Optus, an Australian telecoms provider, has become the latest high-profile victim of a data breach – with the alleged attacker demanding payment to buy back millions of customer records, having already made 10,000 public online. In the most recent developments, the attacker has now rescinded threats and deleted them from a data breach website. However, it does not change the fact that someone was able to access these customer records, including names, dates of birth, drivers license numbers, addresses, phone numbers, Medicare numbers and passport numbers, in the first place, leaving many Optus customers feeling vulnerable.
But how did this happen?
It appears that an unauthenticated application programming interface (API) was to blame.
Curtis Simpson, CISO at Armis explained: “APIs are the entry point into the modern application and the data it processes. Exposures associated with APIs range from configuration-based to logic-based vulnerabilities that can be exploited to compromise platforms, networks, users, and data. Traditional edge security and application security testing capabilities are not identifying nor facilitating the remediation or protection against the exploitation of such exposures at scale across our cloud environments that continue to transform alongside our business operations. Real-time logic-based protections, API exposure analysis, prioritisation, and remediation through development stacks are examples of capabilities that must be embraced in order to safeguard modern web services.”
He continued: “Digital business is done over APIs. Our security programmes and technologies must continue to evolve around where our businesses live and operate.”
Adam Fisher, solutions architect at Salt Security elaborated further in his blog on the incident:
“Human error nearly always plays a role in breaches, but it’s not just a case of individuals being more careful. APIs touch all areas within an organisation, not just development. Typically, multiple teams share ownership across APIs. Often miscommunication (or incomplete communication) can lead to problems. For example, infrastructure teams may assume that the development team has already managed authentication requirements. They may believe that the API has already gone through a security review when, in fact, it hasn’t.
“Unfortunately, miscommunication is fairly commonplace. Moreover, in the case of Optus, it appears that the network team unintentionally made a test network available on the Internet, which could then be easily exploited.”
Professor John Goodacre, director of the UKRI’s Digital Security by Design challenge and professor of computer architectures at the University of Manchester, added:
“Cyber attackers work in a promiscuous world in which a single mistake in configuration or vulnerability in a digital system can be used to potentially steel data or perturb its operation. Connection with the Internet means this can originate from anywhere, with no one anywhere safe. Accepting that to err is human means everyone, everywhere can suffer attacks. Barriers need to be placed in systems by design that work to block the exploitation of vulnerabilities. The ISP and telco that deliver the Internet can see trends in traffic from where attacks originate, but if a single hacker’s request finds an open door in a remote system, there is little technology can do to differentiate this in isolation.”
While Salt Security’s Fisher posited that there is value in organisations considering API security as its own discipline, particularly with the rise of digitisation and APIs underpinning this movement. He advised ISPs and telcos to:
- Know the risks – starting with the threats identified in the OWASP API Security Top 10
- Ensure a cross-functional approach – API security must be communicated and supported cross-functionally across the organization
- Continuously monitor APIs – in addition to having a complete API inventory, telcos and ISPs must continuously monitor the APIs in their environment for deviations in behavior.
“To identify potential API threats, organisations must understand how APIs normally operate within their environments. Having this insight will enable telcos to quickly identify and speed threat response before a bad actor accesses their critical user data…or worse,” Fisher concluded.