Video: Top Strategies to Block Unauthorized Login Attempts | Duration: 3508s | Summary: Top Strategies to Block Unauthorized Login Attempts
Transcript for "Top Strategies to Block Unauthorized Login Attempts":

Hi, everyone. Thank you for joining us today. I'm just gonna give everyone another 30 seconds here to join. I see a lot of people coming in as we're speaking, so welcome. Happy Wednesday. Hope everyone is having a great day. I'm just gonna go over a few housekeeping items before we start this presentation. So we are recording this webinar, and we will share it out in a follow-up email that you all will receive later this week. We will also be sharing that deck within the email. And as we are going through the webinar, please submit your questions. We will have time for Q&A at the end, so any questions that you have throughout the presentation, drop them in the chat and be sure to stay to the end to see if we answer your questions. And with that, I'm gonna pass it off to Stephanie and Alex.

Know and need to know about threats, here at the company are involved with that. So, pretty fun job. Definitely something that we look forward to every day. Get to get involved with all kinds of stuff, and this is an example of one of those. So we will go ahead and get started. Alright. Next slide. Okay. So we're gonna talk about what is unauthorized access, common methods of unauthorized access, some of the consequences that can occur, you know, when this unauthorized access occurs, case studies, and then prevention and mitigation. Next slide. Okay. Unauthorized access. What is it? You know, it's pretty simple. Right? Unauthorized access is when someone, internally or externally, gains access to a computer system, network, or data without permission. Why does this matter? So unauthorized access is essentially the beginning of all of these breaches you see. You know, when you see X company was breached, you know, for SaaS and such and X data was taken, that always starts with unauthorized access. Right?
There's always an initial foothold that involves somebody on a computer that they're not supposed to be on and then sort of moving from there. So, you know, we see data breaches, we see theft of sensitive information. You know, we see systems compromised. You know, in some cases, the bad guys will just go in for espionage. Right? They wanna just kinda keep track of what's going on and make sure that they're aware of how a firm is operating or an agency is operating and, you know, being able to make decisions off of that espionage. Next slide. Common methods to gain unauthorized access. These should be pretty familiar to the audience, but I'll go through each of them so you guys understand. Weak or compromised passwords. Right? The days of using password123 or fluffy or your mom's name or what have you as your password are long gone because, you know, what we see now in the criminal underground, in the cybercrime underground, is, you know, these huge collections of passwords. Right? You've probably seen some of the press recently where you've got 3 40000000, you know, password lists that have been posted on the Internet. So those weak and compromised passwords are out there, and they're absolutely used by the bad guys to get into things. Credential reuse. Right? This is a big one, especially for a password manager. Right? A lot of people will pick a single password. Maybe it's a great password. Maybe it's something really complex. And then they'll reuse it across all of their properties. The bad guys understand that, and they understand that if I get access to one password, there's a high likelihood that you use that password for other things. And the ultimate source or the ultimate goal of that sort of password reuse would be to get access to something like an email address. Because if you think about all of the things you do with your email address, reset passwords, you know, access information, all of that stuff, that's the crown jewel.
Right? That's the goal for credential reuse from a bad guy perspective. Let me get into your email address. Brute force attacks. Right? That is, I'm going to take one of these giant password lists. I'm going to try to authenticate as you with these giant password lists over and over and over again until I get access. You know, that's a low-tech way of doing things. Still pretty successful. There's a lot of mitigations around being able to prevent an application from allowing you to brute force like that. But again, it's something that's still in pretty wide use. Poor access controls. Maybe the system is just not secured in a way that makes sense. You know, you've got one password being used by a bunch of people. You know, you've got somebody that's got more privilege to a system than they should have. All of those things play a part in the poor access controls and give the bad guy the ability to get into that account. SaaS app exploitation. Everything's about the cloud these days. Right? Software as a service. Right? That's, you know, I'm going to go up into the cloud and do my business with this software package or this vendor that does cloud operations. The challenge there is that it is not your computer and, you know, maybe you don't have the same security on it. Maybe you don't have the same process around securing it. Maybe, you know, the access control is weird. You know, maybe something is not secured in the way that you would do it. And because it's managed by a third party, you have that compromise avenue as well. Insider threat. You know, this is a difficult one and also a great example. Maybe there's somebody there that has a bone to pick with the company. Right? Somebody that's gonna be involved in a layoff or hasn't gotten a promotion or gets mad for some reason.
You know, they can have unauthorized access, and the criminal hackers and nation state hackers look for these sorts of people, right, that have that enhanced access. And maybe they'll reach out to them and kinda work with them and say, hey. I know things aren't going so well with you at the company. You wanna help me do something? And, you know, those sorts of things can kind of recruit an insider into helping further a criminal or a nation state attacker's goals. Phishing. Probably the most common of these for people that, you know, deal with this sort of situation day to day. Phishing is huge. Right? You can pull up your email at any given time and have a notion of phishing attacks. It's really one of the most common. You've heard the, you know, the term business email compromise. That's an example of phishing. I'm going to pretend to be a business person. I'm going to interact with you, you know, from a business sense. But my goal is to get your creds or get access to the systems you have access to. Credential stuffing. So this is one that's sort of related to brute force. And the way credential stuffing works is I'm going to get a huge list of username password pairs. And then I'm going to use a distributed, say, a botnet, a bunch of different computers to try each of those passwords. But I'm gonna do it, you know, from each of these distributed machines separately. And what that does is it makes it harder for the good guys to detect somebody's brute forcing because all they see is usernames and passwords coming from different systems. And if you think about it, that's how that would occur, you know, in a general sense when you're actually doing legitimate business. So, that's really, really popular, very difficult to block, and, you know, something that the good guys are kinda looking out for and the bad guys are taking advantage of. And then the last one I wanted to mention was social engineering. Right?
That should be pretty obvious. Right? Sometimes it's as simple as me calling you up and saying, hey, I'm Alex and I'm on the help desk. We need to fix your computer. Can I get remote access? A lot of people will be like, okay, Alex. I recognize that name. You know, that is the help desk. Okay. Sure. Right. Maybe that's a bad guy. Maybe he's trying to get access, you know, from a help desk standpoint. You know, it can be as simple as that. It can be as complex as, you know, infiltrating another company that does business with you and then pretending to be that company from a social engineering standpoint, coming from those systems and doing those things that will, you know, allow you to give up access. So those are the common methods to gain unauthorized access. You know, there's obviously a big picture here of all kinds of ways, but it all comes down to getting access to machines that you shouldn't have access to from a bad guy perspective. So next slide. Alright. Consequences. You know, I talked a little bit about some bandwidth, but, you know, data theft. Right? That's the big deal. That's most of the time what these folks are looking for when they go to breach. You know, if you look at the cybercrime perspective, it's like, data theft from a ransom standpoint and ransomware deployment. Right? So get unauthorized access, find some information that's valuable, deploy some ransomware, and then go, hey. Pay the ransom, and we'll give you access to your computers back, or pay the ransom, and we won't release your data. So it's kind of a double hit from a bad guy perspective. System disruption. Right? So this is your, you know, kinda typical DDoS, maybe destructive attack.
If we look historically at the way that some of the nation states have attacked, you know, Iran, North Korea specifically, a little bit for Russia, we see deployment of destructive malware to enemies, especially when we're talking kinetic conflicts or cyber operations related to wartime efforts. You know, so you might see destructive malware deployed at an energy company to take them down. You know, destructive malware deployed at some defense organization to prevent the military from being able to operate correctly. All of those system disruption things play a part in furthering the mission and, you know, are one consequence of unauthorized access. And then, you know, reputational damage. Right? Reputational risk is huge. I mean, you can have zero business impact, you know, from an attack standpoint. But if the news gets out that you were a victim of an attack, sometimes that can play a part, you know, and that can affect your firm, you know, from a business sense. And that's all just reputational damage. Right? It's something that not a lot of people will think about. You know, typically, when you think about a cyber breach, you're like, what data did they take? Did they get PII? Is it gonna affect my ability to run business? You know, is there ransomware or something down? But then people go, oh shoot, you know, this is gonna get out and the press is gonna talk about it and that could be bad. Right? So that's, you know, their reputational risk. So there's some basic consequences. You know, pretty common. Should be fairly obvious, but again, something you need to worry about. Next slide. Okay. I'm gonna pass it to Steph now, and she's gonna go over some case studies. We're gonna give you some examples of some of this stuff that I talked about. So Steph, go ahead and take it away.

Alright. Thanks, Alex.
So to illustrate a lot of these points that Alex just covered and to do a little bit deeper of a dive, we wanna look at a couple of recent attacks and highlight them for you all. So this year, there's been a lot of password spraying or credential harvesting attacks that have led to massive impact. So from a cyber threat perspective, these really highlight, you know, what we're concerned about when we talk about the threat from credentials. And Snowflake is a great example, in terms of, you know, exposed credentials, and third-party risk and exposures. So the cloud service provider Snowflake was possibly one of the biggest data breaches of this year so far, and we still don't even know the full impact of the number of companies that were affected yet. So in May, a threat actor began advertising data from Ticketmaster and Santander for sale in a cybercrime forum. They claimed that they had breached Snowflake, which is a cloud data warehousing platform. So it turns out, they didn't necessarily breach Snowflake, but Snowflake wasn't enforcing multifactor authentication, or MFA. So a lot of people just had a simple name and password to log on to that platform. And what ended up happening is a lot of companies got popped with infostealers, and they didn't know it. So that info was out there on the dark web. And infostealers, by the way, are really quiet. They're very widespread, and they're responsible for a lot of the data that's available on the dark web. So, I think the latest figure that I've seen is 165 companies with credentials related to Snowflake got popped. And this attack really had a pretty significant impact. Actually, AT&T was one of the companies that suffered a massive breach related to this. And it's actually the first time in the US we've seen a massive breach announcement postponed specifically due to national security protections.
There's a concern that national security information was leaked because once you know someone's phone number, you can do telephony analysis on that and do a lot of bad stuff. So next slide, please. Just kind of diving into the kill chain, just briefly, you know, from reconnaissance and, you know, finding the exposed credentials online, the threat actors then were able to just simply use those credentials to log in. And MFA was not enabled, and so that's all that they needed to get access. And then after they gained access, the threat actors identified, you know, available data using a custom utility and a publicly available data management utility. They were able to compress the, you know, data that they were after into a zip file and then exfiltrate that. Next slide. So I think a couple of key points from the Snowflake breach. You know, the core issue here is the exposed legitimate credentials. And there are a few reasons why this attack occurred. Again, so going back to MFA, the infected accounts weren't configured with MFA, and that's just low hanging fruit. Successful authentication only required a valid username and password, which allowed the threat actors easy access to targeted accounts. You know, nothing fancy there. And some of the credentials identified in infostealer malware output had been for sale on the dark web for years in some cases and were still valid, which means that those credentials hadn't been rotated or updated in quite some time. And in the case of the Snowflake attacks, companies were popped with infostealers that stole the login credentials of Snowflake customers' users through those infected devices and then accessed customer accounts and data stored on the platform.
I think this example also demonstrates, you know, that companies need a solution to both manage passwords while also monitoring for potential exposure on the dark web, whether that's, you know, via infostealers or other means, and just knowing, you know, what does the attack surface look like that's out there, where are my vulnerable points, and then address those. And I think it also highlights kind of the need to monitor for third-party vendor issues and address those business connections to them quickly. So whether that's, you know, changing credentials quickly. In the event of a credential stuffing campaign like this, I think these are all things that, you know, I think we all need to be aware of and take action to kind of limit our exposure to these types of attacks. We have a second case study as well, and this one is really interesting. Scattered Spider is kind of at the top of the game when it comes to social engineering. They're known as UNC3944, and this is a cybercrime group motivated by financial gain. They've been around for a while, active since at least May 2022. And they're really known for their elaborate social engineering attacks. They're really good at it, and they use those to infiltrate organizations. They've also made a name for themselves by targeting high profile companies like the identity management company Okta, as well as the casino giant MGM Resorts. So Scattered Spider uses various tactics to gain initial access to networks. These include using stolen credentials that they get from SMS or text messaging phishing operations. Also using social engineering tactics. They're well known for, you know, doing phone calls and text messaging and Telegram messages, impersonating IT staff to then trick victims into providing credentials on a phishing site, or downloading and installing attacker controlled remote management tools.
And then once the group gets access to the network, they can do a variety of actions, but we see them, you know, steal data, deploy ransomware, encrypt all network devices, and also, you know, use the stolen data to extort victims. Next slide, please. So I just wanted to give you kind of just a little TTP, or tactics, techniques and procedures, kind of timeline here. You know, over the last several months, we've seen Scattered Spider really evolve their TTPs, partially in response to the government attention that they've received due to their high profile attacks, and they're also trying to remain, you know, effective. There was a CISA alert published in November of last year. They've also drawn a lot of scrutiny from law enforcement. They've, you know, suffered some recent arrests of their members and leadership. So, you know, they're kind of continuing along this path and continuing to conduct attacks, but, you know, they're kind of finding themselves up against a wall a little bit. But they're continuing to find ways to conduct attacks and remain effective. So we started to see a shift to targeting of cloud environments starting in May of this year, along with new targeting reported against banking and insurance companies. And then we've started to see them kind of pivot again to, like, software as a service TTPs soon after that. So kind of highlighting the recent attacks targeting financial and insurance sectors. Next slide. We've seen some targeted, sophisticated phishing attacks against financial and insurance companies. They're aiming to steal high level permissions to cloud based environments to ultimately, their main objective is to deliver ransomware and to, you know, coerce their victims into paying that up. So the latest campaigns had the usual hallmarks of Scattered Spider attacks, like I mentioned.
You know, they're using SMS and voice phishing, aka smishing and vishing, to target highly privileged accounts like IT service desk administrators, as well as cybersecurity teams. And then the attackers can then use, you know, stolen credentials to compromise cloud based services and gain access to victim environments for ransomware attacks. We saw the attacks targeting cloud based services like Microsoft Entra ID and Amazon Web Services Elastic Compute Cloud, as well as software as a service platforms like Okta, like Zendesk, VMware Workspace ONE, and they deployed phishing pages that, you know, again, closely mimic single sign on portals. So, you know, tricking people to think that they're, you know, logging into a legitimate login portal that's actually controlled by the threat actor. And this has potential for follow on, you know, SIM swapping attacks that can leak sensitive corporate data. And after the attackers get access to credentials, they're able to then gain access to the cloud and on premises environments to conduct a whole range of activities like I mentioned earlier. They also exploited vulnerabilities to terminate security software and avoid detection. This is more sophisticated. They're, you know, understanding that security teams are looking for certain things to prevent an attack, even before it happens or in its early stages. And they're kind of trying to get around those detection tools and demonstrate a deep understanding of the Microsoft Azure environment and built in tools. And these attacks also have a pretty efficient leaning to them as well. Scattered Spider has been able to swiftly deploy its infrastructure and conduct these attacks in just a few hours of time. So that does not leave a whole lot of time for security teams to respond and take action, you know, once these attacks are underway.
So, you know, I think these are, you know, a couple of examples, but there are so many case studies out there, you know, when it comes to unauthorized access. And, you know, just kind of, I think, coming back to, you know, what steps can I take to avoid being a victim of these types of attacks? Right? And I think it all sums up to just having really good cyber hygiene. There are very, you know, concrete steps that you can take to protect yourself and your company. And these are just a few here. One is strong password policies. You know, implementing complex, frequently changed passwords. You know, like Alex mentioned, you know, password123 isn't gonna cut it, you know, variations of pets' names. You know, those are very easy to guess. And, you know, so making sure that you're setting policies for all users requiring a certain password length, a mix of letters, numbers, special characters, to make those passwords harder to guess, more secure. And then also providing an enterprise password management tool that locks down employees' passwords with the added convenience of password storage. Second is multifactor authentication. You've heard me talk about that a lot. But this just adds an extra layer of protection to prevent attacks. You know, you're able to set up MFA by requiring tokens like a phone before granting access to your systems. And this really helps prevent those simple attacks, like in the case of Snowflake where threat actors can just find these exposed credentials online, plug them in, and then it's just off to the races. Third is just conducting regular security audits. You know? Know where the doors, windows, locks are. You know, conduct regular monitoring and security audits to identify any, like, anomalies, anything that's off or weaknesses, and address them, fix them before it's too late and a threat actor finds a way to get in through those.
And, you know, having, you know, an up-to-date, you know, vulnerability patch kind of program, and, again, yeah, having an awareness of what's going on in your network, and taking quick action to address those. And then, fourth, last but not least, is training and education. You know, educate users about phishing. Talk to them about social engineering tactics. A lot of security researchers consider humans to be the weakest link in the cybersecurity chain. You know, it doesn't really matter if you have, you know, a fortress, but you have one employee who's willing to unlock, you know, the castle gate and let the threat actor in, you know, whether it's unknowingly or not. You know, 9 out of 10 data breach incidents are caused by employee mistakes. And a lot of times, they just accidentally click on a malicious link or, you know, are trying to be helpful doing their job as an IT help desk person. And they wanna help the person, the caller, you know, and help them through. So, you know, just getting employees the right training and tools to avoid falling for attacks, like the ones by Scattered Spider, you know, and just, you know, targeting those IT help desks, targeting folks, you know, through their social engineering techniques. So with that, I will pause and hand it off to my colleague, Jerome Ferrara, who will speak to you more about, you know, our password management solutions and how that can benefit you.

Yeah. Thanks, guys. Happy to join you here. I am Jerome Ferrara. I'm a product specialist with the LastPass team. I've been working with LastPass for about 9 years at this point and been using this service closer to 15. I think it's crazy. But I've been a long time user of the service and I'm happy to be able to be here to walk you through the tool and how to take advantage of it and get the most out of it.
So I guess we should start with a little bit of a high level overview because obviously we're laying down the facts that reusing of passwords and not using a multifactor tool, all that can, you know, create this great risk in the environment. So LastPass has set up a system that allows you to, you know, log in to a tool. Our LastPass tool, which is a browser-based application, also works on your phone and tablet. You can have access to these credentials anywhere. But you log in with your username and your master password. That master password is the only password you need to memorize. Everything else is going to be stored in your vault. And so in your vault, we can create these long complex passwords. So I saw someone wrote earlier that, hey, you could use passphrases with characters. Well, with LastPass, we're actually able to generate passwords that are 99 characters in length and, you know, use special characters, uppercase letters, lowercase letters, numbers. It's just, you know, nothing that you would want to necessarily remember yourself. It's just easier for you to be able to store this into a service where LastPass can populate that, as opposed to trying to memorize that and use it over and over again or use it in just 1 or 2 places. Like, obviously, the issue being that these companies are getting breached and your password that is stored with them is getting found and being used by these bad actors. So if we can use a unique password everywhere, a unique key to unlock all those different applications, then that's not going to impact you anyplace else. So again, LastPass is a browser-based application, works on all major browsers that are out there. You can actually, again, have it on your phone or tablet. Works on all major mobile devices there as well. So in here, I've already logged in using that username and master password.
It gives me access to the vault, but I'm gonna show you the business version of LastPass because I wanna show you not only the ability to create these long complex passwords, but I want to see how you can use it in a business environment. One of the things that Stephanie mentioned was the fact that it's good to have policies in place. In the business version of LastPass, we give you the ability, which is what we can access here through this admin console. The admin console gives you access to set these different policies for your organization, look at detailed reporting for auditing purposes, and do onboarding and offboarding as well. That way, if someone leaves the organization, they're not leaving with all their passwords either. So in order to take advantage of LastPass, you can actually search up a password. So I can look up PayPal here and actually launch this right from my browser plug-in. But 9 times out of 10, I like to go to the website and say, hey, I'm just going to log in to this application. I hit that login button and sure enough, LastPass recognizes I have a username and password and fills that information in for me. So you can upload all these passwords into LastPass, or if this is your first time using the tool, you can simply just log into the service as you normally would. LastPass would pop up something on your page here that would say, would you like to save this password to your vault? You would say yes. And the next time you come here, or if I just refresh the page, LastPass would recognize that you do have a credential for this application and allow you to log in and keep it there. As I mentioned before, we do offer up the ability to use a password generator that can be injected into that process as well. So if you are looking to sign up for a new site, LastPass can recommend a password for you and make sure it's saved in your vault and populated when you need it.
Now, we have an ability to save an unlimited number of passwords in your vault. So I'm going to open up the vault right now and show you a little bit more how you can manage these credentials as an individual. So I am logged in as a business user here. I'm logged into my business account. I'm a business admin, but it gives me access to all these credentials that I need for a business process. Again, an unlimited number of credentials can be stored here, but we know that most people have north of 40 or 50 different passwords they need for their job in a month's period of time. We want to make sure that you're using those unique passwords across the board. LastPass does allow you to organize these in a folder structure and create as many different folders as you like, or you can save any type of application, or I should say any type of credential, into your LastPass account. Some people use this for Wi-Fi passwords, for databases and servers. Obviously, a lot of people use them just for, you know, for websites as well. And we can, again, launch this right from the LastPass application here. But I know that a lot of people also need to use LastPass for sharing. So one of the things that we're talking about in the embarrassment of having your site breached is that you can actually have multiple people trying to log into a site for, let's say, social media. Right? So I'm scrolling a little bit quickly here. But social media, like, maybe 15, 20 people on your social media team need access to that same Twitter password. So LastPass wants you to be able to share that password in a secure and trackable environment. So another good example could be that we're doing this with sharing of credentials for accounting. Maybe I've got these credentials here in this accounting folder that I created and I want to share with other people in the finance team.
I can simply right click and click share, and LastPass will rename this "Shared Accounting", and then I can invite other people to have access to this as well. So in the sharing center, you'll see I've got a list of folders I've shared with other people or that they have shared with me, and you can manage this and make sure that the right people have access to it at the right time. Again, because we're all logging into our own LastPass account, we can identify that specific individual that's logged in, even though it's a shared account. We can identify the specific user that logged in. I'll show you the reporting of that in the back half when we look in the administrative side. So another thing I wanted to point out here is the security dashboard. So the security dashboard, because if you're like me, before I used LastPass, I had a lot of different passwords I used. I'm not sure, say, 3 different passwords I used repetitively. That's obviously not a good idea. LastPass gives you a security dashboard to give you an idea of how well you're doing managing the credentials within your vault. Here you'll see I've got almost a 70%. It's not fantastic. I have the opportunity to improve that score. And part of the way we do that is by looking through your vault locally. So we don't have access to this, but you as an individual will be able to look into your vault and see that. And we would populate that you have multiple credentials that are repetitive or some that might be weak, like a short password, or that you might have some that have been found on the dark web. So we offer free dark web monitoring to make sure that you can see any password that has been compromised, giving you the ability to change that, giving you a better score, and of course, making you a more secure individual, which is great for the company too.
So if I go into the administrative console here, which is where we can manage the business aspect of the service, the business aspect of the service will give you a quick overall view of how well the company is doing, but we also feed in that security score. So you as a business owner can see that, alright, I've got my users taking advantage of LastPass, but are they really using it to the best of their ability? The security challenge here will give you some feedback and let you know how well they're managing and who needs to make updates. And we do have the ability to not only show you a leaderboard, but we can set up some automated responses. So without having to look in here on a weekly basis, you can actually automatically urge your users to be better about how they're managing their credentials. So I'm at the main dashboard of the service right now, and I'll start off by saying LastPass. The three major reasons why I think people really take advantage of LastPass on the business side and what they were looking for is the ability to set up those password policies and make sure people are using it the way that you want them to, not the way that we have it set up by default. So LastPass has over 120 different types of passwords, or rather, different policies that you could set to make sure that people are using it the way you want them to. 120 could be a little bit daunting. We do break this down into different categories. Recommended policies, there's just a little over a dozen here that allow you to choose from to make sure that people are, you know, taking advantage of it the way you want them to. Maybe making sure that people are only sharing through shared folders, or whatever it might be. Again, there's a lot of different things you could take advantage of, and we do have some guides to help you out on that as well. But the policies allow you to really scale these into the way that you'd like them to.
And maybe you don't want offline access, or if you do, you could actually set up a policy here and make sure it's set for maybe everybody, or only just a small group of people, or everybody except a small group of people. So a lot of flexibility in how you want to be able to roll this service out and make sure that the policies are meeting your specific requirements. Now, the other thing I think is really important for us to go through here is on the user side, being able to add users, and you can simply add users by adding an email address and inviting someone to the service. But a lot of people take advantage of federated login, meaning that we're going to tie this to our Active Directory so that when they log into their Active Directory, they're using the same AD password that they would for their master password. So that means that they're automatically logging into the LastPass account when they're logging into whichever source of truth you might be utilizing. And if you're protecting the source of truth with a multifactor tool, you would also be protecting your LastPass account with a multifactor tool as well. And I should also add in on the policy side, we do offer up a lot of different multifactor options you could choose from. So if you're already using something, great. There's a good chance that we're gonna be able to map to that as well. So if I jump back to the user side, I just think it's important to list that you can see a list of all the users and see what they're up to and what they're doing with the service. You can obviously remove a user from here, but if you're federating this user, when you deactivate a user in Active Directory, you would automatically deactivate that user in the LastPass account too. So they're not walking out of the door with their credentials. And to see a little bit more about this and to validate all this, obviously, we have detailed reporting.
So this detailed reporting will show you the activity within the LastPass service, what they've logged into, what they're going through. But we also look at admin activity. So admin activity could be that someone changed the policy or someone deleted a user. So all this is tracked within our service as well. And we track all this information for up to 2 years, but it is exportable. So if you want to export this data and make sure you're matching it up with another reporting tool like Splunk or Sentinel, we can actually export all this data and make sure that you have access to it where you want to. So again, I think the major use case here, a major benefit of LastPass on the business side, is being able to control the onboarding and offboarding, making sure that when you onboard someone, you can make sure that they're, you know, meeting your security requirements, which we're taking advantage of through policies. And then, of course, that detailed reporting. There's a tremendous amount more to the service, but I know we have a brief period of time, and I wanna make sure that we're meeting any questions that you guys might have as well. So maybe I'll pause and see what we're doing on the question side. Hi, guys. Yeah. We have so many questions coming in and I'm also loving this. Everybody is helping answer each other's questions, which is amazing. So keep dropping any questions that you have into the chat and we will get to them, or if we don't get to them, it seems like other people will get to them as well. So, we do have a few questions though that are popping up and we're seeing some common themes. So just to start, if I'm using 2FA, how concerned should I be about potential hacking of authenticator apps? Yeah. I can take that. Yeah. So, MFA is one of the most effective ways to protect accounts from unauthorized access. But hackers have, you know, developed techniques to bypass it. It's not 100% secure.
And there's a few ways that hackers can get around MFA. One is phishing. You know, hackers can use phishing emails, messages, or fake websites to trick users into entering their login credentials and MFA codes. Some phishing kits are even advanced enough to capture session tokens from real MFA prompts. So that just kind of bypasses the need for hackers to intercept a code in the first place. Also, another way is man-in-the-middle attacks, which is where hackers intercept communications between a user and a legitimate service. So some tools kind of proxy communication. They can capture login creds and MFA tokens to impersonate the user. And then another way that came up early was SIM swapping, which is where hackers can gain control of a victim's phone number by tricking the carrier into transferring the number to a SIM card that's actually controlled by the hacker. And then once they control the phone number, they can intercept SMS-based MFA codes. So, you know, I think the bottom line is, you know, MFA is not 100% foolproof, but it does add that added level of security, and passwords still matter at the end of the day. And just as a follow-up question, we actually have a question around the SIM hacking. How hard should I push for using the MFA app instead of simply a code texted to the phone? I can address that. So multifactor authentication is good in general, and that includes SMS. The challenge with SMS is that the bad guys have shown a propensity to do what's called SIM swapping. And that is when I call your mobile phone provider and I say, hi. It's Alex. I got a new phone. I need to switch my SIM to this new phone. You know, typically, because of the authentication methods that the phone companies use, that's hard to do.
But if you think about the amount of public data that's out there around people just, you know, from various breaches, it's fairly trivial for me to get enough information to be able to call your phone provider, pretend to be you, answer the authentication questions with the data that I have, the breach data I have, and then get my SIM changed. So, you know, in a general sense, you're probably okay with SMS, but the potential exists that if you are a big enough target, the bad guys have a proven capability to compromise SMS via that social engineering. So, you know, if you want to be the most secure, the best way to do that is to move towards an authentication app or passwordless or something like that. Right? There are definitely levels to MFA, and SMS is probably the lowest from a security standpoint. So hopefully that answers the question. Great. I'm also seeing a lot of questions coming in around having people change their passwords regularly. Is this something that you recommend? Is this something that we should be doing? And if people are using MFA, is this something that they need to do? Yeah. I can address that one as well. So if you guys have been watching the chat, you'll see that Richard and Danny and Dave have all been talking about this. Right? And they're absolutely right. So recently, NIST, who's one of the big organizations that does, you know, cybersecurity standards, is recommending that you don't change your password frequently. You don't have a set "we change our password every 90 days" policy. And they basically say, don't change your password unless you know it's been compromised. Right? So monitor the breach landscape. Look for those data, you know, those password lists. If your password shows up there, then, you know, then you change it.
And, you know, the idea there is that what we found over time is that, you know, recreating your password over and over again, changing it every 90 days, just makes it more difficult for the end user. And not only that, because end users tend to forget passwords or, you know, forget what they've changed it to or what have you, they have to call the help desk, get their password, you know, changed. The churn that that creates from a support standpoint is also huge. Right? So that's why NIST has said, yes. From now on, don't change your passwords unless, you know, you have knowledge that it's been compromised, and that just kinda makes things easier. So, you know, what we'll see in the industry is a gradual switch from password change policies to that sort of, you know, the don't change unless you're compromised policy. So the industry is kind of in that move right now. So that's a great point from the chat. Yeah. Awesome. Thank you guys for commenting that in the chat. We're also seeing some questions around biometrics. I'm seeing that come up quite a bit. What is your stance on using biometrics as a 2FA? Also a great idea. Right? You know, the typical authentication sort of things are, like, something you know, something you have, something you are. That's something you are. Right? It's hard to fake your fingerprint. It's hard to fake your facial scan. If you have the potential to use bio as a multifactor point, do it. I mean, it's just that much better. You know, that's that much more security. Some people are a little strange about putting that sort of info into their, you know, security operations day to day, but, again, bio is huge. So all good. Great. And some questions around sharing. Jerome, as you were going through and sharing, you were sharing it from an admin perspective. Can you speak a little bit to how users can share with other users? Yes.
I should also add to that section that, although I was showing you from an admin's perspective, you can allow multiple users to be administrators of any shared folder. So those shared folders don't require you to be an admin of the overall service. And so we see a lot of companies that break up these different roles for, like, accounting, finance, HR, whatever it might be. So the director of those departments might have multiple people that are administrators of those folders, and that's something you can set within the shared folder itself. So when you're inviting someone, you can make another person administrator. That way, if the head of that department or whoever owns that folder is unavailable for whatever reason, you still have a backup person there to make a change. So, you're really not limited. You can have as many administrators of the folder itself, to make that a very simple process. And I'll try to put something in the chat. I know there's another question about learning more about the sharing functionality. We actually do a very thorough training session; there are training modules that you can take advantage of. You'll see that in the administrative guide as well. But I'll put some links in the support side that can help you get through it too. So I'll try to add that in a moment. Yeah. And I'll just actually use that as a plug to call out LastPass University. If you have any questions or want any videos, training, help, LastPass University is a hub that has so many different resources available to you. So if you ever have any questions, wanna watch past demos, past webinars, all of those are hosted in there, as well as our website. You can go back and watch videos, and I'm 90% sure we have one on sharing, a full webinar on it. I'm also actually seeing a few comments around LastPass Families, and Families as a Benefit. Jerome, do you want to speak to that quickly as well?
Sure. That's another thing I wish I got a little bit more time to delve into. So with every business vault, with every business user, LastPass, when you roll this out and buy this for your service, for your organization, everyone that's a business user of the service also gets what we call Families as a Perk. Families as a Benefit, FaB. Very clever. So, the FaB benefit means that you get access to LastPass yourself, plus up to 5 other members of your family can take advantage of LastPass as well. So the goal here is to make sure that you're able to use LastPass at home as well as at work. And we want to make sure that your family's using it because we know that sometimes you share credentials with your significant other or your family, right? Any of the streaming video services is a clear example. So the goal is to make sure that people are using this at home. So they're not reusing passwords into a work environment. And LastPass allows you to not only get this Families as a Benefit, but you can also link that Families account to your business account. So you're basically setting up a personal version of LastPass to use at your leisure. But that could be linked to your business account so that you don't have to log out of your business account and then into your personal account just if you want to access your bank information, for example. And that is a preventable feature through LastPass as well. Meaning that if you don't want people linking their business accounts, you see that as a risk in your environment, you can limit that. I should also say that when you link your personal account to your business account, there is no visibility from a business user's perspective into that personal account. So all that information stays as a separate vault. It's very convenient for the end user, but there's no visibility. It doesn't show up in the company reporting. So you wouldn't know that anyone actually has access.
We don't know the credentials to any of those employees' vaults, their personal vaults. And just to tie on to that a little bit more, if that end user leaves the organization, they leave with their personal vault. That personal vault automatically becomes unlinked from their business account. So there really is no visibility from a business owner into someone's personal life. Hopefully, that helps. Yeah. Thank you for that, Jerome. And I'm seeing so many questions. Great questions coming in around specific product features. If you guys have any questions or you wanna talk specifically with a sales rep, we're actually gonna launch a poll right now. So if you just wanna answer the poll, yes, you wanna speak to someone, or no, you don't wanna speak to someone, we'll make sure to get you in touch if you do say that you wanna speak to someone. And while that poll is live, we have a few more questions to get through. We have about 10 minutes left. How can we ensure the security of remote work environments? I know that's probably a very loaded question, but I think there's a few simple things that you guys can recommend. Yeah. I mean, you know, from a general sense, you know, protecting your remote workers is very similar to protecting yourself. Right? The 3 big things you should be doing. 1, patch your machines. When you see a little pop-up that says, hey. The software has an update. You wanna apply it? Apply it as soon as you can, largely because those pop-ups and those updates are for security issues. Right? The bad guys will actively find and exploit things, and then the companies go, we need to patch that. They push the update out, and you apply it. If you don't apply that update, you're gonna be vulnerable to that security issue until you apply that update. Right? So that's what I tell people. It's like, when you see that pop-up, apply it as quickly as possible.
Little bit easier with smaller companies than it is with bigger companies because of some of the change requirements and that sort of thing, but make sure that you're patching, you know, as quickly as you can. The second thing is MFA. Right? Use your MFA. It's super important. The way I equate MFA typically is a door lock. Right? Your front door. You've got both the lock on the knob, and you've got the deadbolt. Right? You can look at MFA like that. The lock on the knob is your password. The deadbolt is MFA. If you don't have MFA, you just have one lock to beat. Why not have 2? And then the last one is don't reuse your passwords and use complex passwords. Right? LastPass makes that super easy because it does it for you. But, you know, the reuse of passwords has historically been a huge part of breaches, both from a, you know, company standpoint, but also individual standpoint. So, you know, make sure you're not reusing those passwords. So patch your machines, use MFA, don't reuse your passwords. That gets you a good baseline, and then you can start looking at some of the other stuff. Great. And this might be a similar answer, but how can small businesses with limited resources improve their cybersecurity posture? Yeah. That's absolutely it. Yeah. Time. The things that I just said, right, exactly the same. One thing I would add on to that is some education. Right? Make sure that you've got some mandated security training every year for your folks. There are a lot of companies that offer that. You know, you can do some online stuff for free, etcetera. But you wanna make sure that your folks have that sort of security mindset in place when they're doing their business. So they question those weird emails that come in, or they question that phone call that asks them to do something strange. Just having that awareness around security is really important. Yeah.
And just to add on to that, a lot of the smaller businesses don't necessarily have the budget that large organizations have. So large organizations are usually able to put a lot of different layers of security into play. But, like, if you don't have an SSO service, LastPass is a great fit for you, even if you do have an SSO service. Meaning that SSO is a great tool, but at the same time, it doesn't work on all the applications out there. So it's nice to know that LastPass will store your password in here for everything. So it's nice to be able to set that base level. So actually, it could be a lower-cost way to be able to deploy something and still get a lot of visibility and security out of the tool. Great. A couple of questions around password managers in general. How user-friendly are password managers for non-technical individuals? I mean, I think we'll all say that we know a lot of technical people that use LastPass for sure, but there are a lot of people that are non-technical as well. And when LastPass first started off, it was really built for people that are not necessarily technical in nature. And so I do find it very easy. And obviously, it's easier than looking up your Excel spreadsheet, finding that password and trying to copy it here. It actually will autofill and pull that information in for you. So I find it to be very easy, but it's like anything. Give it a little bit of time. It'll change your habit and it'll seem like second nature. Great. Thank you. And one more question around just general password managers. How do they integrate with web browsers and mobile apps? Yeah. So LastPass does have the ability to... I think most major web, actually, I know all major web browsers that are out there, we do have a downloadable feature within the store to be able to download LastPass, have access to it where you want to.
And you can find a native application for LastPass in the mobile device stores as well. So you can actually download it, have access to it where you want. And it's just, again, your username and password and the multifactor tool, which you definitely should take advantage of, to be able to log in there. But, yeah, it is pretty simple to be able to find. You will see a downloads page for LastPass as well on our web page. So, there's multiple options to be able to download it and have access to it where you need it. Great. And just to expand upon that one more, I've realized that if you are a LastPass user already and you don't have access to your phone or your own computer, you're at someone else's place and you need access to your passwords. On the LastPass webpage, you'll see there's an option to log in and get a web version of your passwords too. So you can actually access LastPass anywhere you are. Great. I'm seeing a couple questions come in through the Q&A around VPNs. Are they a good option for business or are they a waste of time? Yeah. I mean, so VPNs are good. Right? A lot of people approach VPNs, and they look at them as, like, a security panacea, and they're really not. I mean, they are good for encrypting your data in motion. Right? When you're on the Internet and you're doing your thing, and you don't want anybody to be able to intercept your traffic as it moves through the Internet, VPNs are great. The challenge with VPNs, and somebody mentioned, you know, why do I have to disable VPN to access sites, is the bad guys know VPN works too, and they tend to use it. Right? So when we look at, you know, who's logging into LastPass and how they're doing it, one of the things that we look at is the use of VPN.
And, you know, if you look at the threat environment and the threat underground, there are certain VPNs that are more popular with the criminal underground than others, so we pay particular attention to some of those. But, yeah, VPNs can be both good and bad depending on the use, but ultimately, they're good. Great. It seems like we're getting a little bit of a lull in questions. There are a few coming in that are pretty technical, so I won't be asking those. They're very account-specific technical, I should say. So I won't be asking those live, but I am actually going to launch a survey. We would love your feedback. And if there's any final questions coming through the chat, drop them in. We've got a few more minutes here. I see one question around how do you manage both business and personal passwords? And it looks like we're having some conversation in the chat about keeping things separate, but I'll let you guys answer that a little bit more. Yeah. Definitely. So that Families as a Benefit that you get as a business user, that is by far the best way to go to be able to have a separation between your personal life and your professional life. So that personal version of LastPass, it's free of charge, gives you the ability to have, again, with that Families, it allows you to have multiple people have access to, I guess, the LastPass service so they can actually use the tool as well. But the goal would be to make sure that you're using your personal LastPass; if you link it, it makes it very simple for you to say, hey, if I'm saving something, I'm going to save it to my personal vault as opposed to my business vault. And then if you leave the organization, or if the business decides that you're going to leave, or even that they change your master password, they change your AD password, it would unlink that personal account. And so that would become separate. You'll still be able to walk away with all your credentials.
And again, LastPass is a free service. So if you walk away, you have the option to continue to pay us for that Families as a Benefit. But in the worst case scenario, we degrade that account to a free account and you still have access to all the credentials you stored within it. So it's a nice way to be able to have that separation, still be able to use it when you need it. But it's much better than putting everything in one vault, because if you keep everything in your business vault and you're no longer there, you're going to be locked out of all those things that matter to you on the personal side. Great. Thank you for that answer. And I'll pass it back to you guys. Any final closing thoughts? If you could take away one tip, piece of advice from this webinar, what would you, as our speakers, want all of our audience members to take away? For me, it would be don't reuse your passwords. Bottom line, don't reuse your password. Yeah. I think being aware of, you know, if your passwords are out there on the dark web, you know, floating around for anyone to use, just, you know, monitor your exposure and just be aware of what's out there. Yeah. So, you know, I'll kinda tie into the same thing. I would say the security dashboard was the first thing that came to mind. When you start using LastPass, obviously, if you're not already using LastPass, it might be a little bit of a change of behavior. So give yourself a little bit of time with it, but take advantage of that security dashboard. It will show you if you are reusing passwords, and you should definitely change those. And it'll point out if anything is on the dark web; it's a good opportunity for you to make those changes as well. And frankly, if you see something that is, like, a lot of people have passwords that are just fairly weak, meaning that they're short or not very complex, you can change those passwords as well.
So take advantage of it and happily reach out to us if you have any further questions. Obviously, we've got a great support network here. And there's a forum to take advantage of too. So, take advantage of the resources we provide you, but it's a great tool. I hope it really works out for you. Yes. Me too. Thank you all so much for your time today. We really appreciate you joining and sitting with us for this past hour. We will be sending out the deck and the recording of the webinar, so feel free to go back and watch it. Send it to any colleagues within your organization, anyone that you think this might benefit. And I hope you have a great rest of your day. Bye.