This blog originally appeared in Public Interest Registry.
U.S. Congress designated the month of June as National Internet Safety Month, so there’s no better time to discuss how to keep organizations safe and secure online. To help raise internet security awareness, Public Interest Registry asked our team at MarkMonitor, one of the most experienced corporate registrars managing some of the most highly trafficked domains, to share some tips that will help nonprofit organizations stay safe on the World Wide Web, in particular when it comes to domain name system security.
While the industry has committed significant resources to ensuring the domain name system (DNS) is secure, for example through the implementation of DNS Security Extensions (DNSSEC), there are still steps organizations can take to further bolster their domain security online, including:
1. Identify a Strong Registrar Partner: A first step for nonprofits is to ensure their registrar of choice employs a hardened portal that checks for security and code vulnerabilities on a regular basis. The registrar must be able to demonstrate strong internal security controls, have a proven security track record, and be committed to staying on top of the newest exploits and latest security vulnerabilities.
2. Set Up Multi-Factor Authentication: Many internal security controls require users to use multi-factor authentication, which can be cumbersome to set up and maintain but ultimately provides a strong, additional layer of security in the event that login credentials are compromised. Social media accounts should also have multi-factor authentication for logins. It is also critical that login credentials to any account – especially to domain, DNS, and website management accounts – are never shared, are reviewed on a regular basis, and have a limited number of authorized users. Finally, there are other security methods for organizations to consider that help prevent unauthorized logins, such as IP Access Restrictions and Single Sign-On.
3. Add an Additional Domain Lock: All core domains should have an additional lock applied, called Registry Lock. Registry Lock freezes all changes to the domain at the registry level until the correct high-security protocol is followed, as specified by both the client and the registrar. This additional lock prevents erroneous nameserver updates, hijackings and social engineering attacks.
4. Use Extended Validation Certificates: To better build online trust, all websites should be available under HTTPS using SSL Certificates. Core domains should use Extended Validation certificates (EV) that give a visual indication in web browsers so users can be sure they are interacting with the right website. EV certificates reduce the efficacy of phishing attempts.
5. Check Email Security Standards: Ensure email providers adhere to the latest and strictest standards in email delivery, such as signing outbound mail with DomainKeys Identified Mail (DKIM) and properly specifying Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) records, to help prevent phishing emails from being delivered to users. Depending on the organization's email volume, it may also wish to choose a DMARC service provider to aid in secure email delivery.
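The SPF and DMARC checks in tip 5 are easy to automate. The following is an added example, not code from the original article or from MarkMonitor or Public Interest Registry: it parses the two TXT records a domain publishes and flags the weak settings a reviewer would look for (a missing or permissive `all` mechanism in SPF, a monitor-only `p=none` DMARC policy, no aggregate-report address). The records for `example.org` are constructed samples; in practice you would fetch them with a DNS resolver such as dnspython for `<domain>` and `_dmarc.<domain>`.

```python
"""Evaluate SPF and DMARC TXT records for common weaknesses.

Added example, not from the original article. The records below are
constructed samples for a hypothetical nonprofit domain; replace them with
live TXT lookups for <domain> and _dmarc.<domain> to assess a real domain.
"""

# Constructed sample records (not real DNS data).
SAMPLE_RECORDS = {
    "example.org": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs and the 'all' qualifier.

    Returns None if the record is not an SPF record at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # default qualifier per RFC 7208 is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record):
    """Return a list of human-readable weaknesses found in an SPF record."""
    parsed = parse_spf(record)
    if parsed is None:
        return ["no SPF record (v=spf1) published"]
    findings = []
    q = parsed["all"]
    if q is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif q == "+":
        findings.append("'+all' permits any host to send as this domain")
    elif q == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    elif q == "~":
        findings.append("'~all' only soft-fails unlisted senders; move to '-all' once "
                        "DMARC reports confirm every legitimate source is listed")
    # Top-level count only; nested includes also count toward the limit of 10.
    lookups = sum(1 for _, t in parsed["mechanisms"]
                  if t.split(":")[0].split("=")[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_findings(record):
    """Return a list of human-readable weaknesses found in a DMARC record."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record (v=DMARC1) published at _dmarc.<domain>"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; the record is not valid DMARC")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


def assess_domain(domain, records):
    """Assess SPF and DMARC for `domain` using a name->TXT mapping (offline-friendly)."""
    return {
        "spf": spf_findings(records.get(domain, "")),
        "dmarc": dmarc_findings(records.get(f"_dmarc.{domain}", "")),
    }


if __name__ == "__main__":
    for kind, items in assess_domain("example.org", SAMPLE_RECORDS).items():
        print(f"{kind.upper()}: {'OK' if not items else ''}")
        for item in items:
            print(f"  - {item}")
```

Run against the constructed sample, the script reports that `~all` is only a soft fail and that `p=none` leaves spoofed mail deliverable, which is exactly the state many domains sit in after a first-pass setup; tightening to `-all` and `p=quarantine` or `p=reject` should follow once the aggregate reports show no legitimate senders failing.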
Internet security is essential to anyone conducting business on the internet, especially nonprofit organizations. A core domain is often their most valuable asset, since many donors, volunteers, and others strictly interact with these organizations online. While it can take a while for a nonprofit to earn the public’s trust, it only takes one phishing scheme or social engineering attack to erode this trust. The good news is that nonprofits can easily implement these security enhancements to help keep information secure and maintain public trust in their organization.
Justin Mack also contributed to this article.