9.8.22 – Forbes – Faizel Lakhani – Forbes Councils Member
Faizel Lakhani is CEO of APIsec, an API security testing company.
With continuous, proactive, intelligent security in place, false alarms wouldn’t have desensitized the Royal Guard and Police, preventing them.
On July 9, 1982, just before 7:00 a.m., Michael Fagan broke into Buckingham Palace. He wandered for 15 minutes before grabbing a shard of broken glass, stumbling into a bedroom and finding himself face-to-face with the Queen of England, alone in her nightgown.
How did an ordinary person get past the Royal Guard, cameras, motion sensors and security protocols to breach one of the most secure rooms in one of the most secure buildings in the world?
Even more concerning, the security system worked as designed. The intruder’s journey triggered multiple alarms that should have stopped him in his tracks, but they didn’t. The constant noise from the monitoring systems led to security ignoring it as yet another false alarm.
Which begs the question: How “secure” are our security systems?
Analogous scenarios play out daily in our digital world, with regular breaches of the world’s largest companies.
Why do our security measures keep failing?
To answer that, we need to understand what it means to genuinely secure systems and how we address every security program’s most significant flaws—those that aren’t truly flaws.
Vulnerable By Design
At 7:00 a.m., when Mr. Fagan entered the Queen’s chambers, nobody was there to stop him. This wasn’t a mistake or coincidence; it was by design.
If he’d entered that apartment any day before July 9, 1982, he would have found the same unimpeded path. Why? Two critical points of failure:
1. Systems were disconnected. Security and operations were wholly separate at Buckingham Palace. Security in the royal chambers only worked nights. The palace staff (operations) consisted of the Queen’s footman, out for morning exercise of the Royal dogs, and maids who were all occupied elsewhere.
Similar disconnects happen daily in companies large and small, with cross-channel communication failing to create complete security coverage.
2. The disconnect between/within departments leaves logic flaws everywhere. Not only does your database (and the Queen’s) safety rely upon cooperation between security, operations and systems, it depends on the assumption that no “feature” in your environment will ever be misused.
Buckingham Palace features many large drainpipes engineered to be sturdy for proper drainage and assembled in small sections for easy installation and repair. Mr. Fagan easily exploited those exact design features to support his weight and give him convenient footholds.
Independently, the security, operations and environment functioned (mostly) as designed. As a collective, they failed miserably, leaving the Queen exposed.
This same pattern persists today and creates vulnerabilities in the applications that power our world. Security, development and operations are disconnected, creating the perfect environment for attackers to exploit business logic flaws (an oversight in how things should work that leaves your applications vulnerable, even when they are technically operating as they should).
Here’s an example: Imagine there’s an app designed to allow you to send money to friends and family. The business logic for the application seems simple: Allow person A to send amount X to person B.
Easy. But what if person A sends negative $1000 to person B?
The application should simply reject the input. You obviously can’t send negative amounts. Suppose the developers didn’t plan for a scenario where someone would attempt to send a negative amount (business logic flaw). In that case, the application could pull $1000 out of person B’s account and add it to person A’s.
The application functioned as designed; it executed person A’s command perfectly! No errors, no glitches. Well done, payment app!
While this example seems highly unlikely (it’s not), these logic flaws face daily exploits across every industry. When bad actors interact with APIs in ways developers didn’t intend, it results in unauthorized access to another user’s account, excessive data exposure or worse.
If you want your security system to be effective, you need a few things to happen.
• You should run sophisticated, comprehensive (expensive) manual pen tests against every new release you push into production.
• Your monitoring system needs to pinpoint accuracy so as not to create excessive noise, and your officers overseeing it need to chase down every alert, real or not.
• You should account for every possible exploitable application use case so your systems can detect an attacker exploiting a logic flaw versus just watching for traditional attacks.
Does this level of security sound unrealistic? As evidenced by the events of July 9, 1982, and current daily news of new cyberattacks, it is—if we continue to apply legacy security strategies and solutions.
Manual pen testing, bug bounty programs and API monitoring continuously fail to prevent significant API exploits and damaging breaches.
And when they do sound a valid alarm? Likely, your data is already compromised, and the Queen is in mortal danger.
Security That Actually Protects You
We’ve been searching for ways to protect our valuable assets since the beginning of time, employing everything from alligator-infested moats to seemingly impenetrable digital firewalls. Because these systems require manual human interaction, they inevitably fail and security is compromised.
But we can be better.
Modern technology can remove human frailties with machine learning and automation. Best practices help us reduce organizational friction. Continuous education keeps us ahead of bad actors. And a comprehensive, three-pillar API security strategy connects the dots.
1. Visibility to know which APIs offer access points to your most critical data.
2. Automated testing to look beyond surface security vulnerabilities and detect the logic flaws that lead to massive breaches.
3. Intelligent monitoring to provide credible alerts without excess noise.
With continuous, proactive, intelligent security in place, false alarms wouldn’t have desensitized the Royal Guard and Police, preventing them from realizing an intruder was in the Royal Stamp Collection room. Palace security would have known how easily a bad actor could shimmy up a drainpipe to the royal chambers. And no one would have overlooked the gap between the efficient day-to-day operations of the Palace and ensuring the Queen’s safety.
No more false alarms to be ignored, no more unanticipated moves, no more leaving the Queen unguarded. God save the Queen…and your data!