If your enterprise has a website (and one certainly would hope so in 2021!), it also has subdomains. These prefixes of your organization’s main domain name are essential for putting structural order to the content and services on your website, thus preventing online visitors from instantly fleeing in terror, disdain, or confusion.

Large enterprises can have thousands of subdomains. IBM, for example, has roughly 60,000 subdomains, while Walmart.com has “only” 2,132 subdomains.

Whatever value subdomains bring to enterprises (and they bring plenty), they also present more targets for bad actors. Why, just last year the subdomains of Chevron, 3M, Warner Brothers, Honeywell, and many other large organizations were hijacked by hackers who redirected visitors to sites featuring porn, malware, online gambling, and other activities of questionable propriety.

“This has been an ongoing problem for Azure-hosted sites,” TechRadar wrote, referring back to March 2020, when exploit and vulnerability-alert service Vullnerability reported that an automated scan had found more than 670 vulnerable Microsoft subdomains. At fault, the company said, were Microsoft’s poor Domain Name System (DNS) practices. (Fun fact: Microsoft has an astounding 122,571 subdomains.)

Subdomain takeovers, Vullnerability wrote, can be enabled through expired hosting services or DNS misconfigurations. The mechanism is the same in both cases: a DNS record keeps pointing at a resource (a cloud storage bucket, a hosted app’s hostname, a leased IP address) after the organization has released that resource, so whoever claims it next from the provider now answers for the organization’s hostname. Once attackers control a subdomain in this way, Vullnerability wrote, they can upload files, create databases, monitor data traffic, and clone the main website.
Worse, “it is not possible to detect that the subdomain” has been hijacked, leaving the enterprise’s system vulnerable to different types of attack. The reason is that nothing changes on the enterprise’s side: the DNS record that enabled the takeover was already there, and the change happens at the provider, where the abandoned resource is claimed by someone else.

In a new paper to be presented at the 30th USENIX Security Symposium, researchers from the Vienna University of Technology explore “related-domain” attacks (attacks in which control of one subdomain is turned against the other hosts that share the same parent domain) and offer some tips for IT pros to protect against subdomain attacks.

In addition to DNS misconfigurations, subdomains can be exploitable if they are assigned to untrustworthy users, the paper says. “Dangling DNS records”, that is, records that still point to a resource the organization no longer controls, such as an expired cloud hostname or a released IP address, can be taken over by unauthorized parties. Discontinued third-party services can provide entry into a system as well.

The consequences can be even more dire, the researchers say, because browsers and web applications routinely extend trust to every host under the same parent domain: session-hijacking attacks (a cookie scoped to the parent domain is sent to the attacker’s subdomain as well), session-fixation attacks (the attacker’s subdomain can set such a cookie for the whole domain), bypasses of web security policies such as CSP or CORS allow-lists that trust all of a site’s subdomains, and phishing pages served from a hostname visitors legitimately recognize. Honestly, they list so many ways subdomains can be used for attacks, you’ll just get depressed and possibly consider a career change.
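To make the dangling-record problem described above concrete, here is an added example (not code from the article or from the paper’s authors) that audits a zone file for records whose targets the organization does not control. The zone excerpt, the “owned” domains and address ranges, the example.com/example.net hostnames and the simulated resolver are all constructed for the demonstration; in real use you would export your zones from your DNS provider and pass a real lookup function.

```python
"""Audit a DNS zone for subdomain-takeover candidates.

Added example, not code from the article or from the paper's authors.
The zone excerpt, the "owned" domains and address ranges, and the
simulated resolver below are all constructed for the demonstration.
"""
import ipaddress
import re

# Domains the organization controls (constructed).
OWN_DOMAINS = {"example.com"}
# Address space the organization actually owns (constructed).
OWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("2001:db8::/32")]

# Constructed zone excerpt in BIND-style text; comments after ';' are ignored.
ZONE = """
$ORIGIN example.com.
@        300 IN A     198.51.100.10                 ; main site, our address space
www      300 IN CNAME example.com.                  ; alias to a host we control
api      300 IN AAAA  2001:db8::1                   ; our IPv6 range
assets   300 IN CNAME cdn-edge.example.net.         ; external provider, still live
blog     300 IN CNAME old-blog.host.example.net.    ; provider account was closed
legacy   300 IN A     203.0.113.7                   ; address we no longer lease
"""

# Names the simulated resolver treats as existing (constructed).
LIVE_NAMES = {"cdn-edge.example.net"}

RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME)\s+(\S+)$")


def constructed_resolver(name):
    """Stand-in for a real DNS lookup: True if the name resolves."""
    return name in LIVE_NAMES


def qualify(owner, origin):
    """Turn a zone-file owner name into a fully qualified name without the trailing dot."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner.rstrip(".")
    return f"{owner}.{origin}"


def is_own_name(name, own_domains):
    """True if name is one of our domains or lies underneath one of them."""
    return any(name == d or name.endswith("." + d) for d in own_domains)


def audit_zone(zone_text, own_domains, own_networks, resolves):
    """Return one finding per record whose target the organization does not control.

    status 'dangling':         CNAME to an external name that no longer resolves -> remove the record
    status 'external-live':    CNAME to an external name that resolves -> confirm the provider account is yours
    status 'external-address': A/AAAA to an address outside owned ranges -> confirm the lease or remove
    """
    origin = None
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # other record types are not takeover vectors in this audit
        owner, rtype, rdata = m.groups()
        name = qualify(owner, origin)
        if rtype == "CNAME":
            target = rdata.rstrip(".")
            if is_own_name(target, own_domains):
                continue
            status = "external-live" if resolves(target) else "dangling"
            findings.append({"name": name, "type": rtype, "target": target, "status": status})
        else:
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in own_networks):
                continue
            findings.append({"name": name, "type": rtype, "target": rdata, "status": "external-address"})
    return findings


if __name__ == "__main__":
    for f in audit_zone(ZONE, OWN_DOMAINS, OWN_NETWORKS, constructed_resolver):
        print(f"{f['name']:<22} {f['type']:<5} {f['target']:<30} {f['status']}")
```

Against the constructed zone this reports blog.example.com as dangling (remove the record), assets.example.com as external but live (verify the provider account is still yours, since a live target you no longer own is just as exploitable), and legacy.example.com as pointing at an address outside your ranges. To run it for real, replace `constructed_resolver` with a function that wraps `socket.getaddrinfo` and returns False on `socket.gaierror`.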
So let’s just focus on the helpful advice they give on their website, https://canitakeyoursubdomain.name/.

To determine which of your subdomains are vulnerable to being taken over, the researchers suggest “reviewing all the DNS records of type CNAME pointing to external domains, and all A/AAAA records pointing to IP addresses that are not directly controlled by your organization, e.g., those of services and cloud providers.” Should you determine that these are dead links, “you should remove the corresponding DNS entries.” An external target that still resolves is not automatically safe either: confirm that the provider account behind it is still yours, and make deleting the DNS record part of the decommissioning checklist for every external service.

If you want to protect your web applications from being exploited, the researchers say, web developers should “write security policies according to the least privilege principle, that is, restrict the attack surface as much as possible.” In this context that means not extending trust to every subdomain at once, whether in a Content Security Policy, a CORS allow-list, or a cookie’s Domain attribute, when a single named host would do.

“Restrict the attack surface as much as possible” seems like pretty good advice, you have to admit!

Developers also are urged to “consider the usage of the __Host- cookie prefix if the cookies set by your web application do not need to be shared with other related domains.” A cookie whose name starts with __Host- is stored by the browser only if it is set from a secure origin, carries the Secure attribute, has no Domain attribute, and has Path=/. It is therefore bound to the exact host that set it, so a hijacked sibling subdomain can neither receive it nor plant a copy of it for the application.

Despite this advice, the researchers found that six months after they reported potential vulnerabilities to the owners of live websites they had tested, “85% of the subdomains that we tested are still affected by leftover subdomain-takeover vulnerabilities.” People! Do better.

Bottom line: It’s easy to lose track of subdomains, especially if yours is a large enterprise. But you ignore them at your own peril.
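The following is an added example (not code from the article or from the paper’s authors) that shows why the __Host- prefix matters. It models the browser’s cookie-prefix acceptance rules and its host-matching rules, then asks whether an attacker on a taken-over subdomain can plant a session cookie that the real application will receive. The hostnames (www.example.com as the application, old-blog.example.com as the hijacked subdomain) and the three Set-Cookie headers are constructed for the demonstration.

```python
"""Why the __Host- cookie prefix blunts a hijacked sibling subdomain.

Added example, not code from the article or the paper's authors. The
hostnames below (www.example.com as the application, old-blog.example.com
as a taken-over subdomain) and the headers are constructed. The acceptance
rules follow the cookie-prefix requirements of RFC 6265bis.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes); attribute keys are lower-cased."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def prefix_violations(name, attrs, secure_origin=True):
    """Reasons a prefix-named cookie would be rejected by the browser; an empty list means it is accepted."""
    reasons = []
    if name.startswith(("__Host-", "__Secure-")):
        if "secure" not in attrs:
            reasons.append("missing Secure attribute")
        if not secure_origin:
            reasons.append("not set from a secure origin")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            reasons.append("Domain attribute present")
        if attrs.get("path") != "/":
            reasons.append("Path must be exactly '/'")
    return reasons


def browser_accepts(name, attrs, set_by_host, secure_origin=True):
    """Would a browser store this cookie when set_by_host sends it?"""
    if prefix_violations(name, attrs, secure_origin):
        return False
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        # A Domain attribute is only honoured if it domain-matches the setting host.
        return set_by_host == domain or set_by_host.endswith("." + domain)
    return True


def sent_to(attrs, set_by_host, request_host):
    """Would the stored cookie accompany a request to request_host? (path and scheme ignored)"""
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        return request_host == domain or request_host.endswith("." + domain)
    return request_host == set_by_host  # host-only cookie


def fixation_possible(header, attacker_host, victim_host):
    """Can a cookie set from attacker_host plant a value that the application at victim_host will read?"""
    name, _, attrs = parse_set_cookie(header)
    return browser_accepts(name, attrs, attacker_host) and sent_to(attrs, attacker_host, victim_host)


ATTACKER = "old-blog.example.com"  # constructed: dangling CNAME, now attacker-controlled
VICTIM = "www.example.com"         # constructed: the real application

# Domain-scoped session cookie: any subdomain can plant it for the whole site.
WEAK = "Set-Cookie: session=attacker-chosen; Domain=example.com; Path=/; Secure"
# __Host- cookie with a Domain attribute: the browser refuses to store it at all.
REJECTED = "Set-Cookie: __Host-session=attacker-chosen; Domain=example.com; Path=/; Secure"
# Valid __Host- cookie: stored, but bound to old-blog.example.com only.
HOST_ONLY = "Set-Cookie: __Host-session=attacker-chosen; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("rejected", REJECTED), ("host-only", HOST_ONLY)):
        print(f"{label:<10} fixation from {ATTACKER} -> {VICTIM}: {fixation_possible(header, ATTACKER, VICTIM)}")
```

The weak header succeeds because a Domain=example.com cookie set by one subdomain is sent to all of them; the two __Host- variants fail for different reasons, one because the browser rejects the cookie outright, the other because the cookie is stored host-only and never reaches www.example.com. The same host-only scoping is what keeps the application’s own __Host- cookie from ever being sent to the hijacked subdomain.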