Linux vDeployer Is Now GA

For more information on preparations and execution, please refer to https://customer-portal.vicarius.io/how-can-i-deploy-the-agent-remotely

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

How Does Passwordless Authentication Fit With Zero Trust Security Models?

Will 2023 be the year we finally eliminate passwords? For the last decade, cybersecurity experts have both been pushing for and predicting that a passwordless future is just around the corner. However, while passwords have been declining in recent years in favor of more robust forms of authentication, an entirely passwordless future has yet to materialize.

But that all could be set to change with the increased adoption of zero trust security models. Zero trust does away with implicit trust and requires all users and devices, whether inside or outside the corporate network, to be continuously authenticated and authorized. And critically, zero trust is also starting to mean zero passwords. But why?

Let’s dive into why passwordless authentication is important and how it fits into zero trust security models.

What is Passwordless Authentication?

As the term suggests, passwordless authentication is a way of verifying a user’s identity with something other than a password. Common types of passwordless authentication include email-based or SMS-based one-time codes, multi-factor authentication, and biometrics.

Biometrics are increasingly favored over other types of passwordless authentication because they’re virtually impossible for hackers to imitate, and they reduce user friction. Some examples of biometric authentication include retinal scans, voiceprints, facial recognition, fingerprint scans, and biometric mouse movements.

Why Use Passwordless Authentication?

Here’s what it comes down to: passwordless authentication is simply more secure than password-based authentication.

While businesses have relied on passwords for decades, they’re no longer considered a secure way to protect our accounts and corporate networks. For example, 44% of employees reuse passwords across personal and work-related accounts. Moreover, most passwords are extremely easy to guess – the top five passwords globally are “123456”, “Password,” “12345678”, “qwerty,” and “123456789”.

As a result, hackers have long favored password attacks to breach corporate networks or personal accounts. Many different password attack methods exist, but the most common are:

  • Brute-force attacks: This hacking method uses trial and error to crack passwords, typically using lists of common passwords or leaked passwords obtained from the dark web.
  • Surgical attacks: These are a type of targeted attack where the hacker researches the intended victim, scouring their public accounts to find key details like their birthday, favorite sports team, hobbies, names of their children, etc., that the user may use in passwords.
  • Phishing/Social engineering: Here, cybercriminals pose as a trusted entity like a well-known company or another employee and trick the target into sharing their login details via a fraudulent login screen. Other methods include sending emails with a malicious link that automatically installs key-logging malware on the victim’s computer.

But by opting for passwordless authentication, you can eliminate or vastly reduce the risk of falling victim to these types of attacks.

There are also other reasons to move away from passwords. For example, passwordless authentication is more convenient for workers because it leverages something the user has or something inherent to them, eliminating the need for them to remember anything. This also means employees can log into devices faster.

Rising Zero Trust Adoption

72% of organizations are in the process of adopting zero trust or have already implemented it. Moreover, an eye-watering 90% of organizations say that advancing zero trust is one of their top three IT and security priorities. But why exactly is zero trust becoming so widespread?

Adopting a zero trust approach can reduce the cost of a data breach by approximately $1.76 million and offers efficiency gains amounting to savings of 40 man-hours per week. Moreover, companies that leverage zero trust network segmentation (an element of ZTNA) are two times more likely to avoid critical outages due to security incidents.

Undoubtedly, the need for continuous authentication is rising as remote working and distributed workforces become more common. Zero Trust Network Access (ZTNA) is a critical set of technologies and functionalities here, enabling remote users to access internal applications securely. ZTNA is fast becoming essential for businesses in the modern world.

Can You Have Password-Based Zero Trust?

Yes, and many organizations do. However, cybersecurity experts are now warning that password-based zero trust does not meet the defense demands of the increasingly severe cyber threatscape of today.

Why Passwordless Zero Trust Is the Way Forward

Here’s the bottom line. Passwords are not only weak forms of security, but they also make your zero trust program slower, more expensive, and less effective.

Passwords require more tools, which drives up costs. Additional tools demand more administrators, new user licenses, and often more training for users and the help desk. All of these factors result in a more expensive security program.

Additionally, companies that use passwords in conjunction with MFA often still have security gaps. This is typically because legacy systems or otherwise awkward technologies don’t play well with some MFA tools, leaving specific corporate systems protected only by passwords. There can also be MFA gaps in workstation login, VPNs, RDP, and VDI or IoT devices where passwords are the default.

Lastly, there are resource constraints involved with managing robust password-based security. IT and security teams are often understaffed and overwhelmed, and the current cybersecurity skills gap exacerbates this problem. Moreover, rising economic uncertainty puts more pressure on businesses of all sizes to reduce their IT budgets and take cost-cutting measures.

In this increasingly severe climate, security teams are feeling the pains of passwords more than ever before. By taking passwords out of the equation, organizations can reduce the labor burden on already over-stretched security workers and give them more time to spend on proactive cybersecurity measures.

Final Thoughts

Credential stuffing may be one of the oldest attack methods, but it’s still going strong today. For example, credential stuffing attacks became so prevalent in the first quarter of 2022 that attack traffic surpassed legitimate login traffic in some countries. And equally concerning, the first half of 2022 saw more attacks against MFA than any previous year.

Simply put, cybercriminals are increasingly targeting our traditional defense measures, namely passwords and MFA. As a result, companies embarking on their zero trust journey need to move away from passwords and weaker forms of MFA in favor of more robust passwordless authentication.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

ESET Threat Report T3 2022: When war meets cyberspace – the impact of Russia’s invasion on digital threats

  • Since the start of the Russian invasion of Ukraine, ransomware has increased its destructive capabilities; in T3, several ransomware-mimicking wipers appeared in connection with the war, targeting Ukrainian entities.
  • RDP password-guessing attacks remained down in T3 2022, with daily averages oscillating around 100 million attack attempts (compared to 1 billion in T1 2022).
  • Despite patches having been available since December 2021, exploitation attempts of Log4j grew by 9% in T3 2022.
  • Cryptocurrency threats declined by 25% in T3 2022, with detections almost cut in half in a year-on-year comparison; while crimeware is decreasing, cryptocurrency-related scams are rising.
  • Banking malware detections more than doubled in a year-on-year comparison.
  • Android detections grew by 57% in T3 2022, with Adware, HiddenApps, and Spyware driving the increase.

BRATISLAVA, February 8, 2023 — ESET released today its T3 2022 Threat Report, summarizing key statistics from ESET detection systems and highlighting notable examples of ESET’s cybersecurity research. The latest issue of the ESET Threat Report (covering October to December 2022) highlights the impact of the ongoing war on Ukraine and its effects on the world, including cyberspace. The invasion continues to have a major impact on energy prices, inflation, and cyberthreats, with the ransomware scene experiencing some of the biggest shifts.

“The ongoing war in Ukraine has created a divide among ransomware operators, with some supporting and others opposing the aggression. Attackers have also been using increasingly destructive tactics, such as deploying wipers that mimic ransomware and encrypt the victim’s data with no intention of providing a decryption key,” explains Roman Kováč, Chief Research Officer at ESET.

The war also affected brute-force attacks against exposed RDP services, but despite the decline of these attacks in 2022, password guessing remains the most favored network attack vector. The Log4j vulnerability, patches for which have been available since December 2021, still placed second in the external intrusion vector ranking.

The report also explains the impact of cryptocurrency exchange rates and soaring energy prices on various crypto-threats, with cryptocurrency-related scams experiencing a renaissance. ESET products blocked an increase of 62% in cryptocurrency-themed phishing websites in T3, and the FBI recently issued a warning about a surge in new crypto-investment schemes. Overall infostealer detections trended down in both T3 and the whole of 2022; however, banking malware was an exception, with detections doubling in a year-on-year comparison.

Other trends in T3 include increased phishing activity impersonating online shops during the holiday season and the rise in Android adware detections due to malicious versions of mobile games being placed on third-party app stores before Christmas. “The Android platform also saw an increase in spyware throughout the year, due to easy-to-access spyware kits available on various online forums and used by amateur attackers,” added Kováč.

The ESET T3 2022 Threat Report also reviews the most important findings and achievements by ESET researchers. They discovered a MirrorFace spearphishing campaign against high-profile Japanese political entities, and new ransomware named RansomBoggs that targets multiple organizations in Ukraine and has Sandworm’s fingerprints all over it. ESET researchers also discovered a campaign conducted by the infamous Lazarus group that targets its victims with spearphishing emails containing documents with fake job offers; one of the lures was sent to an aerospace company employee. As for supply-chain attacks, ESET experts found a new wiper and its execution tool, which they have both attributed to the Agrius APT group, aiming at users of an Israeli software suite used in the diamond industry.

Besides these findings, the report also summarizes the many talks given by ESET researchers in recent months and introduces talks planned for both the RSA Conference and Botconf.

For more information, check out the ESET Threat Report T3 2022 on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Understanding the Ins & Outs of Cyber Risk Quantification

Introduction

In today’s digital world, cyber risk is high and growing. The best way to control this risk is with a proactive cyber security strategy that quantifies and measures your company’s vulnerability to theft, fraud, or data breach.

The cyber threat landscape is diverse, with a wide range of potential threats such as intellectual property theft, ransomware, data breaches, DDoS attacks, and insider threats. As cyber criminals keep developing new attack methods, cyber security professionals must stay on top of where the latest threats are emerging. Before a company can achieve this, it must first understand its cybersecurity risks, be vigilant in its security stance, and be aware of the risks that accompany it.

Cyber risk quantification (CRQ) is the primary route to understanding the cyber threat landscape and mitigating risks within a cyber security environment. Cyber risk quantification is also part of Cyber Security Risk Management and is a crucial part of an organization’s overall security posture. It involves assessing risks relating to various cybersecurity topics, such as vulnerabilities, threats and impacts. Quantification addresses measurement, tracking and reporting on the risks relating to specific topics to prepare for cyberattacks effectively.

Risk quantification is the process of determining how likely a threat or attack is to succeed against your organization and then assessing the severity of such an event. Cyber risk quantification is the part of this process that pertains specifically to threats targeting information held on computer networks or on physical systems such as smartphones. These include both internal threats (such as employees) and those from external sources (hackers).

Risk quantification is a tool that helps enterprises understand their existing cyber risk environment. It also enables them to devise effective strategies for reducing those risks by implementing appropriate controls.

 

What is Cyber Risk Quantification?

This process of cyber risk quantification has been described as a three-step process: identifying the “pen-testing assets”, counting vulnerabilities, and measuring the potential threats. These steps represent a holistic approach, allowing a comprehensive view of one’s cyber risk posture and its vulnerabilities, threats, and risks.

At its core, cyber risk quantification is not a specific set of rules or methodologies but rather a method for conducting a rigorous, in-depth analysis of any IT infrastructure. The intent is to obtain objective evidence from which to develop strategies for reducing risks and ultimately strengthening an organization’s cyber resilience.

Benefits of Cyber Risk Quantification

Cyber risk quantification is important in ensuring that cyber threats are understood and can help cyber security teams analyse vulnerabilities and risks and create cyber risk mitigation strategies. The following are the benefits of cyber risk quantification.

Provides Insights into Vulnerabilities

An analysis of the information technology assets allows companies to understand their cyber risk posture and quantify their security vulnerabilities. The process makes companies feel more secure in knowing they are not as vulnerable as they originally assumed.

Helps Identify & Mitigate Threats

Cyber risk quantification is a process that helps identify the number of potential threats within an organization. It helps determine what the company needs to do to prevent a cyber attack.

Provides Information for Basing Decisions

The cyber risk quantification process allows the creation of an actionable and detailed plan for organizations to make informed decisions about protecting themselves from cyberattacks.

Helps Identify the Need for Resources

Companies can use the cyber risk quantification process results to determine what resources are required to reduce or eliminate current organizational threats and vulnerabilities.

Risk Management Decision

After a cyber risk quantification process, an organization better understands its current security posture and related cyber risks, and can make well-informed decisions about reducing that risk.

Automating the Process

Organizations can automate cyber risk quantification to save time and labour. This means that technicians will not have to spend time performing cyber risk quantification on each piece of information technology equipment.

Cost-Effective

The overall cost of implementing cyber risk quantification will not be much more than processing a security vulnerability assessment.

 

Determining the Company’s Cyber Tolerance

Organizations can use the information obtained to identify and develop cybersecurity strategies for the foreseeable future. This means that the consequences of an attack during this planning period are less severe than those an organization would otherwise experience.

Determining the Potential Cost of a Cyber Attack

Companies can use cyber risk quantification to estimate the cost of a successful attack and use this to determine how much money should be allocated towards mitigating the impact of an attack.

Planning Effective Training Programs

The results of a cyber risk quantification process can be used to create more effective training programs and plan for an organization’s IT infrastructure training needs.

 

How to Leverage Cyber Risk Quantification

Cyber risk quantification can be leveraged at the following levels:

Organizational Levels

The senior management of an organization needs to determine the organizational level of cyber risk quantification. The level at which this model is used will depend on how large and how organized an organization is.

For example, an enterprise with thousands of employees or many systems will benefit from applying this model at a higher level (e.g., enterprise-wide) than a smaller company that runs just one corporate system.

Site Level

Organizationally focused cyber risk quantification methods can be applied to each site. It is the level at which most companies are structured; they have one or a few locations and may have dozens of sites. The IT personnel at each site may also not have direct access to all the data needed for an effective cyber risk quantification model.

Process Level

Many organizations are involved in processing large amounts of data (e.g. processing credit card information or handling employee information). These organizations can apply the same data processing methodologies to cyber risk quantification and perform a different amount of manual data analysis.

Asset Level

Cyber risk quantification can be applied to a specific asset (e.g., a server, router, switch). It is an effective method for performing cyber risk quantification on small network environments or those with limited access to the underlying devices on a network.

Information System Level

This level is useful for the entire IT infrastructure. Most organizations would benefit from a more holistic enterprise approach to cyber risk quantification.

Individual Asset Level

Some organizations may have large network environments that do not need a holistic enterprise-level approach to quantifying cyber risk. Some systems are relatively small and easy to manage individually with minimal use of IT resources.

Application Component Level

An individual application component (e.g. a web server) is typically not a significant resource on its own, and it has unique vulnerabilities that need to be fixed. In most instances, cyber risk quantification of an application component will include looking at its counterpart components. It would be a rare occurrence for those performing cyber risk quantification on an individual asset level.

Challenges of Cyber Risk Quantification

Cyber risk quantification is a challenging task because numerous variables can affect how risks are quantified. Some of the most common factors that have to be considered when performing cyber risk quantification include:

Data Visibility

The amount of data for analysis is often limited in the cyber risk quantification process. It means that the available data has to be collected from a relatively small number of sources and then analyzed using an automated method.

Can’t Calculate Risk

Cyber risk quantification is far from an exact science. Often, organizations need a deeper understanding of the vulnerabilities they are trying to quantify and of the impact a successful cyber attack would have on their company.

Partial Remediation

Sometimes, a company can perform some level of remediation, but not all of its IT infrastructure components. It is often the case in smaller companies where policy and security costs can be very high.

Time Frame of Analysis

Cyber threat intelligence is always changing, and so is the level of risk for an organization, even for an asset within that organization. Cyber risk quantification models must be set up to keep pace with these changes.

Data Manipulation

The information is also analyzed against other data that has been manipulated and stored for analysis. While this does not mean that all data is manipulated, it does mean that some data may have been tampered with or changed to alter the analysis’s findings (e.g., personal information).

No Consistent Methodology

Cyber risk quantification is not an exact science; therefore, it cannot be performed consistently.

No Standardization

The model used for cyber risk quantification may depend on the organization and the structure of its IT infrastructure. It is challenging to translate results from one organization to another or even use it across various industries.

No Known Method

Studies have shown that industry and IT experts do not widely accept any known cyber threat quantification methodology.

 

Conclusion

Cyber risk quantification is an emerging field in cybersecurity that will undoubtedly play an increasingly crucial role in assessing organizational risk before potential attacks occur.

The LastPass Data Breach and How NordPass Keeps Your Data Safe

On December 22, 2022, LastPass announced that a data breach first disclosed in August 2022 was far more extensive than initially thought. The news sent shockwaves through the industry, leaving many password manager users — especially LastPass users — concerned about the security of their sensitive information.

The breach serves as a stark reminder that no online service provider may be completely bulletproof breach-wise. So today, let’s get into the LastPass data breach and what it means for NordPass users.

The LastPass data breach breakdown

Cybercriminal activity has been on a steady rise for the last decade, and it looks like the trend is not about to change. In fact, today, cybercrime is the most lucrative criminal activity and is estimated to cost the world $10.5 trillion annually by 2025.

So as our personal and financial information is increasingly getting stored online, it is critical that companies take all necessary steps to protect their customers’ data. Unfortunately, the recent LastPass data breach shows that even well-known companies can fall short security-wise.

The company’s latest statement explains that an unauthorized party was able to access LastPass’ cloud-based storage environment and copy customer vault data along with information from a backup of customer account information.

The extent of the breach is not yet clear, but it is likely that it included some personally identifiable data such as email addresses, phone numbers, and billing information for some users.

The response from LastPass to the breach has been met with criticism from both industry experts and customers. In fact, it has already led to a class-action lawsuit, with one plaintiff alleging that the data breach resulted in the theft of around $53,000 worth of Bitcoin.

Did the LastPass data breach affect all password manager users?

Let’s be clear — the LastPass data breach does not have any direct effect on NordPass, its users, or users’ data.

After all, we’re two different companies and products with completely different security approaches and mindsets. However, we admit that seeing a competitor affected by a breach of this magnitude is an acute reminder to stay vigilant and prepared at all times.

Is NordPass a secure place for your digital valuables?

Given the severity of the LastPass data breach, it’s only natural that people are questioning the security of their password manager, including NordPass.

First, one of the key elements of NordPass is that it is a zero-knowledge password manager equipped with an advanced encryption algorithm known as XChaCha20 to ensure protection of everything you store in NordPass.

This means that all data stored in the NordPass vault is first encrypted on your device and only then sent to the cloud-based server. Because of the way NordPass is set up, it is only you — the user — who holds the decryption key and has access to everything stored in their vault.

The NordPass team can’t see or access anything. The same principle applies in situations of breaches. Even if a bad actor were able to get their hands on your vault data, they would still need your device, which holds the decryption key, to access the actual contents of the vault data.

NordPass CTO Tomas Smalakys offers a more detailed explanation:

Each NordPass user has a unique public-key cryptography key pair. The Public Key is always stored in plaintext form. The Private Key, on the other hand, exists in plaintext form only on the user’s end device for a limited period of time and never leaves it.

When we need to store a user’s Private Key, it’s encrypted with secret-key cryptography (XChaCha20-Poly1305-IETF) on the user’s device and only then passed to us. While the app is unlocked, the unencrypted Private Key is stored in the secure memory accessible only to the NordPass application. When the application is locked, either by the user or automatically after a set period of inactivity, the Private Key is deleted from the secure memory.

For the user’s Private Key encryption, the Master Key is used. The Master Key is derived from the Master Password and a 16-byte unique-per-user cryptographic salt using the key derivation function (Argon2id). We ask the user for the Master Password every time we need to decrypt the user’s Private Key.

 

– Tomas Smalakys

NordPass CTO

Tomas further explains that in addition to the encryption principles above, every item (folder, password, credit card, etc.) has two types of data:

  • Metadata (title, website address, cardholder name, etc.)

  • Secret data.

For secret-key (symmetric) cryptography, we use an authenticated encryption algorithm:

  • XChaCha20 stream cipher encryption.

  • Poly1305 MAC authentication.

For public-key (asymmetric) cryptography, we use an authenticated encryption algorithm:

  • X25519 key exchange.

  • XSalsa20 stream cipher encryption.

  • Poly1305 MAC authentication.

User data is encrypted on the user’s device and never leaves the device in plain text. This means that when the data is in transit or at rest, it is fully encrypted. In the database, both metadata and secret data are encrypted. This means that if bad actors are able to get access to the database or any of its backups, no user data can be accessed.
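The symmetric half of the scheme just described, as an added example that is not NordPass code: a pure-Python XChaCha20-Poly1305-IETF (RFC 8439 ChaCha20-Poly1305 plus the HChaCha20 nonce extension) wraps a Private Key under a Master Key derived from the Master Password and a 16-byte per-user salt, so the stored record holds no plaintext key and unlocking fails closed on a wrong password or a tampered record. Argon2id is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the KDF; the record layout, KEY_AAD, the sample key and the password are constructed for this example, and the X25519 public-key path is not modelled.

```python
"""Client-side wrapping of a vault Private Key (constructed example; names invented)."""
import hashlib, hmac, os, struct

MASK = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
P1305 = (1 << 130) - 5
KEY_AAD = b"vault-private-key"  # constructed associated data naming the record type

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _chacha_rounds(state):
    s = list(state)
    for _ in range(10):  # 20 rounds = 10 x (column round, diagonal round)
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s

def chacha20_block(key, counter, nonce12):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 bytes."""
    init = [*CONSTANTS, *struct.unpack("<8L", key), counter, *struct.unpack("<3L", nonce12)]
    out = _chacha_rounds(init)
    return struct.pack("<16L", *[(o + i) & MASK for o, i in zip(out, init)])

def hchacha20(key, nonce16):
    """HChaCha20 subkey derivation for XChaCha20: 16 nonce bytes in, no feed-forward."""
    s = _chacha_rounds([*CONSTANTS, *struct.unpack("<8L", key), *struct.unpack("<4L", nonce16)])
    return struct.pack("<8L", *s[0:4], *s[12:16])

def _chacha20_xor(key, nonce12, data, counter=1):
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)

def poly1305(key32, msg):
    """Poly1305 one-time authenticator (RFC 8439 section 2.5)."""
    r = int.from_bytes(key32[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key32[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):  # each block gets a 0x01 byte appended, then mod p
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _mac_data(aad, ct):
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    return pad(aad) + pad(ct) + struct.pack("<QQ", len(aad), len(ct))

def _expand(key, nonce):
    """24-byte nonce = XChaCha20-Poly1305-IETF: subkey via HChaCha20, IETF nonce = 4 zero
    bytes + last 8 nonce bytes.  A 12-byte nonce selects plain IETF ChaCha20-Poly1305."""
    if len(nonce) == 24:
        return hchacha20(key, nonce[:16]), b"\x00" * 4 + nonce[16:]
    return key, nonce

def aead_encrypt(key, nonce, aad, plaintext):
    """Returns ciphertext || 16-byte Poly1305 tag."""
    key, nonce = _expand(key, nonce)
    otk = chacha20_block(key, 0, nonce)[:32]   # one-time Poly1305 key from block 0
    ct = _chacha20_xor(key, nonce, plaintext)  # keystream starts at block 1
    return ct + poly1305(otk, _mac_data(aad, ct))

def aead_decrypt(key, nonce, aad, ct_and_tag):
    key, nonce = _expand(key, nonce)
    ct, tag = ct_and_tag[:-16], ct_and_tag[-16:]
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(tag, poly1305(otk, _mac_data(aad, ct))):  # verify first
        raise ValueError("authentication failed: wrong key or tampered record")
    return _chacha20_xor(key, nonce, ct)

def derive_master_key(master_password, salt16):
    """Master Key from Master Password + 16-byte per-user salt.  The article states Argon2id;
    PBKDF2-HMAC-SHA256 stands in here only because Argon2id is not in the standard library."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt16, 200_000)

def wrap_private_key(master_password, private_key, salt16=None, nonce24=None):
    """Client side: this record is all the server ever receives; it holds no plaintext key."""
    salt16, nonce24 = salt16 or os.urandom(16), nonce24 or os.urandom(24)
    mk = derive_master_key(master_password, salt16)
    return {"salt": salt16, "nonce": nonce24, "ct": aead_encrypt(mk, nonce24, KEY_AAD, private_key)}

def unwrap_private_key(master_password, record):
    """Client side on unlock: fails closed on a wrong Master Password or a modified record."""
    mk = derive_master_key(master_password, record["salt"])
    return aead_decrypt(mk, record["nonce"], KEY_AAD, record["ct"])
```

The primitives are checked against the RFC 8439 block, Poly1305 and AEAD test vectors; the wrapped record for a given salt and nonce can be compared byte-for-byte with any libsodium `crypto_aead_xchacha20poly1305_ietf_encrypt` output under the same stand-in key.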

Furthermore, at NordPass, we feel that due to the nature of our product, our security practices should be transparent. Both NordPass and NordPass Business have had their security posture thoroughly audited by Cure53, a renowned German auditing firm.

NordPass Business has also successfully passed the SOC 2 Type 1 Audit, which ensures that NordPass Business provides proper security controls to manage customer data and protect their interests with regard to privacy.

All these measures help to ensure that the sensitive data stored in NordPass vaults is protected at all times. However, these days bad actors are creative and no longer function as a one-person operation. So it’s always important to be vigilant with your own security and use strong, unique passwords for each account as well as enable two-factor authentication whenever possible.

Bottom line

It remains to be seen how the LastPass breach will impact the company and the password management industry as a whole, but one thing is clear: it has shaken user trust and serves as a cautionary tale for the importance of data security.
