World’s Largest Public Companies Lack Basic Domain Security Protections, Report
More than eight in 10 of the world’s largest public companies risk domain name hijacking and other malicious activities by neglecting to adopt basic domain security measures, a new report said.
Shortfalls in enterprise domain security practices put organizations’ internet-facing digital property at risk to threats, including domain name and domain name system (DNS) hijacking, phishing, and other fraudulent activity, CSC’s digital brand services (DBS) unit said in a newly released 2020 Domain Security Report.
The Wilmington, Delaware-based specialist, whose solutions defend businesses from targeted threats against domain-related assets, said its data unearthed a wide disparity in domain security maturity. Industries such as materials and real estate are more susceptible to cyber attacks than information technology and media and entertainment organizations because they fail to use available security controls, the report found. In sum, 83 percent of the Forbes Global 2000 risk domain hijacking, CSC’s investigation found.
With more companies migrating to internet-facing business models, particularly in response to the coronavirus (COVID-19) pandemic, executing proper domain security techniques has moved from important to vital, making the study’s results somewhat surprising.
“Domain security cannot be an afterthought, and there needs to be a conscious effort to make this an intentional and critical part of every company’s overall cyber security posture, especially as criminals evolve their attack methods,” said Mark Calandra, a CSC DBS executive vice president. “As companies move to more online business models, it’s essential to use defense-in-depth practices to proactively manage, secure, and defend the foundational internet-facing components of your digital brand presence.”
Additional highlights from the report include:
- Unlocked domains are vulnerable to social engineering tactics, which can lead to unauthorized DNS changes and domain name hijacking.
- 53% of the Forbes Global 2000 use retail-grade domain registrars, putting them at greater risk of phishing, social engineering, and other attacks while complicating compliance demands. Managing the overall domain name portfolio through a reputable corporate registrar rather than a retail registrar makes domain security standards much easier to adopt and monitor.
- Only 20% of Global 2000 companies use enterprise-grade DNS hosting. Lack of DNS hosting redundancy and use of non-enterprise-level DNS providers pose risks such as reduced resiliency to distributed denial of service (DDoS) attacks, downtime, and revenue loss.
- 97% of the Global 2000 don’t use DNS security extensions (DNSSEC), which means the majority of companies are prone to cache poisoning attacks. Without DNSSEC, DNS responses cannot be validated, leaving any step of the DNS lookup process open to hijacking by an attacker.
- Domain-based message authentication, reporting, and conformance (DMARC) use is only at 39% for the Global 2000 companies. DMARC is an email validation system designed to protect a company’s email domain from being used for email spoofing, phishing scams, and other cyber crime.
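A self-assessment covering the four controls in the list above (registry lock, DNS hosting redundancy, DNSSEC, and DMARC), as an added example that is not part of the report or this article. The domain snapshot, provider names and record values are constructed sample data; the EPP status codes and DMARC tags are the standard ones.

```python
# Constructed snapshot of one domain's registration and DNS data (sample, not real).
# In practice these fields would come from WHOIS/RDAP and DNS lookups.
SAMPLE_DOMAIN = {
    "epp_status": ["clientTransferProhibited", "clientDeleteProhibited"],  # registrar lock only
    "ns": ["ns1.provider-a.example", "ns2.provider-a.example"],           # one DNS provider
    "ds_records": [],                                                    # no DS in parent zone
    "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",       # monitor-only DMARC
}

# Registry-level ("server") status codes: the registry itself refuses changes,
# so a social-engineered registrar support agent cannot transfer or edit the domain.
REGISTRY_LOCK_CODES = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(domain):
    """Return a list of findings, one per missing or weak control; empty means all four are in place."""
    findings = []
    if not REGISTRY_LOCK_CODES & set(domain["epp_status"]):
        findings.append("no registry lock: domain changes only need to get past the registrar")
    # Redundancy: nameservers should span more than one provider (parent of the NS hostname).
    providers = {ns.partition(".")[2] for ns in domain["ns"]}
    if len(providers) < 2:
        findings.append("single DNS provider: no hosting redundancy")
    # A DS record in the parent zone shows the zone is signed and chained to the root.
    if not domain["ds_records"]:
        findings.append("DNSSEC not deployed: no DS record in parent zone")
    tags = parse_dmarc(domain.get("dmarc_txt") or "")
    if tags is None:
        findings.append("no DMARC record: domain can be spoofed without any reporting")
    elif tags.get("p", "none") == "none":
        findings.append("DMARC policy is p=none: spoofed mail is reported, not blocked")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_DOMAIN):
        print("FINDING:", finding)
```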
In what may be a tie-in, most companies on this year’s Global 2000 list have posted sub-par first-quarter earnings in what Forbes is calling the “Great Cessation,” a reference to the COVID-19 economic shutdown, Forbes said on its associated web page. But not all companies have been negatively affected by the pandemic. Large e-commerce players, such as Amazon, Alibaba and Walmart, are growing, prodded by the spike in online shopping. All three moved up on this year’s list. JPMorgan Chase is the largest U.S. company at No. 3, falling one spot from last year’s rankings, according to the web site.