When most people think about ‘hackers’ they picture a dark room with a person entrapped in a cocoon of screens, deriving near-impossible algorithms to break through the most sophisticated security systems. But in reality, most hackers are looking for the easiest way to get to anything of value. It’s not about target and destroy; it’s about looking for a door left open, so you can stroll on through.
The recent Optus hack was one of the greatest examples of this. It was reportedly an unprotected Application Programming Interface (API), or endpoint; endpoints are used to transfer data from one program to another. This endpoint was public and used to transfer customer data. So, it wasn’t a matter of break and enter: all that was required was for someone to connect to the endpoint and kindly request the data. In actuality, the back door had just been left wide open.
How could this happen!? I hear you shout. Well, the truth is, it happens every day. It happens because cyber security is not a checkbox implementation. It’s a process that needs to be intertwined in the DNA of your IT operations.
Frequently, doors get left open due to a lack of vigilance in development operations, a lack of implementation of cyber security procedures, or the business providing inadequate budget for these procedures to be implemented or followed. In short, it’s really a management failure, rather than poor capability.
This gives rise to a variety of situations where things can go wrong. Having run penetration testing for numerous organisations, we’ve found APIs creating an open door into organisations for a host of reasons; some of the main ones are listed below.
- The API was created as part of a low priority project, attention wasn’t paid because it’s “only a small API”, the project gets half completed then shutdown and the API is forgotten.
- Someone built the API without permission, and/or then forgot about it and left the company.
- Time-poor developers being judged more on their speed to deliver systems than on the systems’ resilience, resulting in security measures partly implemented or just never built.
- Ongoing security maintenance processes not implemented. This can include anything from self-scanning at the first level, all the way to daily scripts that shut down unused endpoints.
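The last point, a routine check over an endpoint inventory, is shown below as an added example (not the author’s tooling or anything from the Optus incident). It assumes the inventory is an export from an API gateway or service registry with the fields shown; the service names, thresholds and dates are constructed.

```python
"""Daily review of an API endpoint inventory: flag endpoints that are
unauthenticated, unused, or have no owner, so they can be locked down or
decommissioned before someone else finds them."""
from datetime import date, timedelta

# Constructed sample inventory (hypothetical paths and owners). In practice
# this would be exported from the API gateway or service registry.
INVENTORY = [
    {"path": "/v1/customers", "auth": "none",   "last_called": "2022-09-20", "owner": "billing"},
    {"path": "/v1/invoices",  "auth": "oauth2", "last_called": "2022-09-21", "owner": "billing"},
    {"path": "/pilot/export", "auth": "none",   "last_called": "2022-03-01", "owner": None},
    {"path": "/v2/orders",    "auth": "apikey", "last_called": "2022-05-01", "owner": "retail"},
]

# Assumed policy: an endpoint not called for 90 days is treated as unused.
UNUSED_AFTER_DAYS = 90


def review_inventory(inventory, today, unused_after_days=UNUSED_AFTER_DAYS):
    """Return {path: [findings]} for every endpoint that needs action.

    Findings are strings; an endpoint with no findings is omitted.
    """
    cutoff = today - timedelta(days=unused_after_days)
    findings = {}
    for ep in inventory:
        issues = []
        if ep["auth"] == "none":
            issues.append("unauthenticated")          # the open back door
        if date.fromisoformat(ep["last_called"]) < cutoff:
            issues.append("unused")                   # candidate for shutdown
        if not ep.get("owner"):
            issues.append("no-owner")                 # nobody will maintain it
        if issues:
            findings[ep["path"]] = issues
    return findings


def shutdown_candidates(findings):
    """Endpoints that are both unused and unauthenticated or unowned:
    the ones a daily script should disable rather than merely report."""
    return sorted(p for p, f in findings.items()
                  if "unused" in f and ("unauthenticated" in f or "no-owner" in f))


if __name__ == "__main__":
    report = review_inventory(INVENTORY, date(2022, 9, 22))
    for path, issues in report.items():
        print(f"{path}: {', '.join(issues)}")
    print("disable:", shutdown_candidates(report))
```

Endpoints flagged only as unauthenticated but still in active use need an auth layer added, not a shutdown; the report separates the two so the right team gets the right action.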
Great cyber security is not a black box you plug into systems that will ensure your safety. It’s a set of well thought out and resourced management processes that are continually updated and monitored to protect the organisation against random cyber-attacks.
It’s difficult to level blame on hackers when, effectively, organisations are giving away their data for free by unknowingly providing open endpoints to their systems.
So, what should you do if you suspect you have a security problem? You might be a business that has had a development program running hot and are concerned about the robustness of your security.
Well, listed companies are required to be independently audited annually to ensure they’re following correct accounting practices. Why not consider hiring an independent IT consulting practice to penetration test your systems on an annual basis? I’m sure it will be cheaper than the alternative; just ask Optus.