Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

The Top API and Data Security Trends You Can Expect in 2023

Michael Nicosia
Mar 28, 2023

We’ve already had the first major API-related cybersecurity incidents for 2023. The T-Mobile API breach exposed the personally identifiable information (PII) of 37 million customers. The API attack had been going on since November but was not discovered and disclosed until January 19, illustrating the threat of the “low and slow” approach of API attacks, which are increasing at a steady pace. Following research by Sam Curry that uncovered hundreds of API vulnerabilities in the automotive industry – from Mercedes-Benz to Nissan to Kia to Ferrari and more – it’s not surprising that 2023 has been dubbed “The Year of API Security.”

Unfortunately, threats do not stop at API security. Today’s organizations – and the world – face inordinate security risks. What other threats and trends can we expect to see in the coming year?

Dr. Edward Amoroso, CEO, TAG Cyber and research professor, NYU

Automated attacks targeting industrial control system (ICS) infrastructure will explode in 2023, following a ransomware-type cadence and designed for maximal disruption.

The on-going war in Ukraine will certainly be a factor. We could see cyber disruptions to ICS coming either from real nation-state origins (i.e., Russia) or from teams purporting to be Russian government sponsored. Targeted ICS will likely be in the U.S., U.K., and the like. Ukraine will also see ICS attacks as they did from Russia in 2015.

For expected exploits, we haven't seen Stuxnet-at-scale yet, and more than 12 years have passed since that event. Our threat modeling suggests that a repeat series of on-going Stuxnet-type attacks at scale will occur, and automated malicious access through public APIs will be a major vector.

Jeff Farinich, SVP Technology and CISO, New American Funding

Recent attacks prove multi-factor authentication (MFA) is no longer sufficient, requiring adoption of Passwordless authentication for increased protection.

Cloud security is no longer limited to Infrastructure-as-a-Service (IaaS), the widespread adoption of cloud-based apps requires Software-as-a-Service (SaaS) security posture management.

The browser has become the primary workspace but remains rather insecure, requiring enterprise browsers or plug-ins to provide granular security controls.

Expanding regulations with stronger enforcement actions at the federal level (FTC, SEC) and state level (California, Colorado, Connecticut, New York, Utah, and Virginia) will require maturing of controls, policies, and practices to further protect customer data.

Michael Farnum, CTO, Set Solutions, Inc.

As SaaS vendors continue to increase in numbers, and PaaS and low-code/no-code tools enable the Citizen Developer movement, non-IT employees will increasingly build apps and functionality without involvement from IT and security. Companies will struggle to get ahead (and stay ahead) of  shadow IT as more complicated functionality is built into non-sanctioned/non-federated applications and APIs.

CISOs first need to ensure policy and education are in place so employees understand the danger and potential consequences of non-federated SaaS and PaaS implementations. Second, tooling around discovery, federation, control, and offboarding of SaaS and PaaS tools must be investigated now to get shadow IT under control (even if they don’t know they have this problem).

Richard Stiennon, Chief Research Analyst, IT-Harvest

Two years ago, we learned about one of the most potentially damaging direct attacks ever – the corruption of a SolarWinds software update.  

Insecure CI/CD processes are not the root problem. The real problem is that we have spent decades cajoling teams to patch immediately. Scan systems continuously, score discovered vulnerabilities by severity or “risk,” and patch, patch, patch.

Malicious software updates are not new. During the Athens Olympics in 2004, Ericsson switches at the Greek telecom provider were updated to turn on standard lawful intercept and athletes, Olympic officials, and politicians had their phones illegally tapped. NotPetya, a malicious worm seeded in Ukraine, stemmed from a compromised update from an accounting software company. And the FLAME malware was delivered via a spoofed Microsoft update to specific targets.

In 2023, we will get more reminders that we cannot trust software updates, even if signed, sealed, and delivered directly from the supply chain. We must look at ways to defend ourselves now, before the next SolarWinds.

Patricia Titus, Chief Privacy and Information Security Officer, Markel Corporation

The cybersecurity labor market will continue to struggle with filling vacancies and diversity. Skilled talent with experience in security operations and identity engineers will be difficult to find and retain. Cybersecurity professionals will demand more benefits like remote work and excessive pay.

CISOs will also be impacted as they demand directors and officers insurance, indemnification and pre- and post-employment benefits. They may opt for the number two role to avoid risk or move out of the position altogether, adding to the cyber security leadership gap.

Target of opportunity will always be the weakest link in the armor – humans.  With sophisticated threat actors crafting more realistic phishing campaigns and the prevalence of multifactor authentication (MFA) bombing/fatigue, attackers will continue to gain entry into email systems, intent on diverting financial transactions to fraudulent bank accounts.

Daniel van Slochteren, Chief Innovation Officer at Open Line

Technology-driven investments will not pay off. Most companies invest in technology driven cybersecurity, with the following results: no overview, skyrocketing costs, and solutions that are bandages but don’t stop the bleeding.  

Organizations must connect cybersecurity investments to potential digital business risks that could seriously impact core business objectives.  

Companies need a ‘top-down” approach, in which business objectives and research into business risk lead their decision making. Creating possible risk-based scenarios and risk-based use cases enables companies to determine which logging, tooling, and software are needed to manage digital business risks. By focusing on what really matters, companies gain control over cybersecurity measures and investments.  

Colin Williams, Business Line CTO, Computacenter UK

Organizations now face an additional challenge, potentially as great as the cyber defense battle fought every day - complexity.

Maintaining costly and highly complex enterprise security environments, while wrestling with the bigger challenge of finding qualified security professionals to maintain them, could leave organizations with an unmanageable and insecure operational state. The first initiative for 2023 is to investigate existing security solutions for areas of overlap and eliminate that duplication. The only new security “silver bullets” to introduce should provide clear, differentiated protections that secure currently insecure assets. Companies must simplify to lower costs, enhance visibility, and increase operational efficiency. Focus on true security coverage gaps and lay the foundations for increased use of automation.

As we continue in 2023, companies should look to focus on what really matters so they can gain control over cybersecurity measures and investments.

This article first appeared in BetaNews.

To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

November 21, 2024

Eric Schwake
Head of Product Marketing

Industry

API (In)security: The Hidden Risk of Black Friday

Learn how, for online retailers, Black Friday represents both a lucrative opportunity and a significant cybersecurity challenge.

Read more

November 5, 2024

Eric Schwake
Head of Product Marketing

Industry

API Security: The Non-Negotiable for Modern Transportation

Airlines and transportation companies heavily rely on APIs to handle sensitive data, from customer information to payment details and flight schedules. While crucial for efficient operations, these APIs are also prime cyberattack targets.

Read more

October 31, 2024

Alexandria Nicosia
Social Media Manager

Industry

Securing APIs in Retail: Safeguarding Customer Data

In the fast-paced retail industry, where customer trust and data protection are critical, API security must be a top priority to ensure both reliability and a seamless customer experience, confidence, and trust in digital services.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back