The past few years have brought the home workplace into clearer focus and placed it under greater scrutiny. As more of the workforce has moved out of the shared office and dispersed to individual homes, businesses have added security controls and technologies to keep corporate data safe in environments they do not physically control. These controls range from encrypted connectivity tunnels, such as corporate VPNs, to virtual containerization on the endpoint.
While these controls have given the workforce greater flexibility and, in many cases, have helped rather than hurt the business, companies must ensure that the correct controls are in place and that staff actually follow them. One example of control mismanagement, recently acknowledged by LastPass, illustrates that the wrong controls (or a lack of adherence to the right ones) can turn into a costly corporate incident.
This week, LastPass released a blog post sharing details of a second compromise of key corporate data. Already dealing with the fallout from a highly publicized incident in 2022, LastPass disclosed that a threat actor had installed keylogging malware on the home computer of a LastPass DevOps engineer. Using the keylogger, the attacker captured the employee's master password as it was typed, after the employee had already completed corporate multi-factor authentication. MFA therefore offered no protection here: the credential was stolen on the endpoint itself, where it has to exist in the clear, and the attacker could then replay it from a session that looked legitimate. With the master password, the attacker accessed the engineer's corporate vault and exported vault entries and shared folders, which contained encrypted secure notes holding the access and decryption keys needed to reach LastPass cloud resources. LastPass did not make clear how far the attacker got with the stolen material, but it was clearly used, because the intrusion went unnoticed until Amazon, its hosting provider, alerted LastPass to anomalous activity on its account.
While LastPass has made clear that several corrective measures have been taken since the incident to prevent similar attacks, the argument that this compromise was preventable persists. One control that deserves particular scrutiny is the LastPass Acceptable Use Policy (AUP). An AUP gives employees the company's rules for how they may access and use corporate networks, devices and data. Many such policies require that corporate data be accessed and managed only on corporate systems. That provision lets the organization control both physical and logical access to sensitive information, such as business operations and client data, because the security team owns the patch level, configuration and monitoring of every device that touches it.
As the business world has shifted to a more distributed, remote model, corporate AUPs require additional scrutiny as well. In particular, companies should take a hard look at whether a Bring Your Own Device (BYOD) approach is appropriate and consider the security implications of managing it poorly. When BYOD is permitted, several factors enter the environment that the company's security team cannot control: each endpoint brings its own configuration, software build and user habits into the organization. Virtual containerization provides a certain level of protection by enabling device monitoring and remote wiping, but it is far from a silver bullet. A container isolates corporate data from other applications on the device; it does not protect keystrokes from a keylogger running with the user's privileges on the host operating system, which is exactly how the LastPass engineer's master password was captured. Had LastPass restricted access to corporate data to company-controlled devices, patched and monitored by its own security team and able to reach that data only over a corporate VPN, the engineer would have stood a greater chance of avoiding compromise.
Another consideration arising from the incident is the consequence of violating the AUP. Consider the possibility that LastPass did, in fact, stipulate that corporate data be accessed only from company-controlled systems. Many AUPs state that violations will carry heavy repercussions, often including termination. In practice, however, individuals are very rarely terminated for violating these policies, and this most recent incident is no exception: LastPass instead "assisted the DevOps Engineer with hardening the security of their home network and personal resources." Without teeth, these policies are nothing more than flimsy liability mechanisms ripe for legal discovery.
The ever-changing corporate world requires security controls that keep pace with it, from updated technical configurations to relevant, current policy. One way to achieve this is through the careful development, review and updating of AUPs that are actually enforced. In doing so, the corporate world stands a greater chance of avoiding a repeat of the LastPass incident.