In the latest of the seemingly endless string of IoT security incidents, Verkada—a video security startup that boasts its real-time, accessible-from-anywhere management console—was recently breached. This incident exposed live and saved video feeds from over 149,000 security cameras in use within office buildings, schools, and consumers’ homes, counting larger businesses such as Tesla and Cloudflare among the victims. In this breach, an administrator’s password was published to the internet, allowing hackers to log in with privileged access to the full platform and customer files.
The ThreatLabZ research team regularly monitors IoT threats among the 150+ billion Zscaler platform transactions that occur daily, and listed IP and network cameras among the top unauthorized devices in use on corporate networks in its 2020 IoT Devices in the Enterprise report.
Typically, the threat posed by IoT cameras is that the devices themselves are easy to hack, providing attackers access to corporate networks as employees check their nanny cams from work or engage in similar activities. These types of exploits pop up regularly, such as the RIFT botnet, which looks for vulnerabilities in network cameras, IP cameras, DVRs, and home routers.
This latest breach, however, represents a different type of security concern that is not exclusive to IoT devices (and certainly not exclusive to Verkada): vendors in your environment who may be storing data with inadequate protections. As a security practitioner, you must be aware of the security protocols in place for all of the sensitive data in your ecosystem, whether you manage it yourself or a vendor manages it on your behalf. Failing to do so is like having someone in your pandemic bubble whose behaviors you have no visibility into: you hope they aren’t going to raves every weekend, but you have no way to really know whether you’re safe.
There are a few takeaways we can learn from incidents like the Verkada breach:
- Get serious about zero trust. First, it should not be easy for “super admins” to access all of your sensitive data—especially customer data—and if such access is required, it must be locked down behind several layers of authentication. A foundational principle of zero trust policy is the requirement that you restrict access to the minimum required to get a job done, with heavy monitoring and authentication all along the way. Access policy gatekeeps every transaction in the Zero Trust Exchange, the platform that powers all Zscaler services.
- Segment your applications—and get your data off the internet. The back end of your systems should never be exposed to the internet, where an attacker can even attempt to log in. Putting your servers behind a proxy means that attackers can’t see that the server even exists, and all authorized access requires layers of authentication in full visibility of your security teams and their analytics tools. Additionally, by segmenting applications, you limit the damage threat actors can cause in the event that they successfully breach one application—they can go no further.
- Manage your cloud security posture. The cloud applications and data storage locations you and your partners are using must be configured correctly. Making sure that they are is easy with the right tools: use cloud security posture management (CSPM) to scan your environments for misconfigurations, compliance violations, and other issues that make you vulnerable.
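As an added illustration of the least-privilege and step-up authentication points above (example code written for this article, not Zscaler’s or Verkada’s), the following Python policy check scopes each role to its own tenant, requires a fresh second factor before customer video can be viewed, demands an approval ticket for any cross-tenant access, and records every decision for monitoring. The role names, the 300-second MFA window and the ticket field are assumptions, not features of any real product.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed role table: each role lists only the actions it needs.
# Note there is deliberately no role that grants video across all tenants.
ROLE_ACTIONS = {
    "viewer": {"video:view"},
    "site_admin": {"video:view", "camera:configure"},
    "support": {"camera:health"},          # vendor support sees health, not video
}
# Actions on customer data that always require a fresh second factor.
STEP_UP_ACTIONS = {"video:view", "video:export"}

@dataclass
class Principal:
    name: str
    tenant: str
    roles: Set[str]
    mfa_age_s: Optional[int] = None   # seconds since last MFA; None = never
    ticket: Optional[str] = None      # approval reference for cross-tenant work

@dataclass
class Resource:
    tenant: str
    kind: str

AUDIT: List[dict] = []   # every decision, allowed or denied, lands here

def authorize(p: Principal, action: str, r: Resource,
              mfa_max_age_s: int = 300) -> Tuple[bool, str]:
    """Return (allowed, reason). Denies by default; every check is logged."""
    allowed, why = False, "no matching role"
    if any(action in ROLE_ACTIONS.get(role, set()) for role in p.roles):
        if r.tenant != p.tenant and not p.ticket:
            why = "cross-tenant access without approval ticket"
        elif action in STEP_UP_ACTIONS and (p.mfa_age_s is None
                                            or p.mfa_age_s > mfa_max_age_s):
            why = "step-up MFA required"
        else:
            allowed, why = True, "granted"
    AUDIT.append({"who": p.name, "action": action, "tenant": r.tenant,
                  "resource": r.kind, "allowed": allowed, "why": why})
    return allowed, why
```

Because a leaked password alone never satisfies the MFA or ticket checks, a stolen credential yields a denied, audited request rather than tenant-wide video access.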
Every breach story is another reason to take steps forward in your journey to comprehensive zero trust. To learn more about IoT security trends and best practices, check out the ThreatLabZ report, 2020 IoT in the Enterprise: Shadow IoT Emerges.