Practical Steps for Protecting Domain Names
Patrick Jones, on behalf of the ICANN Security team
In the wake of high-profile hacking attacks against the New York Times, Twitter, Huffington Post, and others, we thought it would be useful to re-post the blog from November 2012 written by Dave Piscitello, ICANN’s Senior Security Technologist on What You Should Learn from the Diigo Domain Hacking incident. The post describes a set of practical steps that anyone who has a domain name registration can take to protect against domain hacking and related attacks.
Be aware that social engineering attacks may occur. Educate those who are responsible for maintaining domain name registrations and your web presence on the potential for attacks. Establish procedures for registering and maintaining domain names (and ensure that those procedures are followed). Use two-factor authentication. Ask your registrar about registrar locks, and use registry locks if offered by your registry operator.
These measures do not cover everything one can do to protect against attacks. We do suggest using the lessons from recent events to look at your existing practices and ask about additional measures one can take.