The security industry was rocked by a massive surveillance hack this month and the scrambling to recover has just begun
George Orwell, the English novelist, essayist, journalist and critic was once quoted as saying that “men are only as good as their technical development allows them to be.” While the recent events surrounding the much-publicized Verkada hack may not rise to the occasion of being an “Orwellian” situation, which Orwell has described as an idea or societal condition that can be identified as being destructive to the welfare of a free and open society, the apparent recklessness that led to the breach of more than 150,000 live-feed video surveillance cameras around the world by an international hacker collective would certainly qualify as a cautionary tale for the security industry in general and the surveillance sector in particular.
The fallout from the breach, which by most accounts resulted from sloppy internal security protocols among Verkada employees and even worse technology diligence from a company that branded itself and its devices as being “secure from the ground up,” has been swift and scathing from all corners of the security industry. But rebukes from other video surveillance solutions providers seem to carry a harsh and consistent theme: “Your mess is now our mess.”
An Industry in Damage Control
That is how Christian Morin sees it. Morin, the CSO and Vice President of Integration and Cloud Services for Genetec, says he was taken aback when the news broke of the Verkada hack, that there is no denying it reflects badly on the industry as a whole, and that his company is forging ahead with damage control as if the incident had happened to it.
“Obviously Verkada is in way more hot water than anybody else but the entire industry is going to reel from this one and it’s not going to blow over overnight. Hopefully, this will act as a wake-up call and it’s also going to be very telling how regulatory bodies are going to react to this. This is one of those mega-breaches that in some cases shows gross negligence and has happened with both GDPR and CCPA and a whole bunch of other privacy regulations, well in effect. This incident just blew it all up,” Morin says. “That being said, I am consuming the information as it’s being published, almost in real-time. The information is kind of patchwork right now in terms of what actually happened but, at the end of the day, a breach like this, just like the nature of a breach, proves nobody’s immune. In this specific case, the nature of how the breach was perpetrated and the nature of the attack is not highly sophisticated, and it proves that we still have some organizations that do not take cybersecurity and protection of privacy seriously enough or bake in the proper level of governance over how they manage the organization and manage their product development — or take proper precautions in terms of the controls that they put in place.”
One of the more absurd offshoots of this particular breach centers around the alleged hacker, Tillie Kottmann, who admitted that the team of “recreational” hackers wasn’t attempting to make a political statement nor was it a malicious breach. They said the attack was carried out because it was so easy to do, they couldn’t resist doing it. While this is an incredibly telling indictment of Verkada, there are also ramifications for the industry in general related to the brand and the confidence of video surveillance across the board.
“We’ve been inundated with calls from customers asking questions, ‘What if this happened to you?’ Some have been our worried customers and some existing Verkada customers. I’ve been reading posts and people that had a beef with cloud are now using this as an excuse (to question cloud security), but, at the end of the day, cloud or no cloud, that’s not really the relevant point here,” admonishes Morin, adding that in the case of Verkada, who manages a large number of customers, they had architected their system in such a way that somebody could have the keys to the entire kingdom. “Actually, multiple people had the keys to the entire kingdom but that’s a different problem. Somebody could have the keys to the entire kingdom, but everybody has their own little kingdom, and everybody has to secure their own little kingdom in any way that they can. This is where there were some simple things that could have been done. Sure, credentials get stolen and compromised on a regular basis, and how many phishing emails do you get in your inbox every day? You get tons. And people latch onto these things and get caught. Even we have people that click on these emails and compromise their credentials. So, we use multifactor authentication. That’s an easy mechanism to actually help prevent these types of attacks because even if you compromise your credentials, unless you authorize the multifactor or you have the second factor, you’re ultimately safe.”
Morin adds that if your security procedures and policies are buttoned up, you have ways to ultimately detect these types of incidents, especially if your security operation center is monitoring the logs and firing off alerts; somebody somewhere should say, “Oh, something wrong is happening. Let me check. Hey, credentials have been compromised. Let’s block that account. Let’s do something about it.”
“That didn’t appear to happen, so there seems to have been a (security) gap there,” continues Morin. “That’s worrisome, but for me, it’s really how they literally managed or actually didn’t manage, who had access to what administrative function. Zero governance, right? From all the reading I’ve been doing from potential Verkada insiders, these types of privileges were given willy-nilly to anyone who wanted them, even interns, which is totally mind-blowing.”
How to Address Lapses in Security
Best practice, in terms of an organization’s cybersecurity protocols, is to limit — as much as possible — high-privileged accounts to the people who really need them to carry out their jobs. Even these high-privileged accounts should be limited in scope so that if they do get compromised, there is a limit to the damage they can cause. The principles of least privilege and segregation of duties and accounts are the kind of cybersecurity fundamentals that were apparently lacking at Verkada, say Morin and others in his professional circle.
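As an added illustration that is not from the article or from any vendor named in it, the following Python script turns the two gaps Morin describes, administrative use without a second factor and one high-privileged account reaching across many customers, into a SOC-style audit over constructed access-log lines; the log format, the role names and the tenant fan-out threshold are assumptions.

```python
"""Audit constructed access-log lines for two governance gaps:
admin actions without MFA, and one account spanning many tenants."""
from collections import defaultdict

# Constructed sample lines (not real product logs): one record per line,
# timestamp followed by key=value fields.
SAMPLE_LOG = """\
2021-03-09T10:01:02Z tenant=hospital-a user=alice role=tenant-admin mfa=yes action=view_camera cam=lobby
2021-03-09T10:02:10Z tenant=hospital-a user=bob role=guard mfa=yes action=view_camera cam=lobby
2021-03-09T10:03:44Z tenant=factory-b user=intern7 role=super-admin mfa=no action=view_camera cam=line1
2021-03-09T10:03:50Z tenant=school-c user=intern7 role=super-admin mfa=no action=view_camera cam=gym
2021-03-09T10:04:01Z tenant=prison-d user=intern7 role=super-admin mfa=no action=view_camera cam=yard
2021-03-09T10:05:15Z tenant=hospital-a user=alice role=tenant-admin mfa=no action=add_user target=eve
"""

ADMIN_ROLES = {"tenant-admin", "super-admin"}   # assumed role names
TENANT_FANOUT_LIMIT = 2   # assumed: a scoped account should not span more tenants


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def audit(log_text, fanout_limit=TENANT_FANOUT_LIMIT):
    """Return a list of (finding, user, detail) tuples for the two gaps."""
    findings = []
    tenants_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Gap 1: an administrative role acting without a second factor.
        if rec.get("role") in ADMIN_ROLES and rec.get("mfa") != "yes":
            findings.append(("admin_without_mfa", rec["user"], rec["ts"]))
        tenants_by_user[rec["user"]].add(rec["tenant"])
    # Gap 2: a single account whose reach is not scoped to a few tenants.
    for user, tenants in tenants_by_user.items():
        if len(tenants) > fanout_limit:
            findings.append(("cross_tenant_fanout", user, len(tenants)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample it reports four unauthenticated-by-MFA admin actions and one account reaching three tenants; in practice the thresholds and role names come from the organization's own access policy.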
Taken from a couple of perspectives, the question is what should end-user expectations be when dealing with video surveillance, cloud and data collection, and from a vendor perspective, what is a vendor’s liability and responsibility in a situation of this kind?
“So as a user, and I’m subscribing to a cloud service for video surveillance, I think there’s this tacit assumption that nobody’s going to be out there looking at my cameras. How many people with Nest, Ring or whatever brand of cameras they have in their house are now asking themselves the question, ‘Is somebody back in the support center or in a high school or working from home or whatever, looking at my camera right now?’ I think people take it for granted and assume goodness in their peers and figure there’s this expectation of privacy. There’s this expectation that the people that you’re entrusting with your data, with your security system in this case, are doing the right thing,” says Morin. “In this case, I think this trust was broken, and it was violated in the sense that this was not taken seriously. I’m not sure to what extent Verkada was open about the fact that these accesses existed, and that people could actually look at these cameras, let alone how they handled their credentials.”
“If I subscribe to a cloud service, and I have my CSO hat on at Genetec when we’re buying a new system, we’re going to look at what type of data we put in there if we put in any data at all,” Morin continues. “And depending on the sensitivity of that data, we’re going to have a varying degree of controls that we expect that our service providers will put in place to protect our data. Perhaps we’ll ensure that they have third-party certifications such as ISO 27001 that vets what they’re saying is true as another layer of protection.”
The Role of the Systems Integrator
The systems integrator, however, also has a critical role to play in establishing cybersecurity frameworks, whether it is for cloud hosting, network protection or future-proofing technology migration paths.
“The integrators play a very important role, specifically in the context of a cloud service. But this is not just a cloud problem. As soon as you have a system that’s connected to a network, security potentially becomes an issue. Obviously, the scope of it is modulated, but it’s not just the vendor’s responsibility. It’s also the SI’s responsibility. It’s also the end customer’s responsibility. This type of technology, because of its nature and because it is sensitive, brings back some feelings or reactions of Big Brother, so it can very, very easily overwhelm people. Technology has to be used responsibly. As an end-user, where do I place cameras and for what purpose? Do I really need these cameras? Do I put the proper safeguards in place to ensure that these cameras are not exploited? Because as much as a cloud service provider could have leaked credentials, an end-user could have just as well leaked credentials. If I only use the admin account and I use no password or default passwords, I’m at fault as well and my system could be compromised,” Morin explains.
Morin insists there are myriad questions a seasoned systems integrator, who sits in the middle of this scenario because he is the one implementing the systems, is obligated to ask his client. Did he implement the systems according to best practices? Did he harden the servers? Did he harden the cameras? Did he use strong passwords? Did he use multifactor authentication? Did he properly segregate the responsibilities, or did he just give the security guard admin access to the entire security system? Or did he create a profile for his security guard that is sufficient for him to do his job, with a strong password? Did he teach the user how to responsibly use the technology and the system that he has been given or just purchased?
“There are multiple different aspects to this particular issue. Right now, there’s a gigantic laser spotlight on Verkada, and with good reason. But we must engage in the more substantive debate about how technology is used to a greater extent in issues like patching. Microsoft Exchange was, and still is, in the spotlight of multiple hacking groups, some nation-state-sponsored, and certain very critical vulnerabilities have been recently fixed. All the credit to Microsoft for reacting really quickly. This is also monumental, and bad in and of itself because some bad actors have free-roaming access to email servers — and then from that point onto the network in some organizations. Yet, I was reading an article this morning that Microsoft said that as of a few days ago, only 10% of Exchange servers have been patched so far. It’s like when we tell people you have to act much more quickly than this they don’t and that’s bad. You have to take the measures necessary when these things happen to ensure that in case your organization was compromised, the Microsoft-issued fix is implemented or that you monitor your own system when they offer a customer alert,” concludes Morin, adding that at the end of the day, the onus is on the user to understand their organization’s vulnerabilities and ensure that both their partner vendor and systems integrator has their best interest in mind when designing their cloud or cyber solution.
About the Author:
Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business and Locksmith Ledger International and the top-rated web portal SecurityInfoWatch.com. Steve can be reached at firstname.lastname@example.org