Optus has suffered a massive cyberattack, the sensitive information of nearly 10 million customers has been exposed and data has been stolen from 2.8 million customers. The details included names, birth dates, phone numbers, email addresses, and – for some customers – addresses and driver’s licences, and passport numbers.
How did the attack happen?
Based on the initial investigation, the cybercriminals could access Optus’s customer identity database through an API, or Application Programming Interface. Optus had an API that didn’t require any authentication to access the customer data within. The fact the API was exposed to a test network that could be accessed by the internet, meant that anyone with knowledge of its existence could access the customer database.
A cyberattack of this scale is devastating to any company. Optus will face financial implications as well as immense reputational damage. Optus will also lose profits to competitors, as existing and potential customers go elsewhere and will need to cover the cost of fixing their cybersecurity and compensating customers.
It is important that basic cybersecurity best practices are in place to ensure your systems and networks are secure, with any vulnerabilities patched and dealt with. So what is an API? And how do you secure it?
Download our full guide on the Optus data breach
Learn everything you need to know about the Optus Data Breach and the nine steps your business should take to avoid succumbing to a similar cyberattack.
Below is an introduction to APIs and eight key ways to secure them:
What is an API?
API or Application Programming Interface in simple terms is the software medium that allows for two-way communication between two applications. Through an API, one application or program can access the information and capabilities of another.
Let us look at a real-life example to help you understand how an API works:
Imagine you’re at a restaurant, and you are given a menu to select what you would like to eat. You have made your decision and are looking to place an order. Although the kitchen is in view and is where your meal will be cooked, what is missing is the intermediary to communicate your order to the chef, wait till it is cooked and then deliver it back to your table.
That is where the waiter or API comes in. The waiter is the messenger – or API – that takes your request or order and tells the kitchen – the system – what to do, mentioning any additional requests you might have made, like dietary requirements you may have included in your order. The waiter then delivers the response back to you, in this example, the meal you ordered.
APIs work based on the concept of request and response, an individual makes a request in the hopes that that request is fulfilled by a response. An API acts like the facilitator or interface for that request, it’s role isn’t simply to communicate a message but to also interpret what is needed, source the information or solution and respond back.
What are the benefits of an API?
Now that you have a basic understanding of how an API works, you can imagine how useful they are. Here is how they are beneficial:
To developers - APIs simplify the overall coding process and provide developers with access to a treasure trove of data and resources, that without an API they wouldn't be able to access.
To providers - APIs allow providers the ability to make valuable data and services available to developers for a fee.
To customers - APIs enable the creation of innovative, feature-rich, interactive apps that provide many services all in one app.
Why is it important to secure an API?
APIs have quickly become the go-to method for building applications, especially when it comes to mobile and IoT devices. Although they are highly beneficial they act as the gateway to data, exposing data to outsiders and the public. This makes APIs extremely lucrative targets for a malicious actor, not solely for the data the APIs provide, but as potential entry points to other backend systems within a business’s infrastructure. APIs can pose a huge risk to companies, and like in Optus’s case can lead to a devastating cyberattack.
Here are eight best practices when it comes to securing an API:
1. Make security a priority when developing APIs
The security of an API needs to be considered during its development and not as an afterthought once it has been implemented. As we have seen with Optus, a single API can expose an entire database to cybercriminals looking to steal or expose the sensitive information stored within. Therefore businesses need to ensure that security is thought of during the development process.
2. Make sure you take an account of all your publicly available APIs
With how many uses APIs have, businesses tend to have dozens or even hundreds of publicly available APIs. It is essential that you keep an inventory of all your existing APIs, to then be able to secure and manage them appropriately.
3. Apply the concept of least privilege when it comes to API access
An effective method of implementing access control is by following the concept of least privilege. Least privilege is defined as the strict assignment of access rights and permissions for users, accounts, applications, systems, devices and computing processes, to the absolute minimum so that assigned organisational activities can be carried out. It gives users the bare minimum permissions they need to perform their work. It is essential that this principle is applied to APIs.
4. Ensure that API access is protected by authentication
Non-existent authentication and authorisation are major issues with many publicly available APIs. In fact, this is the key reason why cybercriminals were able to access 10 million customer records stored in Optus’s database. Since an API can provide access to an organisation's databases, it is essential that access to them is strictly controlled and monitored.
Authorisation mechanisms such as the OAuth2.0 system segment your account into resources and provides limited access to the auth token bearer. An additional precaution that can be taken is to implement an expiry protocol on authentication tokens, for example, a 24-hour expiry on tokens can mitigate the impact of a breach or security incident.
5. Implement rate limiting across APIs
Rate limiting is used to control the rate of requests sent or received by a network interface controller. By implementing a constraint to the number of requests that are accepted by your APIs are often subject to Distributed Denial of Service or DDoS attacks, by implementing rate limiting you can defend against bots that flood your APIs with requests in the hopes of disabling them.
6. It is vital to validate input from an API before it passes to an endpoint.
An SQL Injection can wipe out entire databases if not careful. Therefore it is essential that any input that passes through to an endpoint is validated. If it is a bad input, for example, our API expects an email address but is given an address, then the API will reject the data. This is an essential method for securing APIs and preventing attempts by cybercriminals to compromise them.
7. TLS Encryption needs to be considered essential for every API
8. Control the amount of data exposed by APIs
Organisations may choose to not encrypt data from APIs that are considered ‘non-sensitive’, however, this may open an organisation up to a ‘man in the middle attack’. Organisations that utilise APIs to exchange sensitive information should consider encryption as essential. The cost of a data breach or cyberattack severely outweighs the cost of a TLS certificate.
Ensure that APIs are revealing the right amount of data or information required to complete their task. If security controls are not in place, APIs can reveal an extraneous amount of information that can create vulnerabilities. Ensure that filtering is done by the endpoint to control the amount of data exposed by APIs.
The above methods are just a starting point when it comes to securing APIs and protecting your organisation from cybercriminals. APIs are frequently targeted by malicious actors who utilise SQL Injections, Cross-Site Scripting, Distributed Denial-of-Service or Man-In-The-Middle attacks against them. To ensure that your APIs aren’t susceptible to threats like this it is essential that they are adequately secured by your organisation. If you are not sure where to start, the above seven methods are a good starting point for improving your API security.
How can StickmanCyber help?
We know that cybersecurity can be an overwhelming prospect for business owners, especially ones that own small to medium businesses with a limited budget. There are many things to consider when building a cybersecurity strategy, like which framework to follow and what to prioritise when it comes to implementation. At StickmanCyber we are here to help you with your cybersecurity journey.
With growing cybersecurity attacks, most businesses lack the skills and time to mitigate their risks; we provide a comprehensive fully managed service that protects and certifies your business, resulting in mitigating your risks, building trust, and winning and retaining clients.
The First Step is Crucial. Start with a Cybersecurity Assessment
Where are you at your cybersecurity maturity journey? Get an assessment of your current security posture and identify the gaps and challenges that you need to act upon.