What a time to be alive! The modern world is full of possibilities as technology enables us to do much more with far less effort. What you may not realize, however, is that the unsung heroes of our digital lives are application programming interfaces, or APIs. These mighty messengers work tirelessly in the background of virtually every application and action we take on tech devices, enabling a rich experience for end users.
Of course, it’s not only organizations and end users that are happy in this digital-first era of freedom. The immense power APIs hold to access and transmit data makes them an attractive target for bad actors worldwide. API attacks are on the rise, and protecting the data and services these APIs enable requires first understanding the risks.
The Modern Cybersecurity Landscape
Cybercrime is not simply a modern buzzword. More than a hot-button issue, it’s also big business. So big, in fact, that if cybercrime were measured on a global economic scale, it would rank as the third-largest economy in the world behind the US and China. That’s a $6 trillion GDP in a nation run by bad actors, up from $3 trillion in 2015.
Increasingly, APIs are a target in the cybercrime world. As more apps leverage APIs for functionality and to boost the end-user experience, opportunistic criminals exploit vulnerabilities in these vital application connectors.
No organization is immune. Even the most resource-rich, well-staffed organizations have fallen victim to API security exploits. In 2021, 90% of LinkedIn’s user base was subjected to an API security breach, and more recently big players including Facebook and Australian telecom giant Optus have suffered breaches through their APIs.
Types of API Attacks
The best way to navigate the complexities of cyber risk is to focus on preventative measures. Taking a proactive approach will ensure your company is not contributing to that $6 trillion in cybercriminals’ pockets and that your company’s and your customers’ data is safe.
Of course, you can’t take proactive measures without understanding the risks. There are several key API attacks to be aware of:
Distributed Denial-of-Service (DDoS)
Distributed Denial-of-Service (DDoS) attacks are prevalent amongst cybercriminals because they’re relatively straightforward. In a DDoS attack, attackers flood an app or website with bogus requests until its bandwidth and the API servers’ resources (connections, memory) are exhausted, rendering your site or service inaccessible.
Prevention best practice: To ensure your API is safe from DDoS attacks, configure rate limiting to prevent overload.
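As an added illustration of the rate-limiting advice above (example code written for this article, not from the original post or any product it mentions), the following per-client token-bucket limiter gives each client key (an API key or source IP, for instance) a fixed burst capacity that refills at a steady rate. The client keys, capacity and refill rate below are constructed for the demonstration; the clock is injectable so the behaviour can be checked without sleeping.

```python
"""Per-client token-bucket rate limiter (added example, not from the article).

Each client key gets a bucket holding at most `capacity` tokens that refills at
`refill_per_sec`. A request is served only if a token is available; otherwise
it is rejected (a real API would answer HTTP 429). One client exhausting its
bucket does not affect any other client's bucket.
"""
import time


class _Bucket:
    def __init__(self, tokens, last):
        self.tokens = tokens  # tokens currently available (float)
        self.last = last      # clock reading at the last refill


class TokenBucketLimiter:
    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock          # injectable for deterministic tests
        self._buckets = {}          # client_key -> _Bucket

    def allow(self, client_key):
        """Consume one token for client_key; return True if the request may proceed."""
        now = self.clock()
        bucket = self._buckets.get(client_key)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.capacity), last=now)
            self._buckets[client_key] = bucket
        # Refill in proportion to elapsed time, but never above capacity.
        elapsed = now - bucket.last
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate_flood(limiter, client_key, n_requests):
    """Fire n_requests back-to-back from one client; return how many were allowed."""
    return sum(limiter.allow(client_key) for _ in range(n_requests))


class FakeClock:
    """Constructed manual clock so the refill logic can be exercised instantly."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0, clock=clock)
    # 100 requests in the same instant from a constructed source address:
    print("allowed during flood:", simulate_flood(limiter, "203.0.113.7", 100))
    clock.advance(2.0)
    print("after 2s, same client:", limiter.allow("203.0.113.7"))
    print("other client, unaffected:", limiter.allow("198.51.100.9"))
```

Application-level rate limiting protects the API from being overwhelmed by request volume, but a volumetric DDoS that saturates the network link has to be absorbed upstream (CDN, scrubbing service or edge firewall) before it reaches this code.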
Account Takeover (ATO)
Account takeover is exactly what it sounds like: a cybercriminal takes over an end user (or, in some cases, an admin) account. Once they control the account, the bad actor uses it to launch attacks or perform unsanctioned actions. ATO incidents are on the rise, with a 2022 report showing that attacks rose a staggering 90% between 2020 and 2021.
Prevention best practice: API security is paramount to preventing ATO attacks, because criminals typically carry them out by stealing or replaying authentication tokens. Organizations can increase security by employing bot detection solutions, mandating 2FA or MFA, and raising employee awareness.
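To make the bot-detection and MFA advice concrete, here is an added example (written for this article, not from the original post or from any vendor it names) that scans authentication log lines for the classic credential-stuffing pattern behind many ATO incidents: one source address failing against many distinct accounts and then succeeding. The log format, addresses and user names are constructed for the example; the regex would be adapted to a real gateway or identity-provider format.

```python
"""Credential-stuffing signal detection over authentication logs.

Added example, not from the article. Flags a source IP that (a) fails against
at least `min_distinct_users` different accounts and (b) records which accounts
it then logged into successfully, i.e. the stuffed credentials that worked.
The output can drive a step-up (MFA) decision for that source.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> auth ip=<ip> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one IP sprays five accounts, then lands a sixth;
# a second IP is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z auth ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z auth ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z auth ip=203.0.113.7 user=dave result=fail
2024-05-01T10:00:03Z auth ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:04Z auth ip=203.0.113.7 user=frank result=ok
2024-05-01T10:00:05Z auth ip=198.51.100.9 user=alice result=ok
2024-05-01T10:00:09Z auth ip=198.51.100.9 user=alice result=fail
"""


def parse(log_text):
    """Return a list of event dicts (ts, ip, user, result); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users=5):
    """Return {ip: {"failed_users": n, "succeeded_users": [...]}} for suspicious IPs.

    Events must be in chronological order: a success only counts as a landed
    stuffed credential if the same IP has already failed against many accounts.
    """
    failed_users = defaultdict(set)
    succeeded_users = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failed_users[e["ip"]].add(e["user"])
        elif len(failed_users[e["ip"]]) >= min_distinct_users:
            succeeded_users[e["ip"]].append(e["user"])
    findings = {}
    for ip, users in failed_users.items():
        if len(users) >= min_distinct_users:
            findings[ip] = {
                "failed_users": len(users),
                "succeeded_users": succeeded_users[ip],
            }
    return findings


def should_require_mfa(findings, ip):
    """Mitigation hook: force a second factor for any source flagged above."""
    return ip in findings


if __name__ == "__main__":
    findings = detect_credential_stuffing(parse(SAMPLE_LOG))
    for ip, info in findings.items():
        print(ip, info, "-> require MFA:", should_require_mfa(findings, ip))
```

The accounts listed under `succeeded_users` are the ones to treat as compromised (invalidate their sessions and tokens, force a password reset), which is the response step the detection exists to trigger.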
Unencrypted Data Transmission
APIs are often used to process and transmit sensitive data. This valuable data can include credit card information, health information, session tokens, passwords, and more. It can be compromised if the application API does not properly encrypt the data at rest or in transit.
Prevention best practice: This may seem obvious, but it bears stating: encrypt your data. Transport Layer Security (TLS) is the standard way to ensure data in transit between a client and the server is encrypted and protected from eavesdropping and tampering.
Broken Object-Level Authorization
Nearly 40% of API attacks are broken object-level authorization (BOLA) attacks. By manipulating the ID of an object sent in an API request, attackers exploit endpoints or gain access to restricted data objects. Similar to the above attacks, BOLA can be used, for example, to gain access to an end user’s account at an eCommerce merchant site. Online merchant accounts often contain data such as full name, address, and credit card information.
Prevention best practice: As BOLA attacks exploit missing or weak authorization checks on individual objects, consider: enforcing robust object-level authorization on every request, using random UUIDs rather than guessable sequential IDs, and implementing a zero-trust model to outsmart attackers.
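The following added example (written for this article, not from the original post or any merchant it alludes to) shows the BOLA defect beside its fix in a miniature order-lookup endpoint: the vulnerable handler authenticates the caller but never checks that the requested object belongs to them, while the fixed handler enforces ownership on every lookup and issues random UUIDs so IDs cannot be enumerated. The order store, user names and card data are constructed for the demonstration.

```python
"""Broken object-level authorization: vulnerable lookup beside the fixed one.

Added example, not from the article. In a real service the session user comes
from the verified token and the store is a database; here both are in-memory.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    owner: str       # username of the account that placed the order
    card_last4: str  # constructed sample of the sensitive data BOLA exposes


class NotFound(Exception):
    pass


ORDERS = {}  # order_id -> Order (constructed in-memory store)


def create_order(owner, card_last4):
    # Random UUIDv4 instead of a sequential integer: an attacker cannot
    # walk from their own order ID to their neighbours' orders.
    order = Order(order_id=str(uuid.uuid4()), owner=owner, card_last4=card_last4)
    ORDERS[order.order_id] = order
    return order


def get_order_vulnerable(session_user, order_id):
    """The caller is authenticated, but nothing ties the object to the caller."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]  # any valid ID returns any user's order


def get_order_fixed(session_user, order_id):
    """Object-level check: the object must belong to the authenticated caller.

    A non-owned object gets the same NotFound as a missing one, so the response
    does not confirm to the caller that the ID exists.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


if __name__ == "__main__":
    bob_order = create_order("bob", "1111")
    print("vulnerable, alice asks for bob's order:",
          get_order_vulnerable("alice", bob_order.order_id).card_last4)
    try:
        get_order_fixed("alice", bob_order.order_id)
    except NotFound:
        print("fixed, alice asks for bob's order: not found")
    print("fixed, bob asks for his own order:",
          get_order_fixed("bob", bob_order.order_id).card_last4)
```

Random IDs raise the cost of guessing but are not a substitute for the ownership check: an ID leaked in a URL, log or referrer still points at the object, and only the authorization check in `get_order_fixed` stops it from being served to the wrong user.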
Mass Assignment
Hitting organizations where it hurts, a mass assignment attack occurs when a nefarious user gains the ability to set server-side object properties they should not control. By crafting a request with additional (and unintended) parameters, the bad actor can initialize or overwrite these properties.
Prevention best practice: This attack exploits the mass assignment (automatic request-to-object binding) feature of the development framework at the API level. To prevent these exploits, disable mass assignment or create a whitelist that limits which variables or properties a request may set.
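As an added example of the whitelist advice (written for this article, not from the original post or from any framework it refers to), the profile-update handler below is shown twice: the vulnerable version binds every key in the request body onto the user object, so an extra `is_admin` field in the payload is silently honoured, while the fixed version accepts only the whitelisted field and rejects anything else so the attempt can be logged. The `User` model and payloads are constructed for the demonstration.

```python
"""Mass assignment: blind request-to-model binding beside a whitelisted update.

Added example, not from the article. Mirrors what framework auto-binding does
when a request body is copied straight onto a model.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False      # must only ever be set by an administrator flow
    credit_balance: int = 0     # must only ever be set by the billing system


# The only profile field an ordinary user may change about themselves.
PROFILE_FIELDS_WRITABLE_BY_USER = frozenset({"email"})


class RejectedField(Exception):
    """Raised when a request tries to set a field outside the whitelist."""


def update_profile_vulnerable(user, payload):
    """Copies every key the client sends onto the model, including is_admin."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def update_profile_fixed(user, payload):
    """Whitelist: only PROFILE_FIELDS_WRITABLE_BY_USER may be set.

    Unexpected fields are rejected rather than silently dropped, so that a
    probe for mass assignment shows up in the logs instead of vanishing.
    """
    unexpected = set(payload) - PROFILE_FIELDS_WRITABLE_BY_USER
    if unexpected:
        raise RejectedField(sorted(unexpected))
    for key in PROFILE_FIELDS_WRITABLE_BY_USER & set(payload):
        setattr(user, key, payload[key])
    return user


if __name__ == "__main__":
    # Constructed request body: the legitimate email change plus an extra field.
    payload = {"email": "new@example.com", "is_admin": True}
    print("vulnerable:", update_profile_vulnerable(User("alice", "a@example.com"), payload))
    try:
        update_profile_fixed(User("alice", "a@example.com"), payload)
    except RejectedField as exc:
        print("fixed: rejected fields", exc)
```

Disabling mass assignment entirely (building the model update field by field from the whitelisted keys, as `update_profile_fixed` does) is the safer default; a blacklist of "dangerous" fields fails the first time a new sensitive property is added to the model.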
Security is a Team Effort
They say knowing is half the battle, and in the case of cybersecurity, the adage is true. Understanding the threat landscape will help your organization prioritize and designate resources for prevention methods.
Of course, it’s not only your DevSecOps team that should understand these risks. Creating a risk-aware culture means communicating with end users about threats before they become attacks.
“With reliance on APIs at an all-time high and critical business outcomes relying upon them, it is even more imperative that organizations build and implement a strong API security strategy,” according to a recent report by Salt Security. That same report shows 61% of businesses surveyed said they lack any API strategy or have only basic protection.
Ensure you have a security-minded internal team and leverage the expertise of third-party pros to stay ahead of the curve.