The hacker didn’t seek to damage their victims’ brands, nor did they demand ransom for hostage data. These amateurs attacked these video surveillance systems’ endpoint vulnerabilities because they could. The hackers said that their team found legitimate credentials to access the Verkada account online and was able to navigate through live video feeds for two days, accessing tens of thousands of cameras, some of which were streaming sensitive data.
Rick Holland, Chief Information Security Officer at Digital Shadows and former Forrester Research analyst says that the very same marketing Verkada touts as a selling point could be a potential flaw.
“Verkada positions itself as a "more secure, scalable' alternative to on-premises network video recorders. The Verkada intrusion is an example of the risks associated with outsourcing services to cloud providers. You don't always get more secure when you outsource your security to a third party,” says Holland. “GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon. The intrusion also highlights the need for internal cybersecurity and physical security teams to be integrated or closely aligned. The lines between these two functional areas are blurred as more and more physical security controls make their way to the cloud.”
It is more important than ever that there be a convergence of practice and responsibility between physical and cybersecurity when it comes to protecting the Crown Jewels of corporate America – brand and data. That requires corporate security to actively recruit security champions within the company to ensure cybersecurity and physical security policy and procedure are implemented and practiced. That’s what Ray Espinoza, formerly CISO of Pentest as a Service provider Cobalt, says because most companies can't afford to hire teams of security engineers and embed them throughout the organization, use the personnel you have..
“We’ve always found several engineering leaders, engineering managers that tend to be security-leaning. They genuinely care about the customer information or data that they process, and they think it’s cool and they’ve always wanted to learn more,” Espinoza says. “In the past, we have enabled some of that and used that to our advantage to say, ‘hey, you are already security leaning and a fantastic partner of ours, why don’t we get you and other engineering leaders from across the organization, and we’ll train you up, we’ll listen and better understand the problems that you solve and see what we can do to collectively solve them. Can we find outputs that you can take to your team and provide them value? And, as we train you up, you can be an additional set of eyes and ears as they are going through planning to say, hey folks, I think we need to involve security as part of the larger or initiative, or hey folks, have you thought about this.’”
Espinoza emphasizes that security champions need to be senior-level personnel in the organization and not interns or recent college grads as they do not have the necessary level or expertise or influence that would ensure success in such a program.
Taken from a couple of perspectives, the question is what should end-user expectations be when dealing with video surveillance, cloud and data collection, and from a vendor perspective, what is a vendor's liability and responsibility in a situation of this kind?
“As a user, and I'm subscribing to a cloud service for video surveillance, I think there's this tacit assumption that nobody's going to be out there looking at my cameras. I think people take it for granted and assume goodness in their peers and figure there's this expectation of privacy. There's this expectation that the people that you're entrusting with your data, with your security system, in this case, are doing the right thing,” adds Christian Morin, the CSO and VP of Integration and Cloud Services at Genetec. “In this case (Verkada), I think this trust was broken, and it was violated in the sense that this was not taken seriously. I'm not sure to what extent Verkada was open about the fact that these accesses existed, and that people could actually look at these cameras, let alone how they handled their credentials.”
According to Morin, at the end of the day, the onus is on the user to understand their organization’s vulnerabilities and ensure that both their partner vendor and systems integrator has their best interest in mind when designing their cloud or cyber solution.