News

Misconfigured APIs make up two-thirds of cloud breaches

  • www.securitymagazine.com
  • published date: 2021-09-17 00:00:00 UTC


<div class="body gsd-paywall article-body">
<p>Shadow IT and misconfigured application programming interfaces (APIs) accounted for the vast majority of security incidents in the cloud last year, according to the <a href="https://www.ibm.com/downloads/cas/WMDZOWK6" target="_blank">2021 IBM Security X-Force Cloud Threat Landscape Report</a>. In particular, the report revealed that two-thirds of the incidents studied involved improperly configured APIs.</p>
<p>This year, IBM augmented the 2020 report with new and more robust data spanning Q2 2020 through Q2 2021. Data sets used include dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research. Together these data sources give a clearer picture of how threat actors are getting into cloud environments, what types of malicious activity they pursue once inside, and how organizations can prepare for and react to security incidents involving their cloud environments more effectively.</p>
<h3><strong>Cloud Environments Need to Be Better Secured</strong></h3>
<p><strong>Cloud accounts/resources on the dark web.</strong> There is a thriving dark web market for public cloud access, with advertisements for tens of thousands of cloud accounts and resources for sale. In 71% of cases, threat actors offered Remote Desktop Protocol (RDP) access to cloud resources, enabling attackers to gain direct access and conduct malicious activity. In some cases, account credentials for cloud environments were being sold for a few dollars.</p>
<p><strong>Passwords &amp; Policies</strong>: The vast majority of X-Force Red penetration tests of cloud environments found issues with either passwords or policies.</p>
<p><strong>Hardening systems</strong>: Based on X-Force research, two-thirds of breaches of cloud environments would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems.</p>
<p><strong>Vulnerabilities in cloud-deployed applications surge</strong>: Almost half of the more than 2,500 disclosed vulnerabilities in cloud-deployed applications recorded to date were disclosed in the last 18 months. While some of this growth can be attributed to better tracking (cloud vulnerabilities were added to MITRE’s CVE standards in January 2020), this steep growth emphasizes the importance of closely managing this growing risk as more vulnerabilities are exposed.</p>
<h3><strong>Threat Actors Target Cracks in the Armor</strong></h3>
<p><strong>Public API policies</strong> represented a significant security gap. Two-thirds of the incidents analyzed involved improperly configured application programming interfaces (APIs), based on analysis of X-Force Incident Response data from impacted clients.</p>
<p>Michelle McLean, Vice President at <a href="https://salt.security/" target="_blank">Salt Security</a>, a Palo Alto, Calif.-based provider of API security, says, “APIs are the heart of applications, powering business functionality and serving up data. In the current Q3 <a href="https://salt.security/api-security-trends" target="_blank">State of API Security report</a>, Salt Labs found that API traffic had increased 141% in the past six months while malicious API traffic increased a whopping 348%. And 94% of respondents had experienced an API security incident in the past 12 months.</p>
<p>“Perhaps the clearest indicator that this market has reached a tipping point comes in recent Gartner research. In its August 25, 2021, <a href="https://salt.security/blog/api-security-tipping-point-gartner-just-created-the-category" target="_blank">report entitled “Advance your PaaS Security,”</a> Gartner modified its long-standing security reference architecture to add a distinct pillar dedicated to API security. For years, Gartner noted three components to securing services:</p>
<ul>
<li>WAF, WAAP, API gateway, and CDNs for edge security</li>
<li>CWPP for data-plane security</li>
<li>CSPM for control-plane security</li>
</ul>
<p>“Over those years, Gartner nested API security under the WAF/WAAP pillar. In its verbiage, the firm would acknowledge that some organizations might need dedicated API security. But the “picture” didn’t show it separately. By adding API security as a standalone core element of this security reference architecture, Gartner has acknowledged that protecting APIs requires dedicated API security tooling.</p>
<p>“This explosive growth in the API security market brings both good news and bad news for buyers. On the upside, customers gain choices, and competition should improve product capabilities. On the downside, separating signal from noise gets harder as the noise gets louder and more voluminous, so organizations will need to dig in and better evaluate both the technical capabilities as well as the customer penetration and success each platform delivers.”</p>
<p>In addition, one of the top attack vectors X-Force observed targeting cloud was threat actors <strong>pivoting from on-premises environments into cloud environments</strong>. This lateral movement was seen in almost a quarter of incidents X-Force responded to in 2020.</p>
<p>IBM estimates that over half of breaches of cloud environments occurred due to “<strong>shadow IT</strong>”: unauthorized systems spun up against security policies, which likely lacked vulnerability and risk assessments as well as hardened security protocols.</p>
<p><strong>Cryptominers and ransomware remain the top dropped malware</strong> into cloud environments, accounting for over half of detected system compromises based on the data analyzed. Threat actors continue to pursue clouds in their malware development, with new variants of old malware focusing on Docker containers and new malware written in cross-platform programming languages such as Golang.</p>
<p>APIs are silently but rapidly becoming one of the most critical pieces of the software supply chain, says Setu Kulkarni, Vice President, Strategy at <a href="https://www.whitehatsec.com/" target="_blank">NTT Application Security</a>, a San Jose, Calif.-based application security provider. He adds, “Organizations are now one vulnerable API call away from a potential major breach. An underlying challenge that gets obscured is that APIs today are facades to legacy systems that were never designed to be online or used in an integrated B2B or B2C setting. By creating an API layer, these legacy transactional systems are enabled to participate in digital transformation initiatives. This pattern of API enablement of legacy systems creates security issues which otherwise would not have been issues in the controlled trusted zones the legacy systems were designed to operate in.”</p>
</div>