Mitigate the LastPass Attack Surface in Your Environment with this Free Tool

January 5, 2023 | Hacker News | Password Management / IT Breach


The latest breach announced by LastPass is of great concern to security teams. As so often, we run into the limits of what security controls can guarantee. On the other hand, as LastPass points out, users who follow LastPass's best practices are at virtually zero to very low risk. The reality, however, is that very few organizations truly enforce those practices. This puts security teams in the worst possible position: exposure is almost certain, yet it is nearly impossible to identify the users who created it.

To help security teams through this difficult time, browser security vendor LayerX has made its platform available for free. It gives security teams visibility into every browser that has the LastPass extension installed, so they can mitigate the potential impact of the LastPass compromise on their environment: notify exposed users, require them to enable MFA on their accounts, and, where necessary, run a dedicated master password reset procedure to remove an adversary's ability to use a compromised master password for malicious access. (Complete this form to request access to the free tool.)

LastPass announcement recap: What data does the attacker have and what is the risk?

According to the LastPass website, the threat actor "was also able to copy a backup of customer vault data from the encrypted storage container", including fields such as website usernames and passwords, secure notes, and form-filled data.

The implied risk is that an attacker could brute-force the master password offline and use it to decrypt the stolen copy of the vault data. LastPass adds that, due to the hashing and encryption methods it uses to protect customers, it is very difficult to brute force the master password of a customer who follows password best practices.
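The offline guessing attack described above, as an added example (not LastPass's code and not part of the original article): a toy "stolen vault backup" that stores only a salt, a PBKDF2 work factor and a key-check tag, and an attacker loop that tries candidate master passwords against it. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the wordlist and the two sample master passwords are all assumptions constructed for the illustration; LastPass's real vault format and KDF parameters are not described on this page.

```python
import hashlib
import hmac
import os

# Assumed, illustrative work factor. LastPass's real KDF parameters are not stated on this page.
ITERATIONS = 100_100
KEY_CHECK_LABEL = b"vault-key-check"


def derive_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256, assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def key_check(key):
    """Tag an attacker can use to confirm a guessed key; it stands in for 'decryption visibly succeeds'."""
    return hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()


def make_stolen_backup(master_password, salt=None, iterations=ITERATIONS):
    """Construct the part of a toy vault backup that matters for an offline attack.

    The salt and iteration count sit in the clear next to the encrypted fields, so the
    attacker has everything needed to re-run the KDF on each guess.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "key_check": key_check(key)}


def offline_guess(backup, candidates):
    """Attacker side: no rate limiting, no MFA prompt, nothing that alerts the victim.

    Each guess costs one PBKDF2 run over the stored iteration count.
    Returns (recovered_password, guesses_tried); the password is None if the list is exhausted.
    """
    for tried, guess in enumerate(candidates, start=1):
        key = derive_key(guess, backup["salt"], backup["iterations"])
        if hmac.compare_digest(key_check(key), backup["key_check"]):
            return guess, tried
    return None, len(candidates)


# Constructed wordlist: the reused, pattern-based passwords a leaked-credential corpus is full of.
WORDLIST = ["password", "Password1", "Welcome1!", "Summer2022!", "Qwerty123", "Letmein!", "Company2023"]


def demo(iterations=ITERATIONS):
    """Compare a reused, guessable master password with a long random one against the same wordlist."""
    weak = make_stolen_backup("Summer2022!", iterations=iterations)
    strong = make_stolen_backup("orbit-velvet-cactus-harbor-91", iterations=iterations)
    return {"weak": offline_guess(weak, WORDLIST), "strong": offline_guess(strong, WORDLIST)}


if __name__ == "__main__":
    print(demo())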

Failure to follow LastPass password best practices exposes the master password, and with it the vault

The closing qualifier, "password best practices", is the most alarming part. How many people actually maintain password best practices? The realistic but unfortunate answer is: not many. This holds even for enterprise-managed applications, and for personal apps it is safe to assume that password reuse is the norm rather than the exception. The risk posed by the LastPass breach applies to both cases. Let's see why.

Real Risk: Malicious Access to Corporate Resources

Let's divide organizations into two types.

Type A: Organizations that use LastPass as a matter of company policy to vault the passwords for company-managed apps, for all users or for specific departments. Here the problem is simple: an adversary who cracks or otherwise obtains an employee's LastPass master password can walk straight into sensitive company resources.

Type B: Organizations where LastPass is used by employees on their own initiative (for personal or work accounts), or by specific groups that chose the app without IT's knowledge. The concern here is password reuse: an adversary who cracks or obtains an employee's master password can read the passwords in that vault and then try them against corporate apps, where some of them are likely to work.

CISO Dead End: A Solid Threat, But Very Low Mitigation Capabilities

Regardless of whether an organization is Type A or Type B, the risk is clear. What intensifies the CISO's challenge is that there are likely (though not certainly) employees in the environment whose accounts could be compromised this way, yet the CISO's ability to find out who they are is very limited, let alone to make those employees take the steps needed to mitigate the risk they pose.

Free LayerX Offer: 100% Visibility and Proactive Protection Against LastPass Attack Surfaces

LayerX has released a free tool to help security teams understand their organization’s exposure to LastPass breaches, map all vulnerable users and applications, and apply security mitigations.

LayerX's tool is delivered as an enterprise extension to the browsers your employees already use, giving instant visibility into browsing activity across all browser extensions and all users. This gives CISOs the following:

  • LastPass usage mapping: end-to-end visibility into every browser that has the LastPass extension installed, whether as part of corporate policy (Type A) or for personal use (Type B). The tool also maps every application whose credentials are stored in LastPass, together with their web destinations. Note that the visibility challenge is much more acute for Type B organizations than for Type A, and LayerX's position is that it cannot be addressed by other solutions.
[Figure: LastPass reports in LayerX]
[Figure: LayerX notifications sent to vulnerable users]
  • Identification of users at risk: armed with this knowledge, security teams can notify exposed users and require them to enable MFA on their accounts. They can also run a dedicated master password reset procedure to eliminate an attacker's ability to gain access with a compromised master password.
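A rudimentary way to get the "LastPass usage mapping" described in the first bullet without the vendor's platform, added here as an example and not LayerX's code: a Python inventory of Chromium-family browser profiles (Chrome, Edge and Brave share the layout <user data>/<profile>/Extensions/<extension id>/<version>/manifest.json) that reports which profiles have the LastPass extension installed. The extension ID is an assumption (it is what I take to be the Chrome Web Store ID for LastPass; confirm it against the store listing before deploying), the default paths are the usual per-OS locations, and build_sample_tree() constructs a fake user-data directory so the script runs offline.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Assumed Chrome Web Store ID for the LastPass extension; confirm against the store listing.
LASTPASS_EXTENSION_IDS = {"hdokiejnpimakedhajhdlcegeplioahd"}


def default_user_data_dirs():
    """Usual Chromium-family user-data locations for the current user (assumed defaults)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        return [local / "Google" / "Chrome" / "User Data",
                local / "Microsoft" / "Edge" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome",
                home / "Library" / "Application Support" / "Microsoft Edge"]
    return [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]


def find_extensions(user_data_dir, wanted_ids=LASTPASS_EXTENSION_IDS):
    """Return one record per (profile, extension version) whose extension ID is in wanted_ids."""
    hits = []
    root = Path(user_data_dir)
    if not root.is_dir():
        return hits
    for profile in sorted(root.iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            if ext_dir.name not in wanted_ids:
                continue
            for version_dir in sorted(ext_dir.iterdir()):
                manifest = version_dir / "manifest.json"
                if not manifest.is_file():
                    continue
                try:
                    name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
                except (OSError, ValueError):
                    name = "?"
                hits.append({"profile": profile.name, "extension_id": ext_dir.name,
                             "version": version_dir.name, "name": name})
    return hits


def build_sample_tree():
    """Constructed fixture: a user-data dir with one profile that has LastPass and one that does not."""
    base = Path(tempfile.mkdtemp(prefix="chrome-ud-"))
    lp = base / "Default" / "Extensions" / next(iter(LASTPASS_EXTENSION_IDS)) / "9.9.9_0"
    lp.mkdir(parents=True)
    (lp / "manifest.json").write_text(
        json.dumps({"name": "LastPass: Free Password Manager", "version": "9.9.9"}), encoding="utf-8")
    other = base / "Profile 1" / "Extensions" / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.0_0"
    other.mkdir(parents=True)
    (other / "manifest.json").write_text(json.dumps({"name": "Some other extension"}), encoding="utf-8")
    return base


if __name__ == "__main__":
    # Pass user-data directories on the command line, or scan the assumed defaults for this user.
    targets = sys.argv[1:] or [str(d) for d in default_user_data_dirs()]
    for target in targets:
        for hit in find_extensions(target):
            print(f"{target}\t{hit['profile']}\t{hit['extension_id']}\t{hit['version']}\t{hit['name']}")
```

Run it per user on each endpoint through whatever management tooling you already have and collect the output centrally. Its limits are exactly the Type B gap: it only sees managed devices and Chromium-family browsers (Firefox stores add-ons differently), and it tells you that LastPass is installed, not which applications have credentials in the vault.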

Please complete this form to access the free tool.
