Jan. 17th, 2022 – Final Update to the LastPass Breach
During a recent group discussion that CyberHoot participated in relating to the LastPass breach, Bradley Gross made a comparison between parachute manufacturing and password management. Parachute manufacturers have a low-risk tolerance, yet they still produce parachutes. Similarly, password managers are like parachutes that protect your digital identity. Just like in skydiving, where a backup chute, emergency training, and proper folding are essential for success, using a password manager is crucial in protecting one’s identity, which can have devastating consequences.
Using a password manager is essential in today’s connected world. However, in the event of a critical failure like the LastPass breach, it’s crucial to evaluate our criteria for selecting a password management vendor and how we operate the solution. It’s important to examine the implementation of our chosen solution to ensure its proper functioning, and to train for emergency situations since no software is perfect. Choosing the best manufacturer possible is also essential. This blog article outlines CyberHoot’s criteria for selecting a Password Management vendor which you can leverage for your business or your Managed Services Provider (MSP).
CyberHoot has chosen to transition to a new Password Management (PM) platform and has decided to discontinue recommending any specific password manager to others. This decision was made after taking into account the opinions of several cybersecurity experts, including Bruce Schneier, Brad Deflin of TotalDigitalSecurity, and Jeremi Gosney, a Yahoo security researcher, who have also suggested migrating away from LastPass following its recent security breach and inadequate communication about it. However, choosing the right platform and vendor can be challenging. So how do you choose?
CyberHoot has learned a lot about PM solutions during this latest event. We have researched the many challenges facing these vendors. They really are comparable to Parachute manufacturers. Therefore, CyberHoot suggests you follow our criteria for choosing your PM tool:
- First and foremost: given the criticality of the data contained in your Password Manager, the fact that most products are cloud-enabled (exposing them to a large population of attackers), and the fact that no software solution ever written was perfect, CyberHoot recommends you find a vendor that conducts multiple 3rd party Application Security Assessments, Penetration Testing, and audits of its platform, architecture, and codebase. You want a product that has been independently verified annually by more than one 3rd party (if possible). While this is not a guarantee that all bugs and vulnerabilities have been identified, it’s certainly better than not having them done at all. All other criteria are really of secondary importance.
- Many have argued that cloud-enabled SaaS PMs remain viable and important for ease of use, but stand-alone solutions that do not synchronize through the cloud (Internet) also exist. You will need to decide whether a cloud-synchronized PM is best for your business.
- A robust Bug-Bounty program is also a very strong indicator that the vendor is serious about finding and eliminating critical risks in their platform. It provides grey hat and white hat hackers the financial incentive to sell their zero-day bugs to the vendor instead of the dark web. You want a PM solution that documents its bug bounty program.
- Features, pricing, and functionality will be your next and final set of criteria to measure by. This is where most vendors are in quite close proximity to one another. The feature sets and functionality (browser plugin, mobile device support, technical support) are similar, with a few differentiating features between vendors. In this area, if you’ve satisfied criteria 1 and 2 above, then this comes down to preference, ease of use, and your own specific needs. Consider reviewing these three Password Manager reviews from trusted technical advisors:
CONCLUDING THOUGHTS FROM CYBERHOOT:
In looking through the Password Manager reviews performed by ZDNet, Tom’s Guide, and PC Magazine, we did not find references to the critical criterion of vendors having contracted for independent 3rd party security audits, application security assessments, or penetration testing of their cloud architecture. Following the parachute analogy one last time, would you choose a parachute manufacturer that said “trust us, we know what we’re doing,” or one that was certified to ISO 9000 manufacturing standards annually by multiple 3rd party audits?
Therefore, CyberHoot went looking for vendor references to these software audits and testing reviews on vendors’ websites. Below you will find links to PM vendors’ 3rd-party reviews, audits, assessments, and testing. Review these carefully, as they are not all equal. Many PM vendors made no mention of this kind of testing and auditing of their product or architecture.
Let CyberHoot reiterate: given the LastPass challenges, criterion 1 above needs to be your basic decision point that must be met before proceeding to criteria 2, 3, and 4 in choosing your password manager.
3RD PARTY AUDITS OF PASSWORD MANAGERS ACCORDING TO THE VENDORS
Keeper 3rd Party Security Audits (search for Audits)
Final Tip: You have a Master Services Agreement in place – right?
MSPs need to provide support for password managers to their clients. When the manufacturer fails, your Master Services Agreement should be in place to protect you from liability. Make sure you have an MSA in place with each of your clients that provides the appropriate protection for a potential “chute failure” by a software manufacturer. Don’t stop skydiving; just make sure you’re prepared for all the eventualities.