That trend will likely continue and that combination of very capable attackers perceived as incompetent and lots of false assumptions about the actual risks is pretty dangerous a lot of people will not realize how exposed they are because HTTPS=secure, right? There may not have been any mass-takeovers of badly secured domains, but we've seen during the Log4J incident that a lot of people believe not being listed on Google means their services cannot be discovered only to find they're getting hammered with attacks, and that attackers have levelled up their capabilities a lot, with large-scale and surprisingly well-engineered attacks springing up pretty quickly. What needs to be covered will depend on a lot of factors, including how exposed you think you are. 1Password with their security teams and posture, then it's worth to at least try to have a complete picture and make conscious decisions on them. Not saying everyone will need to have cover all those bases, or that you couldn't or wouldn't just take some risks, but if the aim is to get better security than e.g. If you manage this for others, which is something that cloud services excel at, with rights management and the like: Are you ready to admin this for the long run, do "customer" service, etc.? What will the whole thing cost, both in terms of time and money? What about upskilling? What about machines that access Bitwarden or whatever directly – how secure are those? Do you keep all your machines on the same network? Can a smart lightbulb be an exploit vector? How do you know when automatic updates fail? How do you know you've been compromised? How do you keep abreast of zero days and critical issues in the exposed components? Is your OS hardened? What else is running on your critical machines? How do you keep everything updated, OS and the actual applications? How secure is your domain name? DNS? Your app may not warn you if the server answering isn't the one that answered yesterday.
If using a cloud or other IaaS you run similar risks to 1Password etc., same with "conventional" root server hosters. Sucks to be travelling and unable to get to anything because your Wireguard Raspberry Pi died, so you need to make sure you don't need that. Where do you host all that? If on your home network, then your availability is probably not going to be great. It may be trivial to throw something together that works (I think it's still pretty hard unless you do devops stuff a lot, which hardly anyone will) but it's not going to be very secure, at least not down the line.
0 kommentar(er)
