Imperva Alert

Cybersecurity threats evolve every minute of every day. Best practices exist to protect against or even mitigate these growing threats, but, unfortunately, some companies still fall victim to attacks. Lapses in controls lead to many of the countless breaches that we hear about so often in the news. It was reported recently that Imperva, a leading provider of Internet firewall services, which can help web sites block malicious cyberattacks, was a victim of a cyberattack.

This time the threat came from the cloud, specifically the Incapsula cloud (the company’s cloud-based Web Application Firewall (WAF) product). As a result of this breach, attackers obtained customer data elements dating back to September 17, 2017. The data elements captured included email addresses and hashed/salted passwords; for a small subset of Incapsula customers, the breach also exposed API keys and customer-provided SSL certificates.

OVERARCHING CONCERN

Commenting in an article on the security website Krebs on Security, Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, stated that “an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites.”

In addition, attackers in possession of these key assets could reduce the overall security of WAF settings and could essentially “whitelist” any traffic originating from an attacker. To imagine a worst-case scenario, an attacker associated with this breach could intercept, view or modify any content meant for an Incapsula client web site, and even divert this traffic through an attacker-owned site or other malicious destination.

Certain scenarios could allow an attacker to alter a WAF implementation into a state that makes it essentially meaningless for the customer. Due to the ongoing investigation associated with this matter, many questions remain unanswered. Below are a few of those questions.

Imperva Incapsula breach – unanswered questions (Provided by ZDNET)

  • Did the breach occur because of a server left exposed online by accident or due to an unauthorized, forceful intrusion?
  • Is the “third party” who found the breach a source in law enforcement, a bug bounty hunter, or one of Imperva’s customers?
  • Did the breach occur in 2017, but was only now discovered?

WHAT YOU CAN DO – OUR RECOMMENDATION

As of August 27, Imperva has released a statement regarding this incident and has forced password resets for affected customers, alongside encouraging the use of 2FA (two-factor authentication).

The opinion of IT Security professionals at Schneider Downs (SD) is that 2FA alongside the password reset process should be required for all customers regardless of whether they were affected by this breach (https://www.schneiderdowns.com/our-thoughts-on/cybersecurity/optimizing-two-factor-authentication-security).

Two-factor authentication is not a new technology, nor is it a costly protection mechanism, and we believe it should be required for all Incapsula WAF customers.

WHO USES 2FA?  WHY DOESN’T EVERYONE?

The Elie.net blog (a blog created by the lead of Google’s anti-abuse research team, which assists in protecting users against cyber-criminal activities and Internet threats) published an article titled “The bleak picture of two-factor authentication adoption in the wild.” In this post, Elie Bursztein reported that “Overall, as of late 2018, 52.5% of the 1149 sites listed in the dongleauth database support 2FA.”

Bursztein’s blog post paints a grimmer picture of 2FA adoption and solidifies our recommendation that 2FA should be a required implementation following a breach of this magnitude.

Sources:

https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/

https://duo.com/decipher/imperva-discloses-customer-data-breach-theft-of-api-keys

https://elie.net/blog/security/the-bleak-picture-of-two-factor-authentication-adoption-in-the-wild/#toc-4

https://www.zdnet.com/article/imperva-discloses-security-incident-impacting-cloud-firewall-users/

© 2019 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
