Cybersecurity threats evolve every minute of every day. Best practices exist to protect against or even mitigate these growing threats, but, unfortunately, some companies still fall victim to attacks. Lapses in controls lead to many of the countless breaches that we hear about so often in the news. It was reported recently that Imperva, a leading provider of Internet firewall services, which can help web sites block malicious cyberattacks, was a victim of a cyberattack.
This time the threat came from the cloud, specifically the Incapsula cloud (the company’s cloud-based Web Application Firewall (WAF) product). The result of this breach was those customer data elements dating back to September 17, 2017 were obtained by attackers. The data elements captured included email addresses, hashed/salted passwords, and for a small subset of Incapsula customers, the breach exposed API keys and customer-provided SSL certificates.
Commenting in an article on the security website Krebs on Security, Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, stated that “an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites.”
In addition, attackers in possession of these key assets could reduce the overall security of WAF settings and could essentially “whitelist” any traffic originating from an attacker. To imagine a worst-case scenario, an attacker associated with this breach could intercept, view or modify any content meant for an Incapsula client web site, and even divert this traffic through an attacker-owned site or other malicious destination.
Certain scenarios could allow an attacker to alter a WAF implementation into a state that makes it essentially meaningless for the customer. Due to the ongoing investigation associated with this matter, many questions remain unanswered. Below are a few of those questions.
Two-factor authentication is not a new technology, nor is it a costly protection mechanism, and we believe it should be required for all Incapsula WAF customers.
WHO USES 2FA? WHY DOESN’T EVERYONE?
The Elie.net blog (a blog created by the lead of Google’s anti-abuse research team, which assists in protecting users against cyber-criminal activities and Internet threats) wrote an article titled “The bleak picture of two-factor authentication adoption in the wild.” In this post, Elie Bursztein reported that “Overall, as of late 2018, 52.5% of the 1149 sites listed in the dongleauth database support 2FA.”
Bursztein’s blog post paints a grimmer picture of 2FA adoption and solidifies our recommendation that 2FA should be a required implementation following a breach of this magnitude.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.