Home M3AAWG Blog Beyond Basic Domain Management: Securing Your Brand

Authored by: Brands Committee Chairs

 

After the foundation is set and the brand has the basic security in place see Part 1 of this series https://bit.ly/3LRzW6s for more info and tips what are the next best steps to help further protect the brand? There are several quick wins that a brand can take to give that added extra line of defense.

Set up aliases for notifications
Use a role account rather than an individual’s personal account. This ensures that notifications will be seen even if the normal lead person is on sick or on vacation, or has left the company.

Decide how to handle authoritative DNS needs
This will require some research in order to know which is the right solution for the brand’s need. Will the brand run local authoritative domain name servers using free/open-source software? Or an on-premises commercial DNS appliance? Or a cloud-based authoritative DNS service? Partner with your registrar, to help make this decision. Whichever you select, audit your DNS configuration with free tools like https://zonemaster.iis.se/en/

Research and choose the right registrar
Different registrars specialize in serving different market niches. For example, some registrars specialize in budget one-off mass-market registrations for hobbyist domains; others may have features that are particularly attractive to efficient bulk domain registration by speculators. Others may target users with a particular first language (Chinese, French, German, Russian, Spanish, etc.). Consider registering your domain via a registrar that specializes in registering and protecting those critical assets. Also, there may be other domains that should also be registered for additional protection, production domains or core domains for example.

Register similar domains (defensive registration)
Domains that mimic the brand; brand.co.uk, for example, when your domain is brand.com. Create a policy for registration of high-risk domains that are not used for production. These can include "look alike", typo, common abbreviations or shortenings of your company name (e.g. BofA for Bank of America), combined with commonly abused terms like "login" or "account", or other vectors you have had to combat. You cannot register an infinite number of these, so prioritize and set a budget. Reevaluate based on ongoing experience. Such work should be coordinated with monitoring and malicious domain mitigation programs.

Combine SSL certificate management with DNS management
SSL/TLS certificates aren't, strictly speaking, DNS-related, they are often administered by the same team, and exhibit similar legal or technical challenges. Consider consolidating their management with the domain administrator or team.

Perform a risk assessment on all domain names
And then implement a service known as a “registry lock”. Registry locks allow registrants an extra out of band protection against unauthorized changes or accidental deletions. Some registrars also provide a registrar lock service, adding still another level of security above what registry lock offers. Registrar-locked domains require out-of-band confirmation before any changes are made.

Back up DNS configuration
Storing DNS configuration securely will mean the brand can always revert if settings are lost for any reason (e.g., account compromise). Develop a strategy for urgent restoration of domain name and DNS configuration as part of business continuity planning and table top exercises. Investigate whether business interruption and losses related to a domain name or DNS configuration incident are covered by the organization’s insurance policies. Incorporate domain name hijacking into incident response and business continuity planning.

Monitor for abusive third-party domains
Research to see if there are any third-party domains that may be causing problems for your brand.

These additional measures will help protect the brand and every extra step a brand takes will keep the fraudsters frustrated. Stop fraudsters before they have a chance to damage your brand.

In our next and final blog on domain management to protect your brand, we will cover attack vectors with recommended mitigations to help you maintain a strong security posture. More details and prescriptive guidance is also provided in our Domain Management Best Practices document, available here, www.m3AAWG.org/BPK-DM02-2022

The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.