Your organization is only as secure as your weakest employee.
The recent LastPass security incident is a prime example of why it is essential to secure your home network and personal devices, and those of the key individuals in your organization. Despite being a popular password manager with a registered user base of over 25 million, LastPass became a target for cybercriminals who gained unauthorized access to portions of the LastPass development environment, taking portions of source code and some proprietary LastPass technical information.
The attacker leveraged information gained during the August breach to gain access to a cloud-based storage environment used by LastPass to store archived backups of production data, where they copied customer password vaults. Even though the vault data was secured with 256-bit AES encryption and could only be decrypted with user master passwords, the attacker captured the master password of a LastPass DevOps engineer and gained access to that engineer's LastPass corporate vault. This is a textbook persistent attack: the attackers expanded their foothold in stages and without rushing the process.
Finding the Soft Target...at home
This security incident highlights the importance of securing your personal devices, which can be exploited to gain access to your home network. Additionally, it highlights the importance of protecting key individuals at your organization. The support staff within an organization are just as important as the principals or top employees. The attacker exploited a vulnerable third-party media software package, which provided remote code execution and allowed the threat actor to implant keylogger malware on the employee's personal device. Personal devices must have up-to-date software and firmware, strong passwords, multi-factor authentication, and a limited number of accounts with administrative privileges. It is crucial to identify weaknesses and vulnerabilities in your network and devices regularly through vulnerability scans, prioritize your security efforts, and implement device and account hardening.
Opportunistic Targeting into Direct Targeting
Lastly, the drip feed of breach information eroded trust, especially since it took so long to determine that customer vaults had been stolen. Trust is paramount in the world of digital privacy, and there can be little doubt that trust is being tested hard right now. Therefore, it is crucial to remove as much personally identifiable information (PII) from the open web as possible. Cybercriminals can use PII to conduct social engineering attacks, in which they impersonate a trusted individual or organization to trick you into giving them sensitive information.
Full Digital Executive Protection
In conclusion, the LastPass security incident highlights the importance of securing your home network and personal devices. Vulnerability scans, device and account hardening, and PII removal can prevent social engineering and persistent attacks in the home. It is crucial to stay vigilant, keep your devices and software up to date, and be mindful of the information that you share online. By doing so, you can enjoy the benefits of our increasingly digital world while keeping yourself, your organization, and your information safe.
360 Privacy offers a full suite of Digital Executive Protection Solutions. Get an exposure assessment from our experts https://www.360privacy.io/contact