APIs: A Backdoor For Cybercriminals?

Published on April 30th, 2024

Imagine APIs as the hidden wiring of the digital world, allowing data to flow seamlessly between applications.

A recent report by Imperva, a Thales company, reveals that a staggering 71% of internet traffic in 2023 consisted of API calls, and the average company site handled a whopping 1.5 billion such calls that year.

This massive volume of data flowing through APIs should raise security concerns.

Despite efforts to integrate security into the development process (shift-left), many APIs are rushed into production without proper cataloging, authentication, or auditing.

The average organization juggles over 600 APIs, and this number is climbing as businesses prioritize faster digital service delivery. Unfortunately, these untamed APIs can morph into security vulnerabilities over time.

Imperva’s report warns that APIs have become a prime target for attackers, offering a direct line to steal sensitive data.

In fact, research by the Marsh McLennan Cyber Risk Analytics Center estimates that API security incidents cost global businesses a staggering $75 billion annually.

How Mismanaged APIs Become A Major Security Threat

Securing APIs throws a unique curveball at even the most seasoned security teams.

The culprit? The breakneck speed of software development coupled with a lack of robust tools and processes for collaboration between developers and security professionals.

This chaotic environment leaves nearly 10% of APIs vulnerable due to improper deprecation, lack of monitoring, or weak authentication.

Imperva’s report identifies three common types of API beasts lurking in the shadows, each posing significant security risks:

  • Shadow APIs: Imagine APIs you never knew existed. These undocumented or undiscovered APIs roam unsupervised, forgotten, and invisible to security teams. Imperva estimates a sneaky 4.7% of active APIs lurk in the shadows. They might be remnants of testing phases or connectors to third-party services. The trouble starts when these shadowy figures remain uncataloged and unmanaged. Since they often have access to sensitive data, a single shadow API can trigger compliance nightmares, hefty fines, or worse – become a cybercriminal’s backdoor to steal your data.
  • Deprecated APIs: As software evolves, retiring old APIs (deprecation) is a natural part of the lifecycle. With software updates happening at lightning speed, it’s no surprise that deprecated APIs, on average, make up 2.6% of active APIs. Ideally, when an API is deprecated, supporting services are updated, and requests to the old endpoint fail. However, if these updates are neglected, the API becomes vulnerable – a sitting duck lacking security patches and software updates.
  • Unauthenticated APIs: These APIs often sneak in through misconfiguration, rushed releases, or the weakening of security measures to accommodate older software. Unauthenticated APIs represent a staggering 3.4% of active APIs on average. Their existence is a major security threat, potentially exposing sensitive data or functionalities to anyone, and paving the way for data breaches or system manipulation.

To tame these API beasts, regular audits are essential to identify unmonitored or unauthenticated endpoints.

Continuous monitoring acts as a hawk, detecting attempts to exploit vulnerabilities.

Additionally, developers must stay vigilant with regular updates and upgrades to ensure deprecated APIs are replaced with secure alternatives.

By working together and adopting these measures, developers and security teams can turn their API zoos into secure havens.
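As an added example (not code from the article or from Imperva), here is the audit described above run over constructed API access log lines against a constructed route inventory. It flags the three categories the report names: routes absent from the inventory (shadow), deprecated routes that still answer successfully, and routes that return a 2xx to requests carrying no credential. The log format, the inventory and the route names are assumptions.

```python
from collections import defaultdict
import re

# Constructed inventory: route -> lifecycle state. A real one would be
# exported from an API catalog or gateway.
INVENTORY = {
    "/v2/accounts": "active",
    "/v2/transfers": "active",
    "/v1/accounts": "deprecated",
}

# Constructed log lines: method path status auth-credential-present(yes/no)
LOG_LINES = """\
GET /v2/accounts 200 yes
POST /v2/transfers 201 yes
GET /v1/accounts 200 yes
GET /v2/accounts 401 no
GET /internal/export 200 no
GET /v2/transfers 200 no
POST /debug/dump 200 yes
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (yes|no)$")

def audit(lines, inventory):
    """Return {category: sorted routes} for routes that need attention."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the audit
        _method, path, status, has_auth = m.groups()
        code = int(status)
        state = inventory.get(path)
        if state is None:
            findings["shadow"].add(path)  # traffic to an uncataloged route
        elif state == "deprecated" and code < 400:
            findings["deprecated_live"].add(path)  # retired but still serving
        if has_auth == "no" and 200 <= code < 300:
            findings["unauthenticated"].add(path)  # anonymous call succeeded
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, routes in audit(LOG_LINES, INVENTORY).items():
        print(f"{category}: {', '.join(routes)}")
```

A 401 to an anonymous request (the `/v2/accounts 401 no` line) is the correct outcome and is not reported, so only routes that actually serve data without a credential are listed.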

The Growing Peril Of Increased API Calls

In the bustling digital landscapes of banking and online retail, 2023 saw a surge in API calls, marking new highs for these industries.

With their heavy reliance on expansive API ecosystems to deliver seamless digital experiences, it comes as no shock that financial services, particularly banking, found themselves squarely in the crosshairs of API-related attacks.

Crafty cybercriminals employ a slew of tactics to breach API endpoints, but one particularly potent weapon in their arsenal is the Account Takeover (ATO) attack.

This insidious maneuver involves exploiting chinks in an API’s authentication armor to clandestinely access user accounts.

Alarming statistics from 2023 reveal that a staggering 45.8% of all ATO attacks zeroed in on vulnerable API endpoints, making them prime targets for malicious activity.

Fueling these attacks are the relentless forces of automation, embodied by nefarious “bad bots” that tirelessly execute their sinister scripts.

Once these assaults breach the defenses, the fallout can be catastrophic: locked-out customers, compromised sensitive data, revenue hemorrhages, and heightened non-compliance risks.

Given the invaluable troves of customer data that banks and financial institutions safeguard, the specter of ATO looms as a grave and pressing business concern.
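As an added example, not from the article, one way to surface the automated account-takeover pattern described above on a login API: group failed logins by client, and flag a client whose failures inside a short window spread across many distinct accounts, which is how a scripted bot differs from one user mistyping a password. The event format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed auth events for a login endpoint:
# (timestamp_seconds, source_ip, username, outcome)
EVENTS = [
    (0, "198.51.100.7", "alice", "fail"),
    (2, "198.51.100.7", "bob", "fail"),
    (3, "198.51.100.7", "carol", "fail"),
    (5, "198.51.100.7", "dave", "fail"),
    (6, "198.51.100.7", "erin", "success"),
    (10, "203.0.113.9", "frank", "fail"),
    (40, "203.0.113.9", "frank", "fail"),
    (70, "203.0.113.9", "frank", "success"),
]

def detect_ato(events, window=60, max_failures=3, min_accounts=3):
    """Return {source_ip: sorted usernames} for clients whose failed logins
    within any `window`-second span exceed `max_failures` and touch at
    least `min_accounts` distinct accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        if outcome == "fail":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # advance the window start until the span fits in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) > max_failures and len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in detect_ato(EVENTS).items():
        print(f"{ip}: failures across {len(users)} accounts: {users}")
```

The second client fails twice on a single account over a minute and is not flagged; the first fails four times across four accounts in six seconds and is.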

How To Protect Your APIs

Imperva prescribes a multi-layered strategy to bolster your organization’s API security posture:

  • Shine a Light: Inventory and Classification – Meticulously discover, classify, and catalog all APIs, endpoints, parameters, and payloads. Continuous discovery ensures your API inventory remains current and guards against sensitive data exposure.
  • Shield the Vulnerable: Risk Assessment and Protection – Identify and prioritize the protection of sensitive and high-risk APIs. Focus risk assessments on API endpoints susceptible to vulnerabilities like Broken Authorization/Authentication and Excessive Data Exposure.
  • Maintain Vigilance: Continuous Monitoring – Establish a robust monitoring system to actively detect and analyze suspicious behaviors and access patterns across your API endpoints.
  • Defense in Depth: A Layered Security Approach – For comprehensive protection, adopt an API security solution that integrates a Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) prevention, and Bot Protection. This layered defense offers flexibility and advanced protection against evolving API threats, including the particularly challenging business logic attacks that target specific API functionalities.