
My company isn't nearly as high profile or security focused, and we're not allowed to use our own computers for any work-related purposes; our work laptops run threat detection software and we have a whitelist of software we're allowed to install.

I'm surprised that LastPass's policies aren't at least that strict.

My company has what I think is a big hole in this policy in that we're allowed to use our own phone for email, a few corporate apps (like Jira) and our corporate password manager (not LastPass), but IT doesn't do any management of phones (other than being able to wipe them remotely if you're connected to the company email server). I suspect that the company doesn't want to spend the money on giving everyone a managed phone.



As much as LastPass seems to be trying to pin this on a single engineer, and not a broad vuln, the fact that they have such lax policies around access management, especially for a password management system, tells me all I need to know never to use them again.

Waiting for the rebrand and the incoming lawsuits.


Yep. The symptom being that a problem of this scale can be caused by a single engineer, which points to the root cause being deeper and potentially systemic.

The question for future trust is: what's been / being done to prevent the same thing from happening again due to another single engineer?


Preventing this thing from happening costs a lot of $$$, so pretty much everyone just "accepts the risk" seeing that probability of something like this happening to your company (during your tenure) is still super low. All companies with somewhat robust security posture I know have had a string of incidents in the past, that seems to be the only thing that can motivate to put $ in security.


It's not really very expensive to issue employees a laptop (which costs a percent or two of an engineer's annual salary) and tell them "All work must be done on the work laptop, no personal files/software allowed on the work laptop". For a little more money, they can add active management of the work devices, but just keeping work and personal device use separate would have prevented this.


No, there's no way to install a key logger on a company device?!


There is, but in this case it was the employee's personal software that allowed the back door. It's ludicrous that LastPass allowed employees to put sensitive data (i.e. their password manager) on personal computers with, apparently, no restrictions on what software they run.

Closing the barn door doesn't guarantee that the horses can't escape, but when you don't even have a barn door, it's hard to blame the stable boy when the horses get out.


They answer that question directly here

https://support.lastpass.com/help/what-have-we-done-to-ensur...

TL;DR: not much


Yeah, this is the equivalent of blaming an intern for nuking the prod database. Maybe they were careless, or maybe that shouldn't be possible to begin with.


If your company uses something like Duo they can still enforce some security posture on mobile devices, like blocking rooted/jailbroken devices or requiring a minimum iOS/Android version.

It’s also possible that the stuff mobile devices can access is walled off from the internal network with a DMZ or firewall.


The company I work for has a setup for a separate work profile on my phone, which I understand to have separation enforced at the OS level. The work profile has a separate set of apps installed that are limited to ones that the company sanctions, and even for stuff like web browsing, none of the state is shared if the same browser is installed in my default profile. From talking to coworkers with iPhones though, this doesn't seem to be an option now (not sure if iOS supports it but my company hasn't set it up or if this sort of thing isn't supported on iOS at all). This seems like a much better solution than giving people two separate phones or forcing people to hand over control of their devices to their employers, but I guess not enough companies want to do this enough for it to have become the norm.


How exactly can your IT department whitelist all software on your device? Are you using any build tools that install third-party dependencies, or are you using any development tools that do the same? Is your shell locked down so you can’t run commands as a super user?

I assume your IT just has a whitelist for some stuff, but I can’t imagine actually being a developer without super user privileges. Unless you're doing some sort of very controlled software development.


My company fixed that by only allowing SSO login on company devices. Everything else is SSO. Systems that weren’t SSO-enabled were replaced.
