Imperva Alerts Customers About 'Security Incident'
Data for Certain Users of Cloud Web Application Firewall Exposed
Security firm Imperva is notifying some of its Cloud Web Application Firewall customers about a "security incident" that exposed certain data, CEO Chris Hylen reports in a blog post.
The firewall product, widely used by banks and others, is also known as Cloud WAF. It had previously gone by the name Incapsula, the name of a company Imperva acquired in 2014. Imperva is owned by investment firm Thoma Bravo.
In a Tuesday blog post, Hylen did not disclose many details about the security incident. He did note, however, that on Aug. 20, Imperva learned through a third party that a database containing email addresses as well as hashed and salted passwords for some Cloud WAF customers had been exposed. A subset of Imperva customers also had their API keys and customer-provided SSL certificates exposed, Hylen said.
The customers affected by this incident had registered for product accounts through Sept. 15, 2017.
None of Imperva's other products, services or customers are affected by this incident, Hylen noted. The CEO added that the company has notified regulatory agencies around the world and has hired a third-party forensics team to help with its investigation.
"We continue to investigate this incident around the clock and have stood up a global, cross-functional team," Hylen adds.
A spokesperson for Imperva did not immediately reply to a request for comment.
Possible Impact
Hylen does not say how many customers may have had their data exposed, or whether any attacks or compromises have made use of the exposed customer information.
Security analysts, however, warn that the exposed API keys and SSL certificates should be a major concern for those affected. The exposure of the SSL certificates is particularly concerning, because these certificates underpin encrypted communication between an application and its server, helping to prevent sensitive information from being tampered with or stolen by attackers.
"Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection and prevention systems, and data loss prevention products all perform some form of SSL intercept and decryption to perform [deep packet inspection]," says Chris Morales, the head of security analytics at the security firm Vectra.
"While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks," Morales adds.
Concerns Raised
Several security experts have also raised concerns that Imperva has released so few details about the security incident so far.
Independent British security researcher Kevin Beaumont notes in a Twitter post that Imperva's Cloud WAF product is used by thousands of banks, so it’s particularly concerning that the company is only offering vague information about what happened.
Imperva announce breach of their WAF product, dates back to 2017, includes SSL certificates (potentially breaking end to end encryption) https://t.co/3ftcKhoEMj
— Kevin Beaumont (@GossiTheDog) August 27, 2019
Investigation Underway
In his blog, Hylen notes that the company has implemented forced password rotations and 90-day expirations in its Cloud WAF product.
"We are informing all impacted customers directly and sharing the steps we are taking to safeguard their accounts and data, and additional actions they can take themselves," Hylen adds.
Imperva is urging affected customers to change their user account passwords, implement single sign-on, enable two-factor authentication, generate new SSL certificates and reset API keys.
(Managing Editor Scott Ferguson contributed to this report.)