Securing a business is a challenging task. Data breaches affecting millions of people can be the consequence of seemingly small mistakes in how systems are built and how vulnerabilities are handled. One area where mistakes frequently occur is application programming interfaces (APIs).
T-Mobile recently disclosed that a malicious actor had accessed an unsecured API and stolen personal information for 37 million postpaid and prepaid customer accounts; the access took place between November 25, 2022 and January 5, 2023. The company did not disclose how the flaw in the API was exploited.
This incident shows why CISOs and businesses should make API security a top priority if they want to keep sensitive consumer information out of the wrong hands.
What we’re seeing is a rise in API usage, which
A tidal wave of API exploitation has been building for some time, and analysts have been warning businesses of its impending arrival as cloud use has skyrocketed over the past few years. Gartner forecast in 2021 that API misuse would become the most common threat vector in 2023.
Research shows that 53% of security and technical experts have suffered a data breach of a network or app due to compromised API tokens, suggesting that these forecasts are valid.
On top of that, a month ago hackers exposed the accounts and email addresses of 235 million Twitter users by exploiting an API flaw that had been present since June 2021 and has since been patched.
APIs are increasingly becoming a target for cybercriminals, and as a result, companies can no longer rely on antiquated cybersecurity measures to safeguard this expansive target. Transitioning to more modern solutions is easier said than done, though.
“Unauthorized API access may be exceedingly difficult for firms to monitor and analyse, especially for corporate enterprises owing to the sheer amount of them,” said Chris Doman, CTO and cofounder of Cado Security.
Doman argued that the need for API security has grown as more businesses move their data to the cloud and operate distributed systems.
Doman points out that businesses that want to avoid hacks like the one T-Mobile suffered require “adequate insight” into API access and activity beyond what standard logging systems provide.
This insight is crucial: a flaw in the AWS APIs allowed attackers to circumvent CloudTrail tracking, so logging alone cannot be relied on.
What kind of damage did the T-Mobile API hack cause?
Despite T-Mobile’s assurances that the stolen data did not include credit card details, passwords, or copies of customers’ driver’s licences, government IDs, or social security numbers, the trove of data nevertheless gives abundant fodder for social engineering assaults.
“Despite T-Mobile’s public disclosure of the severity of the incident and its response, which included cutting off threat-actor access via the API exploit, the breach still compromised billing addresses, emails, phone numbers, birth dates, and more,” said Cliff Steinhauer, director of information security and engagement at NCA.
The information is “minimal,” but it is “just enough to plot out and execute a convincing enough social engineering campaign that can increase bad actors’ capability for subsequent assaults,” Steinhauer added.
Phishing, business email compromise (BEC), identity theft, and ransomware are all examples of such assaults.
Why do APIs get hacked into?
Since APIs enable communication between apps and services, they are a natural target for threat actors. Each API defines a protocol for exchanging information with other platforms. By compromising one of these services, or by interposing in the exchange in a man-in-the-middle attack, an attacker can reach the underlying data.
This is not because APIs themselves are inherently insecure, but because many security teams lack the procedures to properly discover and categorise APIs at scale, let alone fix any security flaws that may exist.
APIs are created so that programmes and information may be accessed quickly and easily. According to Mark O’Neill, VP analyst at Gartner, “this is a bonanza for attackers, but a huge gain for developers.” To begin with, you need to find and classify your APIs before you can begin to secure them; you cannot protect what you do not know you have.
While it’s important to keep track of APIs, that’s only the beginning; security teams also need a plan to keep them safe.
Beyond inventory, protecting APIs requires API gateways, web application and API protection (WAAP), and testing. A major issue with API security is that responsibility is divided between engineering teams that lack security expertise and security teams that lack API expertise.
As a result, businesses need to adopt a DevSecOps strategy to better evaluate the security of apps now in use (or being developed) in the environment and to formulate a plan to protect them.
Understanding how to locate and repair API flaws
Implementing penetration testing is a first step for businesses in identifying API security flaws. By doing either an internal or externally conducted penetration test, security teams may get insight into an API’s susceptibility to exploitation and provide concrete recommendations for enhancing their cloud’s security.
According to David Emm, principal security researcher at Kaspersky, “it is vital that companies use updated code and check the security of their systems, e.g., by arranging penetration testing — a security assessment that simulates various types of intruders… the goal of which is to elevate the current privileges and access the environment.”
In addition, businesses should allocate resources to incident response in case an API is exploited, allowing for faster recovery and less damage.
“Event response services may assist in limiting the effects when a firm is faced with an incident, in particular by detecting affected nodes and safeguarding the infrastructure against similar assaults in the future,” added Emm.
Zero-Trust and Its Importance
An attacker might make a malicious API request to an unprotected public API in an attempt to get access to the entity and steal all of its data. Just like you wouldn’t want to blindly trust a user with your personal information, you shouldn’t provide an API unfettered access to your data.
That’s why it’s so important to use a zero-trust approach and set up an authentication and permission process for each API to make sure only authorised users may access the data.
Anshu Sharma, co-founder and CEO of Skyflow, noted that such breaches are difficult to prevent when sensitive data (such as client phone numbers, billing and email addresses, etc.) is spread out across databases, mingled with other data, and access to that data is not effectively regulated.
Companies with the most sensitive data and the finest management understand that they need to implement new zero-trust architectures. As time goes by, criminals grow more sophisticated. Sharma argues that modern privacy measures are now required.
To guarantee that users only have access to the data they need to do their jobs, it is best to employ a combination of authentication techniques such as username and password or API keys with an access control framework such as OAuth2.
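As an added illustration of the per-API authentication and authorization the article calls for (example code written for this page, not T-Mobile’s or Skyflow’s), the handler below denies by default, checks both the token’s scopes and whether the caller owns the requested record, and logs every decision so that denied attempts are visible and not just successful calls. The signing key, the `customer:read` and `admin` scope names and the customer table are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: in production the key comes from a secret store and
# customer records from the real data store.
SIGNING_KEY = b"constructed-demo-signing-key"
CUSTOMERS = {"1001": {"phone": "555-0100", "billing": "1 Demo St", "email": "a@example.test"}}
AUDIT_LOG = []  # one record per access decision, so denials are auditable too

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject, scopes, ttl=300, now=None):
    """Issue an HMAC-signed bearer token that names its holder, scopes and expiry."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "scopes": sorted(scopes), "exp": now + ttl}).encode()
    return _b64(body) + "." + _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())

def verify_token(token, now=None):
    """Return the claims if signature and expiry hold; None for anything else."""
    now = time.time() if now is None else now
    try:
        body_part, sig_part = token.split(".")
        body, sig = _unb64(body_part), _unb64(sig_part)
    except (ValueError, TypeError, AttributeError):
        return None
    if not hmac.compare_digest(sig, hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()):
        return None  # tampered or foreign token
    claims = json.loads(body)
    return claims if claims.get("exp", 0) > now else None

def get_customer(token, customer_id, now=None):
    """Handler for GET /customers/{id}: authenticate, then authorize scope AND object."""
    claims = verify_token(token, now) if token else None
    if claims is None:  # no or bad credential: anonymous callers get nothing
        outcome, body = 401, {"error": "unauthenticated"}
    elif "customer:read" not in claims["scopes"]:
        outcome, body = 403, {"error": "missing scope customer:read"}
    elif claims["sub"] != customer_id and "admin" not in claims["scopes"]:
        outcome, body = 403, {"error": "not your record"}  # stops walking other IDs
    elif customer_id not in CUSTOMERS:
        outcome, body = 404, {"error": "no such customer"}
    else:
        outcome, body = 200, CUSTOMERS[customer_id]
    AUDIT_LOG.append({"sub": claims["sub"] if claims else None, "id": customer_id, "status": outcome})
    return outcome, body
```

The object-level check is the one most often missing from real APIs: a valid token with a read scope is still refused another customer’s record unless it carries the admin scope.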