The one-day livestreaming event takes place on Tuesday April 26, and will feature a content-rich agenda of presentations, keynotes and panel debates.
Appearing exclusively at PrivSec Focus: Third-Party Risk, Vincent D’Angelo will be among the thought-leaders discussing best practice in the prevention of supply chain attacks. The experts will consider how the Solarwinds and Kaseya incidents showed how devastating such attacks can be.
Vincent is Global Director of Strategic Alliances, Partnerships and Corporate Strategy at CSC Digital Brand Services. He leverages over twenty years’ industry experience and has a deep understanding of the digital business ecosystem, specialising in areas such as brand protection, phishing, online fraud and the cybersecurity of domain names, digital certificates, and DNS.
Vincent is a recognised specialist in domain security, helping the world’s leading companies and most valuable brands mitigate related business risks with the development of best practices, policies, and strategies.
We spoke to Vincent to hear more about his professional journey, and the challenges and solutions that industry players need to be aware of in the continued struggle against supply chain attacks.
Could you outline your career pathway so far?
“I started my career at Register.com in 2000, which was one of the initial domain name registrars. In 2006, I joined Corporation Service Company (CSC) when they acquired my previous employer. I’ve spent most of my 20+ years in the industry helping some of the world’s leading companies and brands develop digital brand protection and domain security best practices, policies, and strategies.
I am an industry-recognised subject matter expert and thought leader, and I currently serve as Global Director of Strategic Alliances, Partnerships & Corporate Strategy at CSC Digital Brand Services.”
How did the Solarwinds and Kaseya attacks expose risk in supply chain security?
“Put simply, the Solarwinds and Kaseya attacks came about because of software flaws and vulnerabilities, which then impacted thousands of organisations relying on those platforms – hence the resulting heightened focus on supply chain security.
The recipe for success for the attackers was the trust associated with the platforms and the connected nature of the companies involved. Although the initial events made the headlines, it was the ensuing “copycat” phishing attacks that gave longevity and increased scale to the breaches.
This brings me to the reason why I am participating on the panel at PrivSec Focus: Third-Party Risk. The highly interconnected nature of domain names and DNS means that bad actors are keenly focused on that ‘front door’ access point to not only the target organization, but its supply chain of partners, software platforms and their consumers.
A single compromise can result in proliferating, lucrative returns for fraudsters – so unsurprisingly, this attack method is accelerating. For example, recent breaches at major cloud providers and domain registrars provide a glimpse of the magnitude of the impact a supply chain attack on the DNS can have, where millions of domains and associated subdomains can be weaponised via an attack on a single organisation.
Furthermore, CSC’s research also shows that 7 out of 10 domain names containing trusted brand names on the internet are fake. So, how do we start to address this global systemic cyber risk that no one’s really talking about?”
What are the main challenges that industries face as they aim to combat the threat of supply chain attacks?
“There’s one main challenge, which can become an opportunity if policy makers and stakeholders in cybersecurity, cyber insurance and enterprise risk encourage guidelines to address it.
This challenge is as follows: most cyberattacks, including ransomware and business email compromise, start with phishing. However, organisations tend to respond by implementing more sophisticated threat monitoring, detection, mitigation solutions and employee awareness training, yet routinely fail to implement basic domain security measures that proactively target phishing at the source. More information on this can be found at the realities of domain security.”
What practical steps can businesses take to begin reducing their risk exposure?
“Domain security is the first line of defence in any organisation’s Zero Trust model, preventing cyberattacks originating from:
- Malicious domain registrations
- Compromised legitimate domains
- Email spoofing.
Some of the steps organisations can take, include:
1. Leverage an enterprise-class domain registrar and DNS security provider and adopt a defence-in-depth (multi-layered) approach for domain management.
2. Consider using domain security protections like domain registry locks, Certificate Authority Authorization (CAA) records, DNSSEC, DMARC, and DNS hosting redundancy.
3. Domain security hygiene/controls are foundational in preventing legitimate domains from being compromised (i.e., domain/DNS hijacking, man-in-the-middle attacks, and phishing).
4. Implement multi-factor authentication for systems used to secure domain names, DNS records, and digital certificates to reduce the risk of compromise.
5. Defensively register the brand-related domains that could be high-value targets (e.g., homoglyphs, or country domains) to mitigate the risk of bad actors registering and using them.
6. Monitor domain and DNS activity on an ongoing basis to identify potential compromises where domains may be used for phishing, brand abuse and other fraudulent activity.
7. Leverage global enforcement mechanisms using a range of technical and legal approaches to takedown, limit, or block access to those domains.”
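As an added illustration of step 2 (not code from CSC or the interview), the following script audits a domain's DNS records offline for three of the controls named there: a CAA record that restricts issuance, a DS record showing DNSSEC is enabled, and an enforcing DMARC policy. The domain names and record values are constructed samples, and `audit_domain` and `parse_dmarc` are hypothetical helper names.

```python
"""Offline audit of CAA, DNSSEC (DS) and DMARC controls for a domain.

Records are supplied as plain strings in the shape a resolver returns them;
a live check would feed real resolver output into audit_domain().
"""

# Constructed sample records keyed by domain (not real zones). "DS" is the
# delegation-signer set the parent publishes when DNSSEC is enabled; the
# digest is a placeholder.
SAMPLE_RECORDS = {
    "strong-brand.test": {
        "CAA": ['0 issue "ca.example"', '0 iodef "mailto:sec@strong-brand.test"'],
        "DS": ["2371 13 2 PLACEHOLDER_DIGEST"],
        "DMARC_TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong-brand.test"],
    },
    "weak-brand.test": {
        "CAA": [],
        "DS": [],
        "DMARC_TXT": ["v=DMARC1; p=none"],
    },
}


def parse_dmarc(txt_records):
    """Return the tag/value dict of the first DMARC1 TXT record, else None."""
    for rec in txt_records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def audit_domain(records):
    """Return (control, finding) tuples; an empty list means all three
    controls are present and configured to enforce, not just monitor."""
    findings = []
    caa = records.get("CAA", [])
    if not caa:
        findings.append(("CAA", "no CAA record: any public CA may issue certificates"))
    elif not any(' issue "' in r or ' issuewild "' in r for r in caa):
        findings.append(("CAA", "CAA present but no issue/issuewild restriction"))
    if not records.get("DS"):
        findings.append(("DNSSEC", "no DS record at parent: zone is not securely delegated"))
    dmarc = parse_dmarc(records.get("DMARC_TXT", []))
    if dmarc is None:
        findings.append(("DMARC", "no DMARC record: spoofed mail is not rejected"))
    elif dmarc.get("p", "none").lower() not in ("quarantine", "reject"):
        findings.append(("DMARC", f"policy p={dmarc.get('p')} only monitors"))
    elif "rua" not in dmarc:
        findings.append(("DMARC", "enforcing policy but no rua address for reports"))
    return findings


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, audit_domain(recs) or "all controls present")
```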
Hear more of Vincent D’Angelo’s views on this vitally important issue in “Preventing Supply Chain Attacks: Best Practice”, exclusively at PrivSec Focus: Third-Party Risk.
Also on the panel:
→ Cat Coode, Data Privacy Consultant, Fractional Data Privacy Officer, Binary Tattoo
→ Anu Kukar, Associate Partner, Cybersecurity Cloud, Strategy & Risk, IBM A/NZ; Director, Arascina® – Cyber for non-techies; Switch2Cyber – global campaign
→ Marco Túlio Moraes, CISO, Oiti
→ Patricia Punder, Governance, Compliance, Data Privacy and ESG International Expert, Punder Consulting Office, Punder Advogados
Panel debate time: 13:30 - 14:20 BST
Date: Tuesday 26th April 2022