Logo
ICANN
ICANN
Filtered Search

Are you sure you want to sign out from http://www.icann.org?

If you want to sign out from both http://www.icann.org and ICANN Account, click here.

ICANN Blogs

Read ICANN Blogs to stay informed of the latest policymaking activities, regional events, and more.

Práticas recomendadas para o registro e a administração de portfólios de nomes de domínio (parte I)

30 May 2017
By
Carlos Alvarez

Carlos Alvarez

Trust and Public Safety Engagement Director

Carlos’s work is currently focused on helping the Internet community address abuse of Domain Name System resources, by:

  • Providing subject matter expertise on contractual and policy matters with potential anti-abuse and consumer protection implications.
  • Trust-based collaboration with worldwide cyber law enforcement and the operational security community.
  • Capability building, via training law enforcement and other constituents involved in the operation or the security of the Internet identifiers.

He served in the past in ICANN's Contractual Compliance Team where he managed the team responsible for processing all registrar-related complaints worldwide. He also provided key subject matter expert advice and guidance to ICANN's Contractual Compliance Audit Program and to the gTLD registry-related work of the Compliance Team.

Prior to joining ICANN, Carlos participated in the International Attorneys Program at Holland & Knight in Miami and served as the head of the Legal & Business Affairs Division at Sony Music for Colombia, Ecuador, Venezuela and Peru. While in this position he was a member of the Andean legal committee of the IFPI (International Federation of the Phonographic Industry).

He was a pioneer in Latin America in matters related to software anti-piracy, information security from a legal perspective and cyber crime, initially through his work with the local law firm of the Business Software Alliance in Colombia since 1998. His articles on piracy and terrorism, cyber crime, botnets, digital evidence, criminal aspects related to the use of honeypots, legal aspects of information security standards, the Budapest Convention, and other related matters have been published in Colombia, Venezuela, Argentina, Mexico and Spain. He taught computer law, legal aspects of information security and intellectual property in two universities in Bogota and has lectured before many different audiences in the Americas, Europe and Asia, from students to c-level executives, as well as government representatives, regulators, law enforcement, and military and intelligence personnel.

He maintains working relationships with law enforcement cyber units from different countries and while still living in Bogota was a member of the local Electronic Commerce Subcommittee of the International Chamber of Commerce. Carlos is a former co-chair of the Messaging, Malware and Mobile Anti Abuse Working Group (M3AAWG)'s Anti-Phishing Special Interest Group and is a co-chair of M3AAWG's DNS Abuse Special Interest Group.

Carlos is an attorney graduated from the Universidad de los Andes in Bogota. He holds a Master of Laws degree from the University of Southern California Gould School of Law, and has studies on networking with TCP/IP from UCLA.

null

É sempre bom lembrar das práticas recomendadas relacionadas ao registro e à administração de nomes de domínio, especialmente em relação a portfólios com dezenas ou centenas de nomes de domínio. A adoção de práticas recomendadas ajuda as empresas a evitar interrupções em suas operações on-line e também a perda do nome de domínio devido a expiração ou sequestro. Por outro lado, práticas ruins podem causar a interrupção dos negócios e a perda de confiança dos clientes, além de danos à reputação, entre outras consequências negativas.

Esta publicação é a primeira da série e contém três práticas recomendadas. Falaremos mais sobre isso em outras publicações. Vamos começar.

Manter as informações de registro atualizadas

No momento da criação do nome de domínio, o registrante fornece dados de contato ao registrador. Em seguida, essas informações são disponibilizadas publicamente através do serviço de WHOIS, o que permite que as empresas sejam contatadas por vários motivos, inclusive questões técnicas ou operacionais associadas ao domínio, interesse no conteúdo publicado no site associado, e preocupações de segurança.

As empresas devem garantir que os dados de contato exibidos no WHOIS estejam corretos e atualizados. As informações incorretas ou obsoletas podem evitar que os pesquisadores de segurança entrem em contato com os registrantes de domínios comprometidos ou que possíveis parceiros de negócios estabeleçam um contato que poderia levar a novas oportunidades de negócios.

Não usar endereços de e-mail pessoais

As empresas não devem permitir o uso de endereços de e-mail pessoais nos dados de registro de seus nomes de domínio corporativos. Essa recomendação inclui tanto endereços de e-mail usados pelos funcionários fora do trabalho quanto endereços de e-mail que identificam indivíduos dentro de uma organização, pois eles podem deixar a empresa vulnerável.

  • Não permita o uso de endereços de e-mail pessoais, como joaosilva@gmail.com ou joanasouza@hotmail.com.

    Os endereços de e-mail indicados como registrante e contato administrativo de um nome de domínio são muito importantes para sua administração. Quando são informados endereços de e-mail pessoais, nada pode evitar que esses funcionários sequestrem o domínio caso saiam da empresa.

  • Use endereços de e-mail genéricos da função ou do departamento, como admin_dominio@nomedaempresa123.com, em vez de endereços de e-mail com nomes de pessoas, como j.silva@nomedaempresa123.com.

    Quando o nome das pessoas envolvidas na administração de nomes de domínio corporativos aparece, elas correm mais risco de ataques de engenharia social e spear phishing voltados para a empresa. Em vez disso, use endereços de e-mail com nomes de cargos ou departamentos, de forma que as mensagens sejam recebidas por várias pessoas.

Evitar nomes de domínio em bailiados

Bailiado é uma situação que acontece quando uma empresa registra o domínio exemplo.com e depois indica os endereços de e-mail usuário1@exemplo.com e usuário2@exemplo.com no banco de dados do WHOIS.

Os invasores que assumem o controle de um nome de domínio em situação de bailiado podem redirecionar os e-mails substituindo os servidores de nomes legítimos por servidores de nomes operados por eles. Em seguida, podem adicionar um registro MX que direciona e-mails a um servidor que também é operado por eles, ou desativar totalmente os e-mails apagando o registro MX do domínio, de forma que nenhum e-mail seja enviado nem recebido pela empresa que registrou o domínio afetado.

As coisas ficam ainda mais difíceis quando o registrador não consegue se comunicar com a empresa afetada, pois ela não tem acesso ao e-mail corporativo. Essa situação exige comunicação de banda externa e uma comprovação para o registrador de que a empresa realmente é o registrante afetado.

Fique de olho nas próximas publicações com mais práticas recomendadas!

Authors

Carlos Alvarez

Carlos Alvarez

Trust and Public Safety Engagement Director
Carlos Alvarez

Carlos Alvarez

Trust and Public Safety Engagement Director

Carlos’s work is currently focused on helping the Internet community address abuse of Domain Name System resources, by:

  • Providing subject matter expertise on contractual and policy matters with potential anti-abuse and consumer protection implications.
  • Trust-based collaboration with worldwide cyber law enforcement and the operational security community.
  • Capability building, via training law enforcement and other constituents involved in the operation or the security of the Internet identifiers.

He served in the past in ICANN's Contractual Compliance Team where he managed the team responsible for processing all registrar-related complaints worldwide. He also provided key subject matter expert advice and guidance to ICANN's Contractual Compliance Audit Program and to the gTLD registry-related work of the Compliance Team.

Prior to joining ICANN, Carlos participated in the International Attorneys Program at Holland & Knight in Miami and served as the head of the Legal & Business Affairs Division at Sony Music for Colombia, Ecuador, Venezuela and Peru. While in this position he was a member of the Andean legal committee of the IFPI (International Federation of the Phonographic Industry).

He was a pioneer in Latin America in matters related to software anti-piracy, information security from a legal perspective and cyber crime, initially through his work with the local law firm of the Business Software Alliance in Colombia since 1998. His articles on piracy and terrorism, cyber crime, botnets, digital evidence, criminal aspects related to the use of honeypots, legal aspects of information security standards, the Budapest Convention, and other related matters have been published in Colombia, Venezuela, Argentina, Mexico and Spain. He taught computer law, legal aspects of information security and intellectual property in two universities in Bogota and has lectured before many different audiences in the Americas, Europe and Asia, from students to c-level executives, as well as government representatives, regulators, law enforcement, and military and intelligence personnel.

He maintains working relationships with law enforcement cyber units from different countries and while still living in Bogota was a member of the local Electronic Commerce Subcommittee of the International Chamber of Commerce. Carlos is a former co-chair of the Messaging, Malware and Mobile Anti Abuse Working Group (M3AAWG)'s Anti-Phishing Special Interest Group and is a co-chair of M3AAWG's DNS Abuse Special Interest Group.

Carlos is an attorney graduated from the Universidad de los Andes in Bogota. He holds a Master of Laws degree from the University of Southern California Gould School of Law, and has studies on networking with TCP/IP from UCLA.