Business security is not easy. Small mistakes around systems and vulnerabilities can lead to data breaches affecting millions of users. Unfortunately, some of the most common mistakes involve APIs.
Just yesterday, T-Mobile revealed that a threat actor obtained the personal information of 37 million postpaid and prepaid customer accounts through an exposed API, which the actor accessed between November 25, 2022 and January 5, 2023. The vendor has not shared how the hackers exploited the API.
This incident highlights that API security must be at the top of the agenda for CISOs and organizations if they want to prevent customer data from falling into the wrong hands.
The trend of API exploitation
With cloud adoption increasing dramatically in recent years, analysts have long been warning enterprises that a tidal wave of API exploitation is on the way. Back in 2021, Gartner predicted API abuse would shift from a rare to the most common attack vector by 2023.
These predictions appear to be accurate, with research showing that 53% of security and technical professionals reported that their organization had experienced a network or app data breach due to compromised API tokens.
In addition, just a month ago, hackers exposed the accounts and email addresses of 235 million Twitter users after exploiting an API vulnerability that was originally shipped in June 2021 and later patched.
As threat actors increasingly look to exploit APIs, organizations cannot afford to rely on outdated cybersecurity solutions to protect this massive attack surface. Unfortunately, upgrading to up-to-date solutions is easier said than done.
“Unauthorized API access can be extremely difficult for organizations to monitor and investigate – especially large enterprises – due to the sheer volume,” said Chris Doman, CTO and co-founder of Cado Security.
“As more organizations move data to the cloud, API security becomes even more relevant with distributed systems,” said Doman.
Doman notes that organizations looking to shield themselves from incidents like the one T-Mobile experienced need “good visibility” into API access and activity beyond traditional logging.
This is important because logging can be bypassed — as was the case with a vulnerability in AWS’s APIs that allowed attackers to bypass CloudTrail logs.
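The kind of visibility Doman describes means looking at access patterns, not just individual log entries. The following Python script is an added example written for this article (it is not code from Cado Security, AWS or T-Mobile) that runs one simple detection rule over constructed API access-log lines: a token that successfully reads more than a set number of distinct customer records inside a sliding time window is flagged as a possible bulk-harvesting session. The `/v1/customers/{id}` path layout, the JSON log format and the threshold of 50 distinct records per 10 minutes are all assumptions chosen for the demo.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Matches paths that address one customer record, e.g. /v1/customers/100 or
# /v1/customers/100/bills. The path layout is an assumption for this example.
CUSTOMER_PATH = re.compile(r"^/v1/customers/(\d+)(?:/|$)")


def parse_line(line):
    """Parse one JSON access-log record and pull out the customer id, if the path names one."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    m = CUSTOMER_PATH.match(rec["path"])
    rec["customer_id"] = m.group(1) if m else None
    return rec


def detect_enumeration(lines, window=timedelta(minutes=10), max_distinct=50):
    """Flag every token that successfully read more than max_distinct different
    customer records inside any sliding window of the given length.

    A single subscriber or support agent touches a handful of records; a token
    walking through hundreds of distinct ids looks like bulk harvesting even
    though every individual request returned 200.
    """
    events = defaultdict(list)  # token_id -> [(timestamp, customer_id, client)]
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only successful reads of a customer record count; errors are noise for this rule.
        if rec["customer_id"] is None or rec["status"] != 200:
            continue
        events[rec["token_id"]].append((rec["ts"], rec["customer_id"], rec["client"]))

    alerts = []
    for token, evs in events.items():
        evs.sort(key=lambda e: e[0])
        in_window = defaultdict(int)  # customer_id -> hits currently inside the window
        start = 0
        peak = 0
        for ts, cid, _client in evs:
            in_window[cid] += 1
            # Slide the window start forward past events older than `window`.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            alerts.append({
                "token_id": token,
                "client": evs[0][2],
                "distinct_customers": peak,
                "window_minutes": window.total_seconds() / 60,
            })
    return alerts


def build_sample_log():
    """Constructed log lines for a demo run; none of this is real traffic."""
    base = datetime(2023, 1, 5, 10, 0, tzinfo=timezone.utc)

    def line(offset_s, client, token, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return json.dumps({"ts": ts, "client": client, "token_id": token,
                           "path": path, "status": status})

    lines = [  # one subscriber looking at their own account from the mobile app
        line(0, "app-ios", "t1", "/v1/customers/100"),
        line(5, "app-ios", "t1", "/v1/customers/100/bills"),
        line(9, "app-ios", "t1", "/v1/customers/100"),
    ]
    # a partner integration reading 20 distinct records: below the threshold
    lines += [line(i, "partner-y", "t5", f"/v1/customers/{3000 + i}") for i in range(20)]
    # a token reading 80 distinct records in 80 seconds: bulk-harvest pattern
    lines += [line(i, "partner-x", "t9", f"/v1/customers/{2001 + i}") for i in range(80)]
    # a denied request from the same token does not count towards the rule
    lines.append(line(100, "partner-x", "t9", "/v1/customers/9999", 403))
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_log()):
        print(alert)
```

The rule keys on the token rather than the source IP because a harvesting session can be spread across many addresses while reusing one credential; in production the threshold would be tuned per client type (a partner batch job legitimately reads more records than a subscriber app), and the alert would feed the same pipeline that handles the gateway's own logs.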
How bad is the T-Mobile API data breach?
While T-Mobile claimed that the attackers did not have access to users’ payment card information, passwords, driver’s licenses, government IDs, or social security numbers, the information gathered provides enough material to launch social engineering attacks.
“While T-Mobile has made public the severity of the incident, in addition to the response — cutting off threat actor access via the API exploit — the breach still compromised billing addresses, emails, phone numbers, dates of birth, and more,” said Cliff Steinhauer, director of information security and engagement at NCA.
“It’s basic information, but just enough to map out and execute a sufficiently convincing social engineering campaign that can amplify bad actors’ ability for new attacks,” Steinhauer said.
These attacks include phishing attacks, identity theft, Business Email Compromise (BEC), and ransomware.
Why do API breaches occur?
APIs are a prime target for threat actors because they facilitate communication between different apps and services. Each API includes a mechanism for sharing data with third-party services. If an attacker discovers a vulnerability in one of these services, they could gain access to the underlying data as part of a man-in-the-middle attack.
There is an increase in API-based attacks – not because these elements are necessarily insecure, but because many security teams lack the processes to identify and classify APIs at scale, let alone remediate vulnerabilities.
“APIs are designed to provide easy access to applications and data. This is a big advantage for developers, but also a boon for attackers,” said Mark O’Neill, VP analyst at Gartner. “Protecting APIs starts with discovering and categorizing your APIs. You can’t protect what you don’t know.”
Of course, API inventory is just the tip of the iceberg; security teams also need a strategy to secure them.
“Then it’s about using API gateways, web application and API protection (WAAP), and application security testing. A major problem is that API security falls into two groups: technical teams, who lack security skills, and security teams, who lack API skills.”
Thus, organizations should implement a DevSecOps-style approach to better assess the security of applications in use (or under development) within the environment, and develop a strategy to secure them.
Identification and mitigation of API vulnerabilities
One way organizations can start identifying vulnerabilities in APIs is to implement penetration testing. By conducting an internal or third-party led penetration test, security teams can see how vulnerable an API is to exploitation and provide actionable steps to improve their cloud security posture over time.
“For software of all types, it is vital that companies use updated code and verify the security of their systems, for example by conducting penetration testing — a security assessment that simulates different types of intruders… with the aim of elevating current privileges and increasing access to the environment,” said David Emm, chief security researcher at Kaspersky.
In addition, it is a good idea for organizations to invest in incident response so that they can respond quickly if an API is misused to mitigate the impact of the breach.
“To be on the safe side when a business is faced with an incident, incident response services can help minimize the impact, particularly by identifying compromised nodes and protecting infrastructure from similar attacks in the future,” said Emm.
The role of zero trust
Unauthenticated, public APIs are susceptible to malicious API calls, where an attacker will attempt to connect to the entity and exfiltrate any data they have access to. In the same way that you wouldn’t implicitly trust a user to access PII, you shouldn’t automatically trust an API.
Therefore, it is essential to implement a zero trust strategy and deploy an authentication and authorization mechanism for each individual API to prevent unauthorized access to your data.
“If you have sensitive data (in this case, customer phone numbers, billing and email addresses, etc.) scattered across databases, mixed with other data, and access to that data is not properly managed, these types of breaches are difficult to prevent,” said Anushu Sharma, co-founder and CEO of Airflow.
“The best-run companies with the most sensitive data know they need to embrace new zero-trust architectures. Bad actors are getting smarter. Adopting new privacy technology is no longer an option, it’s at stake,” Sharma said.
Combining access control frameworks such as OAuth2 with authentication measures such as username and password and API keys can enforce the principle of least privilege and ensure that users only have access to the information they need to fulfill their role.
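As an added example of the per-API authentication and authorization the zero trust section calls for, and of the least-privilege scoping described in the paragraph above, the following Python handler was written for this article (it is not T-Mobile's code and not any OAuth2 library's API). It models a resource server protecting a customer-record endpoint with OAuth2 bearer tokens: the token must be present, active and unexpired; the operation must be covered by a scope the token carries; and the caller must own the record (or hold a staff scope) before any data is returned. The token table stands in for the result a real server would get from token introspection (RFC 7662) or JWT validation, and the scope names, customer records and the `account:any` staff scope are conventions invented for this example.

```python
# Constructed stand-in for the result an OAuth2 resource server gets from token
# introspection (RFC 7662) at its authorization server; real code would call that
# endpoint (or validate a signed JWT) instead of reading a dictionary.
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

TOKENS = {
    "tok-customer-alice": {"active": True, "sub": "cust-100",
                           "scope": {"account:read"}, "exp": NOW + 3600},
    "tok-support-bob":    {"active": True, "sub": "emp-7",
                           "scope": {"account:read", "account:write", "account:any"},
                           "exp": NOW + 3600},
    "tok-expired":        {"active": True, "sub": "cust-200",
                           "scope": {"account:read"}, "exp": NOW - 10},
    "tok-revoked":        {"active": False, "sub": "cust-200",
                           "scope": {"account:read"}, "exp": NOW + 3600},
}

# Constructed customer records; "owner" is the subject allowed to act on the record.
CUSTOMERS = {
    "cust-100": {"owner": "cust-100", "name": "A. Example", "phone": "+1-555-0100",
                 "email": "alice@example.test", "billing_address": "1 Example St"},
    "cust-200": {"owner": "cust-200", "name": "B. Example", "phone": "+1-555-0200",
                 "email": "bob@example.test", "billing_address": "2 Example Ave"},
}

# Scope each operation requires (names are this example's convention, not a standard).
REQUIRED_SCOPE = {"GET": "account:read", "PUT": "account:write"}
WRITABLE_FIELDS = ("phone", "email", "billing_address")


def introspect(token, now=NOW):
    """Return the token's claims if it is known, active and unexpired, else None."""
    claims = TOKENS.get(token)
    if claims is None or not claims["active"] or claims["exp"] <= now:
        return None
    return claims


def handle(method, customer_id, headers, body=None, now=NOW):
    """Authenticate, then authorize the operation, then authorize the object.

    Returns (status_code, response_body). The order matters: an unauthenticated
    caller learns nothing, not even whether the customer id exists.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    claims = introspect(auth[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": "invalid, revoked or expired token"}

    required = REQUIRED_SCOPE.get(method)
    if required is None:
        return 405, {"error": "method not allowed"}
    if required not in claims["scope"]:
        return 403, {"error": f"scope {required} required"}

    record = CUSTOMERS.get(customer_id)
    # Object-level authorization: the scope says what the caller may do, the
    # ownership check says to which records. A record the caller may not see is
    # reported exactly like a record that does not exist, so the endpoint cannot
    # be used to confirm which customer ids are valid.
    if record is None or (record["owner"] != claims["sub"]
                          and "account:any" not in claims["scope"]):
        return 404, {"error": "no such customer"}

    if method == "GET":
        return 200, {k: v for k, v in record.items() if k != "owner"}
    record.update({k: v for k, v in (body or {}).items() if k in WRITABLE_FIELDS})
    return 204, {}


if __name__ == "__main__":
    print(handle("GET", "cust-100", {}))
    print(handle("GET", "cust-200", {"Authorization": "Bearer tok-customer-alice"}))
    print(handle("GET", "cust-200", {"Authorization": "Bearer tok-support-bob"}))
```

The three checks are deliberately separate layers: the first two are what an API gateway or WAAP can enforce generically, while the ownership check depends on application data and has to live in the service itself. Dropping that last layer is how a perfectly authenticated API still ends up serving every customer's record to whoever holds one valid token.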
Janice has been with businesskinda for 5 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider businesskinda team, Janice seeks to understand an audience before creating memorable, persuasive copy.