The domain name of an organisation is often the most recognisable and visible facet of its online presence. However, this same domain name can also be a major vulnerability for the organisation’s cyber security.
Domain names are relatively inexpensive to register, if available, and re-register annually. For example, a .com can cost as little as a few cents per year to somewhere around US$30.
The relatively low cost and wide range of providers offering registration services can belie the true value and criticality of a domain name.
In this post I’m going to discuss several basic means by which adversaries can use domain names to disrupt and damage an organisation. I will then talk about how to assess the risk a domain name can pose to an organisation’s cyber security, before finally rounding out with questions boards can ask of management to help satisfy themselves of whether the security in place is proportionate to the risk presented.
I will use ‘yourdomain.com’ in some of my examples in this post, but consider replacing it with your organisation’s own domain name.
What is a domain name and what does it actually do?
Simply put, domain names are memorable text-based labels that map to less memorable numerical addresses used by systems, services and protocols that underpin and run on networks, including the internet.
For example, to access the Google search engine, a user only needs to remember google.com, rather than 142.250.76.110.
And remembering an e-mail address like ted.lasso@gmail.com is a lot easier than ted.lasso@74.125.24.26.
These numbers represent “the system” that will handle a request, e.g. to return a webpage to your web browser or deliver an e-mail to a recipient on a mail server.
Public-facing websites and e-mail addresses are the most common and obvious examples of domain names in action. However, depending on your organisation’s use of technology, they may be used to identify and/or enable access to other services, sometimes by introducing a ‘subdomain’ element (also referred to as a hostname in some cases; the bit before the ‘yourdomain.com’ part), including:
- Remote/virtual access into corporate systems, e.g. remote.yourdomain.com
- Web-based access to e-mails, e.g. webmail.yourdomain.com or owa.yourdomain.com
- Access to a corporate booking system, e.g. bookings.yourdomain.com
- File storage, e.g. files.yourdomain.com
- Corporate firewall, e.g. fw001.yourdomain.com
Providing your organisation has the ability to manage your domain, it can manage the subdomain elements too.
Whilst more complicated in practice, essentially a global phonebook system exists that maps domain names, including subdomains, to those hard-to-remember numerical addresses, which are technically known as Internet Protocol (IP) addresses. The phonebook system is known as the Domain Name System (DNS).
Only specific users within your organisation should be authorised to manage the registration and associated mappings of the domain name, and any subdomains, to numerical addresses.
How domain names can be a vulnerability to an organisation’s cyber security
Inadequate security of accounts related to domain name registration ownership and domain name management can lead to the intended use of domain names being compromised, resulting in exploitation and undesirable outcomes.
Interference and alteration of mappings can result in undesirable outcomes such as the following examples:
- The e-mail servers to which e-mails should be sent can be changed, resulting in a malicious user potentially receiving all e-mails sent to addresses @yourdomain.com
- Rather than your website loading when someone types in yourdomain.com, a malicious website could be presented. Malicious websites could be used to serve up reputation-damaging content or harvest unsuspecting customers’ information.
- The record mapping a subdomain to a particular system, perhaps a critical system on your network, could simply be removed, effectively rendering the system unavailable.
An adversary doesn’t need to own a registration in order to tamper with mappings, they only need access to the account that provides the ability to update the mappings on the authoritative name servers. Authoritative name servers are like the “master phone book” for your domain name.
However, a domain registration can be “stolen”, effectively through transfer of the domain name to another entity. This is often referred to as domain hijacking.
With ownership of a domain registration, an adversary can change the authoritative name servers associated with the domain to be something they manage.
Regaining control of a domain name once it has been hijacked isn’t impossible, but it’s an experience best avoided.
Typo-squatting
Somewhat out of an organisation’s control, typo-squatting is another domain name related risk that your organisation can face.
Typo-squatting is where a malicious user registers one or more domain names that look similar to your legitimately registered domain name(s), but then use the illegitimate domain name(s) for improper purposes.
For example, if an organisation’s published domain name was qualityfarmfoods.com, a malicious user may register variations such as:
- qualityfarfoods.com
- qualtyfarmfoods.com
- a1qualityfarmfoods.com
- qualityfarmfoods.co
Note in the last example there is no typo; .co is another type of top-level domain. Country code top-level domain variations also exist, such as .com.au, .co.uk, .fr etc. Whilst a correctly spelled registration using an alternative top-level domain isn’t strictly typo-squatting, the opportunity for exploit is similar.
Typo-squatting enables subversive behaviour that leverages the reputation of a legitimate organisation.
Anyone who manages a domain name, no matter how similar or different it is to yours, can set-up services like e-mails and websites that look and feel as genuine as your own, that ultimately trick unsuspecting users into believing they are dealing with you.
Note that trademarking doesn’t automatically prevent someone from registering a domain name with trademarked text, but it can help if taking action to take down a website that is clearly intended to cause harm to your brand and organisation.
What level of risk does a poorly secured domain name pose to my organisation?
The answer to this question will depend on the types of consequences that matter to your organisation and the likelihood of them occurring if your domain name records become compromised, or malicious activities are conducted through typo-squatting that implicates your organisation.
Typical consequences of concern include:
- Financial
- Reputational
- Legal, contractual and political
- Quality of service
- Safety
If you have a risk management framework you should refer to that for further information on your organisation’s agreed settings.
Some scenarios that can give rise to one or more of the above consequences include:
- Compromised operation or availability of a website, app or other service with an online, public interface. Think e-commerce websites through which revenue is generated, software-as-a-service platforms for which service delivery agreements exist and e-mail based service delivery functions, for example customer support.
- Compromised operation or availability of a remote working system, through which staff access company resources, without which the productivity of staff is significantly impacted.
- Compromised interoperability of two or more systems or services that rely on accurate domain name records in order look each other up. Impacts can include services grinding to a halt entirely.
- Unauthorised exposure of sensitive data or information, for example through the redirection of e-mails or other information sources to a malicious user.
- Leverage of typo-squatting to distribute malicious software to trusting and unsuspecting users, which is perceived to originate from, or be associated with, your brand.
Note there are other cyber risks that can give rise to the same outcomes, independently of compromised domain name security.
Questions for boards to ask of their security management
The following four questions are a good starting point for discussion with management around your organisation’s domain name security practices.
1. What critical systems and services do we operate that require our domain name records to be readily available and of uncompromised integrity?
The more critical the associated systems and services are, the higher the value you should place on the domain name.
2. How is our domain name registration protected from domain hijacking?
You want to be sure that any attempt to transfer the domain away to another registrar by an unauthorised party is not possible, or is as difficult as possible.
Request your registrar put a transfer lock in place.
3. How do we manage access to our domain name registration and associated domain name servers?
You want as few people as possible to have access to the services used to manage the domain name. Typically the access details should be restricted to a limited few personnel.
Accounts holding registrations and management tools should use strong passwords and utilise multi-factor authentication.
4. How do we monitor for, respond to and protect our customers and operations against fraudulent use of intentionally similar but different domain registrations?
There is no simple solution to this problem. Proactively registering domain names similar to your own, if they are available, is one option. Vigilance, combined with taking action against sites that infringe on trademarks is also another line of defence.
—
Management should be prepared to provide comprehensive answers to all of the above, in the context of your organisation.
For more information on domain name system security for domain owners, which provides further technical information on some of the matters discussed in this post, refer to the following link: https://www.cyber.gov.au/acsc/view-all-content/publications/domain-name-system-security-domain-owners
Monthly cyber security insights, news and tips direct to your inbox
More information here. You can unsubscribe at any time. See Privacy Policy for further details.