The principle of least privilege (POLP) “is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work.” Unfortunately, this wasn’t the case at Verkada, where a “super admin” account was shared with more than 100 internal users. Those super admin credentials were also found on the Internet by hackers, enabling them to view videos from nearly 150,000 cameras. The footage included prisoners in county jails, factories for carmaker Tesla, and the offices of Internet-infrastructure firm Cloudflare.
Jeff Costlow, chief information security officer at ExtraHop, explained to DarkReading that accounts with unlimited service capabilities significantly undermine security, even more so as supply chain attacks have become more common. “I’m OK with vendors having the ability to auto-update the device,” he says. “That means they have control over the source code. But that doesn’t mean that they have control over the device any time they want.” That seems to be the problem here, as one login to Verkada gave the hackers access to a lot of video.
While it is expected that vendors would want to retain some level of access to devices and services, suppliers should review what privileges are necessary to maintain their products and services and clearly communicate that to customers. Accessing more than required puts both the vendor and customer at risk in the event of a breach.
When it comes to privileges, the best practice is to ensure that users only have access to what they need to do their jobs. The same holds true for suppliers and third-party vendors: they only need enough access to service their product. Why? A 2016 Forrester Research study estimated that 80% of security breaches involve privileged credentials. Threat actors that have stolen or found privileged credentials use that access to move laterally through an enterprise environment, access critical applications and systems, and maintain persistent access to the environment. Applying the principle of least privilege reduces an organization’s security risk and minimizes the potential disruption to the business.
Want to learn more about the principle of least privilege? Contact Uzado today!