With organizations stepping up their network perimeter security, hackers are looking for new vulnerabilities to exploit. Security experts believe that the next major target for attacks on enterprises will be Application Programming Interfaces (APIs). Large businesses are not the only ones in the firing line: small and medium-sized businesses are too, if they hold something of interest to cybercriminals.
What is an API?
An API is an interface, or set of protocols, that lets different programs communicate with each other. Put another way, an API is a user interface for other applications rather than for people. Applications communicate through API requests, also known as API calls.
APIs are a big part of web and mobile applications and sit behind much of what people do online. With a few clicks or taps, they let anyone order a takeaway, book a hotel or download music. Any organization or individual with a website, whether a simple static site or a more complex one, is relying on APIs if the site runs on a web content management system such as WordPress in the backend.
APIs work quietly in the background, making possible the interactivity users expect and rely on. But each API is also another window into an application, and as hackers turn their attention to APIs, those windows present a growing cybersecurity risk.
Rising Number of API Attacks
The last couple of years have seen an increase in API-related security incidents and breaches. According to a report by Gartner, APIs are expected to be the “most frequently attacked vector for enterprise web application data breaches” by 2022.
Hackers like APIs because they present multiple avenues to an organization’s data. They can be used in attacks against websites, web applications, mobile applications and IoT (Internet of Things) devices.
An API-related breach occurred at the US Postal Service earlier this month. In this instance, the API behind a web-based system let any logged-in user query the private details of the other 60 million users held within the system: the API checked that the caller was logged in, but not that the caller was entitled to the records being requested.
In June this year, GateHub was attacked and funds were stolen from community members’ XRP Ledger wallets, when API requests were authorized without valid access tokens.
A further API-based breach, this time at LandMark White, an independent Australian property valuation and consultancy firm, was caused by an exposed API that left private customer contact information and property valuation details open to the public.
Why are APIs Vulnerable to Hackers?
There are a number of reasons APIs are vulnerable. One of the main issues is the level of permissions granted to them. Since APIs are not intended for human use, they are frequently set up with unrestricted access within the web or mobile application’s environment. Usually, permissions are determined for the user making the original request, and the API is trusted to act on that user’s behalf. Problems arise with this approach when an attacker bypasses the user authentication process, or calls the API directly with another user’s identifier, because the API itself does not re-check who the caller is or what they are entitled to. Since the API has unrestricted access, a successful API attack can give a hacker access to all of an organization’s data.
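The following is an added example, not code from the original article or from any of the systems it mentions, showing the two failures this section and the incidents above describe side by side: an endpoint that accepts any token without verifying it and trusts the client-supplied user id, and the same endpoint re-checking both the token and the caller’s entitlement to the requested record. The HMAC-signed token format, the handler shape, the user records and the signing key are all assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data for this example; not taken from any real system.
SECRET_KEY = b"example-signing-key-do-not-use-in-production"
USERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "address": "1 Sample St"},
    1002: {"name": "Bob Example", "email": "bob@example.test", "address": "2 Sample Ave"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user_id: int) -> str:
    """Issue a bearer token of the form base64(payload).base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"sub": user_id}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str):
    """Return the user id carried by a valid token, or None if the token is
    missing, malformed, or its signature does not match the payload."""
    if not token or "." not in token:
        return None
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        return int(json.loads(payload)["sub"])
    except (ValueError, KeyError, TypeError):
        return None


def tamper_subject(token: str, new_user_id: int) -> str:
    """What an attacker might try: keep the valid signature, swap the subject."""
    _, sig_b64 = token.split(".", 1)
    payload = json.dumps({"sub": new_user_id}, separators=(",", ":")).encode()
    return _b64(payload) + "." + sig_b64


def get_profile_vulnerable(headers: dict, user_id: int):
    """GET /users/<user_id> as the incidents above suggest it was written:
    the presence of an Authorization header is enough, the token is never
    verified, and the client-supplied user_id is trusted, so any logged-in
    user (or anyone sending a junk token) can read every other user's record."""
    if "Authorization" not in headers:
        return 401, {"error": "unauthenticated"}
    record = USERS.get(user_id)
    return (200, record) if record else (404, {"error": "not found"})


def get_profile_hardened(headers: dict, user_id: int):
    """Same endpoint with the checks the API itself must perform."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "unauthenticated"}
    caller = verify_token(auth[len("Bearer "):])
    if caller is None:                       # missing, forged or tampered token
        return 401, {"error": "invalid token"}
    if caller != user_id:                    # object-level authorization: only your own record,
        return 403, {"error": "forbidden"}   # checked before existence so ids cannot be enumerated
    record = USERS.get(user_id)
    return (200, record) if record else (404, {"error": "not found"})


if __name__ == "__main__":
    alice_token = issue_token(1001)
    alice = {"Authorization": "Bearer " + alice_token}
    forged = {"Authorization": "Bearer " + tamper_subject(alice_token, 1002)}
    print("vulnerable, Alice reads Bob:", get_profile_vulnerable(alice, 1002)[0])   # 200
    print("hardened,   Alice reads Bob:", get_profile_hardened(alice, 1002)[0])     # 403
    print("hardened,   tampered token: ", get_profile_hardened(forged, 1002)[0])    # 401
```

The hardened handler derives the caller’s identity only from the verified token and compares it with the resource being requested; the id in the URL is never trusted on its own. Returning 403 before checking whether the record exists is a deliberate choice so that a caller cannot use the difference between 403 and 404 to enumerate valid ids.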
Visibility and Management
The other major issue is API visibility and management. Because APIs run behind the scenes, there is less awareness of them and of attacks that come through them. Details of an organization’s API architecture are often known only to development teams, and security teams are frequently unaware that connections with great potential impact are even possible in their environment. Consequently, APIs are often not managed as strictly for the security risks they pose to the organization or to the users of its applications.
How to Secure APIs
To avoid falling victim to hackers targeting APIs, security experts recommend measures such as implementing API access controls for both users and applications, maintaining an API inventory, encrypting API traffic, logging API connections and using rate limits.
Rate limits protect against brute force attacks, in which a hacker uses software to generate many consecutive login attempts, systematically guessing passwords. If the API is not protected by rate limits, the attack can continue indefinitely, or until it succeeds. A rate limit caps the number of attempts accepted from a client, or against an account, within a time window, so that guessing at scale stops being practical.
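As an added example (not code from the original article), here is a sliding-window rate limiter placed in front of a login endpoint, run against a constructed list of password guesses. The limiter class, the login handler, the sample credentials and the limits are assumptions made for the example; in a deployment with several API instances the per-key counters would live in shared storage rather than in process memory.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample credentials for this example; not from any real system.
CREDENTIALS = {"alice": "correct horse battery staple"}


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.
    Recent event timestamps are kept so the window slides continuously
    rather than resetting on a fixed boundary an attacker could time."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)

    def allow(self, key, now=None) -> bool:
        now = self.clock() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over budget: reject without recording
        q.append(now)
        return True


def login(limiter, client_ip, username, password, now=None):
    """POST /login with the limiter in front of the credential check.
    Throttled on both the source address and the target account, so one
    address spraying many accounts and many addresses hammering one
    account are both slowed down."""
    for key in (("ip", client_ip), ("user", username)):
        if not limiter.allow(key, now):
            return 429, "too many attempts, retry later"
    expected = CREDENTIALS.get(username, "")
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, "ok"
    return 401, "invalid credentials"


def simulate_guessing(guesses, limit=5, window=60.0):
    """Feed one password guess per second from a single address against one
    account and return the status code each attempt received."""
    limiter = SlidingWindowLimiter(limit, window)
    return [login(limiter, "203.0.113.7", "alice", g, now=float(t))[0]
            for t, g in enumerate(guesses)]


if __name__ == "__main__":
    # The correct password is the sixth guess, but the limiter blocks it;
    # without a limit the sixth attempt would have returned 200.
    wordlist = ["password", "123456", "letmein", "qwerty", "alice2019",
                "correct horse battery staple", "hunter2"]
    print(simulate_guessing(wordlist))   # [401, 401, 401, 401, 401, 429, 429]
```

The limiter runs before the password comparison, so a throttled request costs the server no credential lookup and returns the same 429 whether or not the guess was right. Keying on both the client address and the account is what makes the limit useful against password spraying, where one address tries a single common password across many accounts, as well as against a focused attack on one account from many addresses.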
A further recommendation is to invest in firewalls that are “API aware” and in API security services. API-aware firewalls can inspect, validate and throttle API requests. API security services attempt to determine whether a request is legitimate or malicious. They can also ensure that API requests have access only to what they should, and that a request cannot escalate its privileges to gain access to the application or the application’s data.
This may all sound rather complicated to small or medium-sized businesses. Such businesses are therefore advised to invest in an API management and security strategy with help from managed security service providers, especially if they have a web presence or mobile applications. An upfront investment in API security is likely to pay off in reduced security risk for any organization, large or small.
Security experts predict that if nothing is done to better secure and manage APIs, API-based security incidents will continue to increase and will affect more organizations worldwide. API awareness is just one of the steps needed to protect your company from hackers.