
CIOs Navigate LastPass Fallout and Take No Chances with Data

As more information on the LastPass data breach comes to light, technology leaders are reckoning with the fallout and deciding on a way forward.
Catherine Pyle
Contributing Writer

The recent disclosure by the popular password manager LastPass left organizations scrambling to mitigate the potential fallout. Despite the claims of CEO Karim Toubba that the information inside customers’ vaults is protected by LastPass’s encryption of the master passwords, CIOs are not convinced and not leaving security up to chance.

“The [initial] announcement’s tone was simply ‘trust us, we have it contained’. What indicators give confidence that the situation is contained as LastPass claimed?” said Dave Hatz, Vice President of Technology at RoomReady.

The August disclosure indicated that only limited information, such as emails and customer billing information, had been stolen. In December, LastPass’s investigation revealed that attackers had gained access to unencrypted data, including website usernames and passwords, in vaults protected only by an encrypted master password.

“The dribble of information and the couching of that information during the process made the overall outcome unacceptable,” said Dean Kier, Information Technology Executive at Lucas Tree Experts.

Password managers are an essential part of an organization’s IT program, and while not the only option, LastPass is one of the most popular: it is used by 70,000 businesses and millions of individual users.

“All of our employees have LastPass accounts,” said Hatz. “We also guide our employees’ best practices for secure password management in both their professional and personal lives.”

But best practices may not be enough to protect sensitive information. LastPass warned that hackers could use phishing attempts and “credential stuffing” to gain access to users’ password vaults. End-user attacks like phishing are one of the most common ways attackers gain access to an organization’s system.

“We have worked with our users to ensure they are aware of the situation and helped many of them rotate critical passwords in their vaults,” said Hatz. “We also reinforced the importance of utilizing multi-factor authentication to our users.”

While the attack caught most organizations off guard, many are using the situation to refine and update existing plans, including reviewing security standards with external partners and strengthening mitigation playbooks.

“This breach has emphasized the importance of performing due diligence with our key IT vendors to ensure our security standards are met,” said Hatz. “We trusted LastPass more than we should have, and that’s on us.”

“We are in the process of building a new mitigation plan, and a plan B on top of that if the mitigation plan falls through,” said William Novak, Chief Information Officer at Meaden & Moore.

Aside from changing the passwords stored in LastPass vaults, Novak, Hatz, and Kier said their organizations are also evaluating other password managers. Bitwarden, 1Password, and NordPass are popular alternatives to LastPass.

“We did not have the option to use other applications for our employees until recently,” said Novak, who is still exploring alternatives for his organization.

Password tools are not going anywhere

Cybersecurity is a top priority for organizations across industries. Ransomware attacks are on the rise, and organizations are constantly evolving their security policies and monitoring vendor security to ensure their data is secure.

Password managers are still critical for organizational security, and the LastPass breach does not change that. As organizations increasingly rely on SaaS systems, keeping track of credentials without a password manager is unthinkable.

“Keeping systems safe or at least managed can’t have a human single point of failure or be stored in the Excel file of doom,” said Kier. “The sheer number of SaaS systems organizations use is terrifying. Single sign-on can help reduce the exposure for end users, but an embarrassing number of SaaS systems still don’t offer single sign-on integrations.”
