The LastPass Breach: 3 Steps You Need to Take Immediately [Podcast]




In August of 2022, LastPass announced that they had been the victim of a cyberattack. The hackers had penetrated their security and stolen some company information, including source code. But, they assured the world, no customer information had been accessed. Fast forward to November 30, and LastPass issued another statement: there had been another breach, and this time, some customer information appeared to have been accessed.

But nothing further. Until December 22, as everyone was leaving for the holidays. LastPass announced that this most recent breach (separate and distinct from the original breach, but likely by the same actors and using information stolen in the first breach) was bad. It turns out that the customer data that had been taken was, well, all of it. The hackers had stolen an entire backup of every user’s vault. Fortunately, LastPass said, the hackers did not have the decryption keys, which meant that the information in the vaults should be reasonably safe.

Except, as it turns out, even that statement of reassurance by LastPass wasn’t exactly… honest.

In this episode of the Fearless Paranoia podcast, we discuss what happened in the LastPass breach, including how the hackers appeared to gain access to LastPass’s user backups, and what kind of information they took. We also discuss what this breach means for LastPass users in general, and provide three things all LastPass users absolutely need to do immediately to keep themselves safe. Check out the episode:

For more information, resources, and a transcript of this episode, check out the original post.

What is Zero Trust Cybersecurity and How Much Does it Cost? [Podcast]




Zero Trust is one of the most popular phrases thrown about by cybersecurity professionals and – more importantly – thrown into cybersecurity sales pitches these days. It’s obviously important, and it’s obviously something you want. But what is it? Is it really something you need?

And, critically, how much does it cost?

In this episode of the Fearless Paranoia podcast, we talk about what zero trust cybersecurity really is. We separate the reality from the storytelling and marketing pitches. We break down the three key elements of a zero-trust cybersecurity environment, and provide helpful ways to implement nearly the entirety of the zero-trust framework with little-to-no actual cost.

For more information, a transcript of this episode, and helpful resources, check out the original post.

Why Cyber Resilience is the Best Metric for Cybersecurity [Podcast]


There are a lot of ways to measure the impact – and relative success – of a cybersecurity program. There are tests you can run to determine how effectively your employees are adopting defenses to phishing emails. There are table-top exercises to determine your ability to defend against an attack. There are even ways to compare the costs of your cybersecurity against others in your industry.

But the best way to measure the effectiveness of your cybersecurity is in your cyber resilience – how quickly, effectively, and completely you recover from an attack.

In this episode of the Fearless Paranoia podcast, we discuss what it means to have cyber resilience, including what it means to be resilient, and how you can focus your planning and procedures to make sure that resilience is a primary goal. Remember, even the best cybersecurity can’t guarantee to keep out every potential threat. Are you ready in case today is the day your cybersecurity fails?

For more information, resources, and a transcript of this episode, check out the original post.

What is a DDoS Cyberattack? [Podcast]


The best way to make sure that you and your business are protected from cyberattacks is to employ a broad-focus cybersecurity strategy. In order to do so, you need to have a basic understanding of the threats your business faces from cybercriminals, hacktivists, and other malicious actors. One of the most commonly used weapons in the cybercriminals’ arsenal is the DDoS (or Distributed Denial of Service) attack.

The DDoS attack is a tool of disruption, and such attacks are commonly used by cybercriminals and hackers at all levels – from the disassociated loner in his basement to those working for or on behalf of nation states and international conglomerates. Understanding the nature of the disruption, the resources it takes to maintain the disruption, and the services available to limit or eliminate the devices causing the disruption will help to protect you and your business. Do you have the right policies, procedures, systems, applications, and vendors in place to neutralize a DDoS attack against you?

In this episode of the Fearless Paranoia podcast, we discuss DDoS attacks, including what they are, how they work, and how you can design your cybersecurity systems to limit your risk of being a victim and improve your resiliency if an attack occurs.

For more information, resources, and a transcript of this episode, check out the original post.

How Implementing Least Privilege will Protect Your Business [Podcast]


The more access users have to your company’s data, the more vulnerable that data is in the event of a data breach. A malicious actor gaining access to one of your employee’s credentials gives them access to everything that employee is allowed to see. That’s why you need to restrict the access that users have to only what they need to perform their jobs.

We’re talking about implementing something called “least privilege.” Effectively, it means that users are granted the lowest level of access they can be given while still having access to the data they need to do their jobs. Nobody has admin privileges over their own workstation. Rank-and-file employees don’t have access to payroll data. Nobody has access to the password information for the entire business.

Yes, implementing least privilege will reduce your flexibility in certain situations. But requiring users to seek permission from a supervisor or manager when they need temporary higher-level access – a step that should add mere minutes to a task – is a small price to pay for how much more secure your business data will be.

For more information, resources, and a transcript of this episode, check out the original post.

Eufy’s Blunder – Don’t Promise what You Don’t Provide [Podcast]


Eufy made a name for itself as a video baby monitor company that provided peace of mind – in the form of top-of-the-line security to protect your privacy. It turns out their promises were more than a little bit hollow. When you promise things like end-to-end, military-grade encryption; when you promise things like no data stored in the cloud; when you promise things like only your device has access – those are all major security promises.

When you make those promises about a video baby monitor – one that not only involves a one-way video feed of your child sleeping, but a two-way audio feed (meaning you can talk to your baby from the other room), you had freaking well better know what you’re talking about! And when you’re given information that your security is falling short of those promises by a security researcher, maybe take them seriously.

Oh, and incredibly important extra point here – when a respected tech journal calls and asks for a comment, don’t flatly deny the existence of the problem and then disappear.

Those are all things that happened to Eufy, a subsidiary of the company Anker, this week. It’s bad.

For more information, resources, and a transcript of this episode, check out the original post.

Disaster Recovery: Forming Your Disaster Response Team


If it seems like each step in preparing your Disaster Recovery Plan is the most important step, even more important than the one that came before it, I can’t blame you. That said, we’ve come to another really important step – creating your Disaster Response Team (the “Team”).

This is more like two separate steps, but for the sheer sake of time, I will combine them here. First, you’re going to need to identify all the roles and the structure of the Team. Then you’re going to have to fill those roles with people in your organization. It’s definitely two different steps.
