IT Security Guru

Ubiquiti accused of downplaying a “catastrophic” security breach

The source said the breach was much worse than Ubiquiti let on

by Hannah
April 1, 2021
in News

American journalist and investigative reporter Brian Krebs reported this week that a whistleblower has alleged that Ubiquiti, a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras, massively downplayed a “catastrophic” incident to minimize the hit to its stock price. Back in January, Ubiquiti disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. According to an anonymous source who contacted KrebsOnSecurity, the third-party cloud provider claim was a fabrication.

Commenting on the news, Paul Norris, senior systems engineer, EMEA, at Tripwire, stated: “In this particular case, Ubiquiti suggested the fault was with a Cloud Provider, when in fact the faults appear to be Ubiquiti’s. They failed to take responsible actions and decided to play down the breach for the sake of their share price.”

“This is a prime example where the organisation is responsible for the security controls within Cloud environments and not necessarily the Cloud Service Provider. The CSP provides the platform and tools for organisations to secure their environments and should not be held accountable for weakened security. Hardening systems is the best way for organisations to secure their cloud and prevent inadvertent exposure,” Norris added.

Robert Meyers, Channel Solutions Architect, CISM, CDPSE and Fellow of Information Privacy at One Identity, said that, when a major IoT provider has a breach, it reaches across industries and brings up questions of privacy and security. “Well, it happened. While Ubiquiti was breached in January, details that have come to light this week highlight the importance of what can happen when you do not manage three areas with the concept of both privacy and security: privileged access management, log management, and least privileged access,” said Meyers.

Robert Meyers offered some further observations and recommendations:

Today, if you have privileged accounts, they simply need to be managed like privileged accounts. They need to have multiple layers of security. They need to have auditing, which happens in real time for at least the basics. Access for privileged use has to be restricted to the minimum access required to do the job; yes, that touches on least privilege, which goes hand in hand. If you don’t manage your privileged accounts in business, then you are ignoring security.

Now, if log management were a control point, it could have been caught more quickly, and if the logs were managed, they would allow a live track-down of who did the deed, instead of the waffling we have seen.

And least privilege. Companies need to stop making universal-access accounts. You can only breach what you can access. So don’t give people access to what may be tens of millions of accounts… and whatever else those files included.

In the world of privacy laws and compliance requirements, you need a data lifecycle for all your data. It should cover creation, use, storage, and deletion. And all this should include pseudonymization of the data when it cannot be anonymized, in addition to encryption and general security.

It’s time to get with the times and not be stuck announcing breaches, let alone having the details depend on a whistleblower who speaks on the condition of anonymity for fear of retribution. Secure your company, and be able to stand up tall and say what your company has done for its customers.
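The three controls Meyers lists, real-time auditing of privileged accounts, logs that let you track down who did what, and least-privilege scoping so no account can reach tens of millions of records, are easiest to see as detection logic run over an audit log. The following is an added example, not code from the article, from One Identity or from Ubiquiti. The policy table, the account names, the bulk-read threshold and the JSON log lines are all constructed for the example.

```python
"""Audit constructed access-log lines for privileged-account misuse.

Shows three checks on one log stream: each access is tested against the
data scope the account was granted (least privilege), any use of a
universal-access account is flagged, deletion of the audit log itself is
flagged, and per-principal record counts catch bulk reads. A separate
attribution view lists every principal that touched a scope.
"""
import json
from collections import Counter
from datetime import datetime

# Hypothetical least-privilege policy: which principal may touch which data
# scope. "*" is a universal-access account; the audit flags any use of one.
POLICY = {
    "svc-backup": {"customer-db"},
    "jsmith": {"support-tickets"},
    "dev-admin": {"*"},
}

# Hypothetical threshold: more customer records than one principal should
# read in a session.
BULK_RECORDS = 1_000_000

# Constructed audit log, one JSON event per line (not real Ubiquiti data).
SAMPLE_LOG = """\
{"ts": "2021-01-10T02:00:01Z", "user": "svc-backup", "scope": "customer-db", "action": "read", "records": 1}
{"ts": "2021-01-10T02:00:02Z", "user": "jsmith", "scope": "customer-db", "action": "read", "records": 1}
{"ts": "2021-01-10T02:00:05Z", "user": "dev-admin", "scope": "customer-db", "action": "read", "records": 4000000}
{"ts": "2021-01-10T02:00:09Z", "user": "dev-admin", "scope": "customer-db", "action": "read", "records": 4000000}
{"ts": "2021-01-10T02:00:14Z", "user": "dev-admin", "scope": "customer-db", "action": "read", "records": 4000000}
{"ts": "2021-01-10T02:00:40Z", "user": "dev-admin", "scope": "audit-log", "action": "delete", "records": 1}
"""


def parse_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def audit(events, policy=POLICY, bulk_records=BULK_RECORDS):
    """Return (user, finding, detail) tuples for every control violation."""
    findings = []
    universal_users = set()
    records_read = Counter()
    for ev in events:
        allowed = policy.get(ev["user"], set())
        if "*" in allowed:
            universal_users.add(ev["user"])          # universal-access account in use
        elif ev["scope"] not in allowed:
            findings.append((ev["user"], "out-of-scope access", ev["scope"]))
        if ev["scope"] == "audit-log" and ev["action"] in ("delete", "modify"):
            findings.append((ev["user"], "audit-log tampering", ev["action"]))
        if ev["action"] == "read":
            records_read[ev["user"]] += ev["records"]
    for user in sorted(universal_users):
        findings.append((user, "universal-access account used", "*"))
    for user, n in sorted(records_read.items()):
        if n > bulk_records:
            findings.append((user, "bulk read", n))
    return findings


def who_touched(events, scope):
    """Attribution trail: (timestamp, principal, action) for every access to a scope."""
    return [(ev["ts"].isoformat(), ev["user"], ev["action"])
            for ev in events if ev["scope"] == scope]


def run_demo():
    events = parse_log(SAMPLE_LOG)
    return audit(events), who_touched(events, "customer-db")


if __name__ == "__main__":
    findings, trail = run_demo()
    for f in findings:
        print("FINDING", *f)
    for t in trail:
        print("TRAIL", *t)
```

The audit-log deletion check matters because an attacker with a universal-access account can otherwise remove the very records that would attribute the activity; shipping the log to a store the privileged account cannot write to is what makes the attribution trail trustworthy.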
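Meyers' last technical point, pseudonymizing data that cannot be anonymized, is a concrete technique: replace each direct identifier with a keyed, deterministic token so records can still be joined and counted, while re-identification needs a key kept outside the dataset. The block below is an added example, not code from the article or from any vendor named in it; the HMAC-based scheme, the demo key, the field names and the sample records are all assumptions constructed for the illustration.

```python
"""Pseudonymize customer identifiers with a keyed, deterministic token.

HMAC-SHA256 under a key held outside the dataset maps an identifier to a
stable token. Equal inputs give equal tokens (so analytics still works),
different fields give different tokens for the same string, and nobody
without the key can invert or recompute them.
"""
import hashlib
import hmac

# Constructed demo key. In production it lives in a KMS/HSM with its own
# access controls, separate from whoever can read the pseudonymized data.
DEMO_KEY = bytes.fromhex(
    "8f2c0d4a9b6e1f7c3a5d2e8b4c6f0a1d9e7b3c5a2f4d6e8b0c1a3f5d7e9b2c4a"
)

# Hypothetical set of direct identifiers that get replaced.
IDENTIFIER_FIELDS = ("email", "device_id")


def pseudonymize(value, key, context):
    """Deterministic keyed pseudonym for one value.

    The field name is mixed in as context so the same string appearing in
    two different fields does not yield the same token, which would let an
    analyst link them without holding the key.
    """
    msg = f"{context}\x00{value}".encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256)
    return "pseu_" + mac.hexdigest()[:32]


def pseudonymize_record(record, key, fields=IDENTIFIER_FIELDS):
    """Return a copy of the record with identifier fields replaced."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymize(str(out[field]), key, field)
    return out


def pseudonymize_dataset(records, key):
    return [pseudonymize_record(r, key) for r in records]


def distinct_customers(pseudonymized):
    """Analytics on tokens: count distinct customers without seeing emails."""
    return len({r["email"] for r in pseudonymized})


# Constructed sample records.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "device_id": "UDM-0001", "plan": "pro"},
    {"email": "bob@example.com", "device_id": "UDM-0002", "plan": "free"},
    {"email": "alice@example.com", "device_id": "UDM-0003", "plan": "pro"},
]


if __name__ == "__main__":
    for row in pseudonymize_dataset(SAMPLE_RECORDS, DEMO_KEY):
        print(row)
```

Because the tokens are deterministic, the pseudonymized dataset is still personal data under privacy law if the key exists anywhere; the control is that the key sits with a different role than the analysts, which is the privileged-access separation discussed earlier applied to the data itself.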

 

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic