Cyberthreats

Amid growing cyber crimes and API hacks, shore up your API security

FBI Internet Crime report and API security

Cyber attacks and security concerns continue to hamper the IT industry as new development practices, languages, and frameworks appear. In fact, a large number of data breaches and cyber attacks in 2022 have already interrupted normal business operations.

Among many cyber crimes committed already this year, the most notable business cyber hack in the first half of 2022 was from the South American group identified as Lapsus$. This gang of cyber thieves took responsibility for several attacks against major companies including Microsoft, NVIDIA, Samsung, T-Mobile, and Vodafone. In addition, there are growing concerns about state-sponsored cyberattacks in a fraught geopolitical climate.

The healthcare sector is an especially lucrative target, with personal health information (PHI) worth more on the dark web than credit card information. Healthcare data breaches reached an all-time high in 2021, impacting some 45 million people.

What we’ve learned from these breaches is that many organizations are creating and publishing APIs without the proper security protocols or gateways to safeguard them. For example, a recent Approov study of FHIR APIs found 50% of clinical data aggregators did not implement database segmentation, allowing access to patient records belonging to other apps developed on their platform for other providers.
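To make that segmentation failure concrete, here is an added example (not code from the Approov study or from any aggregator): a toy multi-tenant record store in which the flawed lookup trusts only the record id, beside a tenant-scoped lookup that takes the tenant from the caller's already-verified credential. The names, the token claim layout and the sample records are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PatientRecord:
    record_id: str   # id of the FHIR Patient resource
    tenant_id: str   # the provider app that owns the record
    name: str

# Constructed sample: two providers' apps share one aggregator database.
RECORDS = {
    "patient-001": PatientRecord("patient-001", "clinic-a", "Alice Example"),
    "patient-002": PatientRecord("patient-002", "clinic-b", "Bob Example"),
}

class Forbidden(Exception):
    """Raised when the caller's tenant does not own the requested record."""

def tenant_from_claims(claims: dict) -> str:
    """The tenant must come from the already-verified access token (assumed
    claim name 'tenant_id'), never from a query parameter the caller controls."""
    return claims["tenant_id"]

def get_patient_unsegmented(claims: dict, record_id: str) -> PatientRecord:
    """Flawed pattern: any authenticated app can read any record by id."""
    return RECORDS[record_id]            # the caller's tenant is never consulted

def get_patient_segmented(claims: dict, record_id: str) -> PatientRecord:
    """Tenant-scoped lookup: the caller's tenant is part of the access decision."""
    tenant = tenant_from_claims(claims)
    record = RECORDS.get(record_id)
    # Same error for "does not exist" and "not yours", so a caller cannot use
    # the difference to discover which ids exist in other tenants.
    if record is None or record.tenant_id != tenant:
        raise Forbidden(f"tenant {tenant} may not read {record_id}")
    return record
```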

Taking the right steps to secure APIs is especially important as their use continues to grow. A recent Gartner report noted that within a few years, the percentage of third-party APIs used in applications will grow to about 30%, up from less than 10% in 2021. Analysts conclude that while APIs have tremendously improved access to applications and services in software architectures, their massive growth has also brought security challenges, which are emerging as a top concern.

As the author of the FHIR report points out, vulnerabilities tend to arise when data leaves the building:

“An effective kill chain in the targeting of the healthcare industry will not be of the EHR systems running in the providers, but in the third-party FHIR aggregators and third-party apps which access these EHR APIs as data moves from higher security levels to third-party aggregators where security has been found to be flagrantly lacking.”

Internet crime continues to rise

Of course, APIs are far from being the only attack vector these days. According to the latest FBI annual report on internet crime, last year was terrible for organizations and individuals, but a good one for cyber criminals. The report noted:

“In 2021, America experienced an unprecedented increase in cyber attacks and malicious cyber activity. These cyber attacks compromised businesses in an extensive array of business sectors as well as the American public.”

The FBI’s Internet Crime Complaint Center (IC3) said it received nearly 850,000 complaints of internet-related crime, resulting in almost $7 billion in financial losses. It’s quite a startling jump in the past half-decade. In 2017, there were only about 301,000 complaints with financial losses around $1.4 million.

The FBI report reveals that the #1 method cyber criminals use to breach company data (or individual accounts) is some variety of phishing (email scam), vishing (voice scam), smishing (text scam) or pharming (website redirect) scam. Other methods for gaining access to company systems include identity theft attempts, personal data breaches, and fraudulent emails from “tech support” or messages about a non-payment or non-delivery that cause an unsuspecting worker to click on a malicious link.

Internet security firm Kroll found that phishing attacks used for initial access into an organization increased 54% compared to Q1 2021. 54%! That’s a statistic that should send shivers down the spine of every CTO and CIO.

[Figure] Kroll: Incidences of phishing for initial access soar. Graphic via: https://www.redscan.com/services/dark-web-monitoring/

Once a cyber criminal is within your systems, they can infiltrate your APIs and cross-reference them with other exposed data to steal names, email addresses, physical addresses, account numbers, and more.

That’s what happened to the jobs and recruiting platform LinkedIn in 2021. Hackers got into LinkedIn and stole data from some 700 million LinkedIn users. This data included usernames and IDs, phone numbers, email addresses, job titles, and more. The criminals pulled the data through LinkedIn’s API, then tried to sell it on the dark web so that other bad actors could carry out their own phishing attacks on unsuspecting organizations.

Maintaining top-level API security

APIs power the web world and help move data from system to system. For example, there are APIs for payments (PayPal, Venmo, Stripe, etc.); employee background checks (Checkr and others); healthcare services, marketing data, video services, and so many other purposes.

And as the use of APIs – whether their own or from third parties – grows fast in enterprises, haste in implementation can lead to unmanaged or poorly secured APIs. This creates openings for bad actors to attack API traffic, resulting in losses of millions of dollars.

In a recent report, API security firm Salt Security highlights key reasons why API security lapses rose an astounding 681% in 2021. These reasons mainly involve poorly written documentation, excessive data exposure, and poor authentication procedures. As Axway Catalyst Erik Wilde explains in his discussion of the top ten most common API security issues, proper governance and management are essential.

Hacks that take advantage of unsecured APIs also illustrate the importance of an API gateway that provides fine-grained access control. The right API management solution allows you to monitor how your APIs are being used and who is accessing them, detecting suspicious patterns which can alert you to possible intruders.
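As an added illustration of the monitoring this paragraph calls for (not Axway's or any gateway product's code): detection logic run over a few constructed gateway access-log lines, flagging a client that reads an unusually wide spread of patient ids or accumulates forbidden responses. The log format, the paths and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Access-log line format this example assumes the gateway writes (constructed).
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<path>\S+) status=(?P<status>\d{3})$")
# A FHIR Patient read; the id is what an enumerating client walks through.
PATIENT_RE = re.compile(r"^/fhir/Patient/(?P<pid>[^/?]+)")

# Constructed sample: app-1 reads its own patient, app-2 walks the id space.
SAMPLE_LOG = """\
2022-06-01T10:00:02Z client=app-1 GET /fhir/Patient/p-101/Observation status=200
2022-06-01T10:00:03Z client=app-2 GET /fhir/Patient/p-200 status=200
2022-06-01T10:00:04Z client=app-2 GET /fhir/Patient/p-201 status=403
2022-06-01T10:00:05Z client=app-2 GET /fhir/Patient/p-202 status=403
2022-06-01T10:00:06Z client=app-2 GET /fhir/Patient/p-203 status=403
2022-06-01T10:00:07Z client=app-2 GET /fhir/Patient/p-204 status=200
2022-06-01T10:00:08Z client=app-2 GET /fhir/Patient/p-205 status=200
"""

def parse_line(line: str):
    """Return (client, patient_id or None, status), or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    pm = PATIENT_RE.match(m["path"])
    return m["client"], (pm["pid"] if pm else None), int(m["status"])

def find_suspicious_clients(log_text: str, max_distinct_ids: int = 5,
                            max_forbidden: int = 3) -> dict:
    """Map client -> reasons, for clients whose traffic looks like record enumeration."""
    distinct_ids, forbidden = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue            # a production detector would count malformed lines too
        client, pid, status = parsed
        if pid is not None:
            distinct_ids[client].add(pid)
        if status == 403:
            forbidden[client] += 1
    alerts = {}
    for client in set(distinct_ids) | set(forbidden):
        reasons = []
        if len(distinct_ids[client]) > max_distinct_ids:
            reasons.append(f"{len(distinct_ids[client])} distinct patient ids read")
        if forbidden[client] >= max_forbidden:
            reasons.append(f"{forbidden[client]} forbidden (403) responses")
        if reasons:
            alerts[client] = reasons
    return alerts
```

In a real deployment the thresholds would be tuned per client and per time window, and the alert routed to the same place as the gateway's other security events.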

Wilde also notes that API security begins when an API is being designed, not as an afterthought.

Companies with a defense-in-depth strategy and centralized API governance can withstand a hack more confidently than those without proper governance protocols.

You don’t need to sacrifice security to achieve speed

The complexity of API security could understandably put the brakes on innovation – in fact, it sometimes does just that. But leading enterprises find the balance between security and speed, building the kinds of digital experiences their customers have come to expect while keeping their data safe.

Top German private and corporate bank Commerzbank wanted to provide more personalized digital services to its customers and move from a traditional banking market to an open banking market. When selecting an API management solution, security, ease of integration, and maintainability were the bank’s key criteria, so they selected Axway’s Amplify API Management Platform.

With a secure foundation, Commerzbank was able to build a robust, API-powered architecture that could support new, open services — without sacrificing the essential protection required for sensitive financial data.

“One of the big outcomes of our transformation is the shift from a ‘build once, use once’ mentality to a ‘build once, reuse many times’ philosophy,” explains Katharina Berner, Product Owner API Strategy, Open Banking & Digital Ecosystems at Commerzbank. “By offering our developers a catalog of APIs — all managed on one platform to ensure consistent governance and security — we can accelerate the delivery of new services significantly.”

Discover how Commerzbank is building new services based on 150 reusable APIs and counting.

A leading U.S. health insurer used Axway to build secure, compliant API integrations. This insurer works with third-party cloud solutions to help its teams manage claims, provide clinical data, service prescriptions, and benefits for its members, and guide customers to answers online and via mobile devices.

To manage this complex set of tasks, the insurer turned to Axway’s Amplify. With Amplify, the insurer can discover and secure all its APIs and endpoints across environments and vendors thanks to a central control plane that lets it see vulnerabilities and adjust quickly.

They were able to stand up a secure portal to enable developers to discover and consume Fast Healthcare Interoperability Resources (FHIR) APIs. They’re cutting compliance risks – and costs – in the process by automating what was previously a manual onboarding process.

And as a spokesperson points out, the health insurer’s work with Axway was about more than achieving security and compliance:

“By publishing open APIs for the first time, we’re laying the foundation for innovative healthcare services for our members in the future.”

Secure your APIs with Amplify

Some of the largest financial and healthcare institutions around the world trust Axway to help manage, govern, and secure their APIs. As the FBI cyber crime report notes, these critical infrastructure sectors are among the most frequently victimized – and it’s likely to worsen.

API security requires a combination of technology and processes, and security is at the heart of our expertise at Axway. Don’t let API security concerns scare you away from seizing new opportunities and driving innovation.

Download our white paper to learn ten ways to stay ahead of rapidly evolving security threats.