Emphasize user education on recognizing social engineering attacks.If you’ve identified users relying on LastPass outside of the IT control, work with them directly, and articulate the dangers of this practice. Conduct regular cybersecurity training and awareness campaigns for employees on the importance of using strong passwords and the dangers of reused passwords.Avoid SMS-based MFA, as it is less secure and vulnerable to cell phone number hijacking. Ideally, use hardware token-based MFA if the service supports it, or at least app-based MFA, such as Google Authenticator. Urge users to turn on multi-factor authentication (MFA) for all of their accounts, including those managed by LastPass, to add an extra layer of security.Implement a password manager that is centrally managed and controlled by the IT team, to enforce strong password policies and prevent password reuse.Adopt a risk-based approach to determine whether LastPass is the best password manager for the organization, or if a different solution is more suitable.However, it is possible to automate LastPass extensions discovery through scripting, which saves time and effort. Pay particular attention to identifying LastPass installations installed as browser extensions, since they are not detected by most remote monitoring and management (RMM) and endpoint management systems by default.Monitor your managed devices for installed plugins, as not all users follow cybersecurity (opens in new tab) news and may be unaware of the problem.They should also follow best practices for passwords and enable multi-factor authentication (MFA) where possible.įor sysadmins, the following recommendations should be considered: To mitigate the risk posed by the LastPass breach, all users are advised to reset their passwords site-by-site, as simply changing the master password now would not solve the issue. This puts both personal and corporate-managed users at risk, as the breach demonstrates the vulnerability of even well-established password managers. In fact, some data shows that 97% of the cloud apps used in the enterprise are cloud shadow IT.
In this case, system administrators cannot enforce password best practices or manage password manager software. Uncontrolled use of password managers: While not all companies use LastPass, many employees install browser extensions themselves and use password managers for both work and personal credentials.Unfortunately, 53% of people reuse passwords for both corporate and personal accounts, which means that even if different password managers are used for work and personal purposes, a breach can cause major damage
0 kommentar(er)
