How to Watch Newsy

Imperva Announces a Data Breach Exposing Cloud WAF Clients

By Bill Toulas - 28 August 2019

Imperva Cloud WAF customers had their API keys and SSL certificates compromised by hackers. The data breach involves an unspecified number of websites, but probably a very large number.

Imperva, the California-based IT security expert, has confirmed that it experienced a data breach that exposed some of its Incapsula users' email addresses, hashed and salted passwords, API keys and SSL certificates. Incapsula is Imperva's cloud-based firewall (WAF) solution, and the company makes it very clear in its announcement that the breach is limited to this product alone. The security incident was discovered on 20 August 2019 and, while the investigation is ongoing, the company has already implemented several security measures. In the Cloud WAF solution, for example, they introduced forced user rotations and 90-day expiry periods. All affected customers are receiving notification emails right now, and the data protection regulatory agencies have also been told of the incident.

According to Imperva, the subset of compromised customers consists of those who built their Cloud WAF accounts after September 15, 2017. These customers are now encouraged to update their user account passwords, enable single sign-on authentication, create and upload a new SSL certificate, and reset their API keys. The notification message provides them with a guide on how to do all of this.

The Cloud WAF product lets customers test their communications for suspicious activity or attack events and then filter out the malicious traffic by routing only the "secure" traffic to the intended destination. This is a very important role for an industry resource, and one that has helped Imperva build its place among the world's top cloud-based firewall providers.

With the incident having compromised the WAF users' API keys and SSL certificates, these customers' websites are now vulnerable to traffic interception, alteration and even traffic diversion. The question now is how many customers were affected and how many websites are actually vulnerable to attacks of this sort. Imperva has only mentioned a "subset" of users for now, so no definite numbers have been given. Unfortunately for Imperva, this incident is attributed exclusively to them, and it will certainly have an impact on the confidence they are trying to build and maintain with customers. Furthermore, this incident highlights the fact that seasoned and knowledgeable cyber-security companies such as Imperva can still screw up and expose confidential customer data, as they are attacked by hackers constantly and aggressively.

Joseph Carson, Thycotic, on Ethical Hacking and Security Threats

By Gabriela Vatu - June 28, 2019

The best way to do this is to get advice from those cybersec veterans who have seen it all, done it all and know how to direct you. The Chief Security Scientist and Advisory CISO of Thycotic, Joseph Carson, is one of those men who know what they are talking about. Joseph is an active member of the cybersec community with over 25 years of experience in security, and often speaks at dedicated events around the world. We had a chat with him about the dangers we face today from a security point of view, what we can do to help the younger generation navigate the threats we face online, and much more.

Joseph Carson: I love gadgets and I am very technical. However, my special skill is that I can take something very complex and describe it to most people in a clear way that makes sense. I use this special skill to clarify cybersecurity issues and best practices to executives who don't have prior knowledge of technology. Some aspects that I am most proud of include winning the 2018 ISC2 Information Security Leadership Award for recognition of cybersecurity and also helping to share my experience with an amazing team at Thycotic to help our newest talented employees gain new skills.

TechNadu: The company offers privileged strategies for controlling exposure. How bad are things for the companies hiring Thycotic to work out their systems? How do they feel exposed?

Joseph Carson: Thycotic provides privileged access management (PAM) solutions, and those businesses that are engaged with us either start their journey to secure privileged access or have already begun the journey and are now looking at Thycotic for feedback on how to get more value and sophistication with PAM. Organizations that work with Thycotic range from company size to business needs of all kinds. Some of the most common needs are to comply with several of the major regulations or industry compliances such as PCI and ISO, to reduce the risks of cyber attacks, to strengthen access protection, or they result from significant infringements, and privileged access is one of the most important priorities for reducing the risk of becoming a victim again in the future.

TechNadu: What do you see today as the biggest threat to our safety?

Joseph Carson: The biggest threat to our health is failure to act. We understand that most cyber attacks are not sophisticated, nor do they all come from nation-states, and we have many best practices that help businesses reduce the risk of becoming a cybercrime victim. Becoming proactive, carrying out a thorough cyber-business impact assessment and putting in place strong best practice security controls such as privileged access management will help most businesses become more secure in reducing the risk of most common cyber attacks as well as increasing their resilience.

Joseph Carson: Critical infrastructure is highly vulnerable because more computers are communicating at the speed of lightning than ever. Taking old legacy equipment and making it available online means only more vulnerable systems that can be exploited. Not only are they vulnerable, but we also fail to educate the human with the basic cybersecurity hygiene needed to keep them safe from criminal hackers using those systems.

TechNadu: Finally, what advice do you give to children who are just beginning to flex their hacking muscles?

Joseph Carson: Some safe online platforms, like capture-the-flag challenges, offer safe environments for kids to develop their hacking skills without breaking any laws. It is important that we teach them how to do it ethically, and we also need to develop a mentoring platform that allows seasoned ethical hackers to educate the next generation and help keep them on the right side of the law.