It is still common for high risk organizations to allow their employees to use home computers to access corporate, sensitive, information. There are several justifications that are used to explain this policy but it typically comes back to the idea that these personal devices are merely being used to access some web portal to accomplish their work. Thus, the idea is that these devices are not capable of doing much harm to the corporate environment. However, criminals are more creative than many give them credit for.
LastPass has announced that an employee’s home computer was the source of a recent breach that resulted in the theft of a corporate data vault. Hear the explanation for how this took place:
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.” (emphasis added)
This attacker was able to accomplish this attack despite the organization having MFA in place.
Corporate culture in the United States needs to change. Personal computers should not be used to access corporate data. Only devices that have their security managed by the organization should be accessing sensitive information. This keylogger would most likely have been easily prevented by a good endpoint protection program, the exploited vulnerability could have been remediated via a good TVM program, and both of those security solutions could have been provided had the user simply been using a company issued device.
We can help you design a more secure work from home solution for your employees. Contact us today!