{"id":599721,"date":"2023-01-21T06:49:41","date_gmt":"2023-01-21T12:49:41","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/21\/t-mobile-data-breach-shows-api-security-cant-be-ignored\/"},"modified":"2023-01-21T06:49:41","modified_gmt":"2023-01-21T12:49:41","slug":"t-mobile-data-breach-shows-api-security-cant-be-ignored","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/21\/t-mobile-data-breach-shows-api-security-cant-be-ignored\/","title":{"rendered":"T-Mobile data breach shows API security can\u2019t be ignored"},"content":{"rendered":"<p>Enterprise security isn\u2019t easy. Small oversights around systems and vulnerabilities can result in data breaches that impact millions of users. Unfortunately, one of the most common oversights is in the realm of <a href=\"https:\/\/venturebeat.com\/2022\/06\/11\/apis-create-digital-empathy\/\">APIs<\/a>.\u00a0<\/p>\n<p>Just yesterday, <a href=\"https:\/\/www.t-mobile.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">T-Mobile<\/a> revealed that a threat actor stole the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">personal information<\/a> of 37 million postpaid and prepaid customer accounts via an exposed API (which they exploited between November 25, 2022 and January 5, 2023). 
The vendor didn\u2019t share how the hackers exploited the API.\u00a0<\/p>\n<p>This incident highlights that API security should be at the top of the agenda for CISOs and organizations if they want to safeguard customer data from falling into the wrong hands.\u00a0<\/p>\n<p>With <a href=\"https:\/\/venturebeat.com\/data-infrastructure\/report-cloud-adoption-success-depends-on-its-relationship-with-business\/\">cloud adoption<\/a> increasing dramatically over the past few years, analysts have long warned enterprises that a tidal wave of API exploitation has been brewing. Back in 2021, <a href=\"https:\/\/www.gartner.com\/en\/documents\/4009103\" target=\"_blank\" rel=\"noreferrer noopener\">Gartner<\/a> predicted that in 2023, API abuse would move from infrequent to the most frequent attack vector.\u00a0<\/p>\n<div>\n
<p>These predictions appear to be accurate, with <a href=\"https:\/\/venturebeat.com\/security\/data-breaches-api\/\">research<\/a> showing that 53% of security and engineering professionals reported their organizations experienced a <a href=\"https:\/\/venturebeat.com\/security\/gemini-uber-data-breaches\/\">data breach<\/a> of a network or app due to compromised API tokens.\u00a0<\/p>\n<p>In addition, just a month ago, hackers <a href=\"https:\/\/venturebeat.com\/security\/twitter-social-engineering\/\">exposed<\/a> the account and email addresses of 235 million <a href=\"https:\/\/twitter.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Twitter<\/a> users after exploiting an API vulnerability originally shipped in June 2021, which was later patched.\u00a0<\/p>\n<p>As threat actors look to exploit APIs more often, organizations can\u2019t afford to rely on legacy <a href=\"https:\/\/venturebeat.com\/security\/what-is-cybersecurity-definition-importance-threats-and-best-practices\/\">cybersecurity<\/a> solutions to protect this vast attack surface. 
Unfortunately, upgrading to up-to-date solutions is easier said than done.\u00a0<\/p>\n<p>\u201cUnauthorized API access can be extremely difficult for organizations to monitor and investigate \u2014 especially for enterprise companies \u2014 due to the sheer volume of them,\u201d said Chris Doman, CTO and cofounder of <a href=\"https:\/\/www.cadosecurity.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cado Security<\/a>.\u00a0<\/p>\n<p>\u201cAs more organizations are moving data to the cloud, API security becomes even more pertinent with distributed systems,\u201d Doman said.\u00a0<\/p>\n<p>Doman notes that organizations looking to insulate themselves from incidents like T-Mobile experienced need to have \u201cproper visibility\u201d into API access and activity beyond traditional logging.\u00a0<\/p>\n<p>This is important because logging can be sidestepped \u2014 as was the case with a <a href=\"https:\/\/securitylabs.datadoghq.com\/articles\/iamadmin-cloudtrail-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerability<\/a> in AWS\u2019 APIs that allowed attackers to bypass CloudTrail logging.\u00a0<\/p>\n<h2 id=\"h-how-bad-is-the-t-mobile-api-data-breach\">How bad is the T-Mobile API data breach?\u00a0<\/h2>\n<p>While T-Mobile has claimed that the attackers weren\u2019t able to access users\u2019 payment card information, passwords, driver\u2019s licenses, government IDs or social security numbers, the information that was harvested provides ample material to conduct social engineering attacks.\u00a0<\/p>\n<p>\u201cAlthough T-Mobile has publicly disclosed the severity of the incident, alongside its response \u2014 cutting off threat-actor access via the API exploit \u2014 the breach still compromised billing addresses, emails, phone numbers, birth dates and more,\u201d said Cliff Steinhauer, director of information security and engagement at <a href=\"https:\/\/staysafeonline.org\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">NCA<\/a>.\u00a0<\/p>\n<p>\u201cIt\u2019s basic information, but just enough to map out and execute a convincing enough social engineering campaign that can strengthen bad actors\u2019 capacity for new attacks,\u201d Steinhauer said.\u00a0<\/p>\n<p>These attacks include <a href=\"https:\/\/venturebeat.com\/security\/report-phishing-attacks-jump-61-in-2022-with-255m-attacks-detected\/\">phishing attacks<\/a>, <a href=\"https:\/\/venturebeat.com\/datadecisionmakers\/what-you-need-to-know-about-online-identity-theft\/\">identity theft<\/a>, <a href=\"https:\/\/venturebeat.com\/security\/fbi-business-email-compromise\/\">business email compromise<\/a> (BEC) and <a href=\"https:\/\/venturebeat.com\/security\/report-90-of-companies-affected-by-ransomware-in-2022\/\">ransomware<\/a>.<\/p>\n<h2 id=\"h-why-do-api-breaches-happen\">Why do API breaches happen?<\/h2>\n<p>APIs are a prime target for threat actors because they facilitate communication between different apps and services. Each API sets out a mechanism for sharing data with third-party services. If an attacker discovers a vulnerability in one of these services, they can gain access to the underlying data as part of a man-in-the-middle attack.\u00a0<\/p>\n<p>There is an increase in API-based attacks \u2014 not because these elements are necessarily insecure, but because many security teams don\u2019t have the processes in place to identify and classify APIs at scale, let alone remediate vulnerabilities.<\/p>\n<p>\u201cAPIs are designed to provide ready access to applications and data. This is a great benefit to developers, but also a boon for attackers,\u201d said Mark O\u2019Neill, VP analyst at Gartner. \u201cProtecting APIs starts with discovering and categorizing your APIs. 
You can\u2019t secure what you don\u2019t know.\u201d \u00a0<\/p>\n<p>Of course, inventorying APIs is just the tip of the iceberg; security teams also need a strategy to secure them.\u00a0<\/p>\n<p>\u201cThen it involves the use of API gateways, web application and API protection (WAAP), and application security testing. A key problem is that API security falls into two groups: engineering teams, who lack security skills, and security teams, who lack API skills.\u201d\u00a0<\/p>\n<p>Thus, organizations need to implement a DevSecOps-style approach to better assess the security of applications in use (or in development) within the environment, and develop a strategy to secure them.\u00a0<\/p>\n<h2 id=\"h-identifying-and-mitigating-api-vulnerabilities\">Identifying and mitigating API vulnerabilities\u00a0<\/h2>\n<p>One way organizations can start to identify vulnerabilities in APIs is to implement penetration testing. Conducting an internal or third party-led penetration test can help security teams see how vulnerable to exploitation an API is, and provide actionable steps on how they can improve their cloud security posture over time.<\/p>\n<p>\u201cFor all types of software, it\u2019s vital that companies use updated code and check the security of their systems, e.g., by arranging penetration testing \u2014 a security assessment that simulates various types of intruders \u2026 the goal of which is to elevate the current privileges and access the environment,\u201d said David Emm, principal security researcher at <a href=\"https:\/\/usa.kaspersky.com\/\">Kaspersky<\/a>.<\/p>\n<p>In addition, it\u2019s a good idea for organizations to invest in incident response, so if an API is exploited, they can respond quickly to limit the impact of the breach.<\/p>\n<p>\u201cTo be on the safe side when a company is faced with an incident, incident response services can help minimize the consequences, in particular by identifying compromised nodes and protecting the infrastructure 
from similar attacks in the future,\u201d Emm said.<\/p>\n<h2 id=\"h-the-role-of-zero-trust\">The role of zero trust\u00a0<\/h2>\n<p>Unauthenticated, public-facing APIs are susceptible to malicious API calls, where an attacker will attempt to connect to the entity and exfiltrate all the data it has access to. In the same way that you wouldn\u2019t implicitly trust a user to access PII, you shouldn\u2019t automatically trust an API either.\u00a0<\/p>\n<p>That\u2019s why it\u2019s essential to implement a <a href=\"https:\/\/venturebeat.com\/security\/zero-trust-is-critical-as-more-enterprises-sacrifice-security-for-speed\/\">zero trust<\/a> strategy, and deploy an authentication and authorization mechanism for each individual API to prevent unauthorized individuals from accessing your data.\u00a0<\/p>\n<p>\u201cWhen you have sensitive data (in this case customer phone numbers, billing and email addresses, etc.) sprawled across databases, mixed with other data, and access to that data not properly managed, these types of breaches are hard to avoid,\u201d said Anshu Sharma, co-founder and CEO of <a href=\"https:\/\/www.skyflow.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Skyflow<\/a>.\u00a0<\/p>\n<p>\u201cThe best-run companies with the most sensitive data know that they must adopt new zero-trust architectures. Bad actors are getting smarter. Adopting new privacy technology isn\u2019t an option anymore, it\u2019s table stakes,\u201d Sharma said.<\/p>\n<p>Combining an authorization framework such as OAuth2 with authentication measures such as usernames, passwords and API keys can help enforce the principle of least privilege and ensure that users have access only to the information they need to perform their role.<\/p>\n
<\/div>\n<p><a href=\"https:\/\/venturebeat.com\/security\/t-mobile-data-breach-shows-api-security-cant-be-ignored\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Tim Keary<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enterprise security isn\u2019t easy. Small oversights around systems and vulnerabilities can result in data breaches that impact millions of users. Unfortunately, one of the most common oversights is in the realm of APIs.\u00a0Just yesterday, T-Mobile revealed that a threat actor stole the personal information of 37 million postpaid and prepaid customer accounts via an exposed<\/p>\n","protected":false},"author":1,"featured_media":599722,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[252,22286,46],"tags":[],"class_list":{"0":"post-599721","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-breach","8":"category-t-mobile","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/599721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=599721"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/599721\/revisio
ns"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/599722"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=599721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=599721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=599721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}