Another Breach, Another Case for Security by Design
Taking a hard look at the breach at Verkada earlier this month. The irony that Verkada is a digital security company at its core is not lost here.
Earlier this month, news broke that hackers breached Verkada, a major provider of surveillance cameras to a variety of facilities throughout the US, gaining access to 150,000 live feeds. Among those compromised were Tesla, jail cells, private homes, healthcare facilities, police stations, elementary schools, and more. The hacktivist group claims the breach was intended to spread anarchy and to demonstrate security holes, in which case, there were many. The hackers reported gaining entry through administrative account credentials listed in materials available to the general public online.
It’s hard to even call this a breach, as access was so easily obtained. The irony that Verkada is a digital security company at its core is not lost here. According to Bloomberg News, the hackers had 36 hours of unrestricted access to the company’s cameras and were only identified after reporting themselves to the publication. In this case, trust is lost and the damage is done. But what can organizations do to prevent negligent security practices before something worse happens? Fortunately, there are a lot of preventive measures that can be taken.
First, vendors of these kinds of connected devices can better secure themselves by implementing ‘security by design.’ This approach involves building software with security in mind from product or service ideation through to production, and it’s the best way for vendors to safeguard their devices. Many organizations treat security as a small part of testing at the end of the software development lifecycle, and this is simply not enough. As a result, flaws and vulnerabilities are harder and more expensive to fix, and in some cases are left completely undetected. According to IBM, it costs six times more to fix a bug found during implementation than one identified during the design phase.
What’s worse is that there’s little end-users can do to fix security problems the vendor or partner hasn’t confronted. Unfortunately, bad software is simply bad software and poor security practices follow suit. In the case of Verkada, this wasn’t even a case of forgetting to lock a door — there were no locks; there were no doors; there was no guard. To put customers at ease, Verkada laid out a 100-day plan to address this breach but didn’t specify if and when they will provide updates on each of these actions. What did the auditors say and how are they addressing it? What software or procedures are they putting in place to prevent this from happening again? Verkada needs a lot of action to back up these promises — and they owe that to their customers.
While it’s hard for customers to know if security by design was part of a vendor’s product roadmap, they should find out what security measures are currently in place. And they shouldn’t just take the vendor’s word for it — they should ask for proof. Trust is earned by having proper security processes laid out. It’s earned through formal certifications from outside agencies and auditors such as SOC 2, ISO 27001, ISO 27018, and CSA STAR compliance, through outside penetration testing, and by making good security hygiene a goal of every employee. It’s earned by testing and re-testing and making sure operations are as secure on the inside as they are on the outside. It’s an ongoing process, and an important one at that.
Verkada’s 100-day plan to address the attack is a smart communications move, but there’s one big problem. Everything outlined in this plan — consulting third-party experts, establishing a governance program, reviewing internal access management, among other initiatives — should have been done in the first 100 days after launch. It could even be argued that most of it should have been done in the 100 days before they launched. Verkada has been in business for more than five years and is only tackling these basic security protocols now? There’s no excuse — and this should be a wake-up call for IoT and other connected device companies to get their security in order.
Opinions expressed by DZone contributors are their own.