This post from CIO.com should serve as a reminder to SMBs that they are not immune from the security perils of technology affecting larger enterprises.
One of the services we provide clients at On-Site Technical Solutions is that of virtual CIO, or Chief Information Officer. Larger companies with IT departments have this executive level position that reports either to the CEO or another senior executive. In addition to managing company technology, it is ultimately up to the CIO to ensure that the company is using technology efficiently, cost-effectively and in this case, as securely as possible.
Domain hijacking refers to changing the registration of a domain without the permission (and knowledge) of the original (typically the legal) registrant. Because domain hijacking works, expect it to continue to become even more frequent.
Here is the post:
and here are the four ways to protect your domain from the post:
1. Pick an enterprise-class domain name registry. Some domain name companies target consumers and small business. Consequently, they don't offer the security protections that corporate focused domain registrars provide.
"Companies often make a decision to go with the lowest-cost provider or with someone who's offering a special," says Mohan. "It may cost you $20, but the actual cost when your domain is hijacked is far greater." Adds Harvey, "When you're running millions of dollars through your website, you should have another level of security."
He notes that Coach.com was maintained at Network Solutions, a domain name registrar and hosting provider that, according to its website, targets small businesses. CIO.com tried to contact Network Solutions for this article; a PR person for the company said that corporate representatives couldn't speak with CIO.com in time for its deadline.
Some specific security practices you should seek out in a domain name registrar:
- Two-factor authentication or call-back authentication. Harvey says most hijacks his company has seen would have been prevented if the domain registrars had enhanced authentication in place.
- The capability to place various locks on your domain. Harvey says to make sure registry locks and registrar locks are on. Mohan says businesses can have their actual domain name locked down. Some registrars also offer lock downs to protect against domain hijacking, he adds.
- A registrar that automatically locks people out after entering, say, three invalid passwords and doesn't send log-in credentials to any email address.
2. Keep up-to-date with security patches. Make sure you apply the latest security patches to your web servers so that hackers can't exploit known software vulnerabilities. "If you don't," says Mohan, "you're asking for trouble. In that case, it's not a matter of if [your domain will get hijacked], it's a matter of when," as his client learned by not applying the latest MySQL patch.
3. Monitor where site traffic is going. If you see that traffic to your website is mysteriously going to a server in the Ukraine, as it was in the CheckFree case, you know something is wrong. Very wrong.
4. Request DNSSEC from your registrar. DNSSEC—which adds security extensions to your Domain Name System—won't prevent domain name hijacking, but it's the only technology known to guarantee that once a user clicks on a link to your website, he or she won't be hijacked between the time they click and the time they reach your site, says Mohan.
Meridith Levinson covers Careers, Security and Cloud Computing for CIO.com. Follow Meridith on Twitter @meridith
. Follow everything from CIO.com on Twitter @CIOonline and on Facebook . Email Meridith at email@example.com.
Visit On-Site Technical Solutions for information on how you can move to Google Apps or other Cloud Computing applications. Call us for all of your network computing and business IT needs. We can also help with your data security and mobile computing. Follow us online below. Call or text me at 1-949-212-2168.