DNS = Brand
I just listened to a Continuing Legal Education (CLE) session put on by Brian Cesaratto of the law firm Epstein, Becker and Green (@ebglaw), discussing DNS security and how often the Domain Name System (DNS) is overlooked as a piece of critical infrastructure when an organization looks at its overall vulnerability to data breaches, losses and theft. The one line that stood out to me the most was that the DNS is your brand on the Internet. And "If DNS is compromised, your Brand is compromised."
I have been working in the DNS industry for the past 25+ years or so from the aspect of protecting brands from cybersquatters and infringers. I have been involved in the creation of nearly every rights protection mechanism available through the Internet Corporation for Assigned Names and Numbers (ICANN), including the creation of the Uniform Dispute Resolution Procedure (UDRP), the Uniform Rapid Suspension (URS) process, the Sunrise process and, of course, the IP or Trademark Claim Service. With respect to the latter, I have been called the "Father of the Trademark Claims" system, as it was first introduced with the launch of .biz in 2001. I created that Claims process originally as an alternative to the Sunrise process for new gTLDs to consider, as it represented the current trademark system, which provides notice of an alleged trademark right that corresponds to a particular domain name without automatically giving one single trademark owner a right in gross over all domain names matching that trademark.
"DNS Abuse" has been one of the primary topics of discussion within the ICANN community. Although the topic within ICANN focuses on what we can "force" domain name registries and registrars to do, this CLE focused on what we need to do internally, within our own organizations, to provide reasonable safeguards to protect our own systems. Even if we can get domain name registries and registrars to take down domain names that are being used for phishing, pharming, botnets, malware, etc., we also need to take responsibility ourselves to safeguard our own systems against these threats and others. Of course, the safeguards we apply must be commensurate with the size of our organization and the overall risk that a DNS vulnerability creates.
As attorneys, we have an ethical obligation to keep all of our clients' information confidential in order to maintain the attorney-client privilege. Any disclosure of such data, whether intentional or unintentional, can waive that privilege and subject our clients to a host of problems, not to mention subject us to disciplinary action. It is for this reason that we all must take reasonable steps to protect our DNS. This includes (a) locking our domains down at the registrar of our choice, (b) locking our key domains at the registry level as well (if offered), (c) protecting access to our e-mail and other systems through two-factor authentication, and (d) implementing DNSSEC for our key domains, especially those domains used in connection with our e-mail, e-commerce, or client portals. In addition, we need to make sure that we have SSL certificates for our sites as well. You can tell if your site has such a certificate if there is a "lock" that appears in the browser's address bar (if using Google Chrome).
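Steps (a), (b) and (d) can be checked from a domain's public RDAP registration record. The following is an added example, not part of the original post: it audits one RDAP domain object for registrar-level locks ("client ..." statuses), registry-level locks ("server ..." statuses) and a signed DNSSEC delegation. The record for `example.com` is constructed for illustration, and `audit_domain` is a hypothetical helper name.

```python
import json

# Constructed RDAP domain object for illustration (field names per RFC 9083).
# In practice this JSON is what an RDAP lookup for your own domain returns.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "client update prohibited"],
  "secureDNS": {"delegationSigned": false}
}
""")

# Registrar lock = statuses set by the registrar ("client ...").
REGISTRAR_LOCKS = {"client transfer prohibited", "client update prohibited",
                   "client delete prohibited"}
# Registry lock = statuses set by the registry itself ("server ...").
REGISTRY_LOCKS = {"server transfer prohibited", "server update prohibited",
                  "server delete prohibited"}


def audit_domain(rdap):
    """Return a list of (control, detail) findings; an empty list means all checks passed."""
    statuses = {s.lower() for s in rdap.get("status", [])}
    findings = []
    for control, wanted in (("registrar lock", REGISTRAR_LOCKS),
                            ("registry lock", REGISTRY_LOCKS)):
        missing = sorted(wanted - statuses)
        if missing:
            findings.append((control, "missing: " + ", ".join(missing)))
    # delegationSigned is true only when DS records exist at the parent zone.
    if not rdap.get("secureDNS", {}).get("delegationSigned", False):
        findings.append(("DNSSEC", "delegation is not signed"))
    return findings


if __name__ == "__main__":
    for control, detail in audit_domain(SAMPLE_RDAP):
        print(f"{SAMPLE_RDAP['ldhName']}: {control}: {detail}")
```
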
These are just a few of the steps that should be taken. Over the coming weeks, I will offer other tips through this blog on reasonable steps that can be taken to protect your brand. Please subscribe if you would like to get this information as it comes out. Also, do not hesitate to contact us at JJN Solutions to see how we can help you protect your brand online.
Picture courtesy of https://www.dlt.com/blog/2019/02/07/analysis-dhs-domain-system-breach-directive.