Mitigate the LastPass Attack Surface in Your Environment with this Free Tool
The latest breach announced by LastPass is a major cause of concern for security stakeholders. As is often the case, we’re in a security quandary: on the one hand, as LastPass noted, users following LastPass best practices will be exposed to practically zero to extremely low risk. However, to say that password best practices are not followed is a wild understatement. The reality is that there are very few organizations in which these practices are actually implemented. This puts security teams in a worst-case scenario, where the risk of compromise is almost certain, but the users who pose this risk are almost impossible to pinpoint.
To assist them during these challenging times, browser security solution LayerX has launched a free offering of its platform, helping security teams gain visibility into all browsers in their environments that have the LastPass extension installed, and mitigate the potential effects of the breach: notifying vulnerable users, requiring them to implement MFA on their accounts and, if necessary, running a dedicated master password reset to eliminate adversaries’ ability to leverage a compromised master password for malicious access.
Recapping LastPass’s Announcement: What Data Do Adversaries Have and What’s the Risk?
According to the LastPass website, “the threat actor was also able to copy a backup copy of the client’s vault data from the encrypted storage container, which is stored in a proprietary binary format containing unencrypted data, such as URLs of websites, as well as fully encrypted confidential fields such as website usernames and passwords, secure notes, and form fill-in data.”
The resulting risk is that “the threat actor may try to use brute force to guess your master password and decrypt the copies of data from the vault they took. Due to the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute-force master passwords for customers who follow our password best practices.”
Not Implementing LastPass Password Best Practices Exposes the Master Password to the Vault
The last section about ‘best practices’ is the most alarming one. Password best practices? How many people maintain password best practices? The realistic – yet unfortunate – answer is: not many.
That holds true even in the context of corporate-managed applications. When it comes to personal apps, it’s not an exaggeration to assume that password reuse is the norm rather than the outlier. The risk LastPass’s breach introduces applies to both use cases. Let’s understand why.
The Actual Risk: Malicious Access to Corporate Resources
Let’s divide organizations into two types:
Type A: Organizations where LastPass is used as part of the company policy for vaulting passwords to access corporate-managed apps, either for all users or in specific departments.
In that case, the concern is straightforward: an adversary that manages to crack or obtain an employee’s LastPass Master Password could easily access the company’s sensitive resources.
Type B: Organizations where LastPass is used independently by employees (whether for personal or work use) or by specific groups in the organization, without IT knowledge, for apps of choice.
In that case, the concern is that an adversary who manages to crack or obtain an employee’s LastPass Master Password would take advantage of users’ tendency toward password reuse and, after compromising the passwords in the vault, find one that is also used to access corporate apps.
The CISO’s Dead End: Certain Threat but Extremely Low Mitigation Capabilities
Regardless of whether an organization falls into type A or B, the risk is clear. What intensifies the challenge for the CISO in this situation is that while there is a high probability, not to say certainty, that there are employees in her or his environment whose user accounts are likely to become compromised, the CISO has very limited ability to know who these employees are, let alone take the required steps to mitigate the risk they pose.
LayerX Free Offering: 100% Visibility into LastPass Attack Surface as Well as Proactive Protection Measures
LayerX has released a free tool that assists security teams in understanding their organization’s exposure to the LastPass breach, maps all the vulnerable users and applications, and applies security mitigations.
LayerX’s tool is delivered as an enterprise extension to the browser your employees are using and hence provides immediate visibility into all browser extensions and browsing activities of every user. This enables CISOs to gain the following:
- LastPass Usage Mapping: End-to-end visibility into all browsers on which the LastPass extension is installed, regardless of whether it’s part of the corporate policy (type A) or personally used (type B). The tool maps all applications and web destinations whose credentials are stored in LastPass. It should be noted that the visibility challenges for type B organizations are much more severe than for type A and cannot be addressed by any solution except for LayerX’s tool.
- Identifying Users at Risk: Leveraging this knowledge, security teams can inform vulnerable users and require them to implement MFA on their accounts. They can also roll out a dedicated Master Password reset procedure to eliminate adversaries’ ability to leverage a compromised Master Password for malicious access.
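For teams without a browser-security platform, the first step of the mapping above (which endpoints have the LastPass extension installed) can be approximated by inventorying browser extension manifests on each endpoint. The script below is an added example written for this article; it is not LayerX’s tool or any LastPass code. It assumes the Chromium-family on-disk layout `Extensions/<extension-id>/<version>/manifest.json`, resolves `__MSG_key__` localized names through `_locales/<default_locale>/messages.json`, and matches on the extension’s display name rather than a store ID, so it also catches renamed or sideloaded builds. The default profile paths and the sample extension tree (including its extension IDs) are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Assumed default Chrome extension roots on Linux, macOS and Windows (constructed
# for this example; other Chromium browsers and non-default profiles differ).
DEFAULT_EXTENSION_ROOTS = [
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
]


def extension_display_name(manifest: dict, ext_dir: Path) -> str:
    """Return the human-readable extension name.

    Chromium manifests may carry "__MSG_key__" placeholders that resolve through
    _locales/<default_locale>/messages.json; fall back to the raw value."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(messages_file.read_text(encoding="utf-8"))
            name = messages.get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass  # missing or malformed locale file: keep the placeholder
    return name


def find_extensions(root: Path, name_pattern: str = "lastpass") -> list:
    """Walk one Extensions/ root (layout <id>/<version>/manifest.json) and return
    every installed extension whose display name contains name_pattern."""
    hits = []
    if not root.is_dir():
        return hits
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, don't abort the sweep
        name = extension_display_name(manifest, ext_dir)
        if name_pattern.lower() in name.lower():
            hits.append({
                "id": ext_dir.parent.name,  # the <id> folder name
                "version": str(manifest.get("version", "")),
                "name": name,
                "path": str(manifest_path),
            })
    return hits


def build_sample_profile(base: Path) -> Path:
    """Create a constructed Extensions/ tree: one LastPass-like extension with a
    localized name and one unrelated extension. Sample data only; IDs are fake."""
    root = base / "Extensions"
    lp = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "4.0.0_0"
    (lp / "_locales" / "en").mkdir(parents=True)
    (lp / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "4.0.0"}))
    (lp / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "LastPass: Free Password Manager"}}))
    other = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "1.2.3_0"
    other.mkdir(parents=True)
    (other / "manifest.json").write_text(json.dumps(
        {"name": "Sample Tab Manager", "version": "1.2.3"}))
    return root


def demo() -> list:
    """Run the sweep over the constructed profile and return the matches."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_extensions(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for hit in demo():
        print("sample:", hit["id"], hit["version"], hit["name"])
    for root in DEFAULT_EXTENSION_ROOTS:
        for hit in find_extensions(root):
            print("real:", hit["id"], hit["version"], hit["name"])
```

Run it per endpoint through your existing management channel and collect the output centrally; the resulting list of hosts and users is the population to notify, enrol in MFA and walk through a master password reset. Firefox stores extensions differently (packed `.xpi` files under the profile’s `extensions/` directory) and would need a separate reader.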