We’ve already had the first major API-related cybersecurity incidents for 2023. The T-Mobile API breach exposed the personally identifiable information (PII) of 37 million customers. The API attack had been going on since November but was not discovered and disclosed until January 19, illustrating the threat of the “low and slow” approach of API attacks, which are increasing at a steady pace. Following research by Sam Curry that uncovered hundreds of API vulnerabilities in the automotive industry – from Mercedes-Benz to Nissan to Kia to Ferrari and more – it’s not surprising that 2023 has been dubbed “The Year of API Security.”
Unfortunately, threats do not stop at API security. Today’s organizations – and the world – face inordinate security risks. What other threats and trends can we expect to see in the coming year?
Automated attacks targeting industrial control system (ICS) infrastructure will explode in 2023, following a ransomware-type cadence and designed for maximal disruption.
The ongoing war in Ukraine will certainly be a factor. We could see cyber disruptions to ICS coming either from real nation-state origins (i.e., Russia) or from teams purporting to be Russian government sponsored. Targeted ICS will likely be in the U.S., U.K., and the like. Ukraine will also see ICS attacks, as it did from Russia in 2015.
For expected exploits, we haven't seen Stuxnet-at-scale yet, and more than 12 years have passed since that event. Our threat modeling suggests that a repeat series of ongoing Stuxnet-type attacks at scale will occur, and automated malicious access through public APIs will be a major vector.
Recent attacks prove multi-factor authentication (MFA) is no longer sufficient, requiring adoption of passwordless authentication for increased protection.
Cloud security is no longer limited to Infrastructure-as-a-Service (IaaS); the widespread adoption of cloud-based apps requires Software-as-a-Service (SaaS) security posture management.
The browser has become the primary workspace but remains rather insecure, requiring enterprise browsers or plug-ins to provide granular security controls.
Expanding regulations with stronger enforcement actions at the federal level (FTC, SEC) and state level (California, Colorado, Connecticut, New York, Utah, and Virginia) will require maturing of controls, policies, and practices to further protect customer data.
As SaaS vendors continue to increase in numbers, and PaaS and low-code/no-code tools enable the Citizen Developer movement, non-IT employees will increasingly build apps and functionality without involvement from IT and security. Companies will struggle to get ahead (and stay ahead) of shadow IT as more complicated functionality is built into non-sanctioned/non-federated applications and APIs.
CISOs first need to ensure policy and education are in place so employees understand the danger and potential consequences of non-federated SaaS and PaaS implementations. Second, tooling around discovery, federation, control, and offboarding of SaaS and PaaS tools must be investigated now to get shadow IT under control (even if they don’t know they have this problem).
Two years ago, we learned about one of the most potentially damaging direct attacks ever – the corruption of a SolarWinds software update.
Insecure CI/CD processes are not the root problem. The real problem is that we have spent decades cajoling teams to patch immediately. Scan systems continuously, score discovered vulnerabilities by severity or “risk,” and patch, patch, patch.
Malicious software updates are not new. During the Athens Olympics in 2004, Ericsson switches at the Greek telecom provider were updated to turn on standard lawful intercept, and athletes, Olympic officials, and politicians had their phones illegally tapped. NotPetya, a malicious worm seeded in Ukraine, stemmed from a compromised update from an accounting software company. And the FLAME malware was delivered via a spoofed Microsoft update to specific targets.
In 2023, we will get more reminders that we cannot trust software updates, even if signed, sealed, and delivered directly from the supply chain. We must look at ways to defend ourselves now, before the next SolarWinds.
The cybersecurity labor market will continue to struggle with filling vacancies and diversity. Skilled talent with experience in security operations, as well as identity engineers, will be difficult to find and retain. Cybersecurity professionals will demand more benefits like remote work and excessive pay.
CISOs will also be impacted as they demand directors and officers insurance, indemnification, and pre- and post-employment benefits. They may opt for the number two role to avoid risk or move out of the position altogether, adding to the cybersecurity leadership gap.
The target of opportunity will always be the weakest link in the armor – humans. With sophisticated threat actors crafting more realistic phishing campaigns and the prevalence of multi-factor authentication (MFA) bombing/fatigue, attackers will continue to gain entry into email systems, intent on diverting financial transactions to fraudulent bank accounts.
Technology-driven investments will not pay off. Most companies invest in technology-driven cybersecurity, with the following results: no overview, skyrocketing costs, and solutions that are bandages but don’t stop the bleeding.
Organizations must connect cybersecurity investments to potential digital business risks that could seriously impact core business objectives.
Companies need a “top-down” approach, in which business objectives and research into business risk lead their decision making. Creating possible risk-based scenarios and risk-based use cases enables companies to determine which logging, tooling, and software are needed to manage digital business risks. By focusing on what really matters, companies gain control over cybersecurity measures and investments.
Organizations now face an additional challenge, potentially as great as the cyber defense battle fought every day – complexity.
Maintaining costly and highly complex enterprise security environments, while wrestling with the bigger challenge of finding qualified security professionals to maintain them, could leave organizations with an unmanageable and insecure operational state. The first initiative for 2023 is to investigate existing security solutions for areas of overlap and eliminate that duplication. The only new security “silver bullets” to introduce should provide clear, differentiated protections that secure currently insecure assets. Companies must simplify to lower costs, enhance visibility, and increase operational efficiency. Focus on true security coverage gaps and lay the foundations for increased use of automation.
As we continue in 2023, companies should look to focus on what really matters so they can gain control over cybersecurity measures and investments.
This article first appeared in BetaNews.