with malware or some form of virus. There’s also the possibility that the user ends up supplying data that the hacker can use for some other type of scheme, such as login information or credit card details. Whatever the end game, it’s your reputation that suffers. 

Additionally, the hacker may take control of what’s known as the administrative email address associated with the domain name. By visiting the original domain and attempting to log in, it’s easy enough to pretend that the current password was forgotten. Instructions to reset the password get sent to the administrative email address, allowing the hacker to make the change. 

Your administrator is now locked out and the hacker is free to collect or alter all of the data associated with the site. With financial sites, that means login credentials to customer accounts, data that can be used to steal identities, and whatever other creative malfeasance the hacker can dream up. 

Fortunately, there are things that can be done to increase domain security. A number of preventative measures are in the hands of the registrar or third-party partner, but you also have some control. Knowing what you can do to increase domain name security is definitely a topic worth exploring. 

How to Investigate the Intermediary’s Due Diligence

The most direct approach to finding out if you have a secure domain name registrar and what sort of security is associated with your domain name is to investigate the protections that the registrar and the third party have in place. One point to focus on is whether or not the party is SOC 2 certified.

What does that mean? The certification affirms that the party complies with standards needed to ensure a measure of safety to clients. Obtaining certification requires successfully completing an audit process. Keeping the certification requires subsequent audits to ensure the party remains in full compliance. 

What Can Be Done to Augment Those Efforts? A Cybersecurity Due Diligence Checklist

You can support the security efforts by making the best possible use of resources provided through the registrar and the partner. That might mean employing two-factor authentication that’s offered through the partner, as well as ensuring your firewall provides a second line of defense. This cybersecurity due diligence checklist shows a few ways to increase security and avoid domain name hijacking. Secure domain registration is just a single part of the process.

  1. Pay Attention to How You Create Your Domain Names: Domain names traditionally should be memorable, but it pays to make them different, while at the same time, sensible and easy to remember. The point here is to come up with a domain name unique enough that a hacker would have trouble incorporating it into pages for a fake site.
  2. Register Using an Email Address That Doesn’t Include the Domain Name: Register with an email address that is unrelated to the domain name. If the name is hacked and the hacker changes the WHOIS data, it’s easier to convince the registrar that you were the original owner and that you were not the one who changed the email information. 
  3. Follow Best Practices to Create and Update Passwords: A decade ago, creating passwords was easier, but today’s hacker with modern password-cracking software is too sophisticated for a simple password. Go for a password around 12 characters long, change it every few months, and use multi-factor or two-factor authentication (MFA or 2FA). Too much for your brain? That explains the growing popularity of encrypted password management software that generates complex passwords, securely stores and supplies them when needed, and reminds you to change them at regular intervals. It’s the best way to stay a step ahead of the bad guys.
  4. Put a Transfer Lock on Your Domain Name: Transfer locks prevent quick transfer of domains away from a registrar as well as a web server. Before the lock can be lifted, it's necessary to provide additional information. Some domain name registrars even require an additional layer of security to transfer your domain name, such as approval from the original registrant. If you are utilizing tip #2, the hacker would then have to obtain access not only to your domain name management console, but also to your email account. Unless the hacker can provide the data and approve the transfer, the lock remains in place.
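
The check below is an added example, not part of the original article: it reads a WHOIS-style record and reports on checklist items 2 and 4 (a contact email that does not depend on the domain, and a transfer lock). The sample records are constructed, and the field labels and the `clientTransferProhibited` / `serverTransferProhibited` status names are assumed to follow common registry WHOIS output, which varies by registrar.

```python
import re

# Constructed WHOIS-style records (example.com / example.net are reserved names).
SAMPLE_WEAK = """\
Domain Name: EXAMPLE.COM
Domain Status: ok https://icann.org/epp#ok
Registrant Email: admin@example.com
Admin Email: hostmaster@mail.example.com
"""
SAMPLE_HARDENED = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Email: domains@example.net
Admin Email: REDACTED FOR PRIVACY
"""

TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def audit(text):
    """Return findings for checklist items 2 (contact email) and 4 (transfer lock)."""
    fields = parse_whois(text)
    domain = fields.get("domain name", [""])[0].lower()
    statuses = {s.split()[0].lower() for s in fields.get("domain status", [])}
    findings = []
    if not statuses & TRANSFER_LOCKS:
        findings.append("no transfer lock status present")
    for key in ("registrant email", "admin email"):
        for value in fields.get(key, []):
            m = EMAIL_RE.search(value)
            if not m:
                # Redacted or proxied contact: the record cannot confirm item 2.
                findings.append(f"{key}: not visible in record, verify in registrar console")
                continue
            host = m.group(1).lower()
            if host == domain or host.endswith("." + domain):
                findings.append(f"{key}: {m.group(0)} depends on {domain}")
    return findings
```

Running `audit()` over the records for every domain you hold gives a quick list of names that still need a lock or an independent contact address.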

AI is Your Friend

Artificial Intelligence is changing the way that many things are done in online environments. That includes how to protect domain names. Through a subset of AI known as Machine Learning (ML) that is increasingly built into cybersecurity tools, it’s becoming more feasible to stop attempted breaches. The ML can detect threats as soon as they are underway and take the appropriate countermeasures.

Apply Good Ol’ Political Pressure to Secure Cybersecurity Due Diligence

Along with the measures that the registrar, the intermediary, and you should take, there’s still the need to put pressure on the FFIEC. Until the Cybersecurity Assessment Tool specifically addresses registrars and their efforts at due diligence, a number of business sectors remain unaware to varying extents of the danger related to lax domain name security. Be polite. Be annoying. Lobby by whatever means necessary for the inclusion of registrars in the manual. 

In the meantime, individuals and companies should take steps to ensure that they don’t fall victim to cybercrime via their domain name registrar. You should put in place all the mitigating tools that we’ve mentioned above, but there is only so much you can do to protect a system that is ultimately administered by a third-party company. So you should also ask your domain registrar what they are doing to protect you against attacks, and change providers if you don’t like their answers. 

About the Author:

Samuel Bocetta

Samuel Bocetta is a former security analyst for the DoD, having spent 30-plus years bolstering cyber defenses for the Navy. He is now semi-retired and educates the public about security and privacy technology. Much of his work involved penetration testing Navy ballistic systems. He analyzed networks looking for entry points, then created security-vulnerability assessments based on findings. He also helped plan, manage and execute sophisticated “ethical” hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems.
