American journalist and investigative reporter Brian Krebs reported this week that a whistleblower has alleged that Ubiquiti, a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras, massively downplayed a “catastrophic” incident to minimize the hit to its stock price. Back in January, Ubiquiti disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. According to an anonymous source who contacted KrebsOnSecurity, the third-party cloud provider claim was a fabrication.
Commenting on the news, Paul Norris, senior systems engineer, EMEA, at Tripwire, stated: “In this particular case, Ubiquiti suggested the fault was with a Cloud Provider, when in fact the faults appear to be Ubiquiti’s. They failed to take responsible actions and decided to play down the breach for the sake of their share price.”
“This is a prime example where the organisation is responsible for the security controls within Cloud environments and not necessarily the Cloud Service Provider. The CSP provides the platform and tools for organisations to secure their environments and should not be held accountable for weakened security. Hardening systems is the best way for organisations to secure their cloud and prevent inadvertent exposure,” Norris added.
Robert Meyers, Channel Solutions Architect, CISM, CDPSE and Fellow of Information Privacy at One Identity, said that, when a major IoT provider has a breach, it reaches across industries and brings up questions of privacy and security. “Well, it happened. While Ubiquiti was breached in January, details that have come to light this week highlight the importance of what can happen when you do not manage three areas with the concept of both privacy and security: privileged access management, log management, and least privileged access,” said Meyers.
Robert Meyers offered some further observations and recommendations:
Today, if you have privileged accounts, they simply need to be managed like privileged accounts. They need to have multiple layers of security. They need to have auditing, which happens in real time for at least the basics. Access for privileged use has to be restricted to the minimum access required to do the job; yes, that touches on least privilege, which goes hand in hand. If you don’t manage your privileged accounts in business, then you are ignoring security.
Now, if log management were a control point, it could have been caught quicker, and if the logs were managed, they would allow a live track-down of who did the deed, instead of the waffling we have seen.
And least privilege. Companies need to stop making universal access accounts. You can only breach what you can access. So don’t give people access to what may be tens of millions of accounts… and whatever else those files included.
In the world of privacy laws and compliance requirements, you need a data lifecycle for all your data. It should cover creation, use, storage, and deletion. And all this should include pseudonymization of the data when it cannot be anonymized, in addition to encryption and general security.
It’s time to get with the times and not be stuck announcing breaches, let alone for details needing to rely on a whistleblower that speaks on the condition of anonymity for fear of retribution. Secure your company, and be able to stand up tall and say what your company has done for its customers.
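Meyers’ point about pseudonymising data that cannot be anonymised deserves a concrete illustration. The following is an added example written for this page; it is not code from Meyers, One Identity or Ubiquiti. It uses constructed sample records and a hypothetical customer-email field, and it contrasts an unkeyed hash (which an attacker who obtains the dataset can reverse by enumerating candidate identifiers) with a keyed HMAC whose secret is stored apart from the data. It also shows why the result is still pseudonymous rather than anonymous: whoever holds the key can re-link the tokens, which is exactly the property that keeps such data inside privacy-law scope.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer records for illustration only (not real data).
CUSTOMERS = [
    {"id": 1001, "email": "alice@example.com"},
    {"id": 1002, "email": "bob@example.com"},
    {"id": 1003, "email": "carol@example.com"},
]


def normalise(identifier: str) -> bytes:
    """Canonicalise before hashing so case/whitespace variants map to one token."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic, so it looks like a pseudonym, but anyone who can enumerate
    plausible identifiers (a leaked mailing list, a dictionary of names) can
    recompute the hash and re-identify the record. This is the weak pattern.
    """
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym under a secret key held outside the dataset.

    Without the key an attacker cannot test guesses against the tokens; with the
    key the data controller can still re-link tokens to people, which is why the
    output is pseudonymous (still personal data) rather than anonymous.
    """
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a keyed token; keep non-identifying fields."""
    return [{"id": r["id"], "email_token": keyed_pseudonym(r["email"], key)} for r in records]


def dictionary_attack(tokens: list[str], candidates: list[str], token_fn) -> dict[str, str]:
    """Model an attacker who holds the tokens and a guess list but not the key.

    token_fn is whatever the attacker can compute; the attack succeeds for every
    token it reproduces.
    """
    lookup = {token_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo() -> tuple[int, int, int]:
    """Return (naive hits, keyed hits without key, keyed hits with key)."""
    guess_list = [r["email"] for r in CUSTOMERS] + ["mallory@example.com"]

    # 1. Unkeyed hashing: every customer is re-identified from the guess list.
    naive_tokens = [naive_pseudonym(r["email"]) for r in CUSTOMERS]
    naive_hits = dictionary_attack(naive_tokens, guess_list, naive_pseudonym)

    # 2. Keyed pseudonyms: the attacker has the dataset but not the key, so the
    #    best they can do is HMAC under a key of their own, which matches nothing.
    key = secrets.token_bytes(32)
    dataset = pseudonymise_dataset(CUSTOMERS, key)
    tokens = [row["email_token"] for row in dataset]
    attacker_key = secrets.token_bytes(32)
    keyed_hits_no_key = dictionary_attack(
        tokens, guess_list, lambda e: keyed_pseudonym(e, attacker_key)
    )

    # 3. The key holder (the data controller) can still re-link every record,
    #    so the key must be protected and access to it audited like any secret.
    keyed_hits_with_key = dictionary_attack(
        tokens, guess_list, lambda e: keyed_pseudonym(e, key)
    )

    return len(naive_hits), len(keyed_hits_no_key), len(keyed_hits_with_key)


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a data lifecycle is that the pseudonymisation key is itself a privileged asset: it should live in a secrets manager or HSM, be accessible only to the service that needs to re-link records, and have its use logged, so that a bulk export of the pseudonymised table on its own does not expose the customers behind it.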