4 tips to keep your APIs safe

Security analysts say that multifactor authentication is an absolute must for any company with multiple interfaces.


Behind many of the biggest breaches nowadays are the APIs that support almost all of your favorite apps and platforms.

APIs have made our lives easier by offering companies an easy way to share information and data. Ride-hailing apps such as Uber and Lyft are the best examples.

Dozens of APIs are required to give you the experience you want as a customer, including tools that call up your profile, connect the app to your bank account, identify your location, find the location of nearby drivers, and determine routes.

“Any online service or mobile app that requires you to enter your credit card number can be affected by API abuse. The most common things that you now see are entering credentials and abusing the application’s business logic, such as verifying e-mail addresses, credit card numbers or gift cards,” said Zane Lackey, co-founder and CTO of the cyber security company Signal Sciences.


Gartner has already made worrying predictions for the future of API security, and wrote in a recent report that by 2022, API abuse will be the most common attack seen by security teams.

Gartner added in another study that by 2019, 40% of web applications would have more attack surface in the form of exposed APIs than in the user interface. That number will reach 90% by 2021, according to its predictions.

With all these different APIs that send and receive so much valuable information, there is a risk. Some of the world’s largest companies now manage hundreds of APIs and rely on small external companies to provide crucial functions for their online business.

Etay Maor, chief security officer at IntSights, said that when you delve deeper into many breaches, the cause often traces back to APIs being misused or accessed by malicious actors.

“Last year there was a famous IRS breach, where attackers used a database and downloaded information about taxpayers. One of the new systems launched in 2014 where end users could download all their information, and that is exactly what the criminals did via the API,” said Maor.

“700,000 taxpayers’ information has been downloaded. Some of the attacks you read about, as you go deeper, you will find it was an abuse of the API, a combination of vulnerable APIs and someone who got a database of users and then started attacking that API.”

TechRepublic spoke to security experts and researchers about four steps companies can take to protect their APIs.

1. Manage authentication

In addition to the basic security measures that every organization should have, a key to protecting APIs is that you know who uses what and who has access to what.

One of the biggest problems facing companies is credential stuffing, where cyber criminals use stolen email and password databases to bombard APIs with thousands of fake login requests.

Lackey said that as more companies switch to web apps as their main way of interacting with customers, criminals are turning to attack the APIs behind those mobile and web apps.

“Attackers now buy large stolen lists of credentials and try again against every service they can think of,” Lackey said. “Once they discover the accounts, they attack the business logic of the application. Their goal is: ‘I want to log in to the account and update the mailing address for the client account I just stole so that all goods are delivered to my mailing address.’”

To protect against this type of credential stuffing, companies must use strict multi-factor authentication, said Ben Waugh, chief security officer at the healthcare web app company Redox.

Redox helps healthcare institutions use technology, such as APIs, to improve systems and share information. Waugh said for risky industries such as healthcare, multi-factor authentication was an absolute must and businesses should go even further by forcing people to use long, complicated passwords instead of those they invent themselves.

But due to advances in the technology that cyber criminals use, even the use of phone numbers as an additional layer of security is no longer enough.

“What I see more and more, especially for high-risk sites, is that more and more SIM swaps are being used, which means that people really have to move away from SMS-based multi-factor authentication, because for high-risk targets it is no longer effective,” Waugh said.

The Open Web Application Security Project recently released an API Security Top 10 report that said authentication mechanisms were “often incorrectly implemented, allowing attackers to compromise authentication tokens or misuse deployment errors to temporarily or permanently assume the identity of other users.”

“Compromising the ability of a system to identify the client / user compromises overall API security,” added the Open Web Application Security Project report.

2. Check authorization

With many companies managing hundreds of APIs, it can be difficult to keep track of who or what is authorized to use or access certain information.

Waugh said that companies should be concerned about how information is passed through APIs. It is generally more difficult to detect attacks on APIs because each API request is difficult to distinguish from others and cyber criminals make a point of overwhelming systems with thousands of attempted attacks.

“API attacks are usually much more focused. They will follow the API specifications, but in the end it is still the same type of attack as anything else. It is still trying to access another indirect resource, so you need to make sure that you properly check if each request is authorized to access the particular resource that it is requesting,” Waugh said.

“They may be trying to attack some downstream microservices or another downstream service through an injection attack,” he added.

“Most people have APIs in a microservice architecture, so they pass requests from one service to another. You really have to think about and understand which service is responsible for sanitizing that input and handling it safely in that chain. Many people assume that another part of the system is doing something.”

Companies must have a clear understanding of which service is in charge of which check, rather than assuming that something else upstream has already granted permission.

In many cases, companies do the authentication part, but fail to handle the authorization needed to protect themselves, Waugh said.

“They will say, ‘Yes, this is a valid API key, so this must be a valid request,’ and then a downstream service will handle the resource request itself and it will not really check who the actor requesting this resource is. They assume that the front end has carried out the authorization,” he said.

The OWASP report added that “object-level authorization checks should be considered in any function that has access to a data source with user input.”
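The failure Waugh describes, as an added example that is not Redox’s or OWASP’s code: a downstream service that treats a valid API key as a valid request, beside the same service doing its own object-level authorization check. The API keys, principals and records are constructed sample data.

```python
# Constructed sample data (not Redox's or OWASP's code): API keys issued by
# the front end, the principals they identify, and records owned by them.
API_KEYS = {"key-alice-1": "alice", "key-bob-2": "bob"}
RECORDS = {
    101: {"owner": "alice", "data": "alice's lab results"},
    202: {"owner": "bob", "data": "bob's lab results"},
}


def authenticate(api_key):
    """Authentication only: map an API key to a principal, or None."""
    return API_KEYS.get(api_key)


def get_record_vulnerable(api_key, record_id):
    """The pattern Waugh describes: 'this is a valid API key, so this must
    be a valid request'. Any authenticated caller can read any record just
    by changing record_id (OWASP API1: broken object level authorization).
    Returns an (HTTP status, body) pair."""
    if authenticate(api_key) is None:
        return 401, None
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record["data"]


def get_record_secure(api_key, record_id):
    """Authentication plus object-level authorization, done in this service
    rather than assumed to have happened upstream: the actor must own the
    object it asks for. Missing and not-yours both answer 404 so record ids
    cannot be enumerated by telling the two cases apart."""
    actor = authenticate(api_key)
    if actor is None:
        return 401, None
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != actor:
        return 404, None
    return 200, record["data"]
```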

3. Organize the security team

Every analyst mentioned the need for security teams to be organized in a way that involves the entire company.

Lackey, who spent years as CISO at the Etsy e-commerce site, said many of the API security issues that companies have are usually caused by the separation between development teams and security teams.

Traditionally, security teams focused on the infrastructure or network layer and generally stayed away from the applications, he said. But visibility throughout the system is now a must for every security team.

“This is what we have learned very painfully at Etsy. If you go through digital transformation or DevOps or a cloud journey, the only way you are scalable and effective and can defend yourself is to get visibility that not just one of those groups can use, but actually all of them.”

“You need to understand how people are trying to abuse those applications, but it has to be done in a way that the development teams, the DevOps teams, and security teams can use it all,” Lackey said.

Older cyber security systems required highly trained security officers to manage them, but more modern tools use AI and other technology to ease the burden on defenders.

Shadow IT is a big problem for companies, because departments start their own projects and allow external services into an organization’s system. Waugh noted that IT departments would handle all external accounts and check for security in the past, but those days are long gone.

“There is no longer such a thing as IT. Our entire company is what we are responsible for and our entire company works closely with the IT security team on everything that we ultimately deploy or use,” Waugh said.

4. Vet third parties

Even when companies do the right things and ensure that everything is protected, they can still run the risk of breaches or attacks thanks to third-party services.

Waugh said that a good part of the breaches he sees are not direct attacks on a business system, but a compromise from a third party that has access to that data processing system.

“As an industry, we are doing very poorly to understand the risk when it comes to third parties. However much we protect ourselves, we have a very limited understanding of which third parties we have. How do we protect them?” he said.

Companies must have an understanding of which external partners have access to their data, sending them security questionnaires, requesting certifications or demanding reports. But even this, Waugh said, can still leave companies vulnerable to attacks.

Last year, India’s national ID database, which contains identity and biometric information such as fingerprints and iris scans on more than 1.1 billion registered Indian citizens, was exposed via a vulnerable API.

According to ZDNet’s Zack Whittaker, a network provider, Indane, had access to the Aadhaar database through an API that the company relies on to check the status of a customer and verify their identity.

The company did not secure the API, and as a result anyone could access the private data of every Aadhaar holder, even those who were not customers of that specific company.

According to a researcher, a URL on the company’s domain was the endpoint of the API and had no access control. The researcher also discovered that the API had no rate limiting, meaning that cyber criminals could iterate through trillions of permutations until they were successful.
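Both the credential stuffing described in section 1 and the unthrottled ID enumeration described here leave the same trace in an API access log: one client cycling through many distinct values of one parameter on one endpoint in a short window. The detector below, an added example that is not from the page or from any of the companies it mentions, runs over a constructed log in a simple assumed format (timestamp, client IP, method, path with one query parameter, status).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not a real log from Indane, Aadhaar or
# Redox). Assumed format: ISO timestamp, client IP, method, path?param=value,
# HTTP status. One client walks through ID values, another through usernames.
SAMPLE_LOG = """\
2019-03-01T10:00:00 203.0.113.7 GET /api/status?id=100000000001 200
2019-03-01T10:00:01 203.0.113.7 GET /api/status?id=100000000002 200
2019-03-01T10:00:01 203.0.113.7 GET /api/status?id=100000000003 200
2019-03-01T10:00:02 203.0.113.7 GET /api/status?id=100000000004 200
2019-03-01T10:00:02 203.0.113.7 GET /api/status?id=100000000005 200
2019-03-01T10:00:03 198.51.100.9 GET /api/status?id=100000000001 200
2019-03-01T10:05:00 192.0.2.5 POST /api/login?user=alice 401
2019-03-01T10:05:00 192.0.2.5 POST /api/login?user=bob 401
2019-03-01T10:05:01 192.0.2.5 POST /api/login?user=carol 401
2019-03-01T10:05:01 192.0.2.5 POST /api/login?user=dave 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+?)\?(\w+)=(\S+) (\d{3})$")


def parse(log_text):
    """Yield (timestamp, client, path, param, value) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, _method, path, param, value, _status = m.groups()
            yield datetime.fromisoformat(ts), client, path, param, value


def find_enumeration(log_text, window_seconds=60, max_distinct=3):
    """Flag each (client, path, param) that uses more than max_distinct
    different values inside any window_seconds-long sliding window.
    Returns {(client, path, param): peak distinct values in one window}."""
    events = defaultdict(list)
    for ts, client, path, param, value in parse(log_text):
        events[(client, path, param)].append((ts, value))
    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1  # drop hits that fell out of the window
            distinct = len({v for _, v in hits[start:end + 1]})
            if distinct > max_distinct:
                flagged[key] = max(distinct, flagged.get(key, 0))
    return flagged
```

The same per-client, per-parameter counter, applied at request time instead of over a log, is the rate limit the Indane endpoint lacked.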
