Vayton white paper - domain names
-
Upload
vayton-brand-capital -
Category
Business
-
view
631 -
download
0
description
Transcript of Vayton white paper - domain names
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e1
Protect your Brand Capital:
Strategies for your domain name management
Effective branding strategies (from name creation to brand protection
and valuation) are essential to launch, grow and protect your
business. “Protect Your Brand Capital” is one of several
whitepapers produced by VAYTON. Brand Capital. The aim is to
provide up-to-date background information, trends, and implications
for your business in a digital, global marketplace.
In this whitepaper, seven best practices are presented for protecting
and optimizing the value of your Domain Name portfolio. But first,
you should be aware of current and emerging threats to fully protect
your brand capital.
The winds of change have dramatically altered the business and marketing
landscape. Whether you are a local business or a multinational corporation,
you will not be able to attract and sustain a healthy customer-base without a
strong, protected brand presence on the Internet. Paul Twomey (president
of ICANN – Internet Corporation for Assigned Names and Numbers) called
the new developments a “transformative revolution” and cited 1.4 billion
current Internet users with a projected 1.5 billion in the next two to three
years. Eurostat, the Statistical Office of the European Communities, reported
that in 2009 one person in two in the EU27 used the Internet daily. Those
countries with the highest proportion of daily access and use (three-quarters
or more) were Netherlands (90%), Luxembourg (87%), Sweden (86%),
Denmark (83%), Germany (79%), Finland (78%) and United Kingdom (77%) -
Eurostat news release, Dec. 8, 2009.
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e2
In the not too distant past, a company just starting up would go through the
process of creating a name and registering a trademark to launch and market
its business enterprise. Acquiring an Internet address came next, though
often as an afterthought. The company would scramble to find a domain
name (DN) that matched the brand name. The next step would be to register
and periodically update the DN account information. There seemed to be no
other considerations. The DN was secured and the company went live on the
web. Unfortunately, many companies failed to anticipate threats posed by
cybercriminals and neglected to protect their brand capital with a robust
Domain Name management strategy. Without a rigorous DN management
strategy and without cutting-edge technology to thwart cyber attacks, a
company places itself at risk. Loss of revenue, a damaged reputation, and
security compromises (for the business and the customer) are three of the
most severe consequences.
New communication technologies bring new marketing opportunities—and
new threats The Internet has pushed the marketplace into a global arena.
The innovations altering the landscape of business and marketing (such
mobile Internet and social networking) are at the same time ushering in
vulnerabilities. Multinational corporations are forced into registering
hundreds of DNs to prevent interruption of business and brand dilution.
Cybersquatters have registered hundreds and thousands of DNs with the
malicious intent of “domain hijacking” or strong-arming a company into
buying at an exorbitant price brand-linked domain names. Internet traffic to
a company’s website risks being redirected to a malicious site. Worse, the
cybercriminal can solicit private customer information under the pretense of
being the authentic website. Prospective consumers are using the Internet
not only to shop for products and services but to assess the brand promise.
Brand dilution happens when customers are redirected to malicious sites
seeking to damage the company’s reputation. It may take just one mistyped
letter when entering an Internet address to be redirected to a bogus site.
No one who has an Internet presence is exempt: including celebrities,
writers, and politicians. Immediately after the State of the Union Address by
U.S. President Barack Obama (January 2010), the official websites of the
members of Congress were attacked and defaced with anti-Obama
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e3
messages. The creator of Bridget Jones, British author Helen Fielding, the
fashion house Chanel and the Reuters news company all won cybersquatting
cases recently (Reuters News, March 15, 2009). Chanel won against an entity
using the DN chanelfashion.com and chanelstore.com in bad faith.
A cybersquatter case can be won if an entity has registered a DN that
contains a company’s brand name or a variation on the brand name and uses
that DN in “bad faith.” Complaints are filed under the Uniform Domain
Name Dispute Resolution Policy (UDRP), a quick and cost-effective dispute
resolution procedure administered by the WIPO Arbitration and Mediation
Center. According to WIPO, the top five sectors filing cases in 2009 were
biotechnology and pharmaceuticals, banking and finance, Internet and IT,
retail, and food, beverages and restaurants.
T H E N A T U R E A N D M A G N I T U D E O F T H E T H R E A T S
The Internet Corporation for Assigned Names and Numbers (ICANN) is an
international non-profit entity whose mission is to regulate Domain Name
registration and monitor domain abuse. The magnitude and severity of the
threat to a company is summed up by the ICANN Security and Stability
Advisory Committee (SSAC):
“Domain hijacking can disrupt or severely impact the business and
operations of a registrant [company], including … denial and theft of
electronic mail services, unauthorized disclosure of information
through phishing web sites and traffic inspection (eavesdropping),
and damage to the registrant’s reputation and brand through web
site defacement.”
These threats are possible because of vulnerabilities in the DN registration
system. The Domain Name System (DNS) works like an automated telephone
directory but substitutes the numeric Internet Protocol (IP) addresses with a
unique name (usually the brand name). Registrars require all prospective
Web site registrants (DN “owner”) to provide contact information, which is
then made available to the public on the Internet through a service called
Whois. Each top-level domain or TLD (.com or .eu for instance) has a registry
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e4
responsible for managing Domain Names and setting policy for the domain.
The registrant is responsible for keeping the Whois information current. An
expired registration for a DN means it can be bought by a third party with
“bad intent,” potentially harming the company or product.
The recent availability of new generic TLDs (21 to date) has increased the
chances of a company’s brand name being hijacked by a cybersquatter who
acquires a company’s Domain Names that have expired and tries to
re-sell the names at a high price;
registers a company’s brand/trademark with a different top-level
name taking consumers to a counterfeit site; and,
registers Domain Names identical to a company’s DN but with one
letter altered (known as typo-squatting).
The Anti-Phishing Working Group (AWG) monitors phishing attacks around
the globe. Phishers attempt to obtain private information (such as
passwords and credit card numbers) primarily through emails and social
networking sites. A Phisher will redirect the Internet user to a fake site that
mimics the design of an authentic site. When using the search engine, a
user may be fooled into accessing a site that mimics the authentic site.
TrendMicro, a security company, is already reporting in 2010 the risks of
users trying to find information about the new Apple iPad but being directed
to phising sites. The phisher will use a domain name that has one altered
letter in the Internet address or that mimics a brand-linked address. Social
engineering seems the preferred technique. The Internet user is tricked into
voluntarily providing private information.
AWG recently published Global Phishing Survey: Trends and Domain Name
Use 1H2009.
Major findings from the AWG report with implications for domain name
protection and management are cited here:
1. In 1H2009, the average uptime of all phishing attacks was noticeably
shorter than in 2H2008. This is an encouraging improvement, most
likely reflecting efforts by providers and responders.
2. The Avalanche phishing kit accounted for a whopping 24% of all
phishing attacks launched in 1H2009. This criminal operation is one of
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e5
the most sophisticated and damaging on the Internet, and targets
vulnerable or non-responsive registrars and registries.
3. The great majority of phishing is also concentrated in certain
namespaces – just five TLDs
4. The amount of Internet domain names and numbers used for
phishing has remained fairly steady over the past two years.
5. Anti-phishing programs implemented by domain name registries can
reduce the up-times of phishing attacks, and can reduce the number
of malicious registrations made in those TLDs.
6. The unique characteristics of Internationalized Domain Names (IDNs)
are not being used to facilitate phishing, and there are factors that
may perpetuate this trend in the future.
7. Phishers continue to use subdomain services to host and manage
their phishing sites. Phishers used such services more often than they
registered domain names via regular registrars. This trend shows
phishers using services that cannot be taken down by domain
registrars or registry operators.
The AWG report further noted that
“Of the maliciously registered domains, 1,098 contained a relevant brand name, variation, or misspelling thereof. This represents 25% of maliciously registered domains, and just 3.6% of all domains that were used for phishing. Placing brand names or variations thereof in the domain name itself is not a favored tactic, since brand owners are proactively scanning Internet zone files for such names. … Instead, phishers almost always place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the “base” or true domain name being used in a URL.”
The ICANN Security and Stability Advisory Committee (SSAC) posted a study
based on a series of incidents occurring from May 2008 through April 2009.
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e6
Below are several common characteristics SSAC listed in their review of
domain name abuse incidents. (Key points have been highlighted.)
1. Many organizations have domain name registration accounts that
contain high-value or business-critical names, domain names that could
be as valuable to the organization as any tangible asset, trademark or
intellectual property right the organization possesses.
2. Many registration service providers operate with consumer-focused
service objectives; i.e., the registration service is highly automated and
focused on serving very large numbers of registrants at a high rate of
transaction. Automation is extremely important in any business
endeavor that attempts to provide service in a timely and scalable
manner. Our study revealed that attackers have familiarized
themselves with registrar behavior and will exploit certain aspects of
automation; for example, knowing that electronic mail is the preferred
method of notifying registrants of contact and configuration changes,
renewals, etc., attackers often attempt to disrupt delivery to email
addresses by modifying DNS configurations.
3. Among the incidents we studied, the victims were frequently customers
with business critical domain accounts operated by registration service
providers with consumer focused service objectives. In some cases,
customers did not adequately assess the risk associated with the
possible loss of control or access to their domain registration account
until they were victimized; in other cases, the internal policies and
monitoring activities in place prior to the incident were not sufficient to
detect or block the attack.
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e7
A T T A C K E R S A R E C L E V E R A N D T E C H - S A V V Y
According to “Measures to Protect Domain Registration Services Against
Exploitation or Misuse,” (SSAC Report [English]; [French]), DN attackers apply
a variety of methods to hijack and maliciously use domain name account
information.
SAMPLE CASES REPORTED BY SSAC –
ICANN was victimized by a group of hackers accessing ICANN’s domain
registration account at Register.com. ICANN described the attack as
“sophisticated, combining both social and technological techniques.” The
attackers altered the DNS configurations of several domains (icann.net
iana-servers.com, icann.com, and iana.com). Visitor traffic was rerouted
to a defacement web site.
CheckFree (now FIServ), the leading global provider of information
management and electronic commerce systems for the financial services
industry suffered a DN attack. The attacker gained control of
CheckFree’s domain registration account and modified the DNS
configuration of several domains, including checkfree.com and
mycheckfree.com. Customers logging onto their accounts to make
online bill payments were “redirected to an impersonation web server in
the Ukraine that attempted to install a malicious code that contained an
Adobe Reader exploit.”
“Registrars have been and will continue to be targets for attackers. Just as customers of financial institutions may be victimized by attacks against an online banking portal, so may domain name registrants be victimized by attacks against registrar domain administration pages.”
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e8
The SSAC report cited vulnerabilities that registrars, registrants and
resellers of DNs should address:
1. All an attacker needs to gain control of an organization’s entire domain
name portfolio (and to hamper authorized access to that portfolio) is a
user account and password.
2. Attackers need only guess, phish, or apply social engineering techniques
on a single point of contact to gain control of a domain registration
account.
3. Attackers scan domain account registration and administration portals
for web application vulnerabilities (e.g., SQL injection). A successful
exploit of vulnerable application code can result in the disclosure of
account credentials for many domain accounts.
4. Email is the preferred and often the only method by which some
registrars attempt to notify a registrant of account activity.
5. Attackers can block delivery of email notifications to targeted registrants
by altering DNS configuration information so that email notifications will
not be to any recipient in the domains the attacker controls through a
compromised account (e.g., registrant’s identified administrative or
technical contact email addresses hosted in the domain).
6. Access to and the ability to modify contact and DNS configuration
information for all the domains in a registration account is commonly
granted through a single user account and password.
7. Even when unauthorized modification of DNS information is discovered
quickly, the process of restoring DNS information to correct for a
malicious configuration can be a lengthy one that is inherent in the
distributed nature of the DNS and related to time to live (TTL) values.
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e9
From the business point of view, the nature of the threats to Domain Name
security must be thoroughly understood to determine what actions should
be taken to prevent disruption and damage to the company, product or
service. VAYTON. Brand Capital offers the following recommendations:
The company should be informed about best practices in managing
Domain Name portfolios for optimal brand protection and valuation.
This should be followed by an assessment of the current Domain Name
portfolio management system benchmarked against best practices.
Finally, a corporation should decide whether it has onboard the
necessary expertise and resources to manage effectively and proactively
its DN portfolio.
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e10
S E V E N B E S T P R A C T I C E S F O R D O M A I N N A M E M A N A G E M E N T
“Best practices applied in provisioning management seek to assure that these operations are performed in proper sequence, by authorized parties, in a timely and auditable manner, with low probability of omission, intrusion or error.” - ICANN, SSAC Report, 2009
Once a business understands current and emerging threats to its brand, a
robust portfolio management system should be seriously considered.
VAYTON has identified the following seven best practices for protecting and
optimizing your brand capital. The practices cited below are based on
published literature on domain name management strategies, case studies
by Internet policymakers and VAYTON’s own experience developing and
managing domain name portfolios for a variety of clients in Europe.
View Your Domain Names as a Corporate Asset
Is the management of your Domain Name portfolio an integral part of your
total business management strategy? Is domain portfolio management in
sync with your corporate objectives and goals? If the answers are no, this is
your first clue that your company has failed to see your DN portfolio as a
valuable corporate asset to be protected and valorized. The risks are too
great not to have a comprehensive domain management strategy. And, the
opportunities to valorize this asset are too numerous to be ignored.
Centralize Domain Name Management
Choose a single, accredited registrar for your DNs to reduce costs and risks
and have a single-point of contact (corporate administrative contact). As
new top level domains become available and as the company builds its e-
commerce for products and services, the necessity of continuously acquiring
new Domain Names can result in too many opportunities to miss renewal
deadlines. You should not only have an effective management system but a
comprehensive strategy to protect and optimize your brands and
trademarks.
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e11
Perform Systematic DN Portfolio Audits
Audit all your Domain Names immediately. Do managers in different areas of
the company who control Domain Names have the same policies for
renewals and management? After an enterprise-wise audit is performed,
you should develop policies and procedures for systematic renewals and
acquisition of new domains.
Audit and Centralize Your Trademark Portfolio at the Same Time
Many countries require a new trademark or a local company to also register
a domain name. This is true for France. So, audit and centralize your
trademark portfolio at the same time you centralize your DN portfolio.
Monitor Domain Registration Information for Guaranteed Renewals
Take steps to ensure you have the resources and technology for guaranteed
domain renewals and control over the process. Failure to update Whois can
result in losing DNs to cybersquatters who will try to resell the DNs to you at
exorbitant prices or redirect Internet traffic to a bogus or counterfeit Web
site. Renewing your DNs for periods longer than the usual two years will
ease the administrative burden. However, with large portfolios, having
different initial registration dates for DNs, managing renewals can be an
administrative hassle leading to mismanagement of this valuable asset.
Stay Informed About New Threats
Do not wait until the crisis (the counterfeiting, the disruption of services, or
unauthorized access to company and consumer information) occurs to take
action. Devote resources to monitoring the threats on the horizon, assessing
the potential harm, developing a plan and taking action to protect your DN
portfolio asset.
Monetize Domain Names
The commercial and marketing use of domain names is a key element for
brand valuation; a well managed domain name portfolio can reduce the
advertising costs by several thousand Euros. This can largely compensate the
expenses of new domain names and the domain name management
expenditures.
Copyright 2011 NTLUX S.A. VAYTON Brand Capital - www.vayton.com
Pag
e12
R I G O R O U S D O M A I N N A M E M A N A G E M E N T F O R O P T I M A L
B R A N D P R O T E C T I O N A N D V A L U A T I O N
ICANN recommends that registrars “provide security measures to safeguard against the non renewal of the customer’s domain names due to technical errors or oversight, to protect the customer from domain name hijacking through unauthorized modification of registration records, and to prevent unauthorized, malicious DNS configuration. The business model for these registrars is focused on handling individual transactions with a very low probability of error.
VAYTON. Brand Capital has the expertise and cutting-edge technology for
managing your Domain Name (DN) portfolio and optimizing your brand
asset. We offer personalized, customized DN management services to
protect your intangible property—your brand value and integrity.
E X P E R T I S E - Outsourcing DN portfolio management to VAYTON may be
the wise choice for your company. A dedicated team of experts can ease the
burden of DN portfolio management at all levels: administrative, technical
and strategic.
C O M P R E H E N S I V E S E R V I C E S - You can count on a comprehensive
suite of services necessary to prevent brand devaluation and security
compromises. We will audit, monitor, centralize, renew and recover your
domain names.
C U T T I N G - E D G E T E C H N O L O G Y - We have developed technologies
and platforms to audit, monitor and centralize domain names. These
technologies are customized to answer decision makers’ as well as technical
team requirements.
3A bou lev ard du P r inc e H enr i , L - 1724 L ux embour g
t e l . +352.26.44.17 .93 f ax . +352.26.44.18.4 3 Contac t : N ic o las VAN BEEK
c ontac t@v ay ton. c om