Use of personal equipment to access organisational resources

LastPass provides more detail on their breach

LastPass provided some more information about how they were breached.

Seemingly everybody has commented on the LastPass matter, being very quick to pass judgement from a distance. Certainly, for LastPass in particular, the bar was higher. So many things went wrong, and many other things were sub-optimal.

But we know that Information Security is hard. After a breach has been analysed and the entry vector, privilege escalation, lateral movement, etc. have been identified, it’s all much clearer. The benefit of hindsight…

What can we learn

I won’t repeat all the things that others have written about, and there has been so much. I’ll cover one aspect: use of personal equipment to access organisational resources. All other issues aside, this was key.

Sure, it is very convenient for an employee to quickly check their email or something else via their personal laptop or mobile, but it’s just not a good idea. As an organisation, you’ve spent all this effort on securing your network, endpoints and user devices. That’s great. By now allowing personal devices to join the party, you’ve just massively expanded your scope, and along with it your problem space.

What about the security? You may be able to catch the resulting unauthorised access due to credential capture or other malicious activity, but that, hopefully, catches things during or after the act, instead of preventing them.

Hang on, step back! Why try to “fix” this? It’s actually not a realistic scope to work with: enforcing certain processes on personal equipment will run into practical (who else in the household uses that device?) and possibly legal nightmares.

Conclusion

Any perceived need for personal device access must be investigated in detail, concluding in a thorough risk assessment, and held up against alternatives. Our basic best practice is this: if your people need to access company resources remotely, provide them with the hardware to do so - appropriately configured.

If the device connects back via, for instance, a VPN or virtual network, another device cannot simply take its place without the user going out of their way. People will still need to adhere to policies, as not everything can be enforced through technology, but it puts the organisation in a much safer (lower risk) base position.