Imagine that your company's domain name and website are your kingdom. How would you defend that kingdom from outside attack?
Part I – Keys to the kingdom.
The first job is to prevent the “keys to the kingdom” from falling into the wrong hands. If that happens, the attacker takes everything from you in one fell swoop: one day you wake up and find that you no longer control the company domain name, and whoever does now controls the company website and email. So, as the business owner, ask yourself these two questions:
Where do the renewal mails for domain name registration go?
Who has the password for our domain name registration account?
If the answer to either of these questions is “I don’t know” then you potentially have a problem on your hands.
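Both questions can be checked against the public registration record rather than from memory. The script below is an added example, not part of the original post: it takes the text a registrar's WHOIS service returns (here a constructed sample, not a real record), reads the expiry date and the contact e-mail addresses, and flags an expiry that is close and any contact address that lives on the domain being protected. A practitioner would feed it the output of `whois example.com` for their own domain.

```python
"""Audit a domain's registration record for the two questions above:
when does it expire, and where do the renewal notices go?"""
import re
from datetime import datetime, timezone, timedelta

# Constructed sample in the style of a registrar WHOIS reply.
# Not real registration data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar Registration Expiration Date: 2025-03-14T04:00:00Z
Registrant Email: owner@example.com
Admin Email: admin@example.com
Tech Email: hosting@some-provider.invalid
"""


def parse_whois(text):
    """Return (expiry datetime or None, {role: email}) from WHOIS-style text."""
    expiry = None
    m = re.search(r"Expir\w* Date:\s*(\S+)", text, re.IGNORECASE)
    if m:
        expiry = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
    # Lines such as "Admin Email: admin@example.com" -> {"Admin": "admin@example.com"}
    emails = dict(re.findall(r"^(\w+) Email:\s*(\S+)", text,
                             re.MULTILINE | re.IGNORECASE))
    return expiry, emails


def audit(domain, text, today, warn_days=60):
    """Return a list of findings; an empty list means nothing needs attention.

    today is a YYYY-MM-DD string so the check is reproducible.
    """
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = []
    expiry, emails = parse_whois(text)
    if expiry is None:
        findings.append("no expiry date found in record")
    elif expiry < now:
        findings.append(f"registration already expired on {expiry.date()}")
    elif expiry - now < timedelta(days=warn_days):
        days = (expiry - now).days
        findings.append(f"expires in {days} days ({expiry.date()})")
    for role, addr in emails.items():
        # A contact mailbox on the domain itself disappears together with the domain.
        if addr.lower().endswith("@" + domain.lower()):
            findings.append(f"{role} contact {addr} is hosted on the domain itself")
    return findings


if __name__ == "__main__":
    for finding in audit("example.com", SAMPLE_WHOIS, "2025-01-20"):
        print("WARNING:", finding)
```

Run against the sample with a date of 2025-01-20 it reports three findings: the registration expires in 53 days, and both the Registrant and Admin contacts are @example.com addresses, which is the mistake the next part of this post warns about.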
Even when domain name renewal is being handled correctly and the password is secure, attackers will still look for ways to access your domain name registration account.
Common attacks are:
- Password capture
- Compromising the “Forgot password” email address
- Social engineering (calling up the help desk of the domain registrar and impersonating you)
Password capture
Here the attackers attempt to capture your password, either by installing a keylogger trojan on your computer or by tricking you into entering your password into a fake login screen (phishing).
To protect against password capture you need to assume that the attackers will one day succeed in capturing your domain name registration account password. With this in mind you should use a domain name registrar that supports two-factor authentication, so that the password alone is not enough to log in. Where the registrar offers a choice, prefer an authenticator app or hardware token over codes sent by SMS, since a phone number can be transferred to an attacker.
If your domain registrar does not support two-factor authentication, change to one that does.
Compromising the “forgot password” email address
Many sites, including most domain registrars, provide an option to reset a forgotten password. This can be exploited if the attacker has managed to compromise the mailbox that receives the reset link: they request a reset, read the link from your mailbox and set a password of their own, without ever needing to capture the original.
- Use a domain registrar that provides an option to disable the “forgot password” reset link.
- Use a dedicated and closely guarded email address for domain registration purposes.
- Ensure that the email address has 2-factor authentication enabled on it.
- Do not use an @example.com email address for registering the example.com domain! If you lose control of the domain, you also lose the mailbox you would need to recover it.
Social engineering
Here the attacker will call up the help desk and pretend to be you. They might know your birth date or your credit card number. This attack is one of the hardest to defend against.
- Register with your real name. It should (in theory) be much easier for you to prove that you are you than for someone else to.
- Limit access to information: if the attackers don’t have your birth date they can’t use it.
- Call the helpdesk before the attackers do. Ask what protections are in place for this kind of attack and ask to speak with someone senior (if you are the business owner ask to speak to the MD). Establish a relationship with your domain registrar before the hackers do.
- Research the registrar and see if they have put in place policies for handling social engineering attacks.
- Make it harder for attackers to impersonate you by email by implementing SPF, DKIM and DMARC, the email authentication protocols that let receiving mail servers reject messages claiming to come from your domain that were not sent by you. These protocols are also recommended for limiting phishing attacks.
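SPF and DMARC are published as DNS TXT records, and a weak record gives almost no protection. The script below is an added example, not part of the original post: it parses the two records and reports settings that leave the domain open to spoofing, with a deliberately weak pair of constructed records shown beside a corrected pair. The domain name, the mail provider name and the records themselves are made up for illustration. DKIM is not checked here because a DKIM lookup needs the selector name the sending system uses, which is not known from the domain alone.

```python
"""Audit SPF and DMARC TXT records for settings that still allow spoofing."""

# Constructed records for illustration; not looked up from real DNS.
RECORDS = {
    "weak": {
        # "+all" authorises every host on the internet to send as example.com.
        "example.com": ["v=spf1 a mx +all"],
        # "p=none" asks receivers to deliver failing mail and only send reports.
        "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    },
    "strong": {
        # Only the MX hosts and the provider's published senders; everything else fails.
        "example.com": ["v=spf1 mx include:_spf.mailprovider.invalid -all"],
        # Reject failing mail, require exact domain alignment, keep the reports flowing.
        "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"],
    },
}


def parse_spf(txt):
    """Return {'terms': [...], 'all': qualifier} for an SPF record, else None.

    The qualifier of the final 'all' mechanism decides what happens to senders
    not listed earlier: '+' pass, '?' neutral, '~' softfail, '-' fail.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"terms": terms[1:], "all": qualifier}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value, else None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def audit(domain, lookup):
    """lookup(name) -> list of TXT strings for that DNS name. Returns findings."""
    findings = []
    spf = [s for s in (parse_spf(t) for t in lookup(domain)) if s]
    if not spf:
        findings.append("no SPF record: anyone can send mail as this domain")
    else:
        if len(spf) > 1:
            findings.append("multiple SPF records: receivers treat this as a permanent error")
        q = spf[0]["all"]
        if q in (None, "+", "?"):
            findings.append(f"SPF '{q or 'missing '}all' does not reject unauthorised senders")
        elif q == "~":
            findings.append("SPF '~all' only softfails; move to '-all' once reports show no legitimate sender is missed")
    dmarc = [d for d in (parse_dmarc(t) for t in lookup("_dmarc." + domain)) if d]
    if not dmarc:
        findings.append("no DMARC record: receivers have no policy for mail failing SPF/DKIM")
    else:
        if dmarc[0].get("p", "none").lower() == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc[0]:
            findings.append("DMARC has no rua= address, so you receive no aggregate reports")
    return findings


def audit_sample(which):
    """Audit one of the constructed record sets ('weak' or 'strong')."""
    return audit("example.com", lambda name: RECORDS[which].get(name, []))


if __name__ == "__main__":
    for which in ("weak", "strong"):
        print(which, "->", audit_sample(which) or ["no findings"])
```

The weak set produces two findings (the `+all` and the `p=none`); the strong set produces none. To run this against a real domain, replace the `lookup` lambda with a function that performs a DNS TXT query for the name it is given.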
Next week I’ll talk about securing your application in Part II of this blog “Guards at the gate”.
Warren Howard is an infrastructure specialist with an interest in leveraging technology to streamline business process. He has delivered solutions for international clients such as Coca-Cola and Holeproof.