Imperva Data Breach: Learn these Lessons

September 5, 2019  David Musselwhite

Last week, major Internet firewall provider Imperva announced a breach of email addresses, hashed and salted passwords, API keys, and SSL certificates for a subset of users of their Incapsula cloud-based Web Application Firewall.

Let’s quickly recap who is impacted and why it’s important:

Who is impacted?

Customers of the Incapsula Cloud WAF product who had accounts through September 15, 2017.

What was breached?

It appears that email addresses and hashed and salted passwords for all customers in the impacted database were exposed. (For a good primer on the difference between encryption, hashing, and salting, see the article from The SSL Store.)

For a subset of customers in the impacted database, API keys and SSL certificates were also exposed. While the investigation is underway, here are some questions and implications as I currently see them:

David Musselwhite is Training Lead for RiskLens.

What do we know about the threat actors?

Analysts have long feared state actor attacks against cybersecurity vendors, as their products are key pieces of the security infrastructure of so many major American corporations and government entities. One stone, many birds. While attribution isn’t clear at this point in time, we’ve seen this before involving a number of key players in the cybersecurity space and are likely to see it again.

Why did this only affect clients through September 15, 2017?

Imperva’s statement doesn’t reveal why that date is significant. Was that the day a backup was created that was later breached? Or perhaps the day a copy of production data was pushed to a lower environment with less rigorous security? Risk analysts are eagerly awaiting this critical information. Whatever the answer, the point for everyone else stands: a backup or a test copy of a customer database carries exactly the sensitivity of the production copy and needs the same controls.

Here are my takeaways and lessons learned. 

Learn from the response to this announcement.

Imperva recommended to customers that new SSL certificates be generated and uploaded and that API keys be reset. Based on this recommendation, some questions come to mind:

  • What would that effort look like in your organization?
  • How long would it take?
  • What process improvements can be identified?

Use the exercise to make your team better and faster should you have to respond to an incident like this, and to improve your primary response cost estimates for future analyses.

Organizations should review SSL certificate management practices.

Is it time to implement a policy to never upload SSL certificates to cloud environments? Will this change the calculus of on-prem vs. cloud security solution decisions? Keep in mind what is actually being shared: a cloud WAF that terminates TLS on your behalf needs the certificate and its private key, so an exposure like this one is a key compromise. The remedy is not just a new certificate but a freshly generated key pair, and the old certificate should be revoked rather than simply replaced. Given the criticality of SSL certificates and keys in secure web gateways, firewalls, DLP systems, and other controls, it is vital that an up-to-date inventory is maintained, including a complete list of third parties with whom certificates and keys have been shared, so that such a rotation can be carried out quickly and completely. SSL certificate expiration can also lead to loss events; a good management solution should help you prevent it.

2FA saves the day yet again.

If you don’t have two-factor authentication enabled for admin accounts across your security tool suite, you’re way behind. The fact that Imperva included it on their list of recommended actions implies that some portion of their customer base still hasn’t enabled it.

The passwords were hashed and salted this time, but that won’t always be the case.

Salting defeats precomputed (rainbow-table) attacks, but it does nothing to protect a weak password: an attacker who obtains a salted database simply runs a wordlist against each record, and common passwords fall within seconds. Complex and unique passwords have to be the standard. Implement password management tools to make this as easy as possible for your team members to follow.
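To make the distinction concrete, here is an added example (not code from the original post or from Imperva) that contrasts the two situations described above: an unsalted fast hash, which one precomputed table cracks for every user at once, and a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), which forces the attacker to pay full cost per guess per user. The leaked "database", the wordlist, and the e-mail addresses are constructed for the demonstration; the 600,000 iteration count is an assumption taken from current OWASP guidance and should be tuned to your own hardware.

```python
"""Why "hashed and salted" matters, and why it still does not rescue a weak password.

Added example with constructed data; not from the original post or from Imperva.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the wordlists attackers precompute (real ones hold billions).
WORDLIST: List[str] = ["password", "123456", "Summer2019!", "letmein", "qwerty"]

# Assumption: OWASP's current minimum iteration count for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def sha256_hex(text: str) -> str:
    """Unsalted, fast hash: what many breached sites have historically stored."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "leaked" table of unsalted digests. One user chose a wordlist password.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice@example.com": sha256_hex("Summer2019!"),
    "bob@example.com": sha256_hex("correct horse battery staple"),
}


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Reverse every unsalted digest that appears in a precomputed table.

    The table is built once and works against every user and every site that
    stores unsalted SHA-256: that reuse is the attacker's whole advantage.
    """
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage.

    A fresh 16-byte random salt per user means two users with the same password
    get different digests, so no precomputed table applies to the database.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Run the same wordlist against salted PBKDF2 records.

    Returns (cracked users, number of full-cost KDF evaluations spent). There is
    nothing to precompute, so every guess costs 600,000 HMAC iterations per user;
    a password that is *in* the wordlist is still found, just far more slowly.
    """
    found: Dict[str, str] = {}
    evaluations = 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            evaluations += 1
            if verify_password(word, salt, digest):
                found[user] = word
                break
    return found, evaluations


if __name__ == "__main__":
    print("unsalted SHA-256 cracked:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    salt, digest = hash_password("Summer2019!")
    print("salted PBKDF2 cracked:", crack_salted({"alice@example.com": (salt, digest)}, WORDLIST))
```

Running the block shows alice's password falling both times: salting removes the attacker's shortcut, but only a password that is not in any wordlist stays out of reach, which is the argument for complexity and uniqueness above.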

Regardless of what we learn in the coming days, this event reminds us that no organization is impervious when it comes to cyber-attacks. Let’s hope we don’t later learn that customers of other Imperva products were also impacted, and that Imperva’s detection and response capabilities worked to give the bad guys the boot.

Cyber risk quantification (CRQ) through the RiskLens platform can help organizations analyze their current exposure to cyber risk scenarios and then demonstrate the potential value of password managers, two-factor authentication solutions, and better SSL certificate management. Using FAIR, the international standard for cyber risk analytics, RiskLens helps make control investment decisions clearer and easier by showing return on investment in dollar terms.