A CISO's job has never been more challenging. Engineering teams move fast, especially as organizations accelerate their digital transformation efforts. The tech stack is exploding and varies greatly across the organization, and there is a surge of internal, external, and partner APIs.
It's T-Mobile in the headlines today, but frankly it could be any other Fortune 1000 company. Protecting APIs requires a different toolset and skill set, and organizations need to adapt as they lean on more and more APIs to support their innovation, competitive, and customer-focused efforts.
## What we know about the breach
Here's what we know so far about today's T-Mobile hack, based on [an 8-K filing with the SEC]() and the official press release:
* A bad actor obtained data through a single API.
* It's possible the abused API had no authorization check, or that the attacker bypassed it or exploited a BOLA (Broken Object Level Authorization) vulnerability (the SEC filing says _a bad actor was obtaining data through a single API … without authorization_).
* The API abuse impacted approximately 37 million customer accounts.
* T-Mobile and its external cybersecurity experts were able to stop the malicious activity within a day of learning of it.
* The impacted API provided "limited" access to customer data, including name, billing address, email, phone number, date of birth, account number, and some other details.
Source: T-Mobile's SEC filing (January 19, 2023).
## How to improve your API Security Strategy in 2023-2024
1. **Discover and inventory _all_ your APIs.** Maintain a centralized inventory of all your APIs, both managed and unmanaged, and both public-facing and designed for internal use. You can and should automate this process.
2. **Assess and score your API risk.** Which APIs handle sensitive data? Which of them lack authentication/authorization? Which of them handle sensitive data AND lack authentication/authorization? Why? Automatically alert your team if the risk score is above your threshold.
3. **Prevent API abuse.** Is it normal behavior for a single user, IP, or credential to fetch data with millions of requests within a short period of time? Probably not, so block the user/session proactively, block the IP if required, and alert the team. Request volume per credential and the number of distinct records a single credential touches are both useful signals. You can do this automatically.
4. **Have adequate security controls.** There is a chance the API had no authorization check at all. Or the breach may have come through an Injection ([OWASP API8:2019]()) or BOLA ([OWASP API1:2019]()) vulnerability. Modern API security products can remediate these issues. Older tools like cloud WAFs and API gateways can't: they have no notion of which caller owns which object, so a BOLA request looks exactly like a legitimate one to them.
5. **Proactively remediate issues quickly.** T-Mobile was able to end the malicious activity within a day of discovery, which might be considered pretty fast if it weren't for the 40+ day dwell time before discovery. When talking about APIs, anything that is not real-time and immediate is not fast enough. The attacker was able to execute millions of requests and retrieve millions of records quickly; we need to be able to respond just as quickly.
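The following is an added example illustrating items 3 and 4 above; it is not code from the original post, from Wallarm, or from T-Mobile, and nothing in it reflects how the breached API actually worked. It puts a BOLA-vulnerable account lookup next to one that enforces object-level authorization, and runs a simple per-credential enumeration detector over a handful of constructed access-log lines. The account records, token names, endpoint path, window size and threshold are all assumptions chosen for the example.

```python
"""Added example: BOLA-vulnerable vs. hardened lookup, plus an enumeration
detector. All data, identifiers and thresholds below are constructed for the
example and are not from the T-Mobile incident."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed data store: account_id -> record (hypothetical accounts).
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "name": "Alice A.", "phone": "555-0101"},
    1002: {"owner": "bob",   "name": "Bob B.",   "phone": "555-0102"},
    1003: {"owner": "carol", "name": "Carol C.", "phone": "555-0103"},
}


class Forbidden(Exception):
    """Raised when a caller is not allowed to read the requested object."""


def get_account_vulnerable(caller: str, account_id: int) -> Optional[dict]:
    """BOLA (OWASP API1:2019): the caller is authenticated, but the handler never
    checks that account_id belongs to the caller. Any caller can therefore walk
    the ID space and pull every record. Kept deliberately vulnerable."""
    return ACCOUNTS.get(account_id)


def get_account_hardened(caller: str, account_id: int) -> dict:
    """Object-level authorization: return the record only if the caller owns it.
    Unknown and foreign IDs raise the same Forbidden, so the response does not
    act as an oracle for which IDs exist."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or rec["owner"] != caller:
        raise Forbidden(f"{caller} may not read account {account_id}")
    return rec


def demo_bola() -> Dict[str, bool]:
    """Show what each handler lets 'bob' see of alice's account."""
    leaked = get_account_vulnerable("bob", 1001) is not None
    try:
        get_account_hardened("bob", 1001)
        denied = False
    except Forbidden:
        denied = True
    return {"vulnerable_leaks": leaked, "hardened_denies": denied}


class EnumerationDetector:
    """Sliding window per credential: flag a credential that touches more than
    max_distinct_ids distinct account IDs within window_s seconds.
    Both thresholds are assumptions for the example, not recommended values."""

    def __init__(self, window_s: int = 60, max_distinct_ids: int = 20) -> None:
        self.window_s = window_s
        self.max_distinct_ids = max_distinct_ids
        self._events: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.blocked: Set[str] = set()

    def observe(self, ts: float, credential: str, account_id: int) -> bool:
        """Record one request; return True if the credential is (now) blocked."""
        if credential in self.blocked:
            return True
        events = self._events[credential]
        events.append((ts, account_id))
        cutoff = ts - self.window_s
        while events and events[0][0] < cutoff:   # expire old events
            events.pop(0)
        distinct = {aid for _, aid in events}
        if len(distinct) > self.max_distinct_ids:
            self.blocked.add(credential)          # block session, alert team
            return True
        return False


# Constructed access-log lines: "<epoch> <credential> GET /v1/accounts/<id>".
# tok_alice re-reads her own account; tok_attacker walks 30 sequential IDs.
SAMPLE_LOG = "\n".join(
    ["1674086400 tok_alice GET /v1/accounts/1001",
     "1674086401 tok_alice GET /v1/accounts/1001"]
    + [f"{1674086500 + i} tok_attacker GET /v1/accounts/{2000 + i}" for i in range(30)]
)


def parse_line(line: str) -> Tuple[float, str, int]:
    """Parse one constructed log line into (timestamp, credential, account_id)."""
    ts, cred, _method, path = line.split()
    return float(ts), cred, int(path.rsplit("/", 1)[1])


def run_detector(log_text: str, **kwargs) -> Set[str]:
    """Feed every log line to a detector and return the blocked credentials."""
    det = EnumerationDetector(**kwargs)
    for line in log_text.splitlines():
        if line.strip():
            det.observe(*parse_line(line))
    return det.blocked


if __name__ == "__main__":
    print(demo_bola())             # {'vulnerable_leaks': True, 'hardened_denies': True}
    print(run_detector(SAMPLE_LOG))  # {'tok_attacker'}
```

The detector keys on distinct object IDs per credential rather than raw request count, because a legitimate client re-reading its own record at high volume looks very different from one credential walking the ID space, which is the shape of an API scrape. In production the state would live in a shared store and the block would be enforced at the gateway; the object-ownership check in `get_account_hardened` is the control that removes the BOLA regardless of rate.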
As Ivan Novikov, CEO and co-founder of Wallarm, noted: “The T-Mobile API breach serves as a reminder of the critical importance of API security in today’s digital landscape. As a leading API security company, Wallarm is uniquely equipped to mitigate the risk of similar breaches for organizations of all sizes. We understand the challenges that CISOs and security executives face and are committed to providing the tools and expertise needed to protect against API abuse. By learning from this incident, we can all take steps to improve our API security programs in 2023 and stay ahead of the curve in the ongoing battle against cyber threats.”
The post [Learn from the T-Mobile API Breach to Improve Your API Security Program in 2023]() appeared first on [Wallarm]().