Monday’s here! Time for a pop quiz: How much did Nike's “Swoosh” logo cost? Let's just say the answer is “less than you would think.”
In today’s edition:
Managers wanted
Burn notice
—Tom McKay, Billy Hurley, Patrick Lucas Austin
Illustration: Dianna “Mick” McDougall, Photos: Getty Images
So, LastPass was hacked, but don’t fire the password manager just yet—the tool can still play an important, breach-stopping role, according to industry pros who spoke with IT Brew.
Despite the recent breach of the LastPass development environment, credential-handling applications are likely still a superior option to trusting employees, who can frequently display a variety of bad authentication habits. (Looking at you, CEO with “QWERTY” on a Post-it note.)
“If I were to say, ‘Hey, drop that password manager today,’ what would you do? You’d go reset the same password for every single site and take a big step backward in [your] security posture,” said David Chase, research director for identity and access management at Gartner.
The hack
- According to an Aug. 25 blog post from LastPass, an unauthorized party compromised a developer account and took portions of source code and some proprietary technical information.
- “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” according to the post.
LastPass
- LastPass has more than 30 million registered users.
- The service’s password manager creates complex passwords for all logins and stores them in an encrypted vault, which can only be accessed by the registered user with their encryption key. “Without that encryption key, the stolen passwords are useless. They’re locked. So it’s like stealing a giant safe out of someone’s house. If you don’t have the keys to it, you can’t break into it,” said Jason LaPorte, CTO and CISO at New York-based Power Consulting Group.
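The “giant safe without the keys” argument above rests on one design property: the vault is encrypted on the client with a key derived from the user’s master password, so whoever holds the stored blob (the vendor, or an attacker who stole it) holds only ciphertext. The following is an added illustration of that property, not LastPass’s code or its actual cipher choices: it uses a PBKDF2-derived key, an HMAC-SHA256 keystream in place of AES, and an encrypt-then-MAC tag so that a wrong master password or a tampered blob is rejected rather than decrypted to garbage. Function names, the iteration count, and the sample vault entries are all assumptions made for the example.

```python
"""Illustrative client-side encrypted vault (added example, not LastPass's scheme).

Property demonstrated: the stored blob is useless without the master password.
"""
import hashlib
import hmac
import json
import os

# Assumption: a high PBKDF2 work factor; real products tune this to their threat model.
PBKDF2_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stands in for AES-CTR here)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Encrypt the vault on the client; only this blob would ever be sent to a server."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC over everything the decryptor will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, blob: dict):
    """Return the entries, or None if the password is wrong or the blob was modified."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong key (bad master password) or tampered ciphertext
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(blob["ciphertext"], ks)))


if __name__ == "__main__":
    # Constructed sample vault for the demo.
    vault = {"example.com": {"user": "alice", "password": "correct horse battery staple"}}
    blob = encrypt_vault("my master passphrase", vault)
    print("plaintext visible in stored blob:", b"correct horse" in blob["ciphertext"])
    print("right password:", decrypt_vault("my master passphrase", blob) == vault)
    print("wrong password:", decrypt_vault("guess", blob))
```

The check a practitioner cares about is the last two lines: with the wrong master password the stored blob yields nothing, and the same holds if anyone modifies the ciphertext. What the construction does not protect against is a weak or reused master password, which is exactly the failure mode Chase warns about.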
Costs: According to an early 2022 IBM report that surveyed 550 breached organizations, the cost of a data breach averaged $4.35 million. Stolen credentials were the primary attack vector in 19% of breaches.
Read the rest here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
IT team collabs have never looked so fab—and it’s all thanks to MURAL.
With MURAL’s flexible, easy-to-adopt visual thinking canvas, teams can increase engagement, drive decision-making, and foster high-impact innovations.
Start with a blank mural and choose from a variety of ready-to-use digital templates (or create and save your own). Gain cross-function viz and put MURAL’s intuitive features to work to guide visual collaboration.
Unleash creativity with brainstorms, wireframes, and journey mapping, and stay within budget using the Free Forever plan. Doesn’t matter whether your team is remote, hybrid, or in a startup basement—MURAL remains inclusive and engaging as you unlock your vision.
Try MURAL with their Free Forever plan today.
Francis Scialabba
CISOs are stressed, burned out, and…making bank.
The 2022 Global CISO Survey by Heidrick & Struggles found median cash compensation for US-based CISOs surged from $509,000 in 2021 to $584,000 in 2022—a $75,000 raise that works out to nearly 15%. At the same time, the 327 CISOs around the world who participated in the study reported high rates of stress (59%) and burnout (48%), with roughly a third reporting concerns over high staff turnover.
CISOs are likely to get big raises in large part because companies are quickly realizing how important the role is, said Scott Thompson, a partner at Heidrick & Struggles in the financial services practice who worked on the report. “CISOs are being compensated for the risk that they’re taking on.” The job also puts them on the front lines of serious threats like ransomware, a top concern for 67% of respondents.
“The key findings in the report were that the CISO role continues to evolve. It continues to be an incredibly stressful and high-profile role, which leads to a lot of burnout, a lot of turnover,” Thompson told IT Brew. “What’s interesting about the CISO function is they’re getting tens of thousands of bad actors or threats every single day. And they need to be right every single time, whereas a bad actor only needs to be right once for something bad to happen within the company.” Median CISO compensation, including all sources of income like equity, grew at a slower pace, from $936,000 to $971,000, which might reflect many choosing hard cash now over stock in the uncertain economic environment.
“It’s really just the sheer magnitude of roles in the US and how many organizations [there are] and how large the cyber functions are within the US,” said Thompson. “If you look at the survey this year, compared to the last two years, the number of respondents and the number of diverse CISOs is going up slightly, but we'd like to see much more of an increase.”
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
Straight from a Shark’s mouth. Shark Tank star and entrepreneur Kevin O’Leary is Electric’s #Elevate 2022 keynote speaker, so go ahead and reserve your seat ASAP. Mr. Wonderful will share actionable advice on scaling your business like a Shark. Register here to join virtually on Oct. 27.
Francis Scialabba
Today’s top IT reads.
Stat: 194,905. That’s the number of customers affected by a credential-stuffing attack on clothing company The North Face, which was compromised in late July. (ITPro)
Quote: “Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection.”—AT&T Alien Labs researcher Ofer Caspi, on the Linux-focused malware Shikitega. (Ars Technica)
Read: Apple’s new iPhone 14 lineup ditches the traditional SIM card for the newer eSIM standard. Here’s what that could mean for your device’s security. (ZDNet)
Learn: From cybersecurity to big data to software development, IT is always evolving—so your business strategy should be too. The Brew’s Business Essentials Accelerator is here to help. Sign up for our upcoming cohort now.
AWS expert webinar: Learn how to establish Everything-as-a-Service patterns with API-first domain-specific platforms that leverage Apache Kafka® for real-time data streaming. Register now.*
*This is sponsored advertising content.
- Google has completed its $5.4 billion acquisition of cybersecurity firm Mandiant.
- Elon Musk is still trying to back out of his agreement to purchase Twitter.
- SpaceX is appealing the FCC’s decision to deny close to $1 billion in subsidies to the company’s Starlink satellite internet service.
- iOS 16 is now available, which means you can use the new Lockdown Mode to protect yourself from targeted malware attacks.