The recent security breach of a well known Silicon Valley tech startup, Verkada inc., is a reminder and stark warning to all, especially existing and aspiring Cloud SaaS providers, of how important it is to get Data Privacy right.
The hack itself was unsophisticated and made possible due to the most basic error, an admin account username and password being misplaced and publicly posted on the internet. The consequences were huge, with the ‘hacktivist’ group gaining access to 150,000 Cloud-connected Security cameras in various organisations and businesses. This included schools, psychiatric hospitals, and even prisons. The damaging ramifications that come with a breach of privacy such as this, involving thousands of individuals, are obvious. The group also could view live camera feeds and archived security video of giants such as Tesla and Cloudflare who are cybersecurity experts.
Unfortunately, once the Cloud-connected cameras were hacked, they acted as springboards that allowed the hackers to scan internal networks for vulnerabilities and mount attacks on internal systems. As for the hackers, an international collective, they wanted to demonstrate the ease in which supposedly highly secure Cloud platforms could be compromised. They claimed this was in a protest against capitalism and in the fight for freedom of information. What was initially an unsophisticated attack led to further opportunities for more advanced techniques to be deployed within the end-user network. Attacks such as this could lead to loss of IP, PII (Personally Identifiable Information) and sensitive commercial/fiscal data.
So what could have been done differently? First and foremost, it is important to ensure usernames and passwords are never misplaced. But that’s the point – Humans will always make mistakes, it is within our nature. The layered systems and processes we put in place around our businesses are what should protect and ensure our actions are fault-proof.
We believe, in this particular case, several of the systems and processes we develop and use at Grosvenor Technology would have helped. Firstly, the use of multifactor authentication, a secondary way of verifying the identity of the user. We see it now in everyday life from a simple ‘unique number’ text generated, to an authorised device using a biometric template to verify the person present when logging into a PC. Simple things that are well executed can make all the difference. The main components are what you know, what you have (A Smartcard for instance) and what you are (A biometric).
An actively enforced password policy may have helped by forcing a password change or expiring the password. The question being, how long would an account login be live for if it were leaked? A regular expiry of login details may stop any potential hack. Even if a malicious agent does make it into your network, you want to be able to limit the damage it does. Using segregation of responsibilities, time-sensitive access to high privilege systems and hard network segregation helps ensure security. Also, ensure regular and secure OTA firmware updates are completed.
The last level of protection is more technical but relevant. It involves the hardening of the devices installed on the secure side of the network (in this case Verkada’s Cameras) connected to the Cloud. And that comes down to independent penetration testing of devices. This will ensure they can withstand external attack and will only offer minimal functionality if unauthorised access is gained.
So if like us you are a manufacturer, then make sure you ‘pen test’ your creations extensively, not just once but annually. Threats continually evolve and iterative pen-testing highlights new vulnerabilities. We as responsible manufacturers can deploy effective countermeasures and assist in this process to keep your people and data safe.