Latest Report: The 2022 Gartner® Market Guide for IT Vendor Risk Management Solutions

LastPass Breach: 3 Best Practices for Third-Party Incident Response

Take these three steps and use our questionnaire to speed up discovery and mitigation of the latest vendor security incident.
By:
Scott Lang
,
VP, Product Marketing
December 27, 2022
Share:
Blog passwordstate breach 0421

On December 22, 2022, password management company LastPass announced that an unknown threat actor leveraged information obtained during an August 2022 security incident to access a third-party cloud-based storage service that LastPass uses to store archived backups. Although LastPass claims that the threat is minimal due to their data encryption methods, attackers could have access to:

  • Customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service; and
  • Unencrypted data, such as website URLs, as well as fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data

As a result of the breach, LastPass recommends that customers take an extra measure of caution and change their master passwords to prevent any potential downstream risks such as from a credential stuffing attack.

This incident is yet another example of how organizations can be impacted by a third-party vendor breach and events in their fourth-party ecosystem. This post reviews three practices to improve discovery and mitigation of vendor security incidents, and offers some basic questions to probe vendors on their exposure to the latest LastPass data breach.

3 Best Practices for Third-Party Vendor Data Breach Mitigation

Although it is not possible to eliminate all risk from every vendor relationship, your third-party risk management program can still deliver the visibility and automation to effectively find and mitigate the risk before further damage or disruption to your business can occur. Start with these three steps:

1. Identify vendors that could be using the impacted technology

Knowing which vendors use an impacted technology requires knowing who your vendors are in the first place, and that means building a centralized vendor inventory. You can’t accomplish this by using spreadsheets, or by delegating vendor management to line-of-business teams. It has to be done centrally in a system that everyone in the organization with a hand in vendor management can access. You should be able to import vendors from those spreadsheets or use an API connection to an existing procurement solution into a central system of record.

Once you have centralized all your vendors use vendor questionnaires supported by passive scanning capabilities to help you identify fourth-party technology relationships. In this particular breach case, this exercise would reveal which vendors use LastPass (and by proxy, the third-party cloud backup provider that was breached). Collecting information about fourth-party technologies deployed in your vendor ecosystem helps to laser in on organizations using the impacted technology so you can prioritize vendors to further assess.

2. Issue event-specific risk assessments

Once you have identified vendors with the impacted technology deployed in their environments, engage those impacted vendors with simple, targeted assessments that align with known security standards and best practices such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations to close potential security gaps. Good solutions will provide built-in recommendations to speed the remediation process and close those gaps quicker.

Start your event-specific assessment with the following eight questions, weighting answers according to your organization’s risk tolerance:

Questions Answer Choices

1) Is your organization using LastPass?

Please select one of the following:

a) Yes

b) No

2) If the organization is using LastPass, have users’ master passwords or stored passwords been compromised as part of this breach?

Please select one of the following:

a) Yes

b) We haven't determined whether master and stored passwords have been breached.

c) No

3) Has the organization required users to change their master passwords and stored application passwords?

Please select one of the following:

a) Yes

b) No

4) What is the nature of the impact to the organization as a result of this cyberattack?

Help text: Consideration should be given to where the impact has occurred, alongside the level of impact.

Significant impact: The vulnerability has caused a loss of confidentiality or integrity of data.

High impact: System availability has been periodically lost, and some loss of confidentiality or integrity of data.

Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to system availability.

Please select one of the following:

a) There has been significant impact to our critical systems or applications.

b) There is a high level of impact to our critical systems or applications.

c) There has been a low level of impact to our critical systems or applications.

d) The cyber-attack has had no impact to our critical systems or applications.

5) Have best practice controls been implemented to mitigate damage from this breach?

Help text: LastPass recommend the following steps:

1. Immediately log out of all active LastPass sessions.
2. Change your master password.
3. Update your LastPass account email addresses.
4. Review your account history.
5. Restrict your account to only trusted devices.
6. Restrict your account to only trusted locations.

Please select all that apply:

a) We have enforced changes to master passwords.

b) We have updated our LastPass account email addresses.

c) We have reviewed our account history for suspicious login activity.

d) We have restricted our account to only trusted devices.

e) We have restricted our account to only trusted locations.

6) Does the compromise affect critical services delivered to client?

Please select one of the following:

a) Yes

b) No

7) Does the organization have an incident investigation and response plan in place?

Please select one of the following:

a) Yes, a documented incident investigation and response plan is in place.

b) No, a documented incident investigation and response plan is not in place.

8) Who is designated as the point of contact who can answer additional queries?

Please state the key contact for managing information and cybersecurity incidents.

Name:

Title:

Email:

Phone:

Note: These are basic questions meant to expose some initial information and offer answer options that can help to weigh the risk to your organization. Your organization may choose to ask different or additional questions. Prevalent customers also have access to this assessment in their questionnaire libraries.

3. Continuously monitor impacted vendors

You have to be continuously vigilant not only for risks stemming from this particular attack, but for the next attack too. That’s why you should look for credentials for sale and for signals of an impending security incident by monitoring the Internet and dark web using continuous cyber monitoring.

Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential. You can monitor these sources individually, or you can look for solutions that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise. The latter approach enables you to correlate the results of continuous monitoring with risk assessment answers to validate whether vendors have controls in place.

8 Steps to a Third-Party Incident Response Plan

When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.

Read Now
White paper incident response 0421

Next Steps: Activate Your Third-Party Incident Response Program

If a cybersecurity incident occurred in your vendor ecosystem, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential vendor problems. A more programmatic third-party incident response plan could include:

  • A centrally managed database of vendors and the technologies they rely on
  • Pre-built business resilience, continuity and security assessments to gauge likelihood and impact of an incident
  • Scoring and weighting to help focus on the most important risks
  • Built-in recommendations to remediate potential vulnerabilities
  • Stakeholder-specific reporting to answer the inevitable board request

For more on how Prevalent can help your organization accelerate its discovery and mitigation of third-party risks, contact us or schedule a demo today.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo