
The Cost of Not Securing Your Privileged Users: Lessons Learned from LastPass Breach
LastPass, a password manager with 30 million users, is hacked! User password vaults, encryption keys, backups, and other sensitive data were stolen.

Here’s how it happened: The home computer of an Admin user was compromised > Attacker exploited a vulnerable 3rd party app > Installed a keylogger > Employee’s master key was stolen > Stolen key was used to access the corporate vault in the cloud.
A few takeaways from this incident:

1) Unmanaged devices are an easy entry point.

Why should a device that is not managed, that is not compliant and that does not have a set of security controls be allowed to access company data? Allow only healthy and managed devices to access corporate resources, deny the rest. 
2) Privileged admin users are on a hit list!

The targeted DevOps engineer was one of only 4 admins who had privileged access to the corporate vault. Having privileged access to critical data comes with a hefty price tag: a target on your back! Even your home network and personal activity can be targeted.
3) Lock Privileged activity to PAWs
If you want to REALLY make it difficult for the attacker, use Privileged Access Workstations (PAWs) for administrative tasks. Because these workstations aren’t used for regular activities such as browsing, email, etc., the chances of downloading malware are significantly lower, which minimizes the attack surface to a great extent.
4) Leverage the full power of conditional policies!
After stealing the master key, the attacker accessed the cloud storage using that key from a different location and extracted all files. But if a conditional access policy had been in place, limiting access only to trusted IP addresses, this could have been prevented! Most cloud providers offer these policies, but it’s up to the customers to configure them.
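The access decision from takeaways 1 and 4 combined, as an added example that is not part of the original post: a request is allowed only from a managed, compliant device on a trusted network, and anything that cannot be evaluated is denied. The event fields, user names and network ranges are assumptions constructed for the illustration, not any provider's schema.

```python
import ipaddress

# Assumed trusted corporate egress ranges (documentation address space).
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8:10::/48")]

def evaluate(event):
    """Return (allowed, reasons) for one access attempt. Fails closed."""
    reasons = []
    device = event.get("device") or {}          # missing device info = unmanaged
    if not device.get("managed"):
        reasons.append("unmanaged device")
    elif not device.get("compliant"):
        reasons.append("non-compliant device")
    try:
        ip = ipaddress.ip_address(str(event.get("source_ip")))
    except ValueError:
        reasons.append("unparseable source IP")  # deny rather than guess
    else:
        if not any(ip in net for net in TRUSTED_NETWORKS):
            reasons.append("untrusted source IP")
    return (not reasons, reasons)

def denied(events):
    """List (user, reasons) for every attempt the policy would block."""
    out = []
    for e in events:
        allowed, reasons = evaluate(e)
        if not allowed:
            out.append((e["user"], reasons))
    return out

# Constructed sample events; the second mirrors a stolen key being used
# from a different location on a device the company does not manage.
SAMPLE_EVENTS = [
    {"user": "admin1", "source_ip": "203.0.113.25",
     "device": {"managed": True, "compliant": True}},
    {"user": "admin1", "source_ip": "198.51.100.77",
     "device": {"managed": False, "compliant": False}},
    {"user": "admin2", "source_ip": "203.0.113.40",
     "device": {"managed": True, "compliant": False}},
    {"user": "admin3", "source_ip": "not-an-ip", "device": None},
]

if __name__ == "__main__":
    for user, reasons in denied(SAMPLE_EVENTS):
        print(f"DENY {user}: {', '.join(reasons)}")
```

The same function can be run over historical access logs to see which past requests a policy would have blocked before it is enforced.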
The keys to your kingdom are in the hands of your privileged users – keep them secure!
