
The Privacy Advisor | Q&A: On the dangers of API attacks and how you can mitigate


Stephen Gates is chief research intelligence analyst at Zenedge, which specializes in cloud-based denial-of-service-attack mitigation, API protection and bot management, among other things. Gates sees an uptick in API attacks and believes API risks are often completely overlooked, meaning hackers could take advantage of vulnerabilities, especially via mobile apps. "Hackers have determined that APIs are untapped territory and often can improve the likelihood of success in achieving their criminal outcomes," he says. The Privacy Advisor caught up with Gates to ask him about his experience in the field and what tips he might offer privacy pros.

The Privacy Advisor: Why should we care about API security issues? What are we talking about here?
Gates: For years, developers have fought to get different applications built in dissimilar languages to communicate with one another and share data across their many implemented platforms. Lists of protocols were developed to help address this problem, but most of the approaches did not fulfill their promises. The true solution was to implement application programming interfaces (APIs). APIs allow programmers to create open architectures that are capable of sharing data between different applications, for example browsers, desktop apps, and mobile apps. Unfortunately, APIs also enable new targets for hackers.

While the motivation behind today’s cyber attacks varies — whether monetary, to hurt a company’s reputation, or cyber terrorism — one thing remains true: most hackers are after an organization’s data. The monetary value of this data continues to rise on Darknet exchanges, and hackers are making significant amounts of money selling stolen data to be used in a host of cybercrimes. Hackers have also determined that APIs are untapped territory and often can improve the likelihood of success in achieving their criminal outcomes.

Before APIs came into reality, there was a logical border that existed between webservers and backend databases that, in most cases, was hidden from hackers. This “internal border” was often well protected and viewed as a roadblock to hackers. However, with the usage of APIs, that same logical border has been pushed out to the application itself. This provides a “visible roadmap” to hackers and expands their attack surface significantly. This increased visibility gives hackers more vulnerabilities to exploit, and all APIs must be protected from highly targeted cyberattacks. If left unprotected, APIs undoubtedly serve to expand hackers’ rates of success.

The Privacy Advisor: In what ways can APIs expose sensitive data? Which methods are most commonly employed? Why should privacy professionals pay attention to that?
Gates:
Although there are several ways that APIs can expose sensitive data, the most common method utilizes “input parameter attacks.” These attacks attempt to manipulate an application by presenting input that is not being carefully checked, yet is still being executed by the vulnerable application. Most application security professionals understand SQL-injection attacks and take strides to ensure SQL commands cannot be used as input into areas such as online form fields, etc. These same types of attacks can also be performed against vulnerable APIs.

Organizations must incorporate vulnerability testing against their APIs, similar to what responsible organizations have been doing with their applications for years. All the usual types of exploitable vulnerabilities found in traditional applications can often be found in APIs, as well. Privacy professionals need to ensure that their organizations are regularly performing vulnerability testing, especially before updates to apps and APIs are released. It’s highly recommended that organizations document the results of their findings and rapidly fix the discovered vulnerabilities in their apps and APIs, before they are subjected to an attack.
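The “input parameter attack” Gates describes, as an added example that is not part of the interview: a constructed API lookup handler that splices the request parameter into its SQL text, beside a hardened version that rejects input outside the expected format and binds the value as a query parameter. The in-memory sqlite3 table, its rows, and the probe string are constructed sample data.

```python
import re
import sqlite3

# Constructed in-memory store standing in for the backend database behind an API.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

# Vulnerable handler: the API parameter is spliced into the SQL text, so whatever
# the caller sends is parsed and executed as part of the query.
def lookup_user_vulnerable(db, username):
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(query)]

# Hardened handler: the parameter must match the format the API documents for a
# username, and it is bound as a value rather than concatenated into the statement.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def lookup_user_safe(db, username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected: username does not match the expected format")
    rows = db.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that is not a valid username
    print(lookup_user_vulnerable(db, "alice"))  # one matching row, as intended
    print(lookup_user_vulnerable(db, probe))    # every row in the table leaks
    print(lookup_user_safe(db, "alice"))        # same intended result
    try:
        lookup_user_safe(db, probe)
    except ValueError as err:
        print(err)                              # malformed input is rejected before any query
```

The same comparison applies to any backend a handler reaches with caller-supplied strings: validate the parameter against its documented format, then pass it as data rather than as part of a command.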

The Privacy Advisor: Are you seeing an increase in DDoS attacks?
Gates:
Unfortunately, denial of service (DoS) attacks continue to be on the rise — targeting networks, websites, applications, and even APIs. Regardless of whether the attacks come from multiple sources (making them distributed denial of service (DDoS) attacks) or not, this problem does not look like it will be resolved any time soon.

As long as hackers are successful at causing outages, these attacks will persist for the foreseeable future. As vast numbers of vulnerable IoT devices are connected to the internet, this problem is likely to increase exponentially, rather than subside, due to the ease of new botnets made up of vulnerable IoT devices. Organizations must understand that DDoS defenses are imperative today, and must protect all of their operations against these attacks, or face the consequences. 

The Privacy Advisor: What from this information should privacy pros take to heart and how should they incorporate this kind of advice into their daily jobs?
Gates:
Privacy professionals must understand that their roles are to ensure organizations are doing everything possible to protect the private data the company stores. Regardless of the type of data, it can have significant value to hackers, and they will do everything necessary to get their hands on it. The best advice is to implement policies that ensure “due care” is at the forefront of all security-related decisions.

“Due care” refers to the amount of reasonable effort performed by one party, to avoid harm to another. It also can be used as a pseudo-framework that can help define what prudent and reasonable steps should be taken to protect privacy. If other organizations are doing “X” to protect their customers’ data, and your organization is not doing something similar, this simply increases your liabilities for not doing so. Using recommendations and requirements like PCI DSS, OWASP Top 10, and SANS Critical Security Controls to build your own security framework makes a great deal of sense.
