Monday, June 15, 2015

LastPass announced a breach. Three lessons learned.

LastPass has the dubious honor of being the next in line to announce a data breach. While the company states that there is no evidence that valuable data was taken, the implication is that there is also no evidence that it wasn’t taken. Their recommendation is that users change their master passwords sooner rather than later.

LastPass is a commercial password manager with a strong enterprise presence and a rich feature set. By using a password manager, people can choose a difficult-to-guess, unique password for each application they use.

Since password reuse is a much larger problem than password guessing, and modern users are heavily mobile, having these strong passwords stored in a central, well-protected location that is accessible from a variety of devices is generally a good trade-off.

LastPass is known to be fairly security-aware, and their basic premise is that they only store encrypted data WITHOUT storing the encryption key alongside it. That, too, is an excellent idea. Storing encrypted data with the encryption key right next to it defeats the purpose.

The fact that LastPass was breached is not unexpected. Frankly, given their customer base and knowing that the nature of the information that they store is extremely valuable, they make an interesting target. Consequently, the only surprise in this announcement is that it came from LastPass. It could have come from any other cloud-based password manager.

I am reassured by the fact that LastPass saw something unusual on Friday, was able to detect and contain the anomaly almost immediately, and that they were willing to notify their users by Monday. With a time delta of three days from compromise to detection, they are certainly well ahead of the pack.

From an overall information security perspective, three important lessons can be reaffirmed:

1) Everyone is a target, all of the time;

2) Having anomaly detection capabilities is paramount; no preventative controls are guaranteed to work perfectly;

3) Having planned ahead of time how to respond to an anomaly will limit damage in the long run. Incident response planning should, at minimum, include plans for analysis and containment, as well as public relations strategies and law enforcement involvement.

In the end, I’ll give my money to a company that does a good job at prevention, but is also willing to respond, announce, remediate, learn from its lessons and grow.

My advice to most people has not changed. Continue using reputable password managers, even if they are cloud-based. The ability to have a unique, randomly generated password for each website, and the ability for enterprise administrators to securely store (and share) credentials, is still worth it. This breach does not change that.