COMMENTARY: Organizations prepare crisis plans for various risks, including physical emergencies, product recalls, and data breaches, but what about domain security incidents?
An organization’s portfolio of domains is a set of critical digital assets that can cause substantial damage if not properly secured and managed. Unfortunately, not all organizations are set up for success when it comes to preventing a major domain attack, or to responding effectively when one happens.
Domain security incidents extend beyond typical cybersecurity concerns like website hacks or phishing attacks. Threats to domain security can include more nuanced actions, such as unauthorized access or changes made to an organization’s domain, subdomain takeover attacks, and fraudulent domain registrations used for impersonation, all of which can have devastating effects on entire organizations if not handled properly from the start.
That’s why it’s crucial for organizations to proactively equip their teams with preventative strategies and an incident response process, grounded in an understanding of the potential risks to the organization’s domain security, how to address them, and who’s responsible for them.
Here are three steps security teams can follow to guide the development of a successful domain security crisis plan:
1. Establish a digital governance council: Nothing complicates a crisis more than trying to identify stakeholders in the middle of one. It’s very important for companies to establish a digital governance council. This group serves as a cross-functional team with clearly defined roles for who’s responsible for what before, during and after a crisis. Part of the digital governance council’s responsibility should include “owning” domain security at the organization, because this group will serve as the go-to resource for any security enforcement or domain takedowns that are needed when a crisis hits. Stakeholders to consider for the council include representatives from legal, cybersecurity, information technology, and marketing or branding teams. These people have unique expertise in managing the legal implications, security and technology impacts, and public perception following a crisis. For the council to succeed, the company has to promote open communication and prevent perspective silos.

2. Create a map of domain compromise: The nature of a domain security incident typically determines how drastically it will impact an organization. When an incident occurs, it’s essential to first assess where the problem happened. Has a domain name server been compromised or changed? Was it an internal or external issue? Make sure security around the domain itself hasn’t also been compromised; the team can determine this by checking the history of changes made to the domain, which gives a first picture of the issue. Automating the regular collection of audit logs can offer great value for such assessments. After identifying where the issue occurred, assess the scope of the compromise. How broad did the compromise go, and how broad can it go? Sometimes a compromise happens at the domain registry, and if that’s the case, the organization will need to work with its registrar, because the scope of the compromise is much wider than the organization’s own domain level.

Assessing where the incident occurred and the scope of its impact ultimately creates a “map” of domain compromise, which lets the digital governance council plot its next move with a complete view of the situation. In an ideal world, teams create multiple maps of potential compromise in advance so they’re mentally prepared with strategic next steps when an incident happens.

3. Evaluate and strengthen security policies: It’s essential to review a domain security crisis plan on a regular basis to assess its effectiveness and whether any protocols need updating. Organizations should review over time how effectively they’ve been managing access and credentials, and also how well their third parties and partners are managing them. Some registrars still enable sharing of credentials or rely heavily on third parties, which can present a real risk to domain security. Investing in proper credential management can help prevent disruptions and compromises. The review process should align with how regularly security and policy updates are made, or with major changes to the organization. If an organization switches to a new domain registrar, or has completed a new acquisition, the team should revise the domain security crisis plan as those changes are made.
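The “map of domain compromise” in step 2 can be drafted automatically from three inputs the column names: a known-good baseline, what monitoring currently observes, and the registrar’s change history. The script below is an added illustration, not code from the column or from CSC; the domains, actor names, audit-log format and action names are constructed, and in a real deployment the observed state and log would come from your registrar portal or API, RDAP/WHOIS and DNS.

```python
"""Draft a map of domain compromise: for each domain, diff the observed state
against the baseline, attribute each drift to registrar audit-log events
(internal vs. external actor, or unlogged), and flag registry-level changes
that the organization cannot resolve without its registrar.
All data below is constructed sample data for this example."""
from collections import namedtuple

Finding = namedtuple("Finding", "domain layer detail origin scope")

# Known-good baseline, recorded while the domains were healthy (constructed).
BASELINE = {
    "example.com": {"nameservers": {"ns1.example.net", "ns2.example.net"},
                    "registrar": "Registrar A", "locked": True},
    "example.org": {"nameservers": {"ns1.example.net", "ns2.example.net"},
                    "registrar": "Registrar A", "locked": True},
}
# What monitoring sees right now (constructed: .com lost its lock and
# points at foreign nameservers, .org was transferred to another registrar).
OBSERVED = {
    "example.com": {"nameservers": {"ns1.rogue-dns.test", "ns2.rogue-dns.test"},
                    "registrar": "Registrar A", "locked": False},
    "example.org": {"nameservers": {"ns1.example.net", "ns2.example.net"},
                    "registrar": "Registrar B", "locked": True},
}
INTERNAL_ACTORS = {"alice@example.com", "bob@example.com"}
# Constructed registrar audit log: "<timestamp> <domain> <actor> <action>".
AUDIT_LOG = """\
2024-05-01T10:02:11Z example.com alice@example.com UPDATE_NAMESERVERS
2024-05-01T10:03:40Z example.com api-key-7f3 REMOVE_REGISTRAR_LOCK
2024-05-02T08:15:00Z example.org bob@example.com RENEW
"""
# Which hypothetical audit action explains drift in which field, and at which layer.
DRIFT = {"nameservers": ("dns", "UPDATE_NAMESERVERS"),
         "locked": ("registrar", "REMOVE_REGISTRAR_LOCK"),
         "registrar": ("registry", "TRANSFER_OUT")}

def parse_log(text):
    """Return (timestamp, domain, actor, action) tuples from the audit log."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def assess(domain, observed, baseline, events):
    """One Finding per field that differs from baseline, with origin and scope."""
    findings = []
    for field, (layer, action) in DRIFT.items():
        if observed[field] == baseline[field]:
            continue
        actors = {e[2] for e in events if e[1] == domain and e[3] == action}
        origin = ("unlogged" if not actors else
                  "internal" if actors <= INTERNAL_ACTORS else "external")
        # A registry-level change (e.g. transfer) is wider than the domain level.
        scope = "work with registrar/registry" if layer == "registry" else "domain-level"
        findings.append(Finding(domain, layer, f"{field}: {baseline[field]} -> {observed[field]}", origin, scope))
    return findings

def compromise_map(observed=OBSERVED, baseline=BASELINE, log=AUDIT_LOG):
    """Map each baseline domain to its list of findings."""
    events = parse_log(log)
    return {d: assess(d, observed[d], baseline[d], events) for d in baseline}
```

Run as-is, example.com yields an internally-logged nameserver change plus an external lock removal, while example.org shows an unlogged registrar transfer that must be escalated to the registrar.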
Many organizations prepare crisis communication plans with the hope that they will never need them, but a crisis can happen when we least expect it. Emergency preparedness ensures a smoother response process, maximizes efficiency, and reduces avoidable mistakes that could worsen the situation.
Finally, by developing a domain crisis plan, companies put their organizations in a stronger position to prevent devastating attacks, financial loss, and reputational damage.
Walt Fry, director of technology, Domain Products, CSC
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.