
January 2014

Data Privacy Day Reading List 2014

The National Cyber Security Association earmarks January 28 as Data Privacy Day, "an international effort to empower and educate people to protect their privacy and control their digital footprint". Data Privacy Day sponsors and volunteers dedicate time and resources to raise awareness of privacy threats and ways to protect one's privacy, as well as the confidentiality of one's business data.

Articles I've written about privacy also explain how each of us is often our own worst privacy enemy. These articles in particular remain timely and relevant:

There are only three true Internet privacy threats 

Privacy Awareness 101: Five easily remembered rules for protecting privacy

Are Your Data at Rest Also at Risk?

Metadata or Content: NSA is not the only data collector you should fear

Trusting Third-parties with your password

How much activity on the Internet is truly consensual?

Other resources you may want to visit this Data Privacy Day include:

Council of Europe Data Protection Day 2014

Online Trust Alliance - 2014 Data Privacy Day

Stay Safe Online's Mobile Privacy Tips

The US Federal Trade Commission's Privacy & Identity and Protecting Personal Information: A Guide for Business pages

Privacy By Design's Big Surveillance Demands Big Privacy – Enter Privacy-Protective Surveillance webcast

SANS Secure the Human Project

Safe reading!


Avoid Risks: Manage your DNS Portfolio

Some readers may be familiar with recent, noteworthy domain hijacks. Hijacks, however, are only one of several ways your online identity or brands can be misused or abused. If you fail to coordinate and monitor domain registrations, you may provide attackers or opportunists with much simpler means to tarnish or exploit your organization or brand.

Domain Registration Threat Landscape

Once you’ve established an online presence with a domain name, you should consider whether you are at risk should someone register domain names that are similar to or infringe on your identity or brand, or register your identity or brand in Top Level Domain (TLD) registries other than those where you’ve registered your organization’s domain names. The kinds of risk you may be exposed to in these circumstances include a range of impersonation attacks:

  • Lampooning or defacement,
  • Phishing attacks,
  • Data exfiltration, or
  • Profiting off pay per click, searchjacking or other revenue opportunities when visitors land on the impersonators’ pages instead of yours.

The risk list also includes self-inflicted wounds. Organizations can cause their own harm when they fail to renew names and then lose the name to an opportunist, who registers and uses it to your organization’s harm or embarrassment by hosting competitive or objectionable content. A more catastrophic situation might occur should your organization fail to renew a domain name that you’ve used to name your authoritative DNS servers.

Domain Name Portfolio Management Basics

To reduce these threats, begin by conducting an inventory to identify all the domain names your organization has registered. Prepare and announce a policy that establishes a process or workflow for domain name registrations to:

  • Bring all registrations under a common administration,
  • Manage all registrations and registration settings through a common registrar,
  • Process new registration requests for domain names,
  • Establish and maintain uniform, reliable authoritative name service (including naming conventions) for the organization’s registered domain names,
  • Assure that all registrations have complete, consistent Whois data and, in particular, identify the administrative and technical contacts who are responsible for event/incident handling or inquiries,
  • Assure that all registrations are routinely monitored for (unauthorized) changes and renewal processing/payment, and
  • Assure that authoritative name service for all registered domains is routinely monitored for correctness and consistency.

At ICANN, we've implemented a process of this kind for our domain names. DNS operations director Terry Manderson explains, “this process gives all ICANN domain name assets a stable and professionally-managed name server set, a single point of handling for registration fees, ongoing monitoring to ensure that domain registrations don't accidentally lapse, and DNSSEC from day one”. Terry adds that requests for domains can be made by email and that turning on new domains is typically accomplished in a matter of hours. 
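The monitoring items in the list above can be run as a routine audit of the inventory. The sketch below is an added example, not ICANN's process or tooling: the registrar names, the 60-day renewal window, the domain records and the audit date are all constructed, and a real job would fill OBSERVED from Whois and DNS queries. It also flags the case described earlier, where the name used for your authoritative DNS servers is itself close to lapsing.

```python
from datetime import date

COMMON_REGISTRAR = "Registrar A"  # assumption: the one registrar named in policy
RENEW_WINDOW_DAYS = 60            # assumption: how early a renewal is flagged
TODAY = date(2014, 1, 28)         # constructed audit date
NS = {"ns1.example.net", "ns2.example.net"}  # constructed name server set
# Constructed inventory: the name server set policy expects for each name.
EXPECTED_NS = {"example.com": NS, "example.org": NS, "example.net": NS}
# Constructed observations, as a monitoring job might gather them.
OBSERVED = {
    "example.com": {"registrar": "Registrar A", "expires": date(2015, 3, 1),
                    "ns": set(NS), "contacts": {"admin", "tech"}},
    "example.org": {"registrar": "Registrar B", "expires": date(2014, 9, 1),
                    "ns": {"ns1.example.net", "ns.parked.invalid"},
                    "contacts": {"admin"}},
    "example.net": {"registrar": "Registrar A", "expires": date(2014, 2, 10),
                    "ns": set(NS), "contacts": {"admin", "tech"}},
}

def renewal_due(rec, today):
    return (rec["expires"] - today).days <= RENEW_WINDOW_DAYS

def audit(expected_ns, observed, today):
    """Return sorted (domain, finding) pairs for every deviation from policy."""
    findings = set()
    for domain, want_ns in expected_ns.items():
        rec = observed.get(domain)
        if rec is None:
            findings.add((domain, "no registration data"))
            continue
        if rec["registrar"] != COMMON_REGISTRAR:
            findings.add((domain, "outside common registrar"))
        if renewal_due(rec, today):
            findings.add((domain, "renewal due"))
        if rec["ns"] != want_ns:
            findings.add((domain, "name server set changed"))
        if not {"admin", "tech"} <= rec["contacts"]:
            findings.add((domain, "Whois contact missing"))
        for host in rec["ns"]:
            # Simplification: match the host against names we manage (no public suffix list).
            parent = next((d for d in expected_ns if host.endswith("." + d)), None)
            if parent is None:
                findings.add((domain, "name server outside portfolio: " + host))
            elif parent in observed and renewal_due(observed[parent], today):
                findings.add((domain, "depends on expiring name: " + parent))
    return sorted(findings)

if __name__ == "__main__":
    for domain, finding in audit(EXPECTED_NS, OBSERVED, TODAY):
        print(domain, "-", finding)
```
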

Benefits Beyond Domain Names and DNS

Name management of this kind can be implemented with a relatively light touch by small or medium organizations, e.g., those with tens or a small number of hundreds of domains. Large organizations, especially those with IP or trademarks, should consult internally or with online brand protection companies about infringement and attacks on brand.

The same management principles are becoming increasingly applicable for corporate social media identities or profiles. Begin by implementing name management for domains and DNS, then quickly turn your attention to Twitter, Facebook, LinkedIn, Google+, or wherever you imprint your organization’s identities.

This post concludes a three part series on DNS and domain registration risk and protection:

Part I: Are you monitoring your DNS?

Part II: Harden your resolvers: protect your recursive DNS for you and for everyone else

Part III: Avoid Risks: Manage your DNS Portfolio

Originally posted October 2013 at 21st Century IT.