Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, explains, “If one conceptualizes the security requirements of an organization around the “digital chain of custody” – securing all elements of the digital chain of security is critical – Data, Infrastructure, Device, Endpoint, Application and Identity. Each one of those elements presents potential gateways to a breach. This breach is illustrative of how multiple simple gaps across multiple elements of the “digital chain of custody” can be combined to orchestrate a significant breach. In this case, the fact that the super-admin account information was freely available and the fact that missing security controls on the device are considered “by-design”, point to how a combination of security gaps across the “digital chain of custody” resulted in such a significant breach.”

According to Ray Espinoza, CISO at pentest-as-a-service provider Cobalt, this type of security breach could have likely been prevented. Espinoza says, "The attack is another example of how easily cyber criminals can infiltrate networks, how much damage they can do with the smallest loophole or bit of information. If the claims are correct, Verkada’s super admin account could have been phished, could have had a weak password, or could have been left on default across multiple devices. Proactive measures like regular pentesting, red teaming, or compromise assessments likely could have caught these network vulnerabilities ahead of time."

Jeff Horne, CSO at Ordr, a connected and unmanaged device cybersecurity company, explains that while the Verkada website bolsters that they have a “Secure by Default” methodology, "it is clear that while we create devices with security-in-mind, what humans create typically has flaws. Security is not one-dimensional and while organizations might point to the faults in Verkada’s practices, the onus is not solely on the supplier or manufacturer – although this point can be argued at length." Organizations must look at the rapid growth of connected devices (i.e. digital transformation), says Horne, as an opportunity to start maintaining a continuous and accurate inventory, a true understanding of how those devices communicate, automate alerts based on any device or group of devices that act outside of a set baseline, and automate proper segmentation of devices as to not let lateral movement inside your network via the device(s), and always make sure that admin maintenance accounts are secured properly. "Since the video system data can contain personally identifiable information (PII), company confidential information, and personal health information (PHI), it is important that our security community band together to help Verkada, the impacted organizations, and the individuals whose privacy was exploited."

Elisa Costante, VP of Research, Forescout, says, “Connected cameras are supposed to provide an additional layer of security to that install them. Yet, as the shocking Verkada security camera breach has shown, the exact opposite is often true. Worryingly, the attack wasn't even very sophisticated and didn't involve exploiting a known or unknown vulnerability. The bad actors simply used valid credentials to access the data stored on a cloud server."

Costante adds, "In this case, the bad actors have seemingly only resorted to viewing the footage these cameras have captured. But they are likely able to cause a lot more damage if they choose to do so, as our own research team has discovered.