The database break-in at Barracuda Networks highlights that no firm is immune to attack, but the email and web security vendor also may have overlooked some basic security tenets that made it more attractive to hackers, according to company executives and industry experts.
The attack against Barracuda occurred on Saturday night when the company's web application firewall (WAF) was offline for maintenance.
The incident provides takeaways for other organizations, namely the danger of relying solely on web application firewalls to protect sites, experts said.
If operational, Barracuda's WAF most likely would have stopped the attack, since one of its functions is to block SQL injection, Jason Reed, principal consultant at SystemExperts, told SCMagazineUS.com.
But the attack occurred while the WAF was down, illustrating the value of conducting penetration tests during scheduled maintenance windows, when networks are most vulnerable, he said.
“Firewalls are good but can mask problems if you don't test your network without them in place,” Reed said. “If they had tested in the past during this maintenance window, they may have found this error.”
After several hours of automated probing, hackers, apparently from Malaysia, found and exploited an SQL injection vulnerability on Barracuda's website to raid various databases and hijack the names and contact information of partners, customers and Barracuda employees.
The incident follows successful infiltrations this year of security firms RSA, Comodo and HBGary.
“Those threats are out there and can occur in your environment, just like in theirs,” Reed said.
SQL injection attacks are one common entry point, Chris Wysopal, CTO of application security firm Veracode, told SCMagazineUS.com.
“We test hundreds of web apps a month, and about 38 percent have SQL injection vulnerabilities in them,” he said. “It's pretty prevalent.”
Plus, with the help of automated scripts, these vulnerabilities are easy to uncover and exploit, Wysopal said.
Finding and fixing vulnerabilities in applications before they are released or updated is critical to the development process but is sometimes overlooked, he said.
Stephen Pao, vice president of product management at Barracuda Networks, told SCMagazineUS.com that “just north of 20,000 records” were taken in the attack, though the number of companies impacted is lower because in many cases, multiple contacts from the same company were affected.
Most of the compromised records belong to Barracuda's reseller partners, he added.
“Security is all about layers,” Pao said. “We always tell customers to use vulnerability assessment tools and static code analyzers. It is something we regularly employ as processes within the company.”
But, he added, business today is all about speed, and oftentimes organizations demand that applications be developed and deployed quickly.
WAF technology is attractive because it provides the ability to operate safely, even when vulnerabilities are present, he said. But the breach is a reminder that things can go wrong, so relying on one technology alone is not adequate.
“It is a reminder that the documentation and enforcement and auditing of processes is required, at multiple levels,” he said.
Experts said the breach also illustrates the necessity of following the tried-and-true principle of least privilege.
In a blog post detailing the attack, Barracuda said the vulnerability existed in a PHP script that serves up customer reference case studies by vertical market. This content, however, was in the same SQL database infrastructure used for marketing programs. Once the attackers were able to find the vulnerable script, they could access multiple databases.
“The system wasn't configured to only allow access by the application to the information it needed,” SystemExperts' Reed said.
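The two failures the article describes, a script that splices user input into its SQL and a database account that can read far more than the script needs, can be shown side by side. The following is an added illustration, not Barracuda's code: the table names, sample rows and the "vertical market" lookup are constructed for the example, and because SQLite has no user accounts, its authorizer hook stands in for the dedicated database user with a narrow GRANT that a MySQL or PostgreSQL deployment would use. The point is that the parameterized query closes the injection, and the restricted connection limits what a still-vulnerable script can reach to the case-study content that, as Pao says below, nobody would have minded losing.

```python
import sqlite3

# Constructed sample data: public case-study content and partner/customer
# contact details sharing one database, as the article describes.
CASE_STUDIES = [
    ("Retail", "Retailer cuts spam by 90%"),
    ("Healthcare", "Clinic secures patient email"),
]
CONTACTS = [
    ("Alice Example", "alice@partner.example", "reseller"),
    ("Bob Example", "bob@customer.example", "customer"),
]


def build_db():
    """Create an in-memory database holding both tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE case_studies (vertical TEXT, title TEXT)")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO case_studies VALUES (?, ?)", CASE_STUDIES)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", CONTACTS)
    conn.commit()
    return conn


def case_studies_vulnerable(conn, vertical):
    """The flawed pattern: the request parameter is pasted into the SQL text,
    so whatever the caller sends becomes part of the statement."""
    sql = "SELECT vertical, title FROM case_studies WHERE vertical = '%s'" % vertical
    return conn.execute(sql).fetchall()


def case_studies_safe(conn, vertical):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT vertical, title FROM case_studies WHERE vertical = ?"
    return conn.execute(sql, (vertical,)).fetchall()


def restricted_connection(conn, allowed_tables):
    """Stand-in for a least-privilege database account (assumption for this
    example): the connection may read only the tables the script needs.
    On MySQL/PostgreSQL the equivalent is a dedicated user that is granted
    SELECT on those tables alone; SQLite lacks accounts, so the authorizer
    hook enforces the same restriction at statement-compile time."""
    def authorizer(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_READ and table not in allowed_tables:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn


def demo():
    """Run both versions of the script against a normal request and against a
    constructed probe that tries to pull the contacts table through the
    case-study lookup, once with an unrestricted connection and once with the
    restricted one. Returns the outcomes so they can be checked."""
    probe = "x' UNION SELECT name, email FROM contacts --"
    results = {}

    full = build_db()
    # Unrestricted account + concatenated SQL: the probe returns contact data.
    results["vuln_full_probe"] = case_studies_vulnerable(full, probe)
    # Same account, parameterized query: the probe is just an unknown vertical.
    results["safe_full_probe"] = case_studies_safe(full, probe)

    restricted = restricted_connection(build_db(), {"case_studies"})
    results["safe_restricted_normal"] = case_studies_safe(restricted, "Retail")
    # Even the flawed script cannot reach contacts through a restricted account.
    try:
        results["vuln_restricted_probe"] = case_studies_vulnerable(restricted, probe)
    except sqlite3.DatabaseError as exc:
        results["vuln_restricted_probe"] = "denied: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Both controls matter on their own: the parameterized query is the actual fix for the script, and the restricted account is the layer that limits damage when the next script with the same flaw is found while the WAF is down.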
Barracuda's Pao acknowledged that the company “could have had some better database security privileges in place.”
If the hackers were only able to access case study content, the security firm wouldn't have cared, he added.
“If someone wanted to steal and post that content, we would have been thrilled,” Pao said.