Barracuda Attack: Never Let Your Security Guard Down

Six days ago, Barracuda Networks, a major player in the information security space, experienced a breach via its public-facing web site, which compromised sensitive company data.

It is important to note that the attack took place during a vulnerable time: the company was performing routine maintenance on its own Barracuda Web Application Firewall. (Anyone who has been in an airport recently has seen one of these on a poster touting their effectiveness.) During this time of exposure, an astute hacker simply searched for well-known vulnerabilities and found an SQL injection vulnerability.

This particular attack reinforces the reality that companies and organizations can never leave themselves vulnerable – even during short routine maintenance windows, because the bad guys are continually scanning websites and networks looking for easy prey.  Obviously, this is an extremely embarrassing breach for a leading player in the security arena that will have negative business consequences for Barracuda.

In a candid blog post, Michael Perone, Executive Vice President and CMO of Barracuda Networks, highlighted the painful lessons learned from this breach, which include the following (these words are taken from his actual post):

- You can’t leave a Web site exposed nowadays for even a day (or less)

- Code vulnerabilities can happen in places far away from the data you’re trying to protect

- You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed

I believe that every company can learn a lesson from the Barracuda breach. Most organizations perform maintenance that requires them to “let their guard down.” Bad guys are ready to exploit well-known source code vulnerabilities like SQL Injection and Cross Site Scripting instantly, and I mean instantly, when the opportunity arises. The bottom line is that companies and organizations need to find out what risks are present in their web applications and then fix them, and not rely solely on WAFs or any other external (to these applications) device.

Some hackers target security companies (RSA, HBGary and Barracuda just this year), but most go after more lucrative targets. Companies with more to lose need to take notice and understand the risks in their Internet presence, and make fixing them a high priority. Relying on ‘silver bullets’ to protect them only works in the movies.

About the Author:

Greg Reber is the founder and CEO of AsTech Consulting. Since 1997, AsTech has helped Fortune 1000 companies meet the challenge of securing their information assets. In 2001, AsTech was among the first to see the emerging threat posed by customer-facing Internet applications and developed an application vulnerability assessment solution which has continuously evolved to meet today’s threat environment head-on.


Copyright © 2012 The Security Blog. All rights reserved.