Verkada Breach – What Happened?
On March 9th, the world woke up to the news of a very large-scale security breach. A group of hackers succeeded in accessing and controlling thousands of security cameras developed and managed by Verkada, a Silicon Valley-based company that sells security as a service.
Verkada customers include a cross-section of American institutions, from schools, hospitals, and county jails to offices, banks, and health clinics. Customers are provided with IP cameras, from which footage is collected and uploaded to the cloud, where a software system provides a dashboard for displaying the videos. The design is intended to make access easy: customers' physical security teams can monitor all their sites from any browser and device.
The group of hackers found a Verkada username and password publicly exposed on the Internet, through which they were able to access a super-admin account. The super-admin is a privileged user with permissions to access camera footage and control cameras across multiple customer accounts. By exploiting this credential, the group was able to hijack control of the cameras, which could be used to launch future attacks, and to access video footage stored in the cloud for Verkada's list of more than 24,000 clients.
Impact of the Damage
This incident is a real-life example of the damage that can be caused by hackers accessing and exfiltrating sensitive data from critical facilities. Yet as bad as the situation is, it's important to be aware that the potential damage is even worse when the breached cameras or other connected devices control the access systems used in smart homes and buildings. When malicious actors have access to this type of sensitive data, they can potentially manipulate footage, conduct invasive surveillance, or control access to sensitive locations, potentially coupling a digital risk with a physical attack.
Even more alarming than the attack was that Verkada had no idea they had been breached until the video feed hit Twitter. Verkada learned about the hack through the media, without any knowledge of the duration of the breach or the extent of the damage. The hackers have since claimed they had uninterrupted full system access for two days.
The cybersecurity measures put in place by Verkada, while robust, were limited in scope. Security of their surveillance cameras was focused on applying regular security patches, tamper detection for cameras that have gone offline, and data encryption, both for data at rest and data in transit. Unfortunately, neither their cameras nor their centralized management consoles had a dedicated cybersecurity solution in place designed to prevent, or even mitigate, detected attacks.
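The gap described above, a super-admin credential reaching cameras across many customer accounts for two days without anyone noticing, is the kind of activity a check over the management console's audit log can surface. The following is an added example, not Verkada's code or log format: the log layout, account names, tenant IDs, one-hour window and three-tenant threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (hypothetical format): time account role tenant action
SAMPLE_LOG = """\
2024-01-15T09:00:05Z alice org-admin tenant-017 view_stream
2024-01-15T09:12:40Z support-01 super-admin tenant-017 view_stream
2024-01-15T14:30:00Z support-01 super-admin tenant-204 view_stream
2024-01-15T22:01:10Z svc-root super-admin tenant-003 view_stream
2024-01-15T22:02:30Z svc-root super-admin tenant-118 export_archive
2024-01-15T22:03:15Z svc-root super-admin tenant-204 view_stream
2024-01-15T22:05:50Z svc-root super-admin tenant-377 camera_config
2024-01-15T22:09:00Z svc-root super-admin tenant-512 view_stream
"""

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_TENANTS = 3               # assumed baseline for legitimate support work

def parse(line):
    ts, account, role, tenant, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, role, tenant, action

def cross_tenant_alerts(log_text, window=WINDOW, max_tenants=MAX_TENANTS):
    """Flag privileged accounts touching too many customer tenants in one window."""
    recent = defaultdict(deque)   # account -> (timestamp, tenant) inside the window
    alerted, alerts = set(), []
    for ts, account, role, tenant, action in sorted(
            parse(l) for l in log_text.splitlines() if l.strip()):
        if role != "super-admin":
            continue              # ordinary users stay inside their own tenant
        q = recent[account]
        q.append((ts, tenant))
        while ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        tenants = sorted({t for _, t in q})
        if len(tenants) > max_tenants and account not in alerted:
            alerted.add(account)  # one alert per account, at first crossing
            alerts.append({"account": account, "detected_at": ts,
                           "tenants": tenants})
    return alerts

if __name__ == "__main__":
    for a in cross_tenant_alerts(SAMPLE_LOG):
        print(a["detected_at"].isoformat(), a["account"], a["tenants"])
```

On the constructed log, the support account that visits two tenants hours apart stays quiet, while the account sweeping across tenants is flagged within minutes rather than days.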
Lessons to be Learned
The scale and the sensitive nature of the data exploited have reverberated across the cybersecurity industry, particularly for IoT hardware developers. The irony that it was a security company that was breached has forced many to re-evaluate how to protect those we aim to secure.
No less important, the incident has had a devastating impact on the company's reputation and business continuity. The most important task for Verkada right now, as for any company that suffers a high-profile attack, is to stem the tide of reputation damage as they implement their breach recovery plan.
Step 1 – Take Full Responsibility
No matter what happens, accept responsibility! Don't blame the intern, the disgruntled employee, the obscurity of the type of attack, etc. Your reputational damage will not be helped by blaming someone else. Your clients are looking to you as the sole responsible party to ensure their security and privacy when they buy your product. If you look for excuses and play the blame game, your clients will perceive that as weak and will abandon your product for a competitor.
Bad stuff happens, we all know that, but it’s what we’ve learned from it that allows us to improve as a result. If you deny responsibility, it indicates a refusal to learn and shuts down the possibility of figuring out a solution that will prevent the attack from happening again.
Step 2 – Be Transparent
Once you've demonstrated that you accept full responsibility, the next step is to detail the additional security measures that you are taking to prevent a similar attack from happening again. Reassure your existing clients and prospects by providing them with full visibility into the details of what happened and the steps you are implementing to resolve the vulnerabilities that contributed to the breach. As part of this, demonstrate how you've "bulletproofed" this plan: should the primary layers of defense fail, what additional backup measures are in place? Demonstrating that you have taken a 'defense-in-depth' approach will be key to staying ahead of your competition and critical to maintaining your customers' and prospects' loyalty to your brand.
Step 3 – Your Best Defense is Offense
Be proactive! Once you have fixed the root cause of the breach and implemented a more advanced arsenal of security measures, the next front on which you need to battle is your reputation! Rather than just saying that you have a new behavioral analytics engine embedded into your device that can detect threats in real time, best practice is to launch a security solution with an integrated marketing element that can provide real-time visibility of detected threats.
Having an advanced cybersecurity solution on your hardware is really only half the battle; making sure that your customers and prospects are aware of it is the other half. Adding an integrated marketing capability to your cutting-edge cybersecurity technology enables your product to autonomously demonstrate its efficacy and value. Providing a built-in security status of events and critical threat intelligence data will make your product a critical element of any IoT ecosystem.
The truth is no one is untouchable. And judging by the escalating sophistication of attacks, hacks of enterprises are only going to become more frequent. In these circumstances, it's critical for brands and vendors to take a security-first approach, employing the most advanced cybersecurity solutions available and ensuring ongoing communication and transparency with customers and users.