It’s a digital world: Organisations and individuals alike rely on the internet for almost every facet of personal and professional life. Because of that, a company's digital identity is its primary identity.
How an organisation exists online defines how they're perceived and connected with. The digital identity, then, is arguably a company’s most valuable asset. Unfortunately, it’s also one of the most vulnerable.
- The best VPN service 2019 (opens in new tab)
The DNS under attack
Digital brand trust is constantly threatened by attacks that undermine the domain name system. With DNS hijacking, for example, hackers gain control of a DNS service and redirect traffic from intended online content to their own servers to execute potentially malicious actions. The worst examples of unintended destinations are fraudulent lookalike websites that can harvest user information, including personal banking data or other systems' access credentials.
These attacks can be cleverly constructed and executed without the brand network team being aware that customers are being redirected, causing significant brand damage as consumers fall prey to malicious actors. In one audacious example, state-sponsored hackers used DNS hijacking to target national security agencies in multiple countries. Their successful tactics place all organisations at potential risk.
A variation of this attack known as domain hijacking (or spoofing) targets just one website instead of the entire DNS. Hijackers divert traffic by stealing or appropriating an actual domain or, more commonly, a subdomain used by a brand. In other cases, malicious actors simply use misspellings like gooogle.com (versus "Google") or citybank.com (versus "Citibank").
Hackers can also appropriate or misuse orphaned domains — domains forgotten by administrators that still point to a company IP address — to imitate a brand’s identity. Spoofing attacks often succeed because hackers go to great lengths to make fake sites look real and trustworthy.
Cybercriminals employ similar methods in phishing attacks. Individuals receive fraudulent but authentic-looking emails asking them to provide login credentials or sensitive information. In some instances, legitimate email addresses are used to send fake emails so the request doesn’t raise red flags. Hackers leverage smart design, carefully worded copy, and subtle social pressure to ensure that the email recipient complies with the bogus request. Clever phishing ploys persist in their effectiveness despite corporate users being warned and trained.
Among DNS threats, the distributed denial of service (DDoS) attack is truly a weapon of mass destruction. Designed to knock a website offline, it can also be purposed by hackers more seriously to overload the DNS. In 2016, one of these attacks aimed at an enterprise-class DNS service blacked out thousands of websites. Experts observed a 16% increase in DDoS attacks in 2018, and the trend is expected to continue in 2019 and 2020.
Digital identities have always been at risk, but the threat is worse than ever. In 2018, the average business experienced more than nine DNS attacks, representing a 34% increase over 2017. Considering that each attack costs $1.27 million on average, securing the digital identity needs to be high on the list of priorities.
- VPN or Virtual private networks: What businesses need to know (opens in new tab)
The deep impact of DNS attacks
DNS and phishing attacks are common, successful, and damaging — and all companies with an online presence are vulnerable. When organisations underestimate the problem or overestimate their protection, they risk losing brand trust. That loss of trust can materially impact business growth and valuation.
Expressing the damage of DNS attacks in terms of dollars and cents does a poor job of explaining how consequential these incidents really are. While they cost companies literally millions of dollars each year, they do so in unexpected ways — and for longer than anyone would like. For example, a DNS attack targeted at a Brazilian bank rerouted traffic to a fake website designed to steal login credentials, infected ATMs with malware, and prompted customers to download malicious software. With those in place, hackers have continued to siphon funds from the bank and its customers.
Like the malware continuing to infect ATMs, the worst consequences of DNS attacks linger long after the attacks are resolved. Studies show that brands that experience this kind of breach suffer reputation damage that leads to lost revenue and reduced market share. Twenty-two per cent of companies report measurable business losses from DNS attacks.
Regulatory penalties are another consequence. With the passage of the General Data Protection Regulation in the European Union, brands can face fines when DNS hackers are successful. British Airways was recently ordered to pay $250 million when its customers were routed to a fake baggage claim website. California is set to pass similar rules, meaning DNS attacks could become even costlier for companies that don’t secure their digital identities.
Phishing attacks arguably have the worst consequences of all. Persuasively worded emails that appear to be genuine can easily convince recipients including company employees to hand over accounting information or login credentials. Armed with that information, hackers can steal directly from company coffers, break into the IT infrastructure, or wreak havoc across a network. After an IT meltdown at British bank TSB caused 80,000 customers to leave and led to £330 million in revenue losses, hackers used phony emails to victimise bank customers even further. Because the DNS was compromised, TSB was powerless to prevent the ongoing abuse of their customers.
Strategies for securing digital identity
Effective DNS security requires multiple, coordinated measures to defend against the most common and consequential types of attacks.
1. Consolidate Domains and DNS Services
DNS security often suffers because most companies employ too many domain and DNS services. Managing and coordinating security settings across multiple services is onerous and error-prone. DNS security vulnerabilities, many of which escape the notice of IT staff, are often the result of poorly administered DNS networks. Consolidating makes management easier and security stronger.
Companies should rely on no more than one domain registrar and two DNS services: primary and backup. Under a single vendor environment for each service, the risk of hijacking diminishes. A simplified, consolidated DNS operation, for example, makes the “orphaned” domains mentioned above much easier to spot and eliminate.
2. Unify Change Management
When domains and DNS settings are administered across multiple platforms, uncoordinated or unauthorised changes can compromise security. Moving to a single platform enables unified change management — a way to systematically manage access, monitor changes, and audit inputs for evidence of misuse.
A unified approach can also alert administrators when DNS settings are changed. If login credentials are stolen in a phishing attack, for example, hackers may temporarily gain access, but they'll be prevented from causing significant damage.
3. Deploy DNS Security
For consumers to trust a brand, they need to know that websites are both authentic and private. Delivering on both fronts requires a comprehensive list of DNS security features: HTTPS for website encryption, Domain Name System Security Extensions for DNS route lookup verification, and Domain-based Message Authentication, Reporting & Conformance and Sender Policy Framework for email authentication.
These tools are essential to DNS security, yet half of Fortune 500 companies lack even DNSSEC — an alarming statistic, considering the importance of their online identities. The U.S. government has recognised the importance of these tools and, as of 2018, has mandated that all agencies authenticate email senders using DMARC. Since then, phishing attacks have substantially declined, making a strong argument in favour of adopting DNS security features.
4. Apply for and Implement a Brand TLD
The Internet Corporation for Assigned Names and Numbers, also known as ICANN, allows brands to apply for and secure their own top-level domains. These domains use the company name in place of .com (e.g., .IBM or .Nike). Brands that are awarded their own domain extensions are the exclusive users, meaning that any user directed to a .IBM domain can be absolutely certain that the destination is authentic.
Top-level domains can also streamline how DNS security settings are applied and managed. They improve customer engagement because they are relevant, brand-reinforcing and authentic. To date, more than 500 major brands have applied for a brand top-level domain through ICANN.
Digital identity and brand trust are more important than ever. We put locks on our office doors and copyrights on our intellectual property; we must take similar measures to protect our digital identity. In the simplest terms possible, it's far better to invest resources to secure the DNS than to rehabilitate brand reputation and revenue streams after a DNS attack.
- Virtual Private Networks (VPNs): What businesses need to know (opens in new tab)
Peter LaMantia, CEO, Authentic Web (opens in new tab)