For this domain name forum, where the major registrars and registries are present, it would be very helpful if you could think along about how to make Epik more secure, and also how other domain registrars, registries and domain aftermarkets can learn from this incident. This thread clearly shows the current risks and the rapidly evolving cyber threat landscape, which is useful for the domain industry, an industry that is at the core of doing business on the Internet. Technically, we can secure DNS against Kaminsky attacks, we can do DNS QNAME minimization, we can do a lot. But we should think more about other attack vectors, like APIs, or registrars sending CSVs with EPP transfer codes using third-party mail solutions instead of offering a secure download from their website. Just some examples, you get the idea.
Sure, I mean some of the most common ways:
1. Build out a comprehensive Information Security Program with multiple subteams, including but not limited to:
Application Security (Engineers)
Security Operations (Security Analysts, Endpoint Detection and Response Engineers, Malware/Forensics Engineers or Analysts)
GRC (Governance Risk and Compliance Analysts)
Fraud (Analysts and Engineers)
Red Team (with penetration testers and offensive security engineers) OR the willingness to hire firms for, at a minimum, quarterly penetration tests, and this has to be for ALL assets: network, web app, mobile, etc.
Network Security (Engineers and Analysts)
Vulnerability Management (Engineers)
2. Provide tooling and resources to subteams. There are too many tools to go through in this post, but for instance, AppSec Engineers need to know how to implement and configure a WAF properly, implement tooling such as soft/hard gates that check packages or known resources to check code prior to a prod push, SAST scanners for vulns in code, automated DAST scanning tools, bot protection, preventing web application attacks such as credential stuffing and disruption to the applications... I mean... the list is quite vast, and that's one subteam.
Then you have other teams like SecOps, responsible for implementing endpoint protection such as antivirus on the host machines in combination with EDR tooling that can catch more dynamic malware outside of the simple state of AV, which uses a DAT file, investigating malware and triaging affected hosts, or preventing network-level attacks, etc.
...you get the point. It's a gigantic effort, and it has to start somewhere.
3. Taking reports from hackers seriously, which it appears Monster is doing if he's going to be working with Bugcrowd.
Security is a GIANT incentive. This is why consultants, engineers, and analysts exist. If I could explain everything one needed to do in a series of posts, our field would be dead.
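As an added illustration of one of the AppSec items in the reply above (credential-stuffing prevention), here is a small detector written for this thread; it is not code from Epik, Bugcrowd or any registrar. It assumes a constructed log format (`<timestamp> <ip> POST /login user=<name> status=<code>`) and constructed sample lines; real web-server logs would need their own parser. The signal it keys on is the one that separates stuffing from an ordinary user who mistypes a password: one source trying many distinct usernames in a short window, usually with a low success rate. The accounts where such a source got a 200 are the ones to lock and reset.

```python
"""Credential-stuffing detector over login log lines.

Added example for this thread (not Epik's or any registrar's code).
Assumed log format (constructed): "<ISO ts> <ip> POST /login user=<name> status=<code>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic, not real data. 203.0.113.7 sprays six different
# usernames in a few seconds (one succeeds); 198.51.100.2 is a legitimate user
# who fails twice on her own account and then logs in.
SAMPLE_LOG = """\
2021-09-15T10:00:01 203.0.113.7 POST /login user=alice status=401
2021-09-15T10:00:02 203.0.113.7 POST /login user=bob status=401
2021-09-15T10:00:02 203.0.113.7 POST /login user=carol status=401
2021-09-15T10:00:03 203.0.113.7 POST /login user=dave status=401
2021-09-15T10:00:03 203.0.113.7 POST /login user=erin status=200
2021-09-15T10:00:04 203.0.113.7 POST /login user=frank status=401
2021-09-15T10:00:10 198.51.100.2 POST /login user=grace status=401
2021-09-15T10:00:15 198.51.100.2 POST /login user=grace status=401
2021-09-15T10:00:20 198.51.100.2 POST /login user=grace status=200
"""


def parse_line(line):
    """Parse one line of the assumed format into a dict."""
    ts, ip, _method, _path, user_kv, status_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "user": user_kv.split("=", 1)[1],
        "status": int(status_kv.split("=", 1)[1]),
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5):
    """Flag source IPs that attempted >= min_distinct_users distinct accounts
    within any sliding time window of length `window`.

    Returns {ip: {"distinct_users": n, "succeeded": [accounts with a 200]}}.
    Repeated failures on a single account do not trigger (that is a user
    forgetting a password, handled by per-account lockout instead).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()  # largest set of distinct usernames seen in one window
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_distinct_users:
            succeeded = sorted({e["user"] for e in evs
                                if e["status"] == 200 and e["user"] in best})
            alerts[ip] = {"distinct_users": len(best), "succeeded": succeeded}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins on {info['succeeded'] or 'none'}")
```

In production this logic would sit behind the WAF or bot-protection layer (or a SIEM rule) rather than a batch script, and the thresholds would be tuned per site; the point is that counting distinct accounts per source, not failed attempts per account, is what catches stuffing without locking out ordinary users.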