By Bruce Sussman
Wed | Aug 28, 2019 | 8:41 AM PDT

Imperva's CEO says the data security company has stood up a global cross-functional team that is working 24/7 on the breach it announced this week.

Here are some things you need to know.

Which Imperva product is part of the breach notification? 

The breach involves Incapsula, the company's cloud-based Web Application Firewall (WAF).

CEO Chris Hylen wrote about what the company knows at this point:

  • On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017.
  • Elements of our Incapsula customer database through September 15, 2017, were exposed. These included:
      • email addresses
      • hashed and salted passwords

And for a subset of the Incapsula customers through September 15, 2017:

      • API keys
      • customer-provided SSL certificates

What is the potential impact of the Imperva breach?

With API keys and SSL certificates potentially accessed, the fallout could be significant. Brian Krebs has a good write-up on the potential impact. His interview with Rich Mogull, founder of cloud security firm DisruptOps, paints a clear picture:

"Attackers could whitelist themselves and begin attacking the site without the WAF's protection," Mogull told KrebsOnSecurity. "They could modify any of the security Incapsula security settings, and if they got [the target's SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that's up there with their worst nightmare."

And what's also interesting is how Imperva is approaching the "nightmare" situation.

What is Imperva doing about the Incapsula breach?

The company's CEO says it wants to do the right thing here, and his blog post on the security incident comes across as transparent and sincere. 

Specifically, he lists the following steps the company has underway:

  • We activated our internal data security response team and protocol, and continue to investigate with the full capacity of our resources how this exposure occurred.  
  • We have informed the appropriate global regulatory agencies. 
  • We have engaged outside forensics experts.
  • We implemented forced password rotations and 90-day expirations in our Cloud WAF product. 
  • We are informing all impacted customers directly and sharing the steps we are taking to safeguard their accounts and data, and additional actions they can take themselves.

Aside from the specific incident response steps the company is taking, CEO Chris Hylen makes big promises about Imperva's actions in this case.

He says the company will be fact and data driven, and that it will, "Share what we know, when we know it to be true, to live up to our company values and leadership expectations."

That's an impressive stand to take when you're a security company investigating a security incident in your own organization.

Read it for yourself: Imperva CEO on Incapsula security incident.
