Security Magazine

Misconfigured APIs make up two-thirds of cloud breaches

September 17, 2021

Shadow IT and misconfigured application programming interfaces (APIs) accounted for the vast majority of security incidents in the cloud last year, according to the 2021 IBM Security X-Force Cloud Threat Landscape Report. In particular, the report revealed that two-thirds of the incidents studied involved improperly configured APIs.


This year, IBM augmented the 2020 report with new and more robust data spanning Q2 2020 through Q2 2021. Data sets used include dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research. Together, these data sources help clarify how threat actors get into cloud environments, what types of malicious activity they pursue once inside, and how organizations can prepare for and react to security incidents involving their cloud environments more effectively.


Cloud Environments Need to Be Better Secured

Cloud accounts/resources on the dark web: There is a thriving dark web market for public cloud access, with advertisements for tens of thousands of cloud accounts and resources for sale. In 71% of cases, threat actors offered Remote Desktop Protocol (RDP) access to cloud resources, enabling attackers to have direct access and conduct malicious activity. In some cases, account credentials to access cloud environments were being sold for a few dollars.


Passwords & Policies: The vast majority of X-Force Red penetration tests of cloud environments found issues with either passwords or policies.


Hardening systems: Based on X-Force research, two-thirds of breaches to cloud environments would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems.


Vulnerabilities in cloud-deployed applications surge: Almost half of the more than 2,500 disclosed vulnerabilities in cloud-deployed applications recorded to date were disclosed in the last 18 months. While some of this growth can be attributed to better tracking (cloud vulnerabilities were added to MITRE’s CVE standards in January 2020), this steep growth emphasizes the importance of closely managing this growing risk as more vulnerabilities are exposed.


Threat Actors Target Cracks in the Armor

Public API policies represented a significant security gap. Two-thirds of the incidents analyzed involved improperly configured application programming interfaces (APIs), based on analysis of X-Force Incident Response data of impacted clients.


Michelle McLean, Vice President at Salt Security, a Palo Alto, Calif.-based provider of API security, says, “APIs are the heart of applications, powering business functionality and serving up data. In the current Q3 State of API Security report, Salt Labs found that API traffic had increased 141% in the past six months while malicious API traffic increased a whopping 348%. And 94% of respondents had experienced an API security incident in the past 12 months.


“Perhaps the clearest indicator that this market has reached a tipping point comes in recent Gartner research. In its August 25, 2021, report entitled “Advance your PaaS Security,” Gartner modified its long-standing security reference architecture to add a distinct pillar dedicated to API security. For years, Gartner noted three components to securing services:

  • WAF, WAAP, API gateway, and CDNs for edge security
  • CWPP for data-plane security
  • CSPM for control-plane security


“Over those years, Gartner nested API security under the WAF/WAAP pillar. In its verbiage, the firm would acknowledge that some organizations might need dedicated API security. But the “picture” didn’t show it separately. By adding API security as a standalone core element of this security reference architecture, Gartner has acknowledged that protecting APIs requires dedicated API security tooling.

“This explosive growth in the API security market brings both good news and bad news for buyers. On the upside, customers gain choices, and competition should improve product capabilities. On the downside, separating signal from noise gets harder as the noise gets louder and more voluminous, so organizations will need to dig in and better evaluate both the technical capabilities as well as the customer penetration and success each platform delivers.”


In addition, one of the top attack vectors X-Force observed targeting cloud was threat actors pivoting from on-premises environments into cloud environments. This lateral movement was seen in almost a quarter of incidents X-Force responded to in 2020.


IBM estimates that over half of breaches to cloud environments occurred due to “shadow IT,” emerging via unauthorized systems spun up against security policies that likely lacked vulnerability and risk assessments, as well as hardened security protocols.


Cryptominers and ransomware remain the malware most often dropped into cloud environments, accounting for over half of detected system compromises based on the data analyzed. Threat actors continue to pursue clouds in their malware development, with new variants of old malware focusing on Docker containers and new malware written in programming languages, like Golang, that run cross-platform.


APIs are silently but rapidly becoming one of the most critical pieces of the software supply chain, says Setu Kulkarni, Vice President, Strategy at NTT Application Security, a San Jose, Calif.-based application security provider. He adds, “Organizations are now one vulnerable API call away from a potential major breach. An underlying challenge that gets obscured is that APIs today are facades to legacy systems that were never designed to be online or used in an integrated B2B or B2C setting. By creating an API layer, these legacy transactional systems are enabled to participate in digital transformation initiatives. This pattern of API enablement of legacy systems creates security issues which otherwise would not have been issued in the controlled trusted zones the legacy systems were designed to operate in.”

KEYWORDS: cloud security cyber security password risk management


Copyright ©2025. All Rights Reserved BNP Media.
