We had a (thankfully brief) scare in our portfolio last week: one of our companies temporarily lost control of its domain. An overseas third-party “bad actor” was able to convince the company’s domain name registrar to transfer control of the company’s domain without the company’s knowledge. Fortunately, our company was able to regain control of its domain before any actual changes to its DNS settings were made.
After speaking to some people in the network security business and polling our own portfolio, it turns out that this sort of occurrence is far more common than one might suspect. In today’s world, a company’s domain name is literally its crown jewels. If a nefarious party gains control of a company’s domain, the potential damage is massive and it could literally destroy a company’s business if a cyber criminal were to implement a large scale phishing attack or simply shut down the company’s site. Every minute of downtime equates to lost revenue and an erosion of customer trust.
To further underscore the vulnerabilities around DNS, I noticed this morning an article on hackers in Brazil using a technique called DNS cache poisoning attacks on major ISPs in Brazil to redirect users headed to brand-name sites like Google, YouTube and Hotmail to malware-infected sites. DNS is crucially important to the functioning of the net, but unfortunately it remains vulnerable to various exploits, including the hardest to eradicate, “social engineering”.
Some attacks (like DNS cache poisoning) are not anything a single company can protect against, but there are internal controls and procedures a company can put into place to make their domains safer. One simple example is to conduct an audit of all your domains: are they controlled by a single individual within the company? Are there policies and procedures in place around renewing domain names, controlling DNS updates, etc.?
Many times, founders buy domains on their personal credit cards early in the life of their company. Often, this is forgotten about until there is some reason to make a change to DNS settings. Clearly this is an untenable position — a founder could depart the company, have their credit card on file with the registrar expire, simply miss the renewal emails, get hit buy a bus, etc., leaving the company scrambling to deal with this after the fact.
While many early stage companies are a bit allergic to “big company” process and procedures, this is one area where every company should exert some process discipline to make sure domains are controlled by the company, that the contact email addresses filed with the registrar are carefully monitored, that automation is in place to detect unexpected transfers of domain, etc.
I’ll follow up in a later post with a more exhaustive list of best practices around domain name management, but in the meantime take a moment to reflect on how your company controls its domains and whether your internal safeguards are sufficient to prevent what could be a catastrophic loss.
Update: turns out my partner Seth Levine also posted about this incident this morning. Read more here.