Risk Management and Domain Names

Operationally, domain names are user-friendly identifiers that can be resolved using the DNS to determine the Internet (IP) addresses of hosts that provide services for that domain (e.g., web, mail, social networks, voice, etc.). The operational value of a domain name in use – specifically, the assurance that name resolution is highly available and that names in a domain consistently resolve as intended – is of extreme importance to most registrants. Consequently, domain name registrations should be considered as an asset and therefore included in business processes such as asset management, provisioning and risk management programs.

Models for asset management, provisioning and risk management typically include the following considerations:

  • Identify the value of an asset (tangible or intangible);
  • List the ways in which that value is threatened (loss, theft, misuse);
  • Determine how the threat can be realized, i.e., what makes the domain name vulnerable to attack or exploitation;
  • Determine the probability or risk that each threat poses;
  • Determine how the risk can be mitigated or reduced;
  • Determine the cost of mitigating or reducing the risk to an acceptable level of risk and cost; and
  • Determine the appropriate budget/priority and implement risk mitigation or reduction.

A domain name registration deserves the same rigor as other inventoried, valued, or sensitive digital or physical assets. Domain name registration management shares many characteristics of provisioning management in large-scale networks. For example, the primary operations in provisioning and in domain name registration are {add, delete, change}. Best practices applied in provisioning management seek to assure that only authorized parties perform these operations in proper sequence, in a timely and auditable manner, with low probability of omission, intrusion or error. Such best practices can be extended to include domain name registration management and registration services. It is ultimately the responsibility of the registrant to assess the risk of attack against domain names and DNS configuration and to implement protective measures that reduce the registrant’s exposure to attack to an acceptable degree. Registrants can implement certain of these measures directly. Registrars or other third parties may also offer services that obviate the need for the registrant to implement certain measures directly, or that complement measures the registrant implements, i.e., to provide redundant or multiple defenses against certain threats.

Domain names and DNS configuration are information assets. They have an inherent underlying value in enabling business to occur and communication to flow, and without them individual, business or societal aims and objectives would be impacted to varying degrees. The specific value of domain name registrations and DNS configurations varies greatly across domain name registrants, within their portfolios, and over time.

To fully assess the risks against a domain name, registrants must consider the business impact of a realized risk (e.g., a successful attack resulting in the loss of operation or ecommerce presence), both in terms of quantitative and qualitative costs against their day-to-day business operations and ultimately their business objectives.

Business impact is not measured solely in terms of the replacement value of a domain name, but also in terms of the short, medium and long-term effect if a domain name or DNS configuration were to suffer degraded or lost operation, for whatever reason, over any period of time. This impact may take the form of lost revenue, increased expenses, loss of productivity, damaged reputation, or loss of goodwill.

We strongly encourage registrants to conduct a business impact assessment in order to understand how much of an interruption can be tolerated before the impact is material. Include a review of domain name assets as part of a predictable annual business process – a budgeting process, business planning, or performance review cycle – to encourage at least once-yearly attention to the assets. This business impact assessment approach is useful in that it focuses on the impact of a security-related event, rather than on the multitude of threats or vulnerabilities present in the environment.
