LastPass seems to have dodged a bullet last month. In August, the password management company announced that one of their development servers had been hacked. Thankfully, because it was only the dev server and not the production server, no customer data was exposed. But did they really dodge that bullet?
It’s great news that no customer data was compromised, but that doesn’t mean LastPass — or its customers — can breathe a sigh of relief. And any organization that uses a similar approach to security should take note.
Let’s discuss why your company needs security attention everywhere — not just in high priority areas.
Should You Be Alarmed By the LastPass Breach?
It appears that LastPass took a security approach that many companies choose: they focused most of their security and compliance effort on the production environment, because that is where the sensitive data is stored.
Let’s say you have 100 servers in your production environment — the machines that are actively running the business. Like LastPass, you have one product that you want to protect through a third-party assessment. That one product might run on 12 of those 100 production servers.
Also in production, you have email servers and other web servers for other products that don’t presently go through a third-party assessment. There are 88 other systems sitting in the production arena, but they aren’t subject to the scope of the assessment.
Organizations will typically take that kind of approach to limit the scope of the compliance assessment. You’re saving costs on your assessment, you’re saving time and effort on compliance management, and you’re giving yourself additional options for putting various protections in place.
To be clear, there’s nothing inherently wrong with the approach — but it does have a risky downside, depending on the implementation approach.
The downside is that many of these organizations end up cutting back on, or eliminating, the spending that supports security oversight of those other environments. If they don’t pay attention to their staging, development and internal systems, those servers are left potentially exposed.
That appears to be the case with LastPass. But what is the risk, realistically?
Why Are Closed, Internal Systems a Security Risk?
One of the questions that clients ask us fairly regularly is, “This is an internal system — it’s closed off to the outside world. So why the heck do I need to spend all this time, money, headache, and heartache focusing on that?”
Let’s say someone within your organization is connected to various internal devices such as a development system, file shares, or email. That employee happens to click on the wrong email or download some malware. Now, whatever that person is connected to is potentially exposed.
Any security vulnerabilities that are on those internal servers can now be taken advantage of by a hacker who was just let in through the back door.
Depending on the environment in question, whatever is on that box is fair game for the bad guys. If they happen to get onto your internal development server, and that server has a pipe to the internal development database server, the bad guys now have access to at least those two things.
And maybe a lot more, if they happen to gain connectivity to a user’s workstation and that machine has mapped drives to the file server. Now the hacker has access to all the files on the file server.
One of the biggest issues for organizations is when the bad guys gain access to the internal network, including local backup files as well as backup files stored on a secondary remote system. The organization thought they were in good shape with redundancy in their backups — meanwhile, the bad guys have used ransomware to encrypt the systems, local backups, and remote backup files!
How Hackers Can Use Dev Server Breaches
Here’s the problem with the LastPass incident. Normally, external actors don’t have direct access to an application’s code. They can’t see the guts to understand how a particular piece of software works. However, once you get a look under the hood of an application, you know how it functions. You can analyze the inputs and identify vulnerabilities in the code.
So even though no personal data was accessed in the LastPass breach, it opened up a series of possibilities for the bad guys.
You can see why security and compliance measures across the board are vital to your company’s protection.
If you don’t have proactive measures in place — patching, monitoring and analysis tools, central logging, file integrity monitoring — then you can’t even detect that there’s a problem, let alone tell specifically what happened.
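To make the file integrity point concrete, here is a small added example (not code from the original post, and not a TCT product) of what a file integrity monitor does: it records a SHA-256 baseline of every file under a directory, re-scans later, and reports anything added, changed or removed. The directory tree and the edits to it are constructed inside a temporary folder so the script runs offline; the paths and file contents are assumptions for illustration only.

```python
"""Minimal file-integrity monitoring (added example; not from the original post).

Builds a SHA-256 baseline of every file under a directory, then re-scans
and reports what was added, modified or removed. The sample tree is
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots: files added, removed, or modified (digest changed)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Stand in for a dev server: take a baseline, alter files, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree representing a development checkout.
        (root / "app").mkdir()
        (root / "app" / "auth.py").write_text("def login(user, pw):\n    return check(user, pw)\n")
        (root / "app" / "config.yml").write_text("db_host: dev-db.internal\n")
        (root / "README.md").write_text("dev box\n")

        baseline = build_baseline(root)

        # Changes that a later scan should flag, whatever their cause.
        (root / "app" / "auth.py").write_text("def login(user, pw):\n    return check(user, pw)  # edited\n")
        (root / "app" / "helper.so").write_bytes(b"\x7fELF-constructed-sample")
        (root / "README.md").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written to a store the monitored host cannot alter, and each re-scan's differences would be shipped to central logging; without that baseline there is simply nothing to compare a compromised development box against.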
Take your security seriously, across your entire environment. It’s commendable that you have your annual assessment and you’ve proven that the target environment has all the right stuff in place. But that’s just the tip of the iceberg.
Real Business Implications of a Dev Environment Breach
A seemingly innocuous breach like that one, in your organization, could provide access to code that eventually lets bad actors reach your clients’ sensitive data, using what they learned from your development environment. Or it could expose your employees’ data. You may have 400 clients, but each of those clients has its own customers. In the end, a breach of your development environment could lead to the exposure of thousands of people’s sensitive data.
At that point, any concerns about reducing compliance costs are put in a stark perspective. The thousands of dollars that your organization saved in the short term very quickly turn into millions of dollars in disaster cleanup — not to mention the loss of customers’ faith in your security.
Security breaches like the one LastPass experienced can destroy companies — and they often do. Sixty percent of small businesses shut down within six months of discovering a data breach.
How to Protect Your Costs and Your Company
Having said all that, there is a way to reduce your costs on the annual compliance assessment, while also protecting your entire environment.
If your organization is leveraging TCT Portal, you can set up one track that covers your production environment and another track that covers the rest of the environment. TCT Portal can spin up multiple engagements, so it’s simple to use one security compliance engagement with the Assessor and another engagement for internal tracking.
You can roll out solutions against your security compliance matrix across both of those focal points in TCT Portal. This approach allows you to reduce costs with your Assessor, but also to strengthen your overall security stance.
There’s no reason to risk your security — or your clients’ security — for the sake of greater flexibility and cost savings. Especially when TCT Portal can give you both. Find out how you can strengthen your organization’s security posture — contact TCT to start a consultation.