ICANN's Security and Stability Advisory Committee has published a Registrant's Guide to Protecting Domain Name Registration Accounts against compromise and misuse.
The report begins by describing the threat landscape for domain names. It explains why attackers are motivated to gain access to the accounts that registrars provide for managing domain names and the DNS configurations of those domains, and then explains how attackers use compromised accounts to facilitate other e-crimes (phishing, spam, hosting of illegal goods, and more).
The report next encourages readers to ask: how important are our domain names, what do we risk if we lose them, and what loss or harm will our organization suffer if they are misused? This is Risk Assessment 101. The report offers sets of measures that organizations can adopt to mitigate those risks and explains how each measure can be implemented "in house" or outsourced to contracted third parties.
The report concludes with lists of questions that organizations should ask registrars and registries about their registration processes and protection mechanisms. This may be the most important part of the report: organizations can use the lists to obtain information about registrar processes that will let them make an informed decision when choosing a registrar.
SSAC indicates that the report "specifically targets individuals or organizations that recognize that the operational value of a domain name in use is extremely or critically important." Frankly, any individual or organization that relies on a web or other Internet presence will find something useful in the report despite its densely ICANN-ese presentation.
For example, the report discusses how to
- protect domain name account credentials. Many of the recommended practices (password composition, protection, retention, and recovery) are measures that organizations already apply as best practices elsewhere (such as corporate wikis) but tend to overlook for a registrar account.
- integrate routine correspondence from registrars into a workflow that eliminates the human error that could result in the loss (expiration) of a critical domain name.
- apply "intrusion detection" techniques by monitoring the WHOIS records and DNS configurations of their domain names for unexpected changes.
- maintain accurate and sufficient information to recover a hijacked domain or lost/compromised DNS zone data in an emergency situation.
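The monitoring and expiration points above can be reduced to a small, scheduled check: keep a trusted baseline of what the domain's DNS and registration data should look like, take a fresh snapshot, and alert on any drift (nameservers moved, a transfer lock removed, an expiry date approaching). The script below is an added illustration and is not code from the SSAC report; the snapshot layout, the field names and both sample snapshots are constructed for the example. In a real deployment the `current` snapshot would be populated from a DNS resolver and an RDAP/WHOIS client on a schedule; here it is embedded so the example runs offline.

```python
"""Drift detection for a domain's DNS configuration and registration data.

Added example (not from the SSAC report). The snapshot format and all
sample data below are constructed for illustration. A production version
would fill the `current` snapshot from a resolver and an RDAP/WHOIS lookup.
"""
from datetime import date
from typing import Dict, List

# section -> field -> list of observed values (order is not significant)
Snapshot = Dict[str, Dict[str, List[str]]]

# Constructed baseline captured when the domain was known to be good.
BASELINE: Snapshot = {
    "dns": {
        "NS": ["ns1.example-dns.net", "ns2.example-dns.net"],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.example.com"],
    },
    "registration": {
        "registrar": ["Example Registrar, Inc."],
        "status": ["clientTransferProhibited", "clientUpdateProhibited"],
        "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
        "expiry": ["2027-01-15"],
    },
}

# Constructed "current" snapshot simulating a hijacked account: the
# nameservers now point at a provider we do not control and the transfer
# lock has been cleared, while the A and MX records still look normal.
HIJACKED: Snapshot = {
    "dns": {
        "NS": ["ns1.evil-dns.example", "ns2.evil-dns.example"],
        "A": ["192.0.2.10"],
        "MX": ["10 mail.example.com"],
    },
    "registration": {
        "registrar": ["Example Registrar, Inc."],
        "status": ["ok"],
        "nameservers": ["ns1.evil-dns.example", "ns2.evil-dns.example"],
        "expiry": ["2027-01-15"],
    },
}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[str]:
    """Return one human-readable finding per field that differs.

    Values are compared as sets, so reordering is not drift. A section or
    field that is missing from `current` is reported too: a failed lookup
    deserves an alert as much as a changed record does.
    """
    findings: List[str] = []
    for section, fields in baseline.items():
        cur_section = current.get(section)
        if cur_section is None:
            findings.append(f"{section}: no data in current snapshot")
            continue
        for field, expected in fields.items():
            observed = cur_section.get(field)
            if observed is None:
                findings.append(f"{section}.{field}: missing (expected {sorted(expected)})")
                continue
            exp_set, obs_set = set(expected), set(observed)
            if exp_set != obs_set:
                added = sorted(obs_set - exp_set)
                removed = sorted(exp_set - obs_set)
                findings.append(f"{section}.{field}: added={added} removed={removed}")
        # Fields that appear only in the fresh snapshot are reported as well.
        for field in cur_section:
            if field not in fields:
                findings.append(f"{section}.{field}: unexpected new field {sorted(cur_section[field])}")
    return findings


def days_to_expiry(snapshot: Snapshot, today: date) -> int:
    """Days until the registration expires, per the snapshot's expiry field."""
    expiry = date.fromisoformat(snapshot["registration"]["expiry"][0])
    return (expiry - today).days


def needs_renewal_attention(snapshot: Snapshot, today: date, window_days: int = 60) -> bool:
    """True when the expiry date falls inside the renewal warning window."""
    return days_to_expiry(snapshot, today) <= window_days


if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, HIJACKED):
        print("ALERT:", finding)
    if needs_renewal_attention(HIJACKED, date.today()):
        print("ALERT: registration expires soon")
```

Run against the constructed data, the diff flags the NS change, the cleared status codes and the changed registrar-side nameservers, and says nothing about the unchanged A and MX records. Treat any non-empty result as a ticket for the person who owns the registrar relationship, not as a log line: a changed nameserver set with a cleared transfer lock is exactly the pattern a hijack produces.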
This report doesn't recommend policy change (although it's pretty clear from the report where policy change might best be applied). The report assesses the domain account threat landscape and the mitigations available from third parties and takes a pragmatic approach: if you want better protection, you need to manage the risk as you would for any other asset you hold, and here's how to do it.