Could It Happen Here? Assessing Cyber Defenses After an Outside Breach
It was a client’s worst nightmare. A hacker breached security firm and video surveillance provider Verkada’s systems on 8 March 2021, using the opening to access customer data including live video streams into their facilities.
Verkada confirmed that 97 of its customers’ cameras were accessed or video and image data were viewed in the breach. Eight other customers had their Wi-Fi credentials accessed. And the hacker was able to download a list of Verkada’s Command product users (including names and email addresses) and a list of the company’s sales orders.
“The attackers’ vector of entry was through a misconfigured customer support server exposed to the Internet,” Verkada said in a statement. “Once the attackers accessed that server, they found customer support administrator credentials and used those to log into a customer support Web interface, where they accessed customer devices using internal support functionality that emulated user sessions.”
Using this pathway, the hacker may have accessed 4,530 cameras in Verkada’s clients’ facilities.
“No cameras were viewed for more than 90 minutes,” Verkada said. “It is not known exactly how much live video was accessed due to limited information in log files. The attackers created six video archives on the Verkada platform and accessed 87 video archives. Fifteen People Analytics searches for images of persons were performed in five organizations. The search results in four of these organizations have returned user-entered text labels associated with images of a person.”
Verkada said it was able to revoke the hacker’s access within a day of becoming aware of the breach, but not before the incident became front-page news because some of the clients involved were Cloudflare, hospitals, prisons, Tesla factories, and other high-profile locations.
Hacker Tillie Kottmann claimed credit for the Verkada hack and said in an interview with Bloomberg that the reasoning behind targeting the company was “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it’s also just too much fun not to do it.”
Following the incident, Verkada went into damage control mode—notifying all affected customers of the breach and setting up a 100-day plan to enhance its security systems, including hiring security firm Mandiant to conduct an independent review of the incident, partnering with the Chertoff Group, conducting a SOC 2 Type 1 assessment, opening a bug bounty program, and more.
The incident also prompted other security vendors to take action, kicking off internal reviews and renewed efforts to evaluate aspects of their infrastructure and supply chain.
One company that underwent this process was Genetec, Inc., which set up a task force in the wake of the Verkada breach to evaluate how Genetec would fare if a similar breach of its systems occurred.
The company already had some controls in place that would have allowed it to weather the storm and potentially mitigate the ability of a hacker to move through its network—including strong segregation between its development environment and production environment, says Mathieu Chevalier, lead security architect at Genetec.
He adds that Genetec limits account access to systems so that only people who need access for their work have it. The company has also implemented multifactor authentication.
“One thing we started to do as well is have our SOC—the team that is watching the IT security aspects of Genetec—also watching the products to identify strange patterns,” Chevalier says. By implementing this monitoring capability into Genetec’s existing SOC, the company can take a more proactive approach to threat monitoring and mitigation.
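As an added example, not Genetec's or Verkada's code, of the kind of pattern a SOC can watch for in product audit logs: a small detector run over constructed "support session emulation" log lines, flagging a support account that impersonates users across many customer organizations in a short window and sessions opened from hosts that should never reach the support interface. The log format, field names, source-IP allowlist and thresholds are assumptions made for this example.

```python
# Added example, not Verkada's or Genetec's code: a SOC detector over constructed
# audit-log lines for "support session emulation" events (format and thresholds assumed).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, support account, customer org, device, source IP.
SAMPLE_LOG = """\
2021-03-08T10:00:00Z support_admin org_A cam-001 10.1.5.20
2021-03-08T10:01:10Z support_admin org_B cam-017 10.1.5.20
2021-03-08T10:02:30Z support_admin org_C cam-042 10.1.5.20
2021-03-08T10:03:00Z support_admin org_D cam-101 10.1.5.20
2021-03-08T10:03:45Z support_admin org_E cam-200 10.1.5.20
2021-03-08T11:30:00Z tier2_alice org_A cam-001 10.1.7.9
2021-03-08T14:00:00Z tier2_alice org_A cam-002 10.1.7.9
"""
# Hosts from which support staff are expected to open emulated sessions (assumed).
ALLOWED_SOURCES = {"10.1.7.9", "10.1.7.10"}

def parse_events(text):
    """Parse the constructed log into dicts; each line is one emulated session."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, org, device, src = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "org": org, "device": device, "src": src})
    return events

def flag_impersonation_bursts(events, window=timedelta(minutes=30), max_orgs=3):
    """Map account -> customer orgs for accounts that emulated sessions into more
    than max_orgs distinct orgs inside any sliding window of length `window`."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            orgs = {e["org"] for e in evs[start:end + 1]}
            if len(orgs) > max_orgs:
                alerts.setdefault(account, set()).update(orgs)
    return alerts

def flag_unexpected_sources(events, allowed=ALLOWED_SOURCES):
    """Return (account, source_ip) pairs for sessions opened outside the allowed hosts."""
    return {(e["account"], e["src"]) for e in events if e["src"] not in allowed}
```

Both checks depend on the product emitting one audit record per emulated session with the impersonating account and its source; without that record, the extent of access cannot be reconstructed afterwards.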
Along with these security controls, Chevalier says his team met with the product teams to explain the Verkada breach incident and what the company is doing to prevent a similar incident from impacting its own environment.
“It was a good exercise to assemble people around the goal to make sure this does not happen to us, and it led to an interesting engagement for the product teams as well,” he explains.
It also provided an opportunity to raise awareness about the types of threats security vendors and manufacturers face—from attempts to steal intellectual property to attempts to obtain access to monitor clients’ systems and facilities to attempts to compromise a network for botnet activity.
Since 2019, for instance, the IBM X-Force team has been monitoring a high volume of Internet of Things (IoT) malware activity. Much of this activity—74 percent in 2021—was carried out by the Mozi botnet, despite its authors being arrested by Chinese authorities.
“Post-infection, it is capable of maintaining persistence on network gateways, which can be particularly effective initial access points for lateral movement to high-value networks, including [Operational Technology] and [Industrial Control System] networks,” according to the X-Force Threat Intelligence Index 2022. “In addition, by infecting routers, threat actors behind Mozi can position themselves to conduct man-in-the-middle attacks that lead to ransomware deployment, including attacks on OT networks.”
Mozi has also been seen to infect a “large number of security cameras” and other similar devices, diminishing “an organization’s ability to effectively conduct physical security operations,” according to the report.
Threats like this make securing IoT devices, like IP cameras, that are then incorporated into a video management system even more important. Some manufacturers, for instance, are taking the approach of monitoring for known vulnerabilities that could impact their products and then alerting internal teams—as well as customers—to resolve the issue and enhance the overall security of the ecosystem, Chevalier adds.
And looking further up the chain, Julie Gauthier, director of global operations and technical support, says Genetec has been working with its vendors and partners to ensure they are aligned with Genetec’s goals and security objectives.
“Our president is very vocal about the steps we take to make sure we are doing our best in delivering a safe product, and that we only partner up with strong vendors who are just as concerned as we are about cybersecurity,” she explains.
For instance, Genetec assesses whether its vendors have cyber certifications, if they conduct penetration testing, and if they are willing to share their results and address issues that were highlighted in the tests. The company uses questionnaires for its suppliers to assess their cyber practices and ethics, as well as employing an individual responsible for looking at the cyber aspect of the supply chain—enrolling Genetec’s suppliers into a specific platform to track risks and have them accepted by the respective business executive.
“Internally, we look at answers and flag non-conformities as part of a risk assessment,” Chevalier says. “We then present those risks to the risk owner and work with the supplier. When we meet with the supplier, we try to see if they got a good assessment and if there are other mitigating controls, and then we either transfer the risk or we accept it—or we don’t do business with this supplier.”
Genetec isn’t the only company doing this. The National Institute of Standards and Technology (NIST) previously issued recommendations for vetting suppliers for financial, location, and business continuity risks. Recently, however, it has incorporated assessing cyber risks as part of overall supplier risk management.
“Physical and cybersecurity processes are being evaluated during supplier vetting processes,” NIST said in a best practices fact sheet. “Many companies also include process requirements in supplier agreements and contract language.”
These processes could include manufacturing and operational security measures, asset management, personnel security practices, software engineering and architecture, and more. To further assist companies with vetting vendors and their supply chains, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a vendor supply chain risk management template for information and communications technology (ICT) services.
“The purpose of this assessment template is to normalize a set of questions regarding an ICT Supplier/Provider implementation and application of industry standards and best practices,” according to the template. “This will enable both vendors and customers to communicate in a way that is more consistently understood, predictable, and actionable. These questions provide enhanced visibility and transparency into entity trust and assurance practices, and assist in informed decision-making about acceptable risk exposure.”
Chevalier says that Genetec has an automated tool—called BlackDuck—that provides visibility on the exact components in the company’s products, and tracks the versions and publicly known vulnerabilities. If a vulnerability comes up, Genetec receives an alert to update its library and patch the vulnerability.
The company also shares security alerts with clients—via direct contact and by posting about them in a dedicated security alert portal on its website—about its products and others in its ecosystem, as well as steps to take to increase their security.
“We warn our customers, ‘You have this camera, you have this version, and there is a new version that you can download automatically,’” Chevalier says. “This is management of the supply chain.”
CISA released a vendor supply chain risk management template to communicate ICT supply chain risk posture in a consistent way among public and private organizations of all sizes. The template is available free of charge.