Now is the time for CISOs to ensure that APIs are truly protected.
With an ever-changing threat landscape, increased regulatory oversight and a desire among authorities to hold individual executives accountable for data breaches, these are tough times for CISOs. And as APIs become the attack vector of choice for bad actors, it’s more important than ever to prioritize effective API security at your organization.
A string of recent cases have caused alarm for C-suite cybersecurity leaders, demonstrating a new era of personal accountability and an increased appetite among authorities for taking individuals to task. The conviction of the former Uber CISO for concealing a massive data breach and the SEC's fraud charges against the CISO of SolarWinds are two obvious examples. These cases signal a paradigm shift where executives are not only responsible for their organization's security posture but can also face personal legal consequences for lapses.
With this newfound zeal among prosecutors, it’s highly likely we will see InfoSec executives answering difficult legal questions about API breaches in the months ahead. APIs are the ‘connective tissue’ of the web and modern software applications. They account for more than 83% of web requests. As new technologies and architectures gain in popularity, attackers take notice. APIs are now involved in more than two-thirds of data breaches, making them the number one attack vector for bad actors. A look at FireTail’s API data breach tracker shows an alarming surge in the volume and scale of attacks recently.
APIs, by design, serve as a gateway to your data. This makes them extremely attractive to attackers. APIs are also often the interface where business functions can be invoked. For that reason, APIs are the only construct with both data access and transactional capabilities, making them a doubly enticing target. Our research shows that API breach incidents are accelerating at a rate of 227% year-on-year and the average volume of records exposed is close to 3M per event, and rising. Securing your APIs is more important than ever. The ramifications for organizations and individual executives are too stark for this attack surface to be ignored.
In September 2022, the Australian telecommunications company, Optus, suffered a massive data breach that saw an attacker access sensitive customer data relating to more than 10 million customers. The attack was discovered by Optus on September 22 and a day later a user by the name of OptusData posted a $1M AUD ransom demand on a darknet forum.
On September 26, the user OptusData posted another message on the same forum which included a 10,000-record sample of the data. Investigations by security researchers showed that the data looked genuine, lending credence to OptusData’s claims that they were the attacker.
Initially, Optus claimed it had been the victim of a “sophisticated” cyber attack but this was later called into question. Tech reporter Jeremy Kirk made contact with the purported hacker using the same darknet forum and said the person gave him a detailed explanation of how they stole the data. The user contradicted Optus's claims the breach was "sophisticated", saying they pulled the data from a freely accessible API.
"No authenticate needed… All open to internet for any one to use,"
- The purported hacker in a message to Kirk
As investigations progressed, it transpired that the breach was made possible by a network configuration change that made public a temporary API aimed at meeting government-mandated two-factor authentication requirements. Because this API was internal, it lacked adequate authentication requirements. This vulnerability was further compounded by the fact that Optus used sequential user ID numbers so it was easy for the attacker to enumerate IDs and retrieve data for customer after customer.
This combination of events is also common, according to our research. In the vast majority of API breaches, more than one thing goes wrong.
As the media storm raged, Optus claimed not to have paid a ransom for the data but within a couple of weeks the user OptusData had removed the 10,000-record sample from the forum and claimed that the remaining data had been destroyed.
Whether or not a ransom was paid, the fallout for Optus was considerable. First, there was the reputational damage. Telling 40% of the Australian public that their sensitive personal data may have been exposed is catastrophic when it comes to customer confidence. Optus also had to contend with increased regulatory scrutiny and parliamentary attention. An investigation by the Office of the Australian Information Commissioner (OAIC) was launched, new regulations were enacted in response to the breach and the company received harsh criticism from the government.
"We should not be in the position that we're in, but Optus has put us here. It's really important now that Australians take as many precautions as they can to protect themselves against financial crime."
- Home Affairs Minister Clare O'Neil
Optus then found itself the subject of two class action lawsuits with firms Slater & Gordon and Maurice Blackburn both pursuing claims on behalf of their clients. The claim lodged in the federal court by Slater and Gordon alleged that Optus breached laws and its own policies by failing to adequately protect customer data and destroy or de-identify former customer data. Later, Optus found itself entangled in a federal court battle as it sought to withhold the breach's cause, a move challenged by regulatory changes demanding increased transparency. Ultimately, Optus set aside $140M AUD to deal with the consequences of the breach.
Fortunately for Optus executives, the breach has not yet led to any personal charges or individual accountability. Given the recent SolarWinds and Uber CISO cases, had this breach occurred in another country, that may not have been the case.
For CISOs who want to protect themselves, their organizations and their customers' sensitive data, effective API security is a must. Unfortunately, it can be hard to cut through the noise when it comes to API security. Many of the existing approaches such as WAFs, API Gateways and Behavioral Analysis just don’t cut it when it comes to stopping most API breaches.
The reason for this is that most successful breaches look like normal web requests. They exploit business logic vulnerabilities and most attacks are multi-vector. As our research shows, authentication and authorization issues are still behind the vast majority of successful API breaches.
API Breaches by Primary Attack Vector
Perimeter security approaches, WAFs, API gateways and even AI/ML behavioral analysis won’t stop attacks that exploit APIs without proper authentication or authorization mechanisms in place. True and effective API security relies on sound API governance, observability and the type of inline context only available at the application layer.
In an era of increasing regulatory and compliance requirements, securing your organization’s APIs is more important than ever. The rapid pace of AI innovation and the recent expansion of API calling capabilities announced by OpenAI mean that the frequency and severity of API attacks is only set to increase. Now is the time for CISOs to ensure that APIs are truly protected.
If you are looking for a way to minimize the personal and organizational risks associated with APIs, look no further than FireTail. With continuous visibility across your API ecosystem and the ability to proactively detect, identify and address vulnerabilities, no other solution offers the same level of true API protection.
FireTail enhances your API security with a unique hybrid approach that combines open-source code libraries with a feature-packed cloud platform. Our end-to-end API security solution provides inline API call evaluation and blocking, cloud-based API security posture management, a centralized audit trail to keep track of all your API interactions and comprehensive reporting to keep you informed.
Ultimately, FireTail provides you and your teams with the governance, observability and monitoring capabilities needed to ensure API compliance and to protect yourself, your organization and your customers from the increasingly complex threat of API attacks.
Schedule a demo today to see how the FireTail platform delivers real API security.