The latest breach announced by LastPass is a major cause for concern to security stakeholders. As often occurs, we are in a security limbo – on one hand, as LastPass has noted, users who followed LastPass best practices would practically be exposed to zero or extremely low risk. However, saying that password best practices are not always followed is a wild understatement, and the reality is that there are very few organizations in which these practices are truly enforced. This puts CISOs in the worst place, where exposure to compromise is almost certain, but pinpointing the users that create this exposure is almost impossible. To assist CISOs in this challenging time, we at LayerX have decided to launch a free tool based on our Browser Security Platform, enabling them to gain visibility and mitigate the potential impacts of the LastPass breach on their environments.
Recapping LastPass’s Announcement: What Data do Adversaries Have and what’s the Risk?
As posted on LastPass’s website: ‘The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.’
The derived risk is that ‘The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.’
Not Implementing LastPass Password Best Practices Exposes the Master Password to the Vault
And this part about ‘best practices’ is the most alarming. Password best practices? How many people actually maintain password best practices? The realistic – yet unfortunate – answer is: not many. That holds true even for corporate-managed applications, and when it comes to personal apps, it is no exaggeration to assume that password reuse is the norm rather than the exception. The risk introduced by LastPass’s breach applies to both use cases. Let’s understand why.
The Actual Risk: Malicious Access to Corporate Resources
Let’s divide organizations into two types:
Type A: organizations where LastPass is used as a company policy for vaulting passwords to access corporate-managed apps, either for all users or in specific departments. In that case, the concern is straightforward – an adversary that manages to crack or obtain an employee’s LastPass Master Password could easily access the corporation’s sensitive resources.
Type B: organizations where LastPass is used independently by employees (whether for personal or work use) or by specific groups in the organization, without IT’s knowledge, for apps of their choice. In that case, the concern is that an adversary that manages to crack or obtain an employee’s LastPass Master Password would take advantage of users’ tendency towards password reuse and, after compromising the passwords in the vault, will find one that is also used to access the corporate apps.
The CISO’s Dead End: Certain Threat but Extremely Low Mitigation Capabilities
So, regardless of whether an organization falls into type A or B, the risk is clear. What intensifies the challenge for the CISO in this situation is that while there is a high probability – not to say certainty – that there are employees in their environment whose user accounts are likely to become compromised, the CISO has very limited ability to know who these employees are, let alone take the required steps to mitigate the risk they are in.
LayerX Free Offering: 100% Visibility into LastPass Attack Surface as well as Proactive Protection measures
We have released a free tool to assist CISOs in understanding their organization’s exposure to the LastPass breach, map all the vulnerable users and applications, and apply security mitigations.
This tool is delivered as an extension to the browser your employees are using and hence provides immediate visibility into all browser extensions and browsing activities of every user. This enables CISOs to gain the following:
- LastPass Usage Mapping: end-to-end visibility into all browsers on which the LastPass extension is installed, regardless of whether it’s a corporate policy (type A) or personally used (type B), and a map of all applications and web destinations whose credentials are stored in LastPass. It should be noted that the visibility challenges for type B organisations are much more severe than for type A and practically can’t be addressed by any solution except for LayerX’s tool.
- Identifying Users at Risk: leveraging this knowledge, the CISO can inform vulnerable users to implement MFA on their accounts, as well as roll out a dedicated Master Password reset procedure to eliminate adversaries’ ability to leverage a compromised Master Password for malicious access.
- Phishing protection: While LastPass warned of a brute-force scenario, the more likely and cost-effective path for attackers would be to launch phishing attacks to lure employees into disclosing their Master Password directly. LayerX’s tool can enforce policies that would detect and prevent such phishing attacks altogether, as well as detect employees that reuse their LastPass Master Password for other apps.
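The usage-mapping step above, as an added example that is not LayerX’s code: a script a defender could run on an endpoint to inventory Chrome profile directories for the LastPass extension, matching either its Web Store extension ID (an assumption, to be verified against the store listing) or its localised display name. The profile layout and the sample data it scans are constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Chrome Web Store ID of the LastPass extension (assumption; verify against the store listing).
LASTPASS_IDS = {"hdokiejnpimakedhajhdlcegeplioahd"}

def extension_name(manifest_path: Path) -> str:
    """Display name of an extension, resolving Chrome's __MSG_key__ localised names."""
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = manifest_path.parent / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            name = json.loads(msgs.read_text(encoding="utf-8")).get(name[6:-2], {}).get("message", name)
    return name

def find_lastpass_profiles(profiles_root: Path) -> dict:
    """Map 'user/profile' -> LastPass extension version directories found under
    profiles_root/<user>/<profile>/Extensions/<id>/<version>/manifest.json (Chrome's layout)."""
    hits = {}
    for manifest in profiles_root.glob("*/*/Extensions/*/*/manifest.json"):
        ext_id, version = manifest.parents[1].name, manifest.parent.name
        if ext_id in LASTPASS_IDS or "lastpass" in extension_name(manifest).lower():
            owner = f"{manifest.parents[4].name}/{manifest.parents[3].name}"
            hits.setdefault(owner, []).append(version)
    return hits

def _write_ext(ext_dir: Path, manifest: dict, messages: dict = None) -> None:
    # Helper that lays out one unpacked extension the way Chrome stores it.
    ext_dir.mkdir(parents=True)
    (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    if messages:
        (ext_dir / "_locales" / "en").mkdir(parents=True)
        (ext_dir / "_locales" / "en" / "messages.json").write_text(json.dumps(messages), encoding="utf-8")

def demo() -> dict:
    """Constructed sample: alice has LastPass (localised name), bob has an unrelated extension."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_ext(root / "alice" / "Default" / "Extensions" / "hdokiejnpimakedhajhdlcegeplioahd" / "4.0.0_0",
                   {"name": "__MSG_appName__", "default_locale": "en", "version": "4.0.0"},
                   {"appName": {"message": "LastPass: Free Password Manager"}})
        _write_ext(root / "bob" / "Profile 1" / "Extensions" / ("a" * 32) / "1.2.3_0",
                   {"name": "Example Extension", "version": "1.2.3"})
        return find_lastpass_profiles(root)

if __name__ == "__main__":
    for owner, versions in sorted(demo().items()):
        print(f"{owner}: LastPass installed ({', '.join(versions)})")
```

Point `find_lastpass_profiles` at a directory containing real user profile folders to produce the type A/B inventory for one machine; the reported users are the ones to prioritise for MFA and a Master Password reset.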
Are you interested in learning more about LayerX’s free tool? Fill in this form asking for the download link and we’ll send it your way.