In August, dozens of organizations using Microsoft Power Apps inadvertently exposed 38 million records, including COVID-19 contact tracing data, job seekers’ social security numbers, and even 332,000 email addresses and employee IDs used by Microsoft’s own global payroll services.
In addition to Microsoft, other organizations involved included American Airlines, Ford, J.B. Hunt, and agencies in Indiana, Maryland and New York City.
According to researchers at UpGuard, the security company that discovered the leaks, Microsoft Power Apps portals were easy to configure to allow public access.
“Several government agencies have reported performing security reviews of their applications without identifying this problem,” the report said.
The problem was how the system’s application programming interfaces, or APIs, were configured.
“The tools that enable API creation are set by default to make data publicly available, and organizations must enable privacy settings manually,” said Radu Crahmaliuc, security specialist at the security company Bitdefender.
Most of them didn’t, he told Data Center Knowledge.
“But that’s not just a problem with Microsoft Power Apps,” he added. “It’s systemic. Amazon Web Services S3, Elasticsearch, and MongoDB all have had similar experiences.”
APIs allow different systems to exchange data. For example, a company can use an API to connect to a third-party service, configure an outward-facing API so that partners can interact with its systems, or use APIs to let mobile applications communicate with its main data platforms.
Since APIs are often used to provide access to the most critical data and systems, vulnerable APIs can be extremely damaging to businesses.
According to Akamai, API communications now represent over 83% of all Internet traffic.
And API violations are starting to pile up.
Last May, fitness company Peloton announced that it had exposed customer account data on the internet due to a faulty API that allowed unauthenticated requests. Anyone could access user account data from Peloton’s servers, even if users set their account profiles as private.
Other companies in the news recently for cybersecurity issues related to APIs include Equifax, Instagram, Facebook, Amazon, and PayPal.
In fact, according to an IBM Security X-Force report released last month, two-thirds of all cloud breaches are now due to misconfigured APIs.
“APIs pose a significant security risk to enterprises because they serve as the foundation and connective tissue for modern applications,” said John Cosgrove, senior product manager for advanced bot protection at Imperva.
And companies probably have a lot more APIs than they realize, said Jason Kent, hacker in residence at Cequence Security.
“APIs are now the fabric of all new applications, but they have been used for many years by microservices and mobile and cloud application development teams,” he told Data Center Knowledge. “Visibility is paramount for enhanced security, so understanding how many APIs you have and how they work will be critical.”
Who monitors APIs?
One of the problems with API security is that it spans multiple areas.
On the one hand, software developers usually set up APIs. But APIs are generally used for business purposes and are owned by individual business units.
And since APIs require authentication and authorization, security teams are responsible for locking them down or enforcing the use of API gateways.
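The Peloton incident described above and the authentication and authorization requirement mentioned here come down to one coding pattern. The following is an added illustration, not code from Peloton, Data Center Knowledge or any vendor quoted in the article: a tiny profile endpoint written the flawed way (no credential required, and a stored “private” flag that is never enforced) beside a hardened version that authenticates the caller and applies object-level authorization. The user records, bearer tokens and paths are constructed for the example; a real service would validate tokens against its identity provider rather than a dictionary.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data for the example (not from any real system).
USERS = {
    "u1": {"name": "alice", "email": "alice@example.test", "private": True},
    "u2": {"name": "bob", "email": "bob@example.test", "private": False},
}
# Hypothetical bearer token -> user id mapping; stands in for an identity provider.
TOKENS = {"tok-alice": "u1", "tok-bob": "u2"}


@dataclass
class Request:
    path: str                                   # e.g. "/api/user/u1"
    headers: Dict[str, str] = field(default_factory=dict)


def user_id_from_path(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def vulnerable_profile(req: Request) -> Tuple[int, dict]:
    """Flawed pattern: any caller can fetch any profile.

    The 'private' flag is stored but never checked, and no credential is
    required, so an unauthenticated request returns the full record."""
    user = USERS.get(user_id_from_path(req.path))
    if user is None:
        return 404, {"error": "not found"}
    return 200, dict(user)


def authenticate(req: Request) -> Optional[str]:
    """Return the caller's user id for a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for known_token, uid in TOKENS.items():
        # Constant-time comparison so token checking does not leak by timing.
        if hmac.compare_digest(known_token, presented):
            return uid
    return None


def hardened_profile(req: Request) -> Tuple[int, dict]:
    """Hardened pattern: authenticate first, then authorize per object.

    - No valid credential -> 401, nothing about the record is revealed.
    - A private profile requested by anyone but its owner -> 404, so the
      response does not even confirm that the user exists.
    - A public profile requested by another user -> only the public fields.
    - The owner -> the full record."""
    caller = authenticate(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    target_id = user_id_from_path(req.path)
    user = USERS.get(target_id)
    if user is None:
        return 404, {"error": "not found"}
    if caller == target_id:
        return 200, dict(user)
    if user["private"]:
        return 404, {"error": "not found"}
    return 200, {"name": user["name"]}


if __name__ == "__main__":
    anon = Request("/api/user/u1")
    print("vulnerable, no credential:", vulnerable_profile(anon))
    print("hardened, no credential:  ", hardened_profile(anon))
    as_bob = Request("/api/user/u1", {"Authorization": "Bearer tok-bob"})
    print("hardened, bob reads alice:", hardened_profile(as_bob))
```

The two checks are deliberately separate: authentication establishes who is calling, and the per-record ownership and privacy test decides what that caller may see. Skipping the second check while keeping the first is the broken object-level authorization weakness that heads the OWASP API Security Top 10 mentioned later in the article.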
And since APIs live in data centers and cloud environments, data center managers and operations teams can be responsible for configuring the basic infrastructure and networking to keep them running.
This translates into a model of shared responsibility, said Jonathan Parnell, senior consultant for cloud and data center transformation at Insight.
“The challenge in a shared responsibility model for APIs is who controls and owns what,” he told Data Center Knowledge.
Business units, security teams, operations managers, and application developers may all have different ideas about what they want the API to do, how it should do it, and what the limits should be.
That could result in many meetings to discuss everything, Parnell said.
As APIs proliferate and change rapidly, they become very difficult to manage.
The key, he said, is for companies to create basic standards and common practices for API deployments and involve all constituents in creating that governance structure.
“Everyone who touches on this API should come together and agree on these policies,” he said.
Otherwise, businesses won’t be able to create the API-driven economies that many are now aiming for.
APIs are a particularly dangerous attack vector because they are designed to move large amounts of data or run high-volume services.
An API can be used, for example, to request sensitive data or to direct a payment to be made.
And since APIs are designed for use by computers that communicate with other computers, not humans, the usual methods of stopping bot attacks – like, say, CAPTCHAs – don’t apply.
âBots attack legitimate business logic,â said Sandy Carielli, senior analyst at Forrester Research.
Businesses need to be able to differentiate between bad and good bots, she said.
âSo you need tools that go beyond traditional application protections,â she told Data Center Knowledge.
For example, web application firewall providers and content delivery networks have started adding bot management to their portfolios, she said. There are also companies specializing in bot management.
CAPTCHAs have a role, especially when the API is used to connect a system like, for example, a mobile application that has a human user.
“But bot management solutions can also send bots to honeypots, delay bots, return bogus data and attempt other challenges,” she added.
Bots can be used to attack APIs in ways other than simple data theft.
For example, they can flood a system with requests to force it to shut down.
Or APIs can be used to buy concert tickets, limited edition sneakers, or hot game systems before real human customers can grab them, she said.
“We are even seeing bots weaponizing the availability of vaccines,” she said. “In India, bots overwhelmed the reservation system and criminals started charging people to reserve slots.”
It only gets worse
According to Salt Security, API attacks increased 348% in the first six months of this year, and 94% of businesses had an API-related security incident in the past 12 months.
Meanwhile, the average number of APIs per business more than tripled from 28 in July 2020 to 89 in July 2021, according to the report, while the average monthly API call volume increased by 141% during the same period.
In the past 12 months, 55% of companies said they found vulnerabilities in their APIs, 19% exposed sensitive data, 39% found authentication issues, 23% experienced denial-of-service attacks, 16% saw brute force attacks or credential stuffing, and 12% saw scraping.
Only 6% of companies had no API-related issues.
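The bot behaviours described above, flooding an endpoint with requests and scraping records, and the denial-of-service and scraping figures in this report both leave recognisable traces in API access logs. The following detector is an added example written for this article, not code from Salt Security, Forrester or any vendor quoted here. It builds a small constructed access log (three clients: a normal user, one walking consecutive user IDs, one hammering a search endpoint), then flags a client that exceeds a request threshold inside a sliding time window, and a client that has requested a long run of consecutive object IDs. The log format, thresholds and IP addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed log format, one request per line:  <ISO timestamp> <client ip> <method> <path> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
USER_PATH_RE = re.compile(r"^/api/user/(\d+)$")

WINDOW = timedelta(seconds=10)  # sliding window for burst detection
MAX_REQUESTS = 20               # more than this many requests inside WINDOW is a burst
ENUM_RUN = 8                    # this many consecutive object ids from one client is enumeration


def build_sample_log() -> List[str]:
    """Constructed access log for the example; none of this is real traffic."""
    base = datetime(2021, 9, 1, 10, 0, 0)
    lines: List[str] = []

    def emit(ts: datetime, ip: str, path: str, status: int = 200) -> None:
        lines.append(f"{ts.isoformat()} {ip} GET {path} {status}")

    # A normal user: a few requests spread over two minutes.
    for i, path in enumerate(["/api/user/1001", "/api/feed", "/api/user/1001"]):
        emit(base + timedelta(seconds=40 * i), "192.0.2.9", path)
    # A scraper walking consecutive user ids, slowly enough to stay under the burst limit.
    for i in range(12):
        emit(base + timedelta(seconds=5 * i), "203.0.113.5", f"/api/user/{1001 + i}")
    # A flooder: 30 requests to one endpoint within three seconds.
    for i in range(30):
        emit(base + timedelta(milliseconds=100 * i), "198.51.100.7", "/api/search")
    return lines


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "status": int(status)}


def longest_consecutive_run(ids: Set[int]) -> int:
    """Length of the longest run of consecutive integers in the set."""
    best = 0
    for n in ids:
        if n - 1 in ids:            # only start counting at the beginning of a run
            continue
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best


def detect(lines: List[str]) -> Dict[str, Set[str]]:
    """Return {client_ip: {"burst", "enumeration", ...}} for suspicious clients only."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)

    findings: Dict[str, Set[str]] = defaultdict(set)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        window: deque = deque()
        seen_ids: Set[int] = set()
        for rec in recs:
            # Sliding-window count: drop timestamps older than WINDOW, then check the size.
            window.append(rec["ts"])
            while rec["ts"] - window[0] > WINDOW:
                window.popleft()
            if len(window) > MAX_REQUESTS:
                findings[ip].add("burst")
            m = USER_PATH_RE.match(rec["path"])
            if m:
                seen_ids.add(int(m.group(1)))
        if longest_consecutive_run(seen_ids) >= ENUM_RUN:
            findings[ip].add("enumeration")
    return dict(findings)


if __name__ == "__main__":
    for ip, flags in sorted(detect(build_sample_log()).items()):
        print(ip, sorted(flags))
```

Two different signals are needed because the two abuses look nothing alike in volume: the flooder trips the rate threshold, while the scraper stays well under it and is only caught by the shape of what it asks for. In production the thresholds would be tuned per endpoint, and the findings would feed a bot management or API gateway policy rather than a print statement.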
Part of the problem, according to the report, is that too many companies rely solely on developers to secure APIs.
“APIs require runtime protection and security controls external to the code to be protected,” the report said.
There are also some basic steps that companies need to take to secure their APIs, said Elad Koren, product manager at Salt Security.
This includes patching vulnerabilities, he told Data Center Knowledge, following authentication best practices, and using the OWASP API Security Top 10 list to identify and fix the most critical current weaknesses.