During my 34-year career in federal law enforcement, I repeatedly saw the damage data theft caused to unsuspecting victims. Whether the result was an elderly retiree losing their life savings, a company losing its intellectual property, or the military losing technology that took years to research and billions of dollars to fund, the outcomes were similar regardless of the victim: an anticipated future outlook suddenly changed, plans immediately obsolete, and the time and effort spent now benefitting the malicious actor who stole it all.
One of the driving catalysts for this rise in data theft is our digital interdependence around the globe. As we become more connected, the opportunities for cybercriminals become more plentiful while, unfortunately, their risks decrease. In the past, a thief needed to be present to overcome physical security. However, the tremendous growth of applications, which arguably made our daily lives more convenient and easier to navigate, now offers new attack vectors for malicious actors; vectors they can penetrate remotely. Just like asymmetrical warfare, small-scale investments in time and resources present tremendous financial upside for those who want to profit from others’ hard work and sacrifice. In these scenarios, not only is the risk of physical capture or injury low, but hackers can also remain anonymous in the process.
The most prevalent of these attack vectors are application programming interfaces (APIs). Applications that allow users to communicate with others, research information, move money and pay bills, and monitor physical attributes and the environment all operate via APIs. One estimate indicated over 80% of worldwide internet traffic was initiated by API calls. However, despite how integral APIs have become to global commerce and diplomacy, many of them are alarmingly left unprotected. While organizations focused on securing their applications and putting up firewalls and gateways, they didn’t account for the communication links between them – the APIs.
The unfortunate reality is that APIs are easy to hack, and organizations relying on API gateways and web application firewalls (WAFs) for protection are giving themselves a false sense of security. We consistently find that approximately 30% of APIs circumvent WAFs and gateways. Overall, most organizations don’t have a full understanding of their API environment: what their APIs are doing, what information they are passing, or what potential payloads reside within newly created fields. With a robust API security program, an organization can pinpoint what’s happening in its environment, take remedial action to mitigate threats, and better protect itself from loss.
The threat is real. I encourage folks to understand it and aggressively take appropriate action to protect their data. With API use growing exponentially, the attack surface for hackers to exploit also keeps expanding. And without a programmatic approach to API security, you slowly increase the probability of being a victim of data theft. Don’t become another statistic. Partner with a trusted advisor like Noname Security who can help you eliminate blind spots in your environment and protect your APIs from notable threats.