On December 22, 2022, password management company LastPass announced that an unknown threat actor leveraged information obtained during an August 2022 security incident to access a third-party cloud-based storage service that LastPass uses to store archived backups. Although LastPass claims that the threat is minimal due to their data encryption methods, attackers could have access to:
As a result of the breach, LastPass recommends that customers take an extra measure of caution and change their master passwords to prevent any potential downstream risks such as from a credential stuffing attack.
This incident is yet another example of how organizations can be impacted by a third-party vendor breach and events in their fourth-party ecosystem. This post reviews three practices to improve discovery and mitigation of vendor security incidents, and offers some basic questions to probe vendors on their exposure to the latest LastPass data breach.
Although it is not possible to eliminate all risk from every vendor relationship, your third-party risk management program can still deliver the visibility and automation to effectively find and mitigate the risk before further damage or disruption to your business can occur. Start with these three steps:
Knowing which vendors use an impacted technology requires knowing who your vendors are in the first place, and that means building a centralized vendor inventory. You can’t accomplish this by using spreadsheets, or by delegating vendor management to line-of-business teams. It has to be done centrally in a system that everyone in the organization with a hand in vendor management can access. You should be able to import vendors from those spreadsheets, or pull them in through an API connection to an existing procurement solution, into a central system of record.
Once you have centralized all your vendors, use vendor questionnaires supported by passive scanning capabilities to help you identify fourth-party technology relationships. In this particular breach case, this exercise would reveal which vendors use LastPass (and, by proxy, the third-party cloud backup provider that was breached). Collecting information about fourth-party technologies deployed in your vendor ecosystem helps you zero in on organizations using the impacted technology so you can prioritize which vendors to assess further.
Once you have identified vendors with the impacted technology deployed in their environments, engage those impacted vendors with simple, targeted assessments that align with known security standards and best practices such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations to close potential security gaps. Good solutions will provide built-in recommendations to speed the remediation process and close those gaps quicker.
Start your event-specific assessment with the following eight questions, weighting answers according to your organization’s risk tolerance:
Questions | Answer Choices |
---|---|
1) Is your organization using LastPass? | Please select one of the following: a) Yes b) No |
2) If the organization is using LastPass, have users’ master passwords or stored passwords been compromised as part of this breach? | Please select one of the following: a) Yes b) We haven't determined whether master and stored passwords have been breached. c) No |
3) Has the organization required users to change their master passwords and stored application passwords? | Please select one of the following: a) Yes b) No |
4) What is the nature of the impact to the organization as a result of this cyberattack? Help text: Consideration should be given to where the impact has occurred, alongside the level of impact. Significant impact: The vulnerability has caused a loss of confidentiality or integrity of data. High impact: System availability has been periodically lost, and some loss of confidentiality or integrity of data. Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to system availability. | Please select one of the following: a) There has been significant impact to our critical systems or applications. b) There is a high level of impact to our critical systems or applications. c) There has been a low level of impact to our critical systems or applications. d) The cyber-attack has had no impact to our critical systems or applications. |
5) Have best practice controls been implemented to mitigate damage from this breach? Help text: LastPass recommends the following steps: 1. Immediately log out of all active LastPass sessions. | Please select all that apply: a) We have enforced changes to master passwords. b) We have updated our LastPass account email addresses. c) We have reviewed our account history for suspicious login activity. d) We have restricted our account to only trusted devices. e) We have restricted our account to only trusted locations. |
6) Does the compromise affect critical services delivered to clients? | Please select one of the following: a) Yes b) No |
7) Does the organization have an incident investigation and response plan in place? | Please select one of the following: a) Yes, a documented incident investigation and response plan is in place. b) No, a documented incident investigation and response plan is not in place. |
8) Who is designated as the point of contact who can answer additional queries? | Please state the key contact for managing information and cybersecurity incidents. Name: Title: Email: Phone: |
Note: These are basic questions meant to expose some initial information and offer answer options that can help to weigh the risk to your organization. Your organization may choose to ask different or additional questions. Prevalent customers also have access to this assessment in their questionnaire libraries.
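The three steps above (a central inventory, fourth-party technology discovery, and a weighted event-specific assessment) can be tied together in a small triage script. The following is an added example, not Prevalent's code or any product's API: the vendor names, their disclosed fourth-party technologies, the questionnaire answer keys and the risk weights are all constructed assumptions. It filters the inventory to vendors that disclosed the impacted technology, scores each vendor's answers to questions 2 through 7 against the weights, treats unanswered or unrecognized answers as the highest-risk option for that question, and ranks non-responders at the top so they are chased first.

```python
"""Added example (not Prevalent's code): find vendors that use an impacted
fourth-party technology and rank their assessment responses by weighted risk.
Every vendor, technology, answer key and weight below is constructed."""

# Constructed central vendor inventory: vendor -> fourth-party technologies
# disclosed through questionnaires or passive scanning.
VENDOR_INVENTORY = {
    "Acme Payroll": {"LastPass", "Okta", "AWS"},
    "Northwind Logistics": {"1Password", "Azure"},
    "Contoso Analytics": {"LastPass", "GCP"},
    "Fabrikam Support": {"Bitwarden"},
}

# Assumed weights per single-select question (higher = more risk). The keys
# mirror questions 2, 3, 4, 6 and 7 of the assessment; tune to your tolerance.
ANSWER_WEIGHTS = {
    "q2_compromised": {"yes": 10, "undetermined": 6, "no": 0},
    "q3_passwords_rotated": {"yes": 0, "no": 5},
    "q4_impact": {"significant": 10, "high": 7, "low": 2, "none": 0},
    "q6_critical_services": {"yes": 6, "no": 0},
    "q7_ir_plan": {"yes": 0, "no": 4},
}
# Question 5 is multi-select: every recommended control NOT implemented adds risk.
Q5_CONTROLS = {"master_passwords", "email_updated", "history_reviewed",
               "trusted_devices", "trusted_locations"}
Q5_MISSING_CONTROL_WEIGHT = 2


def max_score():
    """Worst possible score: highest-risk answer to every question, no controls."""
    return (sum(max(w.values()) for w in ANSWER_WEIGHTS.values())
            + Q5_MISSING_CONTROL_WEIGHT * len(Q5_CONTROLS))


def vendors_using(technology, inventory=VENDOR_INVENTORY):
    """Vendors whose disclosed fourth-party stack includes `technology`."""
    return sorted(v for v, techs in inventory.items() if technology in techs)


def score_response(response):
    """Sum the weights of a vendor's answers. A missing or unrecognized answer
    is scored as the highest-risk option for that question (fail closed)."""
    score = 0
    for question, weights in ANSWER_WEIGHTS.items():
        score += weights.get(response.get(question), max(weights.values()))
    implemented = set(response.get("q5_controls", []))
    score += Q5_MISSING_CONTROL_WEIGHT * len(Q5_CONTROLS - implemented)
    return score


def prioritize(technology, responses, inventory=VENDOR_INVENTORY):
    """Rank vendors that use `technology` by descending risk score.
    Vendors that have not responded at all receive the maximum score."""
    ranked = []
    for vendor in vendors_using(technology, inventory):
        resp = responses.get(vendor)
        ranked.append((vendor, score_response(resp) if resp is not None else max_score()))
    return sorted(ranked, key=lambda vs: (-vs[1], vs[0]))


# Constructed responses to the event-specific assessment.
SAMPLE_RESPONSES = {
    "Acme Payroll": {"q2_compromised": "undetermined", "q3_passwords_rotated": "no",
                     "q4_impact": "low", "q5_controls": ["history_reviewed"],
                     "q6_critical_services": "yes", "q7_ir_plan": "yes"},
    "Contoso Analytics": {"q2_compromised": "no", "q3_passwords_rotated": "yes",
                          "q4_impact": "none", "q5_controls": sorted(Q5_CONTROLS),
                          "q6_critical_services": "no", "q7_ir_plan": "yes"},
}

if __name__ == "__main__":
    for vendor, score in prioritize("LastPass", SAMPLE_RESPONSES):
        print(f"{vendor:22s} risk score {score:3d} / {max_score()}")
```

With the constructed data, Acme Payroll scores 27 (undetermined compromise, no rotation, four of five recommended controls missing, and it delivers a critical service) while Contoso Analytics scores 0; Northwind and Fabrikam never enter the list because they did not disclose LastPass. The fail-closed scoring of blank answers is deliberate: a vendor that cannot say whether its master passwords were exposed should rank near a vendor that says they were.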
You have to be continuously vigilant not only for risks stemming from this particular attack, but for the next attack too. That’s why you should look for credentials for sale and for signals of an impending security incident by monitoring the Internet and dark web using continuous cyber monitoring.
Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential. You can monitor these sources individually, or you can look for solutions that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise. The latter approach enables you to correlate the results of continuous monitoring with risk assessment answers to validate whether vendors have controls in place.
9 Steps to a Third-Party Incident Response Plan
When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.
If a cybersecurity incident occurred in your vendor ecosystem, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential vendor problems. A more programmatic third-party incident response plan could include:
For more on how Prevalent can help your organization accelerate its discovery and mitigation of third-party risks, contact us or schedule a demo today.