I have to say I am impressed. Barracuda Networks has come forward on their blog with a simple and clear explanation for the breach — three basic mistakes in security management.
This latest incident brings home some key reminders for us, including that:
- You can't leave a Web site exposed nowadays for even a day (or less)
- Code vulnerabilities can happen in places far away from the data you're trying to protect
- You can't be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed
I agree with them 120%. That level of disclosure is commendable on its own as a sign of honesty and root-cause analysis. However, what really impresses me is that they then recommend their product and end up with a very subtle sales spin. The breach analysis could be taken as an example of how to use a control to reduce the risk of security management mistakes.
The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time.
In other words, the incident review suggests that their WAF would have blocked the attacks when configured properly. Don't you want to buy a WAF now?
The breach is subtly boiled down to an "unintentional" decision to put the control in maintenance/passive mode (OWASP Risk A6-Security Misconfiguration). It exposed their database to automated vulnerability scans from the Internet. They might have caught the vulnerability themselves if they had run the same scans earlier (OWASP Risk A1-Injection); or they might have prevented data exposure by keeping it better isolated and segmented. Both of these are covered in their announcement, but at the end of the day they are selling WAFs. So it is interesting to hear from them, in this context, that their product could have blocked the blind SQL injection that caused their breach.
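As an added illustration (not from Barracuda's post or from this blog), the following Python models the difference the incident review describes: the same blind SQL injection probes pass through a WAF policy in active mode and in passive (monitor-only) mode, and a configuration check flags passive mode outside a declared maintenance window. The rule patterns, sample requests and function names are constructed for this example and are far simpler than a real WAF rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified signatures for blind SQL injection probes:
# boolean-based (AND 1=1 / AND 1=2) and time-based (SLEEP, pg_sleep, ...).
BLIND_SQLI_PATTERNS = [
    re.compile(r"(?i)\b(and|or)\b\s+\d+\s*=\s*\d+"),
    re.compile(r"(?i)(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay"),
]

# Constructed sample request lines: one legitimate, three probes.
SAMPLE_REQUESTS = [
    "GET /news.php?id=7 HTTP/1.1",
    "GET /news.php?id=7' AND 1=1-- HTTP/1.1",
    "GET /news.php?id=7' AND 1=2-- HTTP/1.1",
    "GET /news.php?id=7' AND SLEEP(5)-- HTTP/1.1",
]


@dataclass
class WafResult:
    logged: list = field(default_factory=list)          # rule hits (both modes)
    blocked: list = field(default_factory=list)         # dropped (active only)
    reached_backend: list = field(default_factory=list)  # forwarded to the app


def evaluate(requests, mode):
    """Run requests through the rules. In 'active' mode a hit is logged and
    blocked; in 'passive' mode it is logged but still forwarded, so the
    backend sees every probe exactly as if no WAF were present."""
    if mode not in ("active", "passive"):
        raise ValueError(f"unknown WAF mode: {mode}")
    result = WafResult()
    for req in requests:
        if any(p.search(req) for p in BLIND_SQLI_PATTERNS):
            result.logged.append(req)
            if mode == "active":
                result.blocked.append(req)
                continue
        result.reached_backend.append(req)
    return result


def audit_mode(mode, in_maintenance_window):
    """Configuration check: passive mode is acceptable only inside a declared
    maintenance window; anywhere else it is a misconfiguration finding."""
    if mode == "passive" and not in_maintenance_window:
        return "FINDING: WAF in passive mode outside maintenance window"
    return "OK"
```

In passive mode the rule hits are still written to the log, so alerting on WAF "detect but not block" events, and on the mode itself, is what turns the monitoring window into a short one.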