LastPass disclosed technical details of a second breach, with major implications for critical datastores, including encrypted and unencrypted customer data in the LastPass production AWS S3 buckets. The new attack was a lateral move leveraging information captured during the first breach last August. The new target was a senior DevOps engineer whose personal home computer was compromised with an installed keylogger. Captured data allowed the attacker to access the engineer's corporate vault, which contained encrypted notes with LastPass production cloud environment access details. The notes may have contained access keys, private decryption keys, and other sensitive information that allowed the attacker to gain access to, exfiltrate, and decrypt customer data stored in LastPass AWS accounts. The LastPass incident highlights the severe consequences of a cyber breach of highly sensitive individual and corporate user data.

Observers question the sufficiency and effectiveness of the security measures established to safeguard cloud-stored critical data. Based on the incident summary reported by LastPass, we learn three lessons that organizations can use to improve their cloud data security posture.

1. Better data access governance of privileged IAM users

The primary vulnerability was access to and use of a privileged user's credentials to break into LastPass production cloud accounts. Attack vectors like these are difficult to detect and monitor proactively: LastPass was unable to detect the unauthorized access because the attacker used valid credentials. The company's investigation found that the original breach and data theft occurred between August 12 and October 26, 2022. A company statement in December addressed security process changes, such as the rotation of compromised credentials. This suggests that previously insufficient or unenforced measures were used to rotate long-term access credentials within the standard timeframes of 60 or 90 days, particularly credentials for direct access to highly sensitive data. Cloud providers recommend the rotation practice as part of the shared-responsibility model, and not adhering to it could potentially violate LastPass compliance requirements. Also, the principle of least privilege may not have been applied to the breached engineer's access rights. A better approach would have been an Assume Role-based architecture to access cloud resources.

Auditing and monitoring the usage of IAM users and roles helps identify dormant or abandoned privileges. Figure 1 below shows that a user was granted read and write access to a sensitive S3 bucket three months ago but the permissions were never used. Information like this can be used to remove overprovisioned permissions and lower the potential for sensitive data exposure.

Figure 1: Normalyze Identity dashboard, highlighting a privileged user with types of access to a sensitive datastore

2.
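The rotation window and dormant-credential checks discussed in lesson 1 can be run mechanically against an IAM credential report. The script below is an added example, not code from the original post or from Normalyze or LastPass. It assumes the column names of the AWS IAM credential report (fetched in practice with `aws iam get-credential-report`), of which only a subset is used; the two-user report and the fixed clock are constructed here so the run is reproducible offline.

```python
"""Flag long-lived, stale or never-used IAM user credentials from a credential report.

Added example (not from the original post, Normalyze or LastPass). Assumes the
CSV layout of the AWS IAM credential report; the SAMPLE_REPORT is constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Rotation and idle windows taken from the standard 60/90-day practice in the text.
MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 90

# Constructed sample report: two users, three active access keys. Timestamps are
# ISO 8601 UTC as in the real report; "N/A" marks a key that has never been used.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
devops-alice,arn:aws:iam::111122223333:user/devops-alice,2021-03-01T10:00:00+00:00,true,2023-02-20T09:12:00+00:00,2022-11-01T00:00:00+00:00,N/A,true,true,2022-06-01T00:00:00+00:00,2023-02-27T14:03:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2022-11-28T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-11-28T00:00:00+00:00,N/A,N/A,N/A,true,2023-02-01T00:00:00+00:00,2023-02-25T08:00:00+00:00,us-east-1,s3
"""

# Fixed "now" (constructed) so that the findings below are deterministic.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Return an aware datetime for an ISO timestamp, or None for N/A-style placeholders."""
    if not ts or ts in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW,
                            max_age=MAX_KEY_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """Return a list of (user, finding) tuples for credentials that violate policy.

    Three checks: console users without MFA, active access keys older than
    max_age days, and active access keys that were never used or have been
    idle for more than max_idle days (the dormant-privilege case in the text).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys are not a live risk
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > timedelta(days=max_age):
                findings.append(
                    (user, f"access key {slot} not rotated for {(now - rotated).days} days"))
            if last_used is None:
                # Granted long ago, never exercised: a candidate for removal.
                findings.append((user, f"access key {slot} active but never used"))
            elif now - last_used > timedelta(days=max_idle):
                findings.append(
                    (user, f"access key {slot} unused for {(now - last_used).days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Against the constructed report the run flags `devops-alice` for a 273-day-old key and `ci-bot` for a 93-day-old key that has never been used; the never-used key is exactly the kind of dormant privilege the text says should be removed, and moving such workloads to short-lived AssumeRole sessions removes the long-term key from the report altogether.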