Expert comment on LastPass hack

DFMag has obtained expert comment on the LastPass hack from Javvad Malik, Security Advocate at AlienVault.

For those not aware, hackers have attacked LastPass, the popular online password management service, and stolen data.  

Javvad comments as follows:

On the hack

“It’s not a matter of if companies get hacked, but when. Even security firms are not immune to being attacked, especially considering how much data can be accessed via them. We should stop being surprised when we hear of a company getting attacked or breached – that is not the measure on which to judge, but rather how they respond speaks volumes.”

On the LastPass response

“LastPass has done a very good job on several fronts. Firstly, it didn’t just rely on preventative controls, but had detection controls in place and was actively monitoring them to identify suspicious activity. Secondly, LastPass has communicated to the public very clearly about what it knows and what has happened via a blog and email. Thirdly, the @LastPasshelp (Twitter support account) has been active in this period responding to many customer queries and complaints. They have also provided advice to customers as to what steps they should take and what additional security measures they’ve implemented.”

What companies can take away

“It is only by having adequate detection and response controls in place that companies can be prepared and efficient in times of crisis. Not only does this include technical response and recovery capabilities, but effective communication strategies to keep customers, partners, law enforcement and other stakeholders informed with relevant information.”

What LastPass (or similar provider) users should do

“LastPass has provided good advice in that users should consider resetting their master passwords and enabling two-factor authentication if possible. Some people may choose to move to another password manager on the market, but this won’t change the overall risk of being hacked. For all organisations, it’s not a matter of if, but when they will be hacked.

“Users should bear in mind the complexity and scale of how many passwords are needed and stored by a password manager. Ditching a password manager for manual techniques (such as remembering your passwords) will likely lead to overall weaker passwords.

“Overall, we should reserve judgement until a post mortem of the incident has been concluded and more details are made available.”