In the age of information, data is everything. Since the implementation of GDPR in the EU, businesses around the world have grown more “data conscious;” in turn, people, too, know that their data is valuable.
It’s also common knowledge at this point that data breaches are costly. For example, Equifax, the company behind the largest-ever data breach, is expected to pay at least $650 million in settlement fees.
And that’s just the anticipated legal costs associated with the hacking. The company is spending hundreds of millions of dollars in upgrading its systems to avert any future incidents.
In the cloud WAF arena, data breaches are no strangers. Having powerful threat detection capabilities behind your cloud WAF service provider, while important, is not the only thing to rely on for data breach prevention.
API security and secure SSL certificate management are just as important.
So, what are some ways hackers can cause damage as it relates to cloud WAF customers? And how can you protect yourself if you are using a cloud WAF service?
The topics covered in this blog will answer the following:
- What can hackers do with stolen emails?
- What can hackers do with salted passwords?
- What can hackers do with API keys?
- What can hackers do with compromised SSL certificates?
- What can I do to protect myself if I am using a cloud WAF?
► What can hackers do with stolen emails?
When you sign up for a cloud WAF service, your email is automatically stored in the WAF vendor’s database so long as you use their service.
In case of a data breach, if emails alone are compromised, then phishing emails and spam are probably your main concern. Phishing emails are so common that we sometimes forget how dangerous they are.
For example, if a hacker has your email address, they have many ways to impersonate a legitimate entity (e.g. by purchasing a look-alike company domain) and send unsolicited emails to your inbox.
► What can hackers do with salted passwords?
Cloud WAF vendors that store passwords in their database without any hashing or salting put their customers at risk if there is a breach, and even more so if the hackers already have the matching email addresses.
In this scenario, hackers can quickly take over your account or sell your login credentials online. But what if the WAF vendor salted the passwords? Hashing passwords can certainly protect against some hacker intrusions.
In the event of a breach of hashed passwords that were not salted, a hacker can still get your website to validate the password, because the website simply compares the hash of what is submitted with the stored hash in the database.
This is where salting the hash helps defeat this particular attack, but it does not guarantee protection against hash collision attacks (attacks on a cryptographic hash that try to find two inputs producing the same hash value).
In that case, systems using weak hashing algorithms can let hackers into your account even when the actual password is wrong, because two different inputs (the actual password and some other string of characters, for example) produce the same output.
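To make the unsalted-versus-salted point concrete, here is an added example (not code from the original post or from any WAF vendor) that stores the same constructed sample passwords both ways, shows that a table precomputed once from a list of common passwords matches every unsalted entry, and verifies the salted form with a per-user random salt and PBKDF2. All user names, passwords and the `COMMON_PASSWORDS` list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed list of common passwords used to build the lookup table (sample data).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def hash_unsalted(password: str) -> str:
    """Weak scheme: one plain SHA-256, no salt. Same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Hardened scheme: random per-user salt plus iterated PBKDF2-HMAC-SHA256.
    Stored as 'salt_hex$iterations$digest_hex' so the verifier can recover both."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def exposed_by_lookup(stored_unsalted: Dict[str, str]) -> Dict[str, str]:
    """Audit helper: which accounts would a leaked dump of UNSALTED hashes reveal to
    anyone holding a table computed once from COMMON_PASSWORDS? Salted entries cannot
    be matched this way, because every user's salt changes the output."""
    table = {hash_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored_unsalted.items() if h in table}


if __name__ == "__main__":
    users = {"alice": "qwerty", "bob": "Tr0ub4dor&3"}  # constructed sample accounts
    unsalted_db = {u: hash_unsalted(p) for u, p in users.items()}
    salted_db = {u: hash_salted(p) for u, p in users.items()}
    print("recovered from unsalted dump:", exposed_by_lookup(unsalted_db))
    print("alice verifies against salted record:", verify_salted("qwerty", salted_db["alice"]))
```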
► What can hackers do with API keys?
Cloud WAF vendors that use or provide APIs to allow third-party access must pay extra attention to API security to protect their customers.
APIs are connected to the internet and transfer data; many cloud WAFs rely on APIs to implement load balancers, among other things.
If API keys are not sent over HTTPS, or API requests are not authenticated, then there is a risk of hackers taking over developers' accounts.
If a cloud WAF vendor uses a public API but did not register for an authorized account to gain access to it, hackers can exploit this situation to send repeated API requests. Had the API access been registered, the API key could be tracked if it is used for too many suspicious requests.
Beyond securing API keys, developers must also secure their cloud credentials. If a hacker gains access to these, they may be able to take down servers, completely corrupt DNS information, and more.
API security is not only a concern for developers but also for end users using APIs for their cloud WAF service as you’ll see in the next section.
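The tracking of a registered API key mentioned above can be done with a simple per-key sliding window over the API access log. The following is an added example, not code from the original post or from any WAF product; the log format, the key identifiers and the thresholds are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample API access log: "<timestamp> <api_key_id> <method> <path> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 key-A GET /v1/rules 200
2024-05-01T10:00:05 key-B GET /v1/rules 200
2024-05-01T10:00:06 key-B GET /v1/rules 200
2024-05-01T10:00:07 key-B GET /v1/rules 200
2024-05-01T10:00:08 key-B GET /v1/rules 200
2024-05-01T10:00:09 key-B GET /v1/rules 200
2024-05-01T10:00:10 key-B GET /v1/rules 200
2024-05-01T10:00:20 key-C PUT /v1/whitelist 403
2024-05-01T10:00:21 key-C PUT /v1/whitelist 403
2024-05-01T10:00:22 key-C PUT /v1/whitelist 403
2024-05-01T10:30:00 key-A GET /v1/rules 200
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, key, method, path, status) tuples."""
    entries = []
    for line in text.splitlines():
        ts, key, method, path, status = line.split()
        entries.append((datetime.fromisoformat(ts), key, method, path, int(status)))
    return entries


def flag_suspicious_keys(entries, window_seconds=60, max_requests=5, max_failures=3):
    """Per-key sliding window. A key is flagged 'rate' when it exceeds max_requests
    within window_seconds, or 'auth_failures' after max_failures 401/403 responses."""
    recent = defaultdict(deque)   # key -> timestamps inside the current window
    failures = defaultdict(int)   # key -> cumulative 401/403 count
    flagged = {}
    for ts, key, _method, _path, status in sorted(entries):
        window = recent[key]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if status in (401, 403):
            failures[key] += 1
        if len(window) > max_requests:
            flagged[key] = "rate"
        elif failures[key] >= max_failures:
            flagged.setdefault(key, "auth_failures")
    return flagged


if __name__ == "__main__":
    print(flag_suspicious_keys(parse_log(SAMPLE_LOG)))
```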
► What can hackers do with compromised SSL certificates?
Next, what happens if the SSL certificates that WAF customers provided end up in the hands of hackers?
Let's assume the hacker has both the API keys and the SSL certificates. In this scenario, hackers can affect the security of the incoming and outgoing traffic for customer websites.
With the API keys, hackers can whitelist their own websites in the cloud WAF's settings, allowing those websites to bypass detection. This lets them attack sites freely.
Additionally, hackers could modify a customer website's traffic to divert it to their own sites for malicious purposes. Because they also hold the SSL certificates, they can expose this traffic as well, putting you at risk of exploits and other vulnerabilities.
► What can I do to protect myself if I am using a cloud WAF?
First, understand that your data is never 100% safe. If a company claims that your data is 100% safe, then you should be wary. No company can guarantee that your data will always be safe with them.
When there is a data breach, however, cloud WAF customers are strongly encouraged to change their passwords, enable 2FA, upload new SSL certificates, and reset their API keys.
Only two of these are realistic preventive measures (changing your passwords frequently and using 2FA); it's unlikely that you, as a customer, will frequently upload new SSL certificates or change your API keys.
Thus, we recommend that you ask your WAF vendor about the security of not just the WAF technology itself but also how they handle API security and how they store SSL certificates for their customers.