It may be trivial to throw something together that works (I think it's still pretty hard unless you do devops stuff a lot, which hardly anyone will) but it's not going to be very secure, at least not down the line.

Where do you host all that? If on your home network, then your availability is probably not going to be great. Sucks to be travelling and unable to get to anything because your Wireguard Raspberry Pi died, so you need to make sure you don't need that. If using a cloud or other IaaS you run similar risks to 1Password etc., same with "conventional" root server hosters.

If you manage this for others, which is something that cloud services excel at, with rights management and the like: Are you ready to admin this for the long run, do "customer" service, etc.? What will the whole thing cost, both in terms of time and money? What about upskilling? What about machines that access Bitwarden or whatever directly – how secure are those? Do you keep all your machines on the same network? Can a smart lightbulb be an exploit vector? How do you know when automatic updates fail? How do you know you've been compromised? How do you keep abreast of zero days and critical issues in the exposed components? Is your OS hardened? What else is running on your critical machines? How do you keep everything updated, OS and the actual applications? How secure is your domain name? DNS? Your app may not warn you if the server answering isn't the one that answered yesterday.

Not saying everyone will need to cover all those bases, or that you couldn't or wouldn't just take some risks, but if the aim is to get better security than e.g. 1Password with their security teams and posture, then it's worth at least trying to have a complete picture and make conscious decisions on them. What needs to be covered will depend on a lot of factors, including how exposed you think you are.

There may not have been any mass-takeovers of badly secured domains, but we've seen during the Log4J incident that a lot of people believe not being listed on Google means their services cannot be discovered, only to find they're getting hammered with attacks, and that attackers have levelled up their capabilities a lot, with large-scale and surprisingly well-engineered attacks springing up pretty quickly. That trend will likely continue, and that combination of very capable attackers perceived as incompetent and lots of false assumptions about the actual risks is pretty dangerous: a lot of people will not realize how exposed they are because HTTPS=secure, right? That no one has targeted self-hosted Bitwarden instances on a large scale so far is no guarantee that no one ever will.

People are presumably trying to breach 1Password all the time and so far they seem to hold up well, though LastPass hasn't. What risk is bigger? That a homebrew setup falls to an untargeted mass exploit? That someone will target you with something more sophisticated? That 1Password is breached and keeping data they say they don't? That LastPass keeps data that everyone assumes they don't but never publicly said they don't, and get breached? If anyone knows, I'd like the details of their analysis, because to me it doesn't seem straightforward at all.

> I'm starting to suspect that the CISO is getting some sort of kickback from LastPass, because he's doubling down with every breach on a bad decision.

Corporate Occam's Razor says that either the CISO thinks that reverting the LastPass move right now would be a business mistake, or that ordinary big-company politics is a factor (in either doubling-down to protect from political fallout, or having to do things delicately behind the scenes).

On corporate politics, your paper trail letters to the CISO could be awkward. You might've tried collegial verbal dialogue with them first.

Corporate INFOSEC has a lot of nonsense, the CISO is often the predetermined fall-person when something inevitably goes wrong, and a paper trail that looks like the CISO made an oops despite being warned isn't a great situation for the CISO.

Fortunately for the CISO, mess-ups by vendors like LastPass are commonplace in enterprise software, and people routinely go unscathed for much obviously worse corporate purchasing/deployment decisions.