APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage

Mar 19, 2024 | The Hacker News | API Security / Vulnerability

Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls. What’s more, a typical enterprise site saw an average of 1.5 billion API calls in 2023.

The expansive volume of internet traffic that passes through APIs should be concerning for every security professional. Despite best efforts to adopt shift-left frameworks and SDLC processes, APIs are often still pushed into production before they’re cataloged, authenticated, or audited. On average, organizations have 613 API endpoints in production, but that number is rapidly expanding as pressure grows to deliver digital services to customers more quickly and efficiently. Over time, these APIs can become risky, vulnerable endpoints.

In their report, Imperva concludes that APIs are now a common attack vector for cybercriminals because they’re a direct pathway to access sensitive data. As a matter of fact, a study from the Marsh McLennan Cyber Risk Analytics Center finds that API-related security incidents cost global businesses as much as $75 billion annually.

More API Calls, More Problems

Banking and online retail reported the highest volumes of API calls compared to any other industry in 2023. Both industries rely on large API ecosystems to deliver digital services to their customers. Therefore, it’s no surprise that financial services, which include banking, were the leading target of API-related attacks in 2023.

Cybercriminals use a variety of methods to attack API endpoints, but one common attack vector is account takeover (ATO). This attack occurs when cybercriminals exploit vulnerabilities in an API’s authentication processes to gain unauthorized access to accounts. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints. These attempts are often carried out by automation in the form of bad bots, software agents that run automated tasks with malicious intent. When successful, these attacks can lock customers out of their accounts, provide criminals with sensitive data, contribute to revenue loss, and increase the risk of non-compliance. Considering the value of the data that banks and other financial institutions manage for their customers, ATO is a concerning business risk.

Why Mismanaged APIs are a Security Threat

Mitigating API security risk is a unique challenge that frustrates even the most sophisticated security teams. The issue stems from the fast pace of software development and the lack of mature tools and processes to help developers and security teams work more collaboratively. As a result, nearly one out of every 10 APIs is vulnerable to attack because it wasn’t deprecated correctly, isn’t monitored, or lacks sufficient authentication controls.

In their report, Imperva identified three common types of mismanaged API endpoints that create security risks for organizations: shadow, deprecated, and unauthenticated APIs.

  • Shadow APIs: Also known as undocumented or undiscovered APIs, these are APIs that are unsupervised, forgotten about, and/or outside of the security team’s visibility. Imperva estimates that shadow APIs make up 4.7% of every organization’s collection of active APIs. These endpoints are introduced for a variety of reasons—from the purpose of software testing to use as a connector to a third-party service. Issues arise when these API endpoints are not cataloged or managed properly. Businesses should be concerned about shadow APIs because they typically have access to sensitive information, but nobody knows where they exist or what they’re connected to. A single shadow API can lead to a compliance violation and regulatory fine, or worse, a motivated cybercriminal will abuse it to access an organization’s sensitive data.
  • Deprecated APIs: Deprecating an API endpoint is a natural progression in the software lifecycle. As a result, the presence of deprecated APIs is not uncommon, as software is updated at a rapid, continuous pace. In fact, Imperva estimates that deprecated APIs, on average, make up 2.6% of an organization’s collection of active APIs. When the endpoint is deprecated, services supporting such endpoints are updated and a request to the deprecated endpoint should fail. However, if services are not updated and the API isn’t removed, the endpoint becomes vulnerable because it lacks the necessary patching and software updates.
  • Unauthenticated APIs: Often, unauthenticated APIs are introduced as a result of misconfiguration, oversight from a rushed release process, or the relaxation of a rigid authentication process to accommodate older versions of software. These APIs make up, on average, 3.4% of an organization’s collection of active APIs. The existence of unauthenticated APIs poses a significant risk to organizations as it can expose sensitive data or functionality to unauthorized users and lead to data breaches or system manipulation.

To mitigate the various security risks introduced by mismanaged APIs, conducting regular audits to identify unmonitored or unauthenticated API endpoints is recommended. Continuous monitoring can help detect any attempts to exploit vulnerabilities associated with these endpoints. In addition, developers should regularly update and upgrade APIs to ensure that deprecated endpoints are replaced with more secure alternatives.

How to Protect Your APIs

Imperva offers several recommendations to help organizations improve their API Security posture:

  1. Discover, classify, and inventory all APIs, endpoints, parameters, and payloads. Use continuous discovery to maintain an always up-to-date API inventory and disclose exposure of sensitive data.
  2. Identify and protect sensitive and high-risk APIs. Perform risk assessments specifically targeting API endpoints vulnerable to Broken Authorization and Authentication as well as Excessive Data Exposure.
  3. Establish a robust monitoring system for API endpoints to detect and analyze suspicious behaviors and access patterns actively.
  4. Adopt an API Security approach that integrates Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) prevention, and Bot Protection. A comprehensive range of mitigation options offers flexibility and advanced protection against increasingly sophisticated API threats—such as business logic attacks, which are particularly challenging to defend against as they are unique to each API.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024 | The Hacker News | Data Security / Cloud Security

Risky Sharing in Google Drive

Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn’t anyone’s fault; it’s inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.

For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.

Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched Data Protection for Google Drive to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit.

How Material Security helps organizations safeguard Google Drive

Trying to answer fundamental questions about what’s in Google Drive and where it’s shared is painstakingly manual using the Workspace admin dashboard, and working with the Drive API is costly and complex. Given the breadth of sensitive content, this is an area that warrants focus, but it’s challenging to get to the depth required.

Material is backed by a powerful data platform that syncs with your Google Workspace tenant to build out a structured model of historical file contents, metadata, permissions, and sharing settings that is kept up-to-date based on ongoing activity. This data platform enables in-depth inspection that wouldn’t be possible by interfacing with the Drive API alone. With this data platform as the foundation, Material:

  • Scans file contents against a set of custom built ML-based detection rules to identify and classify sensitive content across a wide range of PII, PCI, PHI, and other confidential data categories
  • Calculates file and folder permission sets and sharing settings to build a unified access model that is easier to understand and demonstrate for compliance
  • Enables automated access revocation based on precise search results and activity triggers to continuously reduce the risk profile

The precision of Material allows you to effectively wrangle such a complex and vast data repository without getting in the way of daily use – security without impacting productivity. See it for yourself.

Illuminate blind spots across your Google Drive footprint

With a powerful data platform as the foundation, you gain an expressive search interface that guides you through your Google Drive footprint to identify toxic combinations worthy of investigation. You can search against file metadata, ownership, content, location, and sharing to answer questions such as:

  • Show me every file that contains financial records that are shared externally
  • Show me every file viewable via a public link that contains PII
  • Show me every file accessible by these users who are departing the company next week
  • Show me every file with confidential information that’s shared with a gmail address
  • Show me every file in a Shared Drive that contains health records

As you illuminate more of those dangerous blind spots, you continuously gain a more complete view of the environment with heightened security posture – the types of things that make it easier to sleep at night.

Block exfiltration paths with automated remediation

The primary remediation mode to fix toxic combinations in Google Drive is to revoke access. That sounds easy on the surface, but when you consider the conditions of the whole space, it becomes a multi-dimensional puzzle. When is external sharing valid and when is it not? Are there users that belong to groups that they shouldn’t? Which settings should change when a document is modified to add confidential information?

Precise search and activity-based filtering enable remediation workflows for scenarios such as:

  • Automatically revoking public links for any file that contains classified information
  • Sending users a message to confirm external sharing when files contain any sensitive data
  • Cutting off access to all files shared with specific external domains in a single bulk job
  • Revoking all access to a specific account that displays behaviors of a compromise
  • Resetting any files accessible to the organization that contain personal health information to Restricted

Applying automation generally can get in the way of day-to-day use, so it’s important to build with precision – a better understanding of the nature of content, which domains are trusted, and common user behaviors help you contain the surface area the right way.

Keep your productivity suite productive with Material Security

At Material, we focus our efforts on the productivity suite because we believe that it’s critical infrastructure to any organization. And as critical infrastructure, in-depth security defenses that can effectively stop attacks and reduce risk across the environment are paramount.

The new capabilities with Data Protection for Google Drive solve hard data discovery, governance, and access problems that have traditionally been challenging to do without dedicated tooling.

Want to see it for yourself? Schedule a personal demo with our team today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


