IBM report finds two-thirds of cloud breaches traced to misconfigured APIs

A new report from IBM Security X-Force has found that two-thirds of cloud breaches can be traced to misconfigured application programming interfaces.

The report, released today, is based on data for the 12 months to the end of June. The data sets are based on dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research.

The main finding in the report is that cloud environments need to be better secured.

On the dark web side, the report found a thriving market exists for public cloud access, with advertisements for tens of thousands of cloud accounts and resources for sale. In 71% of cases, Remote Desktop Protocol access to cloud resources was offered for sale. In some cases, account credentials to access cloud environments were being sold for only a few dollars.

The vast majority of X-Force Red penetration tests of cloud environments found issues with either passwords or policies. Subsequently, two-thirds of breaches to cloud environments would likely have been prevented by more robust hardening of systems.

Vulnerabilities in cloud-deployed applications were also found to have surged. Almost half of the more than 2,500 known vulnerabilities in cloud-deployed applications were disclosed in the last 18 months. While some growth can be attributed to better tracking, the steep increase is said to emphasize the importance of closely managing risks.

APIs were the most common gateway for compromise. With two-thirds of incidents analyzed involving improperly configured APIs, threat actors were found to be pivoting from on-premises environments to cloud environments.

Over half of the breaches to cloud environments occurred due to what IBM calls “shadow IT.” These shadow IT attacks emerge via unauthorized systems, spun up against security policies, that lack vulnerability and risk assessments as well as hardened security protocols.

“APIs are fast becoming the technical basis for both B2B and B2C business models,” Setu Kulkarni, vice president of strategy at application security company NTT Security AppSec Solutions Inc., told SiliconANGLE. “As such, when APIs are developed and deployed, there is really no way to estimate all the possible places the APIs are going to get used. APIs are silently but rapidly becoming one of the most critical pieces of the software supply chain. Organizations are now one vulnerable API call away from a potential major breach.”

Kulkarni explained that an underlying challenge that is often obscured is that APIs today are facades to legacy systems that were never designed to be online or used in an integrated business-to-business or business-to-consumer setting.

“By creating an API layer, these legacy transactional systems are enabled to participate in digital transformation initiatives,” Kulkarni noted. “This pattern of API enablement of legacy systems creates security issues which otherwise would not have been issues in the controlled trusted zones the legacy systems were designed to operate in.”

The IBM report also noted that threat actors continue investing in cloud targeting, with cryptominers and ransomware remaining the top malware dropped into cloud environments.

“Threat actors are continuing to pursue clouds in their malware development, with new variants of old malware focusing on Docker containers, as well as new malware being written in programming languages, like Golang, that run cross-platform,” the report notes.
