Modern security principles are stricter than ever.
Implementing security at several levels starts with admitting that any system is vulnerable by default.
Defining the weak points of any electronic system, whether it is on the Internet or on an intranet, is the first step towards establishing a secure platform from which to launch customer-oriented services.
As far as domain registrars are concerned, the idea is to build the system on a solid platform. Whether it is Windows based or Linux, expert administrators must be used to lock it down and maintain it.
The second layer up is code written to strict security principles. Code must be audited and scrutinized for errors, omissions and deliberate sabotage.
Physical access to servers and their controlling hardware must be restricted to authorized personnel, with zero access for anyone outside that particular department. Even the CEO should not be able to access customer data without a recorded decision and authorization; being at the top of the company is not a reason.
Isolation of customer data and encrypted offline storage should be meticulous. No partial data should be exposed to the outside in ways that could lead to accessing the full data set, or crucial parts of it.
Account identifiers should be non-sequential, to lessen any brute-forcing or enumeration potential, and usernames should be linked to accounts through a hashed lookup rather than a guessable number, with every access authenticated by extra measures. These measures should enforce a range of security add-ons, such as two-factor authentication, IP range restrictions, account lockout after a set number of failed access attempts and other layers of protection.
Domain registrar customer service staff should be made aware of the dangers of social engineering and other approaches that would directly or indirectly reveal vital account information to random callers. Using credit card information to authenticate accounts is a no-no. Instead, private PINs, security questions and two-factor authentication via apps or SMS should be enforced, with no exceptions.
System auditing should be performed by authorized, licensed professionals who systematically attempt to identify weak points across every security layer. Logs of everything, from customer account access to internal management of user data, should be kept and audited periodically. Mechanisms that trigger alerts on mishandling of data or other breaches, internal or external, should be in place.
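The account-protection measures listed in the two paragraphs above (non-sequential identifiers, a hashed credential store, IP range restriction, lockout after a set number of failures, and a second factor from an authenticator app) fit together in one login check. The following is an added example, not code from the original post or from any registrar: the attempt limit, lockout duration, account class and event names are assumptions, and the TOTP routine is a standard-library implementation of RFC 6238 rather than a particular product's.

```python
"""Login hardening for a registrar control panel: non-sequential account
identifiers, salted password hashes, IP-range restriction, lockout after
repeated failures and a TOTP second factor (RFC 6238, standard library only).
Constructed example; the thresholds and class layout are assumptions."""
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time

MAX_FAILED_ATTEMPTS = 5          # assumed policy values
LOCKOUT_SECONDS = 15 * 60


def new_account_id() -> str:
    """Random, non-sequential identifier: knowing one customer's ID tells an
    attacker nothing about the next customer's."""
    return "acct_" + secrets.token_hex(8)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def totp_code(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HOTP over the number of 30-second steps since the epoch."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, username, password, allowed_ranges, totp_secret):
        self.account_id = new_account_id()
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.allowed_ranges = [ipaddress.ip_network(r) for r in allowed_ranges]
        self.totp_secret = totp_secret
        self.failed_attempts = 0
        self.locked_until = 0.0


def login(acct, password, code, client_ip, now=None):
    """Return a short reason string; "ok" only when every check passes.
    Every failing branch counts towards the lockout, so guessing passwords,
    codes or source addresses all consume attempts."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in acct.allowed_ranges):
        return _fail(acct, now, "ip_not_allowed")
    _, candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return _fail(acct, now, "bad_password")
    # Accept the current window and the previous one to tolerate clock drift.
    valid = (totp_code(acct.totp_secret, now), totp_code(acct.totp_secret, now - 30))
    if not any(hmac.compare_digest(code, v) for v in valid):
        return _fail(acct, now, "bad_code")
    acct.failed_attempts = 0
    return "ok"


def _fail(acct, now, reason):
    """Count a failure; on the Nth failure lock the account and report that."""
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
        return "locked"
    return reason


if __name__ == "__main__":
    acct = Account("alice", "correct horse", ["203.0.113.0/24"], secrets.token_bytes(20))
    code = totp_code(acct.totp_secret, time.time())
    print(acct.account_id, login(acct, "correct horse", code, "203.0.113.5"))
```

Note that the lockout check runs before any other work, so a locked account cannot be used to probe which of the other checks would have failed, and the IP check runs before the password hash so that traffic from outside the allowed ranges does not cost the server a PBKDF2 computation.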
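The paragraph above asks for logs of internal handling of customer data and for alerts on mishandling, and the earlier paragraph on physical and executive access asks that every access to customer data have a recorded authorization. Below is an added example of a periodic audit-log review that enforces both, written for this page and not taken from any registrar: the JSON event format, the `auth_ref` field, the staff/customer actor prefixes and the mass-access thresholds are all assumptions, and the log lines are constructed.

```python
"""Periodic review of a registrar's audit log.  Each line is a JSON event; the
reviewer alerts on staff access to customer data that carries no recorded
authorization, and on one staff account touching an unusual number of distinct
customers within a short window.  Constructed example; the event schema and
thresholds are assumptions, not a real registrar's."""
import json
from collections import defaultdict

MASS_ACCESS_THRESHOLD = 3      # distinct customer records per staff account ...
MASS_ACCESS_WINDOW = 600       # ... within this many seconds (assumed values)
SENSITIVE_ACTIONS = {"read_customer", "update_customer", "export_customers"}

# Constructed sample log: one customer login and several internal actions.
SAMPLE_LOG = """\
{"ts": 1700000000, "actor": "cust:acct_4f1c", "action": "login", "target": "acct_4f1c", "auth_ref": null}
{"ts": 1700000030, "actor": "staff:bob", "action": "read_customer", "target": "acct_4f1c", "auth_ref": "TKT-1042"}
{"ts": 1700000090, "actor": "staff:ceo", "action": "read_customer", "target": "acct_9a21", "auth_ref": null}
{"ts": 1700000120, "actor": "staff:bob", "action": "read_customer", "target": "acct_9a21", "auth_ref": "TKT-1043"}
{"ts": 1700000150, "actor": "staff:bob", "action": "read_customer", "target": "acct_c3d7", "auth_ref": "TKT-1044"}
{"ts": 1700000200, "actor": "staff:bob", "action": "export_customers", "target": "*", "auth_ref": null}
{"ts": 1700005000, "actor": "staff:alice", "action": "read_customer", "target": "acct_4f1c", "auth_ref": "TKT-1050"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events):
    """Return a list of (kind, actor, action, target_or_targets, ts) alerts.

    no_authorization: a staff action on customer data with no auth_ref, which
        applies to the CEO exactly as it does to anyone else.
    mass_access: a staff account reaching MASS_ACCESS_THRESHOLD distinct
        targets inside MASS_ACCESS_WINDOW; raised once per actor until the
        sliding window empties out.
    """
    alerts = []
    recent = defaultdict(list)     # actor -> [(ts, target)] within the window
    flagged = set()                # actors already reported for mass access
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev["actor"]
        if not actor.startswith("staff:") or ev["action"] not in SENSITIVE_ACTIONS:
            continue                # customer self-service is out of scope here
        if not ev.get("auth_ref"):
            alerts.append(("no_authorization", actor, ev["action"], ev["target"], ev["ts"]))
        window = [(t, tgt) for t, tgt in recent[actor] if ev["ts"] - t <= MASS_ACCESS_WINDOW]
        window.append((ev["ts"], ev["target"]))
        recent[actor] = window
        distinct = sorted({tgt for _, tgt in window})
        if len(distinct) >= MASS_ACCESS_THRESHOLD and actor not in flagged:
            flagged.add(actor)
            alerts.append(("mass_access", actor, ev["action"], distinct, ev["ts"]))
        elif len(distinct) < MASS_ACCESS_THRESHOLD:
            flagged.discard(actor)  # window has drained; allow a fresh alert later
    return alerts


if __name__ == "__main__":
    for alert in review(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log this reports the CEO's unauthorized read, Bob reaching three distinct customers inside ten minutes, and Bob's bulk export without a ticket; Alice's single authorized read hours later produces nothing. In production the same review would run on a schedule against the real log store and the alerts would go to whoever owns the response process, with the log itself kept append-only so that the reviewed evidence cannot be edited by the people it concerns.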
A modern domain registrar is not unlike the United States Bullion Depository, where the gold is stored. So build it like Fort Knox, or bad things can and will happen.
Great write up. Let’s not forget one of the most commonly overlooked points of IT security failure: the employees. I recall many years ago working for a company where the website was hosted in house. My manager said “this system is as secure as our staff… and we didn’t do a background check on anyone because they were all hired through internal referrals.”
Awesomeness 🙂
Very good article. Even though I did not lose any domains, it is frightening to see what happened at Moniker. Any company can cut costs on anything but not on security investments and precautions.