This article discusses some threats to company websites that have been gaining steam but are mitigated by two recently released technologies for .CA domain names. These two new features for managing secure websites are called .CA Registry Lock and DNSSEC (Domain Name System Security Extensions). While they are typically adopted at larger enterprises, they are potentially impactful for smaller companies as well, as the technology trickles across the market.

For a typical small-office home-office (SOHO) or small to medium enterprise (SME), security for a website in 2014 can be a complex prospect. The very small shop can rely on the tools and technology from their hosting company and hope for the best. But what about the bigger, yet not big enough, company: the one that is no longer a SOHO and has graduated to SME? For a typical one to three person IT team in a small to mid-sized business it is close to impossible to stay on top of the constant emergence of new threats while also keeping the PCs working, the network running, the phone systems calling, the premises security system beeping, and even the lights turned on (and off). However, unlike their peers in large organizations, they are not insulated from the risk, because they don't have the support of third parties like MarkMonitor, or of an in-house individual whose job is dedicated to security and nothing else.

If something bad happens, then the fault lies squarely on the IT manager's shoulders, both for the problem happening and for the pain of solving it. This article isn't about helping to protect IT managers from every type of attack out there. There are many very thick books already published to help you with that. It is to illustrate, in plain language, some domain-related technologies (Registry Lock and DNSSEC) that are there to help protect a company website. This article focuses on domain-related security and helps technical people explain its importance to their managers.

Business Impact Assessment

Analysts and service companies will tell you that your web presence is the single most important interface you have to your customers. However, analysts typically work with larger companies and the level of assessment a larger organization needs to make is pretty deep. Your organization may need a deep assessment too, but if the time and resources aren't available, then at least a tacit understanding of the risk-versus-reward can be helpful. Every business and every piece of IT infrastructure has risk and some are worth managing closely, some are worth off-loading to others, and some are worth putting on the back burner. In all cases your company does have a reputation to think about. Your reputation can be damaged by a hacker who steals your customer data, inserts embarrassing content on your website, or redirects your visitors to another website. So the assessment is all about the cost to mitigate the risk versus the business and personal cost of something going wrong.

| Type of Website | Description | Simple way to evaluate need |
|---|---|---|
| Online brochure | Basic description of your products or services with links to contact via phone or email. | Depends on the $ value of leads coming in and the cost of an outage |
| Content machine | A site that has continually updated content and typically includes form elements that allow prospects and customers to interact or make requests. | Depends on the publishing cadence, the daily revenue from clicks, or form completions per day |
| Storefront | You are selling something. Every minute you are down you are not only losing customers but you are sending customers to your competitor. You also may hold juicy customer data on your network. | Depends on the hourly profit from sales. Risk of customer data getting into the wrong hands. |
| Enterprise servicing | Your web server hosts applications that your customers need to do business with you. Customer data is in your web applications. | No need to analyze it, you need high security |

Securing a Website

Most of the online risks that an IT manager faces are relatively easy to grasp by peers and non-technical managers. For example, spam filters, anti-virus software, and malware/spyware protection are things that most people deal with personally and professionally in their everyday lives. But when you get to issues of website security, most peers don't have a frame of reference. That can make it hard to get traction for implementing and maintaining critical security activities to avoid problems like injection attacks, cross-site scripting attacks, or security misconfigurations (note – this post by the Open Web Application Security Project provides a nice list of things to watch for in your web applications).

In terms of what steps can be taken before you are hacked, most of these risks are mitigated (but not eliminated) by planning, diligence, and continual patching and maintenance of existing applications. So this secures the website's applications, but what protects the pipes between you and your customer? The rest of this article will explain two technologies that help you protect your website from a domain security perspective.

.CA Registry Lock

.CA Registry Lock is a simple service which provides an additional layer of security for your website address. To understand how a registry-locked .CA website is different from a simple .CA website, let's use the banking system as an analogy. If you are a good customer of the bank then you expect to get your chequing account for a nominal monthly fee (or even for free). Despite the fact that your chequing account is "cheap", you also expect that some stranger won't access your account and steal your money.

The bank has basic controls in place to reduce this risk. But when you really want to secure something important, like jewelry or a will and testament, then you pay a higher fee for a safety deposit box. A safety deposit box is like taking an extra step to ensure important things are kept safe and secure with a manual process that involves a physical key and human intervention.

Getting .CA Registry Lock is a little like this. It is a special key, in the form of a manual security protocol, that keeps your company's valuable website address safer by making sure that no unauthorized people can change anything in the registry. Here's how it works for websites with a .CA domain:

  • When .CA Registry Lock is applied to a .CA domain name, no attributes of the domain are changeable and no transfer or deletion transactions can be processed against the domain name
  • To unlock a domain name, significant authentication steps are required at the Registry level and coordinated through the Registrar (the company through which the web address is registered).
  • .CA contacts and hosts can also be locked (as long as they aren't shared with another domain name).
  • The service is sold on an annual basis and adheres to the expiry and renewal dates of its associated domain name.
  • The service auto-renews with the .CA domain name.
  • Like the other services provided by CIRA, the new service is available to .CA Registrants through .CA certified Registrars.

When you think about it, your domain name is a very important website address that runs your entire business and on which the business reputation relies. This domain name is something that typically has an annual cost that is less than lunch for two at a fast food restaurant. Even at this price point, registries and Registrars take herculean steps to help protect their customers. Unfortunately, those steps may still have potential failure points and adding Registry Lock is an easy way to mitigate one risk. To find out about setting up .CA Registry Lock, a .CA domain name holder needs to contact their Registrar to get this service.

A few high profile domain hijacking cases

| Organization | Outcome |
|---|---|
| The New York Times | Successful attempt |
| Twitter | Successful attempt |
| Facebook | Failed attempt because Registry Lock was in place |
| Coach Handbags | Successful attempt |

DNSSEC

DNSSEC is an end-to-end security layer designed to ensure secure communication throughout the domain name system. DNSSEC provides a layer of authentication so that an end user has certain assurances that they are reaching the actual website they intended. Think of the Domain Name System (DNS) as the phonebook of the Internet. As bad actors in the Internet space become increasingly sophisticated, the breadth and impact of attacks increase correspondingly. These types of attacks come in many forms, the two most common being:

  • DNS Spoofing, where a hacker gains access to a domain's DNS name servers in order to redirect visitors to a website of the hacker's choosing. This could be a site that maligns your company or, even worse, a site that attempts to mimic your company and steal your customers' data.
  • DNS Hijacking, where a hacker can modify DNS information to gain control of the complete DNS information of the domain. Once this is done, the impacts can be similar to DNS Spoofing in terms of what the hacker could do.

How does DNSSEC work for a .CA holder?

Once enabled, DNSSEC applies digital signatures to incoming DNS data to scan for authenticity and to verify its integrity. This is established through a process called a "Chain of Trust". What this ultimately means is that your DNSSEC enabled .CA domain is performing additional validation on incoming messages to help ensure that your domain remains protected from sophisticated attacks. Like the banking analogy used for .CA Registry Lock above, an illustration is useful for explaining DNSSEC technology; but this time it is a little bit harder because the solution is a little more technical in nature. Let's use the home buying process.

Does a prospective buyer work directly with the existing seller to prove that the seller actually owns legal title to the house? Do they work directly with the seller to transfer that legal title at the end of the transaction? Not typically. While it is true that legal work could be done between the two parties, there are better ways to ensure that the seller is not misrepresenting themselves. Most home buyers work with a trusted third party (such as a lawyer) who has access to the information and systems to quickly check the property's title and authenticate the ownership and the validity of its transfer from one party to the next.

For DNSSEC, picture this "authentication" as a legal transaction that happens electronically for every visitor to your website before they actually visit the content. It sounds like overkill, but it occurs at the speed of the Internet and ultimately is an important step in what could be a retail or commercial transaction. It is worth noting that this is quite distinct from, but related to, SSL. Secure Sockets Layer (SSL) encrypts the data and authenticates the user sending that data, using a certificate authority with a third party which secures the session between the user and the website. It is what happens after the website is found. In a way they work like the proverbial belt and suspenders to keep you doubly secure.
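The "Chain of Trust" mentioned above rests on one concrete check: the parent zone (for a .CA name, the registry) publishes a DS record containing a digest of the child zone's DNSKEY, and a validating resolver accepts only a key that matches it. The following Python is an added example, not part of the original article; it follows the DS and key tag definitions in RFC 4034 and RFC 4509, and the domain example.ca and both keys are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical DNS wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B, used to pick the DNSKEY a DS refers to."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, ds: tuple, rdata: bytes) -> bool:
    """ds is (key_tag, algorithm, digest_type, digest_hex) as published by the parent."""
    tag, alg, dtype, digest = ds
    return (dtype == 2 and alg == rdata[3] and tag == key_tag(rdata)
            and digest.upper() == ds_digest_sha256(owner, rdata))

# Constructed sample data: example.ca and both keys are placeholders, not real keys.
OWNER = "example.ca"
GENUINE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))    # zone owner's key
FORGED_KEY = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))  # key an impostor controls

# The DS the registrant hands to the registry (through the Registrar) for the .CA zone.
PARENT_DS = (key_tag(GENUINE_KEY), 13, 2, ds_digest_sha256(OWNER, GENUINE_KEY))

def check_chain() -> dict:
    """A validating resolver accepts only the DNSKEY that the parent's DS vouches for."""
    return {"genuine": ds_matches(OWNER, PARENT_DS, GENUINE_KEY),
            "forged": ds_matches(OWNER, PARENT_DS, FORGED_KEY)}

if __name__ == "__main__":
    print(check_chain())
```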

A few high profile cases that are helped by DNSSEC

| Organization | What happened |
|---|---|
| National Geographic | Another malicious redirection |
| Alexa | DNS pointed to alternative domain |
| Google | Hijacking DNS by Turkish ISPs to point to local services |

What can DNSSEC offer me?

  • Reliability: DNSSEC can help ensure that what you are presenting to the online world on your .CA has not been tampered with or compromised at the DNS level, which is critical for organizations offering secure online transactions.
  • Seal of quality: enabling your .CA with DNSSEC is a clear sign that you take online security seriously.

The best website security is about a large number of best practices applied with a level of effort that is suitable to the risk of failure. The job of the IT professional serving the SME market is to do everything they can with a limited budget and even more limited time to secure the site. .CA Registry Lock and DNSSEC are two relatively low-cost tools that can be used to help protect your business and deliver a more secure experience to your customers.