Cyberattacks exploiting APIs are becoming more common. Within the last few months, high-profile breaches caused by API vulnerabilities at Twitter and T-Mobile have highlighted the damage they can cause. Q&A with Stefan van der Wal, Consulting Solutions Engineer, Application Security at Barracuda
An API (Application Programming Interface) is an intermediary function that makes it possible for two applications to talk to each other. API-based applications allow for faster and easier software deployments, making them a valuable tool for businesses accelerating their digital transformation programmes. However, APIs present different security challenges from traditional web applications: their development is more dynamic, and their ability to access data from backend servers makes them a prime target for cybercriminals.
We asked Stefan van der Wal, Consulting Solutions Engineer, Application Security at Barracuda, why API attacks are increasing and what organisations should be doing to mitigate the risk.
Why do cybercriminals view APIs as such an advantageous gateway to attack?
APIs can be likened to a high-speed motorway. The road system gets commuters and goods from A to B quickly and conveniently, but it could just as easily serve as a getaway route for criminals. APIs are designed for speed and accessibility, making it easy to connect different systems and transfer large volumes of data quickly.
These same features make APIs ideal tools for threat actors intent on maximum gain for minimum effort. Exploiting an API that facilitates data exchange with a mobile banking app could grant attackers an easy route to financial information, for example.
Additionally, APIs tend to lag behind traditional web applications regarding security. This is partly due to the speed at which new APIs can be deployed and the sheer volume most businesses have in use. Over-provisioned and under-secured APIs give threat actors a painless ingress point into the network.
Why has the use of APIs as a gateway to attack grown substantially?
The simplest answer is that there are more APIs out there to exploit. Standardised APIs are valuable tools for critical activities, which means they are being deployed in greater numbers by enterprises pursuing digitalisation.
Public-facing APIs are the greatest issue; any developer can use these to connect their application to other systems. This means they’re widely available for threat actors to investigate and probe for weaknesses.
The more systems an organisation tries to connect through APIs, the greater the danger. Industries like healthcare and retail are particularly vulnerable as they usually incorporate many different technologies into their operations. But since greater efficiency and automation is an imperative across business sectors, no industry is free from risk.
Added to this, the cybercriminal community has grown more organised in recent years. Word of new vulnerabilities circulates quickly in dark web forums, and specialist criminals use underground marketplaces to sell exploit opportunities.
What are the biggest factors at play that cause these API-related breaches?
Mostly the speed at which they are deployed and changed. The most straightforward of APIs can be deployed in a matter of minutes. This means it’s easy for development teams to roll them out without necessarily going through all the right checks and processes with the security team.
Visibility is also a challenge. With more APIs in use, it becomes more likely that a business will lose track of where they are located. In research conducted by Barracuda, 44% of respondents stated they did not know where all APIs are deployed in their organisation. APIs that are no longer being updated or monitored are a particularly useful entry point for criminals.
Another factor at play is that useful features of APIs can be exploited in unexpected ways. For example, in the most recent data breach reported by Twitter, attackers appear to have exploited two vulnerable APIs to access the private details of an estimated 200 million accounts. The first step appears to have been a vulnerability in an API that allows users to confirm if email addresses and phone numbers are connected to existing Twitter IDs. The threat actors then seem to have used this, in conjunction with another API, to scrape public data, enabling them to access email addresses and phone numbers that should have been kept private.
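The flaw class described in the Twitter incident above is an account-existence oracle: an endpoint whose response tells the caller whether a given email or phone number is tied to an account. The following is an added example, not code from the interview or from Twitter, showing a toy version of such a handler next to a hardened one. The user store, the `ContactLookupService` class, the rate limit of five requests per minute and the audit-record format are all constructed assumptions for illustration.

```python
"""Account-existence oracle beside a hardened contact-lookup handler.

Added example; handler names, user store and limits are constructed.
"""
import hashlib
import time
from collections import defaultdict

# Constructed sample user store: contact -> account id.
USERS = {
    "alice@example.com": "u1001",
    "+15550100": "u1002",
}


def lookup_vulnerable(contact: str) -> dict:
    """Oracle: the response differs depending on whether the contact exists,
    so an unauthenticated caller can map any contact to an account id."""
    user_id = USERS.get(contact)
    if user_id is None:
        return {"found": False}
    return {"found": True, "user_id": user_id}


class ContactLookupService:
    """Hardened handler: identical response for known and unknown contacts,
    a per-caller rate limit, and an audit record the SOC can alert on."""

    def __init__(self, limit: int = 5, window_s: int = 60, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock                # injectable for deterministic tests
        self._hits = defaultdict(list)    # caller -> request timestamps
        self.audit = []                   # (ts, caller, contact_hash, outcome)

    def _rate_limited(self, caller: str) -> bool:
        now = self.clock()
        recent = [t for t in self._hits[caller] if now - t < self.window_s]
        recent.append(now)
        self._hits[caller] = recent
        return len(recent) > self.limit

    def lookup(self, caller: str, contact: str) -> dict:
        # Never log the raw contact; a truncated hash is enough to correlate.
        contact_hash = hashlib.sha256(contact.encode()).hexdigest()[:16]
        if self._rate_limited(caller):
            self.audit.append((self.clock(), caller, contact_hash, "throttled"))
            return {"status": 429, "body": {"message": "Too many requests"}}
        exists = contact in USERS
        self.audit.append((self.clock(), caller, contact_hash, "hit" if exists else "miss"))
        # Same status and body either way: any confirmation goes out-of-band
        # to the contact itself (email/SMS), never back to the caller.
        return {"status": 202,
                "body": {"message": "If this contact is registered, a notification has been sent."}}


def callers_probing(audit, min_requests: int = 3) -> list:
    """Detection view over the audit records: callers whose lookups are mostly
    misses or throttled look like enumeration rather than account recovery."""
    counts = defaultdict(lambda: {"total": 0, "miss": 0})
    for _, caller, _, outcome in audit:
        counts[caller]["total"] += 1
        if outcome in ("miss", "throttled"):
            counts[caller]["miss"] += 1
    return sorted(c for c, n in counts.items()
                  if n["total"] >= min_requests and n["miss"] / n["total"] >= 0.5)
```

The hardened handler closes the oracle by making the response independent of the lookup result and pushing the real answer out-of-band, while the audit trail and `callers_probing` give the security team a signal that a caller is sweeping contacts even when every individual request is throttled or answered uniformly.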
T-Mobile was recently involved in an API breach. Could you talk more about how cybercriminals are able to cause damage on such a large scale?
The T-Mobile case is notable for the volume of data that was stolen. It’s estimated that criminals accessed the personal details of roughly 37 million customer accounts. However, an incident like this could happen to any organisation. Since public-facing APIs are so prevalent, it’s only a matter of time before someone with a hacker mindset finds one and discovers a way to use it for malicious purposes.
My advice for companies is to make sure they have a full inventory of their APIs. Firms must have a clear picture of what tools are in place, so they can fully evaluate any risks. This needs to be a continuous process, so that organisations can identify any vulnerabilities or where data is being shared, possibly without the correct controls.
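The visibility problem raised earlier (APIs that are no longer updated or monitored) and the advice above to keep a continuous API inventory both come down to reconciling what the organisation believes it has deployed against what is actually receiving traffic. This added example, which is not from the interview or from Barracuda, does that reconciliation over a constructed inventory and a constructed gateway access log; the inventory fields (`owner`, `status`, `last_reviewed`), the log format and the one-year review threshold are all assumptions.

```python
"""Reconcile a declared API inventory against observed gateway traffic.

Added example; inventory records, log lines and field names are constructed.
Surfaces three findings a continuous inventory process should raise:
  shadow  - routes seen in traffic that nobody has recorded
  zombie  - routes recorded as deprecated that still receive traffic
  stale   - inventoried routes whose last security review is too old
"""
import re
from datetime import date

# Constructed inventory: normalised route -> metadata the owning team maintains.
INVENTORY = {
    "/v2/orders":   {"owner": "commerce", "status": "active",     "last_reviewed": "2023-01-10"},
    "/v1/orders":   {"owner": "commerce", "status": "deprecated", "last_reviewed": "2021-06-01"},
    "/v2/accounts": {"owner": "identity", "status": "active",     "last_reviewed": "2022-11-30"},
}

# Constructed gateway access log: timestamp client method path status.
ACCESS_LOG = """\
2023-02-01T10:00:01Z 203.0.113.5 GET /v2/orders/123 200
2023-02-01T10:00:02Z 203.0.113.5 GET /v1/orders/123 200
2023-02-01T10:00:03Z 198.51.100.7 GET /internal/export/customers 200
2023-02-01T10:00:04Z 198.51.100.7 GET /internal/export/customers?page=2 200
2023-02-01T10:00:05Z 203.0.113.9 POST /v2/accounts/lookup 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def route_key(path: str) -> str:
    """Normalise '/v2/orders/123?x=1' to '/v2/orders' (first two segments)."""
    path = path.split("?", 1)[0]
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:2])


def observed_routes(log_text: str) -> dict:
    """Count requests per normalised route, skipping lines that do not parse."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = route_key(m.group(4))
        counts[key] = counts.get(key, 0) + 1
    return counts


def reconcile(inventory: dict, log_text: str, today: date, stale_days: int = 365) -> dict:
    """Compare inventory with traffic and return the three finding lists."""
    seen = observed_routes(log_text)
    shadow = sorted(r for r in seen if r not in inventory)
    zombie = sorted(r for r, meta in inventory.items()
                    if meta["status"] == "deprecated" and r in seen)
    stale = sorted(r for r, meta in inventory.items()
                   if (today - date.fromisoformat(meta["last_reviewed"])).days > stale_days)
    return {"shadow": shadow, "zombie": zombie, "stale_review": stale, "traffic": seen}


if __name__ == "__main__":
    for finding, routes in reconcile(INVENTORY, ACCESS_LOG, date(2023, 2, 1)).items():
        print(f"{finding}: {routes}")
```

Run against real gateway logs on a schedule, the shadow list is the set of endpoints the security team has never had a chance to review, and the zombie list is exactly the "no longer updated or monitored" entry point the interview warns about; both are only visible when the comparison is repeated continuously rather than done once.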
Are organisations aware of the scale of this problem? If not, what is the best way to ensure this awareness throughout the business?
Although awareness is starting to grow, it is a slow process as many stakeholders still aren’t informed of the risks. I believe the security industry has an obligation to work as trusted advisors, and to point out potential risks. In fact, the security challenges around APIs are no different than the challenges facing other software features.
Business leaders need to encourage developer and security teams to talk to each other about APIs. The two departments can be heavily siloed, with the security team having little idea what the developers are working on. Ideally, they need to be working together closely, with the developers focused on building new things, and the security team looking at potential risks and issues.
This would enable security to be baked into the API process to ensure issues are identified and managed before an API goes live or updates are pushed. With proper security processes in place, organisations can enjoy all the benefits of quickly deploying APIs without unnecessarily increasing their risk exposure.