Traditional cloud security issues once associated with service providers are declining in significance, according to the Cloud Security Alliance's 2024 Top Threats report. New challenges, however, persist.
In December 2022, a hacker claimed to have the personal data of 400 million Twitter users and offered it for sale on dark web markets. Only yesterday, the attacker published the account details and email addresses of 235 million users.
The data exposed by the hacker includes account names, handle creation dates, follower counts and the email addresses of victims. Threat actors can also use it to design social engineering campaigns that dupe people into handing over further personal data.
Social media giants provide threat actors with a gold mine of user data and personal information that can be used to run social engineering scams.
With just a username, an email address and the contextual information visible on a public profile, an attacker can conduct reconnaissance on a targeted user and craft phishing and scam campaigns tailored to trick that person into giving up personal information.
In this case, while the exposed information was limited to what users had already made public, the immense volume of accounts exposed in a single location (Twitter) provided a “goldmine of information” to threat actors.
Unsecured APIs give cybercriminals direct access to users’ Personally Identifiable Information (PII), such as usernames and passwords, which the API captures when a user connects to a third-party service. An API attack thus gives threat actors a window through which to collect large amounts of personal information for use in scams.
One instance occurred just a month ago, when a threat actor who had successfully applied for membership of the FBI's InfraGard intelligence-sharing service leveraged an API flaw to gather the data of 80,000 executives across the private sector and put it up for sale on the dark web.
The data collected during the incident included usernames, email addresses, Social Security numbers and dates of birth. This highly valuable information was used by the threat actors to develop social engineering lures and spear-phishing attacks.
One of the main challenges in combating API breaches is that modern enterprises need to discover and secure a very large number of APIs. A single vulnerability can expose user data to exfiltration, so there is little room for error.
“Protecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use […] It’s a lot for organizations to manage, but the risk is too great not to,” says Chris Bowen, CISO at ClearDATA. “In healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport, exchange security, and trusted connectivity.”
Security teams are also advised not to rely solely on simple authentication options such as a username and password to secure their APIs.
“In today’s environment, basic usernames and passwords are no longer enough […] It’s now vital to use standards such as two-factor authentication (2FA) and/or secure authentication with OAuth,” says Will Au, senior director for DevOps, operations, and site reliability at Jitterbit.
Measures such as deploying a Web Application Firewall (WAF) and monitoring API traffic in real time can also help detect malicious activity, ultimately reducing the risk of compromise.
APIs, by nature, risk exposing application logic or sensitive data such as personally identifiable information (PII). Because APIs are generally reachable over public networks and are often well documented, a threat actor can readily reverse-engineer and manipulate them. They are also susceptible to DDoS attacks.
Since many significant data leaks result from defective, vulnerable or compromised APIs exposing medical, financial or personal information, securing APIs is crucial. An improperly secured API can open the door to numerous cyberattacks, which makes API security essential for today's data-driven enterprises.
Critical API vulnerabilities and attacks
In recent years, APIs have become the preferred method for building more advanced applications, particularly for mobile devices and the internet of things (IoT). However, given continually evolving application-development methodologies and the pressure to innovate, some businesses still do not fully understand the risks of exposing their APIs to the public.
Businesses should also watch for these typical security errors before public deployment.
• Authentication flaws: Many APIs fail to properly verify the authentication status of the requests they receive, even those that appear to come from legitimate users. Threat actors can exploit such flaws in a variety of ways by replaying or forging API requests, including session hijacking and account aggregation.
• Lack of encryption: Many APIs have no encryption layer between the API client and server. Such flaws let a threat actor intercept or steal sensitive data from unencrypted or inadequately protected API transactions.
• Flawed endpoint security: Since most IoT devices and microservices are built to communicate with the server over an API channel, hackers often attempt to gain unauthorized access through the IoT endpoints. A compromised endpoint frequently lets the attacker issue API calls out of their intended sequence, leading to a data breach.
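To make the first of these flaws concrete, here is an added Python example (not code from the article or from any vendor it quotes). It contrasts a handler that only checks that some Authorization header is present with one that authenticates a signed, expiring bearer token and then authorizes the requested object. The token format, the HMAC secret, the ACCOUNTS table and the user names are all constructed for this illustration.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed for this example: a demo signing key (a real service loads it from a
# secret store and rotates it) and a flat table of account records keyed by account id.
SECRET = b"demo-only-key"
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "acct-100": {"owner": "alice", "email": "alice@example.com", "phone": "555-0100"},
    "acct-200": {"owner": "bob",   "email": "bob@example.com",   "phone": "555-0200"},
}


def _sign(user_id: str, exp: int) -> str:
    return hmac.new(SECRET, f"{user_id}.{exp}".encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Mint a bearer token "<user>.<expiry>.<hmac>" that expires after ttl_seconds."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    return f"{user_id}.{exp}.{_sign(user_id, exp)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        user_id, exp_str, sig = token.rsplit(".", 2)
        exp = int(exp_str)
    except ValueError:                                        # malformed token
        return None
    if not hmac.compare_digest(sig, _sign(user_id, exp)):     # constant-time compare
        return None
    if (time.time() if now is None else now) >= exp:          # expired or replayed stale token
        return None
    return user_id


def get_account_vulnerable(headers: Dict[str, str], account_id: str) -> Tuple[int, Optional[dict]]:
    """Flawed handler: only checks that an Authorization header exists. It never
    verifies the token or asks whether the caller owns the account, so one valid
    (or even fake) token lets an attacker walk account ids and aggregate PII."""
    if "Authorization" not in headers:
        return 401, None
    record = ACCOUNTS.get(account_id)
    return (200, record) if record else (404, None)


def get_account_hardened(headers: Dict[str, str], account_id: str,
                         now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Fixed handler: authenticate the token, then authorize the requested object."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    user_id = verify_token(auth[len("Bearer "):], now)
    if user_id is None:
        return 401, None
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user_id:
        return 404, None   # 404 rather than 403, so the reply does not confirm the account exists
    return 200, record


if __name__ == "__main__":
    hdr = {"Authorization": "Bearer " + issue_token("alice")}
    print("vulnerable, alice asks for bob's account:", get_account_vulnerable(hdr, "acct-200"))
    print("hardened,   alice asks for bob's account:", get_account_hardened(hdr, "acct-200"))
    print("hardened,   alice asks for her own:      ", get_account_hardened(hdr, "acct-100"))
```

The hardened handler does two separate things the flawed one skips: it proves who the caller is (signature and expiry) and then checks that the caller is allowed to see this particular record. Either check alone leaves the account-aggregation path open.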
Challenges in API security
According to Yannick Bedard, head of penetration testing at IBM Security X-Force Red, one of today's challenges in API security is security testing itself: an API's intended logic flows can be difficult to understand, and what is not clearly understood cannot be tested properly.
Bedard tells VentureBeat, “In a web application, these logical flows are intuitive through the use of the web UI, but in an API, it can be more difficult to detail these workflows […] This can lead to security testing missing vulnerabilities that may, in turn, be exploited by attackers.”
“It is common for services to inherently trust data coming from other APIs as clean, only for it to turn out to not be properly sanitized,” says Bedard. “Malicious data would eventually flow to backend APIs, sometimes behind many other services. These APIs would, in turn, be vulnerable and could provide the attacker an initial foothold into the organization.”
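An added example (not the article's or IBM's code) of the trust problem Bedard describes: a front-end API forwards a value it considers clean to an internal backend API that builds SQL by string formatting. The in-memory SQLite table, the tenant names and the frontend_lookup and backend_* functions are all constructed for this illustration.

```python
import re
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]
Backend = Callable[[sqlite3.Connection, str, str], List[Row]]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants' users in one in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (handle TEXT, email TEXT, org TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "acme"),
        ("bob",   "bob@example.com",   "acme"),
        ("carol", "carol@example.com", "globex"),
    ])
    return conn


def frontend_lookup(conn: sqlite3.Connection, handle: str, org: str, backend: Backend) -> List[Row]:
    """Edge API: 'cleans' the handle by trimming whitespace and forwards it to an
    internal backend. The damage happens downstream if the backend trusts this."""
    return backend(conn, handle.strip(), org)


def backend_vulnerable(conn: sqlite3.Connection, handle: str, org: str) -> List[Row]:
    """Internal API that assumes upstream already validated the handle and builds
    its query by string formatting: SQL injection one hop behind the edge."""
    sql = f"SELECT handle, email FROM users WHERE org = '{org}' AND handle = '{handle}'"
    return conn.execute(sql).fetchall()


HANDLE_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def backend_hardened(conn: sqlite3.Connection, handle: str, org: str) -> List[Row]:
    """Internal API that re-validates at its own boundary and binds parameters."""
    if not HANDLE_RE.fullmatch(handle):
        raise ValueError(f"rejected handle: {handle!r}")
    return conn.execute(
        "SELECT handle, email FROM users WHERE org = ? AND handle = ?", (org, handle)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"   # AND binds tighter than OR, so this escapes the tenant filter
    print("vulnerable:", frontend_lookup(conn, payload, "acme", backend_vulnerable))
    try:
        frontend_lookup(conn, payload, "acme", backend_hardened)
    except ValueError as e:
        print("hardened:", e)
    print("hardened, legitimate:", frontend_lookup(conn, "alice", "acme", backend_hardened))
```

With the vulnerable backend the payload returns every row, including the other tenant's user, even though the edge API was "in front" of it. The fix is not a cleverer edge filter but validating and parameterising at every service boundary.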
“The top challenge is discovery, as many security teams just aren’t sure how many APIs they have,” says Sandy Carielli, principal analyst at Forrester.
Carielli said that many teams unknowingly deploy rogue APIs, and that unmaintained APIs may remain publicly accessible, both of which create a number of security risks. “API specifications could be outdated, and you can’t protect what you don’t know you have,” she said. “Start by understanding what controls you already have in your environment to secure APIs, and then identify and address the gaps. Critically, make sure to address API discovery and inventory.”
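One concrete way to start on the discovery problem Carielli raises is to reconcile what the API specification says exists with what the access logs show being served. The script below is an added example (not Forrester's or any vendor's tooling): the documented path templates, the log excerpt and the id-matching rules are all constructed here, and a real run would read the OpenAPI document and gateway logs instead.

```python
import re
from collections import Counter
from typing import Dict, Set

# Constructed stand-in for an OpenAPI spec: the path templates the team thinks it runs.
DOCUMENTED: Set[str] = {
    "/v2/users/{id}",
    "/v2/users/{id}/followers",
    "/v2/search",
    "/v2/admin/export",        # documented, but no traffic below: a zombie candidate
}

# Constructed access-log excerpt (combined log format). Note the old /v1 lookup
# endpoint and the debug route that nobody documented.
ACCESS_LOG = """\
10.0.0.5 - - [02/Jan/2023:10:00:01 +0000] "GET /v2/users/12345 HTTP/1.1" 200 512
10.0.0.5 - - [02/Jan/2023:10:00:02 +0000] "GET /v2/users/12345/followers HTTP/1.1" 200 2048
10.0.0.9 - - [02/Jan/2023:10:00:03 +0000] "GET /v1/users/lookup?email=a%40example.com HTTP/1.1" 200 300
10.0.0.9 - - [02/Jan/2023:10:00:04 +0000] "GET /v1/users/lookup?email=b%40example.com HTTP/1.1" 200 300
10.0.0.7 - - [02/Jan/2023:10:00:05 +0000] "POST /internal/debug/dump HTTP/1.1" 200 90000
10.0.0.5 - - [02/Jan/2023:10:00:06 +0000] "GET /v2/search?q=acme HTTP/1.1" 200 1000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)')
# Segments that look like identifiers: decimal ids, long hex strings, UUIDs.
ID_SEGMENT = re.compile(r"(?:\d+|[0-9a-f]{8,}|[0-9a-fA-F]{8}-[0-9a-fA-F-]{27})")


def normalize(path: str) -> str:
    """Collapse id-like segments so /v2/users/12345 compares equal to /v2/users/{id}."""
    segments = [s for s in path.split("/") if s]
    return "/" + "/".join("{id}" if ID_SEGMENT.fullmatch(s) else s for s in segments)


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per normalized path template seen in the access log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            counts[normalize(m.group("path"))] += 1
    return counts


def reconcile(documented: Set[str], log_text: str) -> Dict[str, object]:
    """Compare the spec with reality: shadow = served but undocumented,
    zombie = documented but never called in this log window."""
    seen = observed_endpoints(log_text)
    return {
        "shadow": {p for p in seen if p not in documented},
        "zombie": {p for p in documented if p not in seen},
        "hits": dict(seen),
    }


if __name__ == "__main__":
    report = reconcile(DOCUMENTED, ACCESS_LOG)
    for kind in ("shadow", "zombie"):
        print(f"{kind} APIs:", sorted(report[kind]))
```

On the constructed log this flags the /v1 lookup endpoint and the internal debug route as shadow APIs and the documented export route as a zombie. Shadow findings go to the owners for documentation or removal; zombies are decommission candidates, though a longer log window is needed before concluding an endpoint is truly unused.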
Best practices to enhance API security
Here are a few approaches that can be used to secure your systems against API attackers:
• API gateway: An API gateway is the cornerstone of an API security framework, since it makes APIs easy to create, administer, monitor and secure. Beyond protecting against a variety of threats, a gateway can provide API monitoring, logging and rate limiting, automatically validate security tokens, and restrict traffic based on IP addresses and other request data.
• Web application firewalls (WAF): A WAF sits between incoming traffic and the API gateway or application. It adds a security layer against threat actors such as bots by providing malicious-bot detection, attack-signature matching and additional IP intelligence; a WAF can therefore stop malicious traffic from reaching your gateway in the first place.
• Security applications: Standalone security applications with features such as real-time protection, static code and vulnerability scanning, build-time checks and security fuzzing can also be incorporated into the security architecture.
• Security in code: Security in code is protection built into the API or application itself. However, it is difficult to apply uniformly, across an entire API portfolio, the resources needed to verify that every security measure is implemented correctly in each API's code.
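The gateway controls listed above (rate limiting, IP restriction, logging) and the real-time traffic monitoring mentioned earlier can be shown in a few dozen lines. The following is an added example, not code from the article or any gateway product: a toy gateway with a sliding-window rate limiter, an IP blocklist, and a simple detector for one client walking many distinct user records, which is the access pattern behind bulk PII scraping. The class names, thresholds and sample client addresses are all constructed for this illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window`-second span."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Gateway:
    """Toy API gateway: IP blocklist, per-client rate limit, enumeration
    detection on /v2/users/<id>, and a decision log for real-time monitoring."""

    def __init__(self, limit: int = 100, window: float = 60.0,
                 blocked_ips: Iterable[str] = (), enum_threshold: int = 10) -> None:
        self.limiter = SlidingWindowLimiter(limit, window)
        self.blocked: Set[str] = set(blocked_ips)
        self.enum_threshold = enum_threshold
        self._ids_seen: Dict[str, Set[str]] = defaultdict(set)   # distinct user ids per client
        self.log: List[Tuple[float, str, str, str]] = []

    def handle(self, client_ip: str, path: str, now: float) -> str:
        decision = self._decide(client_ip, path, now)
        self.log.append((now, client_ip, path, decision))        # what the SOC feed consumes
        return decision

    def _decide(self, ip: str, path: str, now: float) -> str:
        if ip in self.blocked:
            return "403 blocked-ip"
        if not self.limiter.allow(ip, now):
            return "429 rate-limited"
        parts = [p for p in path.split("/") if p]
        # One client touching many distinct user records looks like scraping, even
        # when each individual request stays inside the rate limit.
        if len(parts) >= 3 and parts[:2] == ["v2", "users"]:
            seen = self._ids_seen[ip]
            seen.add(parts[2])
            if len(seen) > self.enum_threshold:
                return "403 enumeration"
        return "200 forwarded"


if __name__ == "__main__":
    gw = Gateway(limit=3, window=60.0, blocked_ips={"203.0.113.7"})
    for t in range(5):
        print(t, gw.handle("10.0.0.5", "/v2/search", float(t)))
    scraper = Gateway()
    for i in range(1, 13):
        print(i, scraper.handle("10.0.0.9", f"/v2/users/{i}", float(i)))
```

The enumeration check is deliberately separate from the rate limiter: a scraper that stays under the per-minute limit still reveals itself by how many different records it touches. In production the per-client state would live in a shared store rather than in-process memory, and the decision log would be shipped to the monitoring pipeline rather than kept in a list.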
According to industry experts, the growth of integrated web and mobile offerings that require data exchange between the products of multiple organizations, together with the reliance of mobile apps on APIs, has made API security a huge challenge for CIOs today.
A 2022 survey by 451 Research found that 41% of organizations surveyed had an API security incident in the last 12 months; 63% of respondents said the incident involved a data breach or loss.
Against this backdrop, cybersecurity startup Wib is zeroing in on API security. Wib has announced a $16 million investment led by Koch Disruptive Technologies (KDT), the growth and venture arm of Koch Industries, Inc., with participation from Kmehin Ventures, Venture Israel, Techstars and existing investors.
Blocking API attacks in the network:
According to a report by GigaOm Research, API security products were developed before API use expanded to the extent seen today and “were based upon the idea that it is asking for failure to insist developers secure the code they write.” The report adds that “most developers do not knowingly create insecure code”; if they inadvertently write vulnerable code, it is most likely because they are unaware of the vulnerabilities an API can suffer from.
“Once API security was in use, though,” the report said, “IT quickly discovered a new reason to use a security product: Some vulnerabilities are far easier blocked in the network than in each and every application.”
The report concluded that the idea that some attacks are more effectively blocked in the network, whether in data centers, at cloud vendors or at SaaS providers, before they ever reach the API, has spurred demand for products that can do this.
Wib says its API security platform aims to provide visibility across the entire API landscape, from code to production, giving software developers, cyber defenders and CIOs a single holistic view of their complete API estate.
The platform applies real-time inspection, management and control at every stage of the API lifecycle to automate inventory and API change management, according to the company. Wib was built to identify rogue, zombie and shadow APIs and to analyze business risk and impact, helping organizations reduce and harden their API attack surface.
According to Gil Don, CEO and co-founder of Wib, APIs have moved into the spotlight in recent years. “Organizations are using them as the basis of a new generation of complex applications, underpinning their move to competitive and agile digital business models,” says Don.
A Whole New Category of Cyber Threat
Don explains that APIs account for 91% of all web traffic and fit the trend toward microservices architectures and the need to respond dynamically to rapidly changing market conditions. But APIs have given rise “to a whole new category of cybersecurity threats that explicitly targets them as a primary attack vector. Web API traffic and attacks are growing in volume and severity.”
Over half of APIs are invisible to business IT and security teams. “These unknown, unmanaged, and unsecured APIs are creating massive blind spots for CIOs that expose critical business logic vulnerabilities and increase risk,’’ Don continues.
The GigaOm report also called out Wib for its API source-code scanning and analysis “with an eye toward API weaknesses.” Wib’s platform “provides automatic API documentation to create up-to-date documentation, as well as snapshots of changes to APIs and their risks every time they see a commit to code,” the report reads.
Wib says the investment will be used to improve its API security platform and accelerate international growth as its operations expand across the Americas, the UK and EMEA.