The US Federal Trade Commission issued an order to GoDaddy to implement robust information security practices, extending the techniques the government is using to improve cyber security in a broad-based fashion.
GoDaddy, which supplies DNS, web hosting and related services, is not (yet) in a regulated industry. In the complaint, the FTC states that: “GoDaddy’s data security program was unreasonable for a company of its size and complexity. Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats. … As a result of GoDaddy’s data security failures, it experienced several major compromises of its hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to its customers’ websites and data”.
This is a relatively new tactic being employed to raise the baseline level of security in otherwise unrelated areas. We have seen actions, threats and fines against equipment manufacturers (e.g. D-Link, TP-Link), but this marks an expansion further along the supply chain, towards securing small business.
Proposed order will prohibit GoDaddy from misleading customers about its security protections and require it to establish a robust information security program
A parallel government agency, the SEC, introduced new rules for the disclosure and management of cyber security, adding another push to the supply-chain improvement of cyber security practices. This implies that a ‘full court press’ is underway to improve cyber security at all levels: equipment, supplier, practices, large, small, etc.
In the case of GoDaddy, they have a very large market position and are directly or indirectly responsible for a large amount of risk across 62 million domains and 21 million customers. Consider the humble DNS. If I can alter or add records in your DNS, I can (this is not a comprehensive list!):
- Take over your Microsoft Azure or Google Workspace setup
- Send email as you via SPF and DKIM (and thus, e.g., Business Email Compromise against your suppliers or customers)
- Remove your visibility into spoofing of your email by altering DMARC
- Issue SSL certificates in your name via CAA and the HTTP-01 or DNS-01 challenge
- Read your email by changing your MX record, and thus take over most of your online accounts via the ‘password reset -> email’ flow
- Inject malware into your e-commerce website to steal credit card info (via an AiTM proxy and the SSL certificate above)
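The flip side of that list is that each abuse leaves a trace in exactly the records named above. As an added example (not code from the original post), here is a small Python check that compares a known-good baseline of a domain's MX, SPF, DKIM, DMARC and CAA records against the currently published set and flags the security-relevant drift; it assumes the records have already been resolved into plain dicts, and the sample data is constructed.

```python
# Added example: detect tampering with the DNS records the post lists.
# Records are assumed pre-resolved into dicts; all sample values are constructed.

DMARC_RANK = {"reject": 2, "quarantine": 1, "none": 0}

def _tags(txt):
    """Parse a 'k=v; k=v' TXT record (DMARC/DKIM style) into a dict."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def dns_drift(baseline, current):
    """Return human-readable findings for security-relevant record changes."""
    findings = []
    if set(current.get("MX", [])) != set(baseline.get("MX", [])):
        findings.append("MX changed: inbound mail (and password resets) may be diverted")
    extra_spf = set(current.get("SPF", "").split()) - set(baseline.get("SPF", "").split())
    for tok in sorted(extra_spf):
        findings.append(f"SPF now authorises an extra sender: {tok}")
    b_p = _tags(baseline.get("DMARC", "")).get("p")
    c_p = _tags(current.get("DMARC", "")).get("p")
    if DMARC_RANK.get(c_p, 0) < DMARC_RANK.get(b_p, 0):
        findings.append(f"DMARC policy weakened: {b_p} -> {c_p}")
    for sel in sorted(set(current.get("DKIM", {})) - set(baseline.get("DKIM", {}))):
        findings.append(f"New DKIM selector published: {sel}")
    b_caa, c_caa = set(baseline.get("CAA", [])), set(current.get("CAA", []))
    if b_caa and not c_caa:
        findings.append("CAA records removed: any CA may now issue certificates")
    for issuer in sorted(c_caa - b_caa):
        findings.append(f"CAA now permits an additional issuer: {issuer}")
    return findings

# Constructed sample: the approved baseline and a tampered snapshot.
BASELINE = {
    "MX": ["10 mail.example.com."],
    "SPF": "v=spf1 include:_spf.google.com -all",
    "DKIM": {"google": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"},
    "DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "CAA": ['0 issue "letsencrypt.org"'],
}
TAMPERED = {
    "MX": ["10 mx.rogue.example."],
    "SPF": "v=spf1 include:_spf.google.com include:rogue.example -all",
    "DKIM": {"google": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY", "s2": "v=DKIM1; k=rsa; p=OTHERKEY"},
    "DMARC": "v=DMARC1; p=none",
    "CAA": [],
}
```

Running `dns_drift(BASELINE, TAMPERED)` yields five findings, one per hijacked record type, while `dns_drift(BASELINE, BASELINE)` is empty; in practice the baseline would be committed alongside your DNS-as-code and the check scheduled against live answers.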
I would hazard a guess that most companies didn’t consider ‘website hosting’ as a key part of their security and risk posture. It’s a cornerstone pillar, an unlimited skeleton key to all your locks: all your SaaS, all your online activities, the security of your supply chain, etc.
Defence in depth: it’s not just for others; look up and down your supply chain.