Mon. Aug. 29th Update: CyberHoot isn't the only one cautioning against throwing the baby out with the bath water when reacting to the breach at the LastPass password management company. Here is another excellent article from our friends at Naked Security (another great source of cybersecurity information and analysis) about this breach. They remain steadfastly in support of password manager adoption, and they also answer the most commonly asked questions following this LastPass breach.
LastPass Breach Facts and Talking Points
- The LastPass product wasn't breached; rather, their corporate network was. No client data of any kind was stolen.
- No software ever written is perfect, including LastPass, any other password manager, or the Excel spreadsheet some people use instead of one. Compromises can and will happen.
- Studies and history have shown that companies that do not adopt a password manager suffer more breaches than companies that do, largely because of password reuse. (Source: Verizon Data Breach Investigations Report)
- Experiencing a breach is definitely a bad thing to happen to LastPass, but their transparency about it is a good thing.
- LastPass has been independently verified to be following best practices for encrypting your data and salting and hashing your master password.
- Security experts have reviewed and verified LastPass does not have access to your encrypted data, master passwords, nor could they gain such access.
- CyberHoot stands by the security industry’s recommendation to adopt a password manager for the enhanced security it provides employees.
- LastPass has a bug bounty program to encourage white-hat hackers to report security issues responsibly in their products. This is a very good thing.
- SolarWinds, Cisco, and Microsoft have all had breaches in their products or their corporate networks recently. Breaches happen.
- HaveIBeenPwned.com reports 11.9 billion public accounts exposed online. CyberHoot estimates 5 to 15x more accounts are exposed on the dark web.
- Even security companies like Carbon Black and RSA have had their networks breached and IP stolen in the past. It's not a question of if but when.
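The "salting and hashing your master password" and "does not have access to your encrypted data" points above describe the client/server split that a zero-knowledge password manager relies on. The following is an added illustrative model of that split, not LastPass's code and not a description of its actual implementation: the PBKDF2 iteration counts, the use of the email address as the client-side salt, the HMAC label that separates the login token from the vault key, and the server-side re-hashing are all assumptions made for the illustration, and the user, passphrase and wordlist are constructed sample data.

```python
# Added example: an illustrative model of the client/server split that lets a
# password-manager vendor hold encrypted vaults without being able to read them.
# This is NOT LastPass's code; the algorithm choices, iteration counts, email-as-salt
# and the "login-token" domain separation below are assumptions for the illustration.
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 600_000   # assumed client-side PBKDF2 work factor
SERVER_ITERATIONS = 100_000   # assumed additional server-side stretching


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side. Stretches the master password into the 256-bit key that
    encrypts the vault. The (lower-cased) email acts as a per-user salt.
    Neither this key nor the master password ever leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        CLIENT_ITERATIONS, dklen=32)


def derive_login_token(vault_key: bytes) -> bytes:
    """Client side. A separate value, derived one-way from the vault key under a
    fixed label, is what the client sends to the server as its 'password'.
    Holding the token does not let anyone recover the vault key."""
    return hmac.new(vault_key, b"login-token-v1", hashlib.sha256).digest()


def server_enroll(login_token: bytes) -> dict:
    """Server side. Store only a freshly salted, further-stretched hash of the
    login token. The record holds no master password and no vault key."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_token, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, login_token: bytes) -> bool:
    """Server side. Re-derive and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_token, record["salt"],
                                    SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def record_exposes_secrets(record: dict, master_password: str,
                           vault_key: bytes) -> bool:
    """What a stolen server record reveals directly: True only if either
    secret appears verbatim in the stored bytes (it never should)."""
    blob = record["salt"] + record["hash"]
    return master_password.encode() in blob or vault_key in blob


def offline_guess(record: dict, email: str, wordlist):
    """What an attacker with a stolen record has to do: replay the full
    client + server derivation for every guess. Returns the recovered master
    password, or None if nothing in the wordlist matched."""
    for guess in wordlist:
        token = derive_login_token(derive_vault_key(guess, email))
        if server_verify(record, token):
            return guess
    return None


if __name__ == "__main__":
    email = "alice@example.com"                 # constructed sample user
    master = "correct horse battery staple 42"  # constructed sample passphrase
    key = derive_vault_key(master, email)
    record = server_enroll(derive_login_token(key))
    print("login ok:", server_verify(record, derive_login_token(key)))
    print("record exposes secrets:", record_exposes_secrets(record, master, key))
    print("offline guess:", offline_guess(record, email, ["password", "letmein"]))
```

The caveat a practitioner should take from `offline_guess` is that salting and stretching only make guessing expensive; they do not make a weak master password safe. A record stolen from the vendor still falls to a short wordlist if the master password is in it, and account MFA does nothing against that offline attack, which is why the master password must be long, unique, and protected by MFA at login.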
Given that breaches will happen at any company, including security focused companies, what should you be looking for in the companies whose software you purchase?
CyberHoot believes you should consider how transparent each company will be when facing a breach. LastPass, to their credit, has been very transparent about security issues, both here and in the past.
Should I stop using LastPass?
CyberHoot Recommendations in Light of the LastPass Breach:
- Always enable MFA to access any Password Manager, including LastPass.
- Communicate this incident and your continued support of using a Password Manager to your users.
- Train your employees on MFA, phishing attacks, password hygiene, ransomware, and more. Make training a regular occurrence (monthly).
- Govern your employees with cybersecurity governance policies including a Password Policy.
- Build a risk management framework at your company to assess situations like this, and manage and mitigate risks to your business.
- Consider hiring a vCISO to assist you in building out your cybersecurity program and risk resiliency.