
CSJ 4.1: Think Like a Hacker: Reducing Cyber Security Risk by Improving API Design and Protection

This document discusses how APIs are increasingly dominating internet traffic but often lack proper security protections, expanding risks for organizations. The document notes that while APIs enable powerful integrations, experiences, and business models, they can be misused in ways that significantly expose organizations if not properly designed and managed. It promotes a proactive approach for organizations to identify, design, manage and protect their APIs to minimize attack surfaces and prevent damaging data breaches.


Think like a hacker: Reducing cyber security risk by improving API design and protection
Received (in revised form): 5th March, 2020

Gerhard Giese
Senior Manager, Akamai Technologies, Germany

Gerhard Giese is Industry Strategist at Akamai Technologies. Gerhard started at Akamai in 2010 and
is now manager in the Financial Sector, responsible for customer advisory, information sharing and
consulting. With more than 20 years’ experience in the security field, Gerhard has accumulated in-depth
expertise in network security as well as distributed denial of service (DDoS) mitigation and data theft
prevention. He continues to interact directly with clients as a trusted security adviser, to identify the
most pressing challenges for online businesses. In addition, Gerhard regularly delivers talks at industry
conferences and works as an independent consultant for federal state authorities such as the German
Ministry of IT Defence. Prior to Akamai, Gerhard was a senior network engineer at McAfee. Gerd holds
CISSP and CCSP certifications and is a certified ethical hacker.

Akamai Technologies GmbH, Parkring 20–22, 85748 Garching bei München, Germany
Tel: +49 89 94006-0; E-mail: [email protected]

Abstract  Application programming interface (API) traffic now dominates the Internet.
Unlike traditional web forms, APIs are faster and more powerful, but often do not get the
correct protection — expanding the security risk for organisations. APIs connect people,
places and things to create seamless integrations, richer experiences and new revenue
models. This paper deals with when an API is misused, and stipulates how the exposure
to an organisation can be significant. The paper discusses why it is no longer safe to
assume APIs will be used as intended or remain hidden to prevent unauthorised access
or abuse. To stay ahead of the next cyber security exploit, API developers need to start
thinking like a hacker. The paper promotes a proactive approach to identifying, designing,
managing and protecting APIs which will minimise the attack surface and prevent
damaging data breaches.

KEYWORDS:  API, attack surface, apps, Internet of Things (IoT), pen testing, hacking,
web security

BUT FIRST, COFFEE
From car batteries inexplicably drained to personal information accessed via a simple phone number lookup, overly broad API access can wreak havoc when exploited. Even seemingly harmless irregular API interactions can pose a threat to business. Such was the case when a coffee chain rolled out an online ordering app for their customers to skip the line.

The coffee order API calls followed typical, well-established security procedures and protocols. In one country, however, the number of orders that were paid for, but not collected, increased. Upon a closer look at the unclaimed orders, the company found that almost every shop in the country received these calls, always more than twice. After ruling out all other technical reasons, the company concluded that automated

48 Cyber Security: A Peer-Reviewed Journal Vol. 4, 1 48–57 © Henry Stewart Publications 2398-5100 (2020)

requests for fake orders were being sent to the API to solicit the confirmation response that included a sequential order number — a simple piece of information revealing the sales at each store to the competition or a potential thief.

Figure 1: Fake order calls yielded order number to expose store sales
Source: Akamai (2019)

API GROWTH AND IMPORTANCE
API use has exploded. Today, there are more than 22,000 APIs searchable on ProgrammableWeb.[1] The glue that holds the connected world together, APIs have grown rapidly in number and capabilities. Unlike traditional web forms, they are faster, more powerful and harder to protect, expanding the security risk for organisations.

Gartner predicts that API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications by 2022.[2] Usually well documented, APIs provide instructions for connecting people, places and things to create seamless integrations, richer experiences and new revenue models. When an API is misused, the exposure can be significant.

Responding to the Cambridge Analytica scandal which affected as many as 50m profiles, Facebook made several API changes to better protect user information.[3] Even as breach after breach is disclosed, companies are still not doing enough to limit API abuse. A computer science student scraped 7m Venmo transactions to show that public activity can still be easily obtained, a year after a privacy researcher downloaded hundreds of millions of transactions.[4]

OVERLOOKED BY SECURITY
Organisations go to great lengths to secure their applications and web pages but leave the backdoor wide open to valuable data with unfettered API access. A false sense of security exists that assumes APIs will be used as intended by only their mobile apps. Just because an API is not directly exposed, however, does not mean it is not vulnerable to a breach. Security by obscurity is not a threat prevention strategy — a hidden domain name or internet protocol (IP) address is not enough protection.

Figure 2: API traffic by user agent[6]
Source: Akamai (2019)

An API call is not the same as a web page call. Application security controls will not protect APIs, as cyber attackers will bypass them to focus on penetrating unprotected entry points. API abuse is difficult to prevent, especially when no one is looking. Areas with complicated business logic, such as business-to-business connections between databases or business-to-consumer checkout procedures, are the most vulnerable due to their complexity.

When API vulnerabilities are discovered, they can be difficult to resolve. While one-third of calls come from web browsers allowing easier control and fixes, the remaining two-thirds come from non-browsers, such as mobile phones, gaming consoles, smart televisions and others.[5] The software inside many connected devices is not easy to update and maintain. Devices get shipped without protocols for software updates and if vulnerabilities are found, the likelihood that they will get patched is slim to none. How often are users updating firmware on a connected baby monitor or coffee maker?

EVERYBODY LOVES APIS
API proliferation is happening across all verticals, especially media and technology.[7] Now dominating the Internet, API traffic traversing over the Akamai content delivery network, for example, accounts for 83 per cent of all hits, while hypertext markup language (HTML) traffic fell to 17 per cent — with JavaScript Object Notation (JSON) content more than doubling in four years, jumping from 26 per cent to 69 per cent.[8] Leveraged by companies, users and attackers alike, APIs offer a multitude of benefits and challenges to organisations.

In business, APIs accelerate innovation by adapting to user demand more quickly and increasing the stability of application services. Making daily life more convenient, APIs help improve customer satisfaction and, in turn, business results. With development, operations and security teams in separate groups, extra work is required to enforce security controls across organisational boundaries.

Figure 3: Online traffic by content type on the Akamai content delivery network[9]
Source: Akamai (2019)

Although most end-users do not realise it, the core functionalities of web and mobile services have shifted from pure HTML to JSON, separating functionality and backend calls to create lean communication that accelerates the responsiveness and agility of applications. This is especially important for mobile devices to provide the highest speed for immediate actions such as viewing schedules or booking tickets, while facing network challenges such as lossy connections, poor network quality and high latencies.

Mobile apps thrive on APIs, allowing more integrations and unlimited information exchanges to unlock new user experiences — navigation to calendar appointments or order payment with an e-wallet as examples — and drive mobile adoption. New security challenges arise with native mobile apps as opposed to mobile clients, when someone is using a normal browser on a mobile phone. Typically, organisations defend against attacks on high-value login pages with bot detection such as multi-stage logic transparent to humans, but not machines. These deterrents prevent crawlers from stealing data, but will only slow, not stop more sophisticated threats. Since most mobile APIs do not render JavaScript, many common bot defences are unsuitable.

Attackers benefit from API proliferation as well, with neglected APIs providing an easy entry point into the application world. Even when organisations apply security controls to APIs, they often cannot keep up with the rate that development teams are rolling them out or shadow IT that creeps in when a department starts using a new third-party service. Designed to minimise human interaction, APIs allow attacks to quickly scale for data theft and modification of content. This automation also drives down attack costs, making them more frequent.

THREATS ARE FAMILIAR, BUT MORE VIRULENT
There is good news and bad news about the attacks on APIs. The good news is that malicious behaviour looks the same as on the web. Tactics include distributed denial of service (DDoS) attacks that interrupt availability or overwhelm resources and insider threats that insert intruders into the data flow or inject malware, spyware or ransomware into systems. With rampant data theft, the exploitation of weak or stolen credentials is commonplace. Finally, there is the unexpected use (or misuse) of APIs, such as the coffee chain application example.

Experience fighting the same attacks on the web helps organisations identify and mitigate attacks on APIs. The bad news is that APIs are easier to attack than traditional web forms, with those attacks spreading more quickly as APIs facilitate machine-to-machine communication. Since so many APIs are left totally exposed, they are increasingly becoming a popular target for attackers. Over a period of two months, Akamai collected data on more than 8bn credential stuffing attempts.[10] With four times more credential stuffing attempts occurring on APIs,[11] developers need to start thinking like a hacker to prevent online threats.

PUBLISHING WITH CAUTION
To minimise the attack surface, organisations must exercise extreme caution when sharing or using shared APIs. Developers like to reuse and disseminate both public and private code with software development collaboration tools such as GitHub. This is a common practice to speed up development and leverage knowledge across the developer community. Sensitive information is, however, sometimes uploaded to GitHub by accident — and hackers know it, easily capitalising on careless mistakes with tools such as Gitrob, or shhgit, a live feed of secrets published to Gitrob.

When sharing APIs, it is critical to ensure data cleanliness, only publishing the necessary details. Who in an organisation is responsible for checking correct input values and output sanitation? If an API is shared on GitHub or other collaboration tools, a sanitation review should be conducted to ensure no corporate data such as API keys or domain names remain exposed. Microservices-based architecture communications are generally good, but if code is copied from a shared environment, a security briefing should be required to ensure the proper controls are in place before integration.

IDENTIFYING API EXPOSURE
DevOps teams utilise APIs to automate the operation of their networks across multiple clouds — this is the only way to scale to execute thousands of operations every day. Many of those APIs need to use public IP addresses to be accessible by everyone, introducing security risk. For visibility on the exposure created by these APIs, it is important to understand how they can be discovered and exploited.

There is no sure way to successfully conceal an API connected to the Internet. Only a few tools are required to identify API exposure and potential attack vectors. Several of these tools are freely available for download or part of Linux repositories. Used with good intentions, these tools can help organisations fortify security by checking for vulnerabilities. In the wrong hands, they can also make quick work of harmful online attacks. To identify potential exposures and be vigilant about malicious activity, developers should be familiar with popular discovery tools such as Network Mapper, Fierce, Shodan, Sentry MBA and SNIPR.

Network Mapper
Network Mapper (Nmap) is an open source utility for network discovery and security auditing.[12] It is flexible in supporting dozens of techniques for mapping out networks from port scanning and ping sweeps to operating system (OS) and version detection. This tool is supported by most operating systems and comes in many varieties, even a version with a graphical user interface (GUI) for the keyboard challenged. The use is simple: with one line of bash code, the tool can quickly scan an entire network to determine if any vulnerabilities exist.

Part of a standard administrator toolbox, Nmap was used inconspicuously until recently. While Nmap is helpful in preventing attacks, it has also been frequently misused — allowing attackers to discover insecure entry points. The abuse has put this valuable tool at the centre of a general debate of the legality of port scanning tools.[13] Given the controversy surrounding port scans, it is prudent to first understand the potential legal ramifications and obtain prior authorisation before using Nmap to avoid any unintended consequences.

Fierce
While Nmap is a helpful solution for identifying APIs, it lacks speed and provides little intelligence. For further reconnaissance, Fierce is a more aggressive intelligence collection tool. Where Nmap stays passive, Fierce actively tries to exploit domain name system (DNS) servers (although no actual exploitation is performed with the tool itself) by using a common misconfiguration: unrestricted zone transfer information. Zone transfer information contains the complete zone configuration including all registered devices as well as their names and IP addresses. This intelligence is of great value for attackers plotting anything from a simple DDoS to a direct web attack. If the DNS is set up correctly, the tool will begin scanning for typical hostnames such as auth., api. or developer., which results in a list of names and IP addresses. In a second step, the tool executes a reverse lookup by using IPs in the +/- range of the found addresses, which results in a list of new hostnames — attractive targets to attack.

Fierce users are rarely administrative or well-meaning, as this tool is mostly used by aggressors. By understanding the intelligence Fierce will yield about the network, organisations can put the appropriate security measures in place.

Shodan
While most search engines only index the web, Shodan finds, indexes and makes searchable all connected things — from web cams to traffic lights. Paid members even create alerts when new devices are added to their monitored subnets. Organisations can block Shodan from crawling their networks, but attackers will find other ways to exploit vulnerable devices.[14]

Shodan is another helpful tool for finding insecure pathways, especially in an era of shadow IT where companies are not always aware of what has been developed or connected to their networks. It boosts awareness around security risks as more and more things come online — exposing what hackers already know to the rest of the world — displaying the scale of the attack surface to encourage safer practices.

Sentry MBA and SNIPR
Widely available and easy-to-use account checking tools like Sentry MBA and SNIPR enable online threats to launch credential abuse attacks without much technical expertise. Based on a program originally developed with a disclaimer for users to only run it against their own sites, Sentry MBA is a popular tool in the underground cracking community. Sentry MBA uses hard-coded and outdated HTTP User-Agents, which makes it easier to detect by defenders.[15] But it can still cause significant damage, especially for APIs, where it can take control and automate attacks.

SNIPR is the most advanced toolkit for checking credentials against popular websites. It offers support, tutorial videos and an active community that contributes new public configurations, credential leaks, proxy lists, bug reports and enhancement requests. To minimise exposure, it is imperative that organisations check SNIPR configuration repositories for their websites to fend off any further abuse.[16]

Figure 4: SNIPR configuration list page[17]
Source: Akamai (2018)

DESIGNING SAFER APIS
To design APIs that are less likely to become a conduit for attacks, developers should start considering the usage model, user and operational role of each API. Running mobile apps on web APIs is not a good idea as they are two completely different use cases. The same goes for powering multiple user experiences with one API — user and management interfaces for internal and external users, for example. Sometimes regulations, such as the revised Payment Services Directive (PSD2) and Open Banking, stipulate that use cases be kept separate.

To understand the API usage model, developers need to identify and prioritise users and use cases to more easily spot suspicious activity. For example, a partner placing an order should not have the same access as a university student. Some questions to answer include:

• What are the use cases for the API?;
• Who are the intended users?;
• Who are the actual and current users?;
• Which users are more important?

Once the audience and uses are defined, developers need to create additional data points within the API to help differentiate users. With better user identification, it is easier to track anomalous behaviour that could lead to exploitation. To collect additional data about API use, organisations should require users to register, issue API keys and deploy traffic segregation.

MANAGING API TRAFFIC
Sometimes legitimate API users can cause unpredictable load, knowingly or unknowingly. In an example of API overuse, a company in Asia started receiving an abnormal amount of traffic to one of its web addresses, reaching 875,000 requests per second at one point. An initial assessment showed all the hallmarks of a major DDoS attack; however, the incident was not an attack at all. The spike was actually the result of a warranty tool gone haywire. When security started filtering traffic, the tool kept visiting the destination. As subsequent visits did not alter anything in the headers (such as the User-Agent) to bypass mitigations, the intent was not malicious. The company and tool vendor verified this conclusion and a fix was pushed within hours to the affected systems.[18]
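
The quota and token checks that this section assigns to an API gateway can be sketched as follows. This is an added example, not code from the paper or from any gateway product; the HS256 tokens, shared secret, sub claim, consumer names and the quota of three requests per hour are assumptions chosen so that the constructed traffic runs offline.

```python
import base64
import hashlib
import hmac
import json

# Assumptions of this sketch (none come from the paper): HS256-signed JWTs,
# one shared secret, a "sub" claim naming the consumer, a fixed hourly window.
SECRET = b"constructed-demo-secret"
QUOTA_PER_HOUR = 3  # deliberately tiny so the constructed traffic trips it


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header_b64, payload_b64, secret):
    message = f"{header_b64}.{payload_b64}".encode()
    return hmac.new(secret, message, hashlib.sha256).digest()


def issue_token(sub, exp, alg="HS256", secret=SECRET):
    """Build a constructed token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = sign(header, payload, secret) if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token, now, secret=SECRET):
    """Return the consumer id, or None when the token must be rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm; a token must never pick its own ("alg": "none").
        if header["alg"] != "HS256":
            return None
        expected = sign(header_b64, payload_b64, secret)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims["sub"], str) or now >= claims["exp"]:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token: same outcome as a bad signature


class HourlyQuota:
    """Fixed-window counter: at most `limit` requests per consumer per hour."""

    def __init__(self, limit):
        self.limit = limit
        self.counters = {}  # consumer -> (hour index, requests counted)

    def allow(self, consumer, now):
        hour = int(now // 3600)
        seen_hour, count = self.counters.get(consumer, (hour, 0))
        if seen_hour != hour:
            count = 0  # a new hourly window has started
        if count >= self.limit:
            return False
        self.counters[consumer] = (hour, count + 1)
        return True


def gateway(token, quota, now):
    """Authenticate first, then meter, so rejects cost no backend work."""
    consumer = verify_token(token, now)
    if consumer is None:
        return 401
    if not quota.allow(consumer, now):
        return 429
    return 200


def replay_runaway_client():
    """Constructed traffic: one client repeats a call, another stays quiet."""
    now = 1_700_000_000
    quota = HourlyQuota(QUOTA_PER_HOUR)
    noisy = issue_token("warranty-tool", now + 7200)
    quiet = issue_token("partner-42", now + 7200)
    statuses = [gateway(noisy, quota, now + i) for i in range(5)]
    statuses.append(gateway(quiet, quota, now + 5))
    statuses.append(gateway(noisy, quota, now + 3600))  # next hourly window
    return statuses


if __name__ == "__main__":
    print(replay_runaway_client())
```

A fixed window lets a consumer send up to twice the limit across a window boundary; a sliding window or token bucket closes that gap at the cost of more state per consumer.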


In cases like this, it is important to enforce a quota to keep user requests under control. It is also critical to authenticate and authorise specific access for specific users, as developers cannot presume that users will interact with the API as expected. Deploying an API gateway establishes governance of API access by regulating the number of requests allowed per hour, per consumer. An API gateway can also inspect and validate JSON Web Tokens (JWT) and API keys, rejecting unauthorised traffic early, before it can overwhelm critical infrastructure and impact API functionality.

PROTECTING APIS
To protect APIs, developers must insert security controls in the right places. A layered approach to API security provides the most robust defence. Application security alone will not safeguard an API. Organisations must ensure that mobile and web applications cannot be exploited as well as extend the same level of security consideration to the APIs that connect to them. Attackers will try to access applications through APIs directly, and if successful, will render useless all attempts to secure app data.

Basic encryption between an application and API as well as session-based rate limits will increase security. While an API gateway ensures legitimate users do not misbehave, the addition of a web application firewall (WAF) insulates APIs even further from malicious activity by offering strong protection for known and unknown threats.

Like a port firewall, a WAF is meant to secure internal systems against external threats. Instead of just blocking unwanted access on the port level (for example, not allowing web traffic on Port 80), however, a WAF will inspect the web traffic and block potentially malicious requests like SQL injection attempts, cross-site scripting and directory traversal. Mitigating web application attacks before they cause harm is always the best strategy.

The most effective protection against threats is to adopt a positive security model. Detailed API documentation encourages use, which can facilitate exploitation, but also fight threats by allowing security experts to define a positive security model that only accepts approved use. A positive security model allows developers to define users and behaviours — only processing well-formatted, in-specification requests and immediately dropping any deviation — ensuring the API is not misused. A modern WAF solution provides an API to create an ongoing strategy that updates as cybersecurity threats evolve, so the WAF understands ‘normal’ API usage and denies malicious traffic even without expressly recognising it.

Organisations can proactively guard against online threats by using a content delivery network (CDN) as forward defence to absorb powerful DDoS attacks without performance degradation. In addition, security at the edge of the network keeps threats away from sensitive data and infrastructure. For APIs associated with valuable content, such as account login or transaction pages, specialised bot detection identifies credential stuffing before it leads to fraud.

CREATING A PLAN
Organisations must recognise the significant risk APIs pose if not properly secured. If an organisation does not have the time, talent or resources to develop its own security solutions — often tedious and difficult to maintain — a variety of proven technologies and services are available in the market to protect APIs. A practical plan to start making the shift to a more secure API posture follows.

Next week
• Assess the API ecosystem: Find the APIs in the organisation, who owns them and whether there are any rogue systems in the domain (Nmap facilitates this process);
• Identify potential security risks: Understand if an API can be accessed with a simple telnet (no encryption), the information retrieved and if the systems used to serve up that information are patched.

Within three months
• Understand who accesses APIs: Determine the use case (internal, business-to-business, business-to-consumer) of the API and whether it is serving multiple purposes and audiences;
• Define appropriate security measures: Examine encryption and authentication options as well as whether there is an organic infrastructure behind an API that needs to be cleaned up, especially for customer-facing APIs.

Within six months
• Select a security solution that allows proactive API protection tailored to the organisation’s needs;
• Set up a proof of concept to confirm functionality and usability;
• Drive a project to protect all APIs, both public and private;
• Establish an annual external penetration test to ensure API security posture is continuously maintained at the highest level.

CONCLUSION
API proliferation benefits enterprises and consumers with faster, value-added services for better user experiences and additional revenue streams. The increasing threat of API exploitation also introduces new security challenges. API developers need to start thinking like a hacker when designing, managing and protecting these valuable and vulnerable integrations. To reduce the attack surface, organisations must first identify the threat vectors with the same visibility as an attacker, starting with an external view from a public network mapping tool. Once the threat landscape is known, the use cases and users for every API must be defined and appropriate security measures put in place. Finally, recognising the dynamic nature of API development and threats, a layered security approach reduces cyber security risk. Like a fresh pot of coffee brewing, keeping good traffic flowing and filtering out bad actors, a secure API will not let another perfectly good cup go to waste.

References
1. ProgrammableWeb, available at https://www.programmableweb.com/apis/directory (accessed 21st February, 2020).
2. Bussa, T., Young, G., Girard, J., Zumerle, D., O’Neill, M., Orans, L., Hils, A., D’Hoinne, J. and Perkins, E. (November 2017), ‘Predicts 2018: Infrastructure Protection’, Gartner, available at https://www.gartner.com/en/documents/3830086 (accessed 21st February, 2020).
3. Hartmans, A. (March 2018), ‘It’s impossible to know exactly what data Cambridge Analytica scraped from Facebook — but here’s the kind of information apps could access in 2014’, Business Insider, available at https://www.businessinsider.com/what-data-did-cambridge-analytica-have-access-to-from-facebook-2018-3?utm_content=buffer069cc&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer-bi (accessed 22nd August, 2019).
4. Whittaker, Z. (June 2019), ‘Millions of Venmo transactions scraped in warning over privacy settings’, TechCrunch, available at https://techcrunch.com/2019/06/16/millions-venmo-transactions-scraped/ (accessed 22nd August, 2019).
5. McKeay, M., Fakhreddine, A. and Ragan S. (February 2019), ‘[State of the Internet] / Security: Retail Attacks and API Traffic’, Vol. 5, No. 2, p. 16, Akamai, available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-retail-attacks-and-api-traffic-report-2019.pdf (accessed 21st February, 2020).
6. Ibid., note 5.
7. Ibid., note 6, p. 15.
8. Ibid., note 5, p. 13.
9. Ibid., note 5, p. 13.
10. McKeay, M. and Fakhreddine, A. (September 2018), ‘[State of the Internet] / Security: Credential Stuffing Attacks’, Vol. 4, No. 4. p. 13, available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-2018-credential-stuffing-attacks-report.pdf (accessed 21st February, 2020).
11. Barnett R. (April 2018), ‘The Dark Side of APIs, Part 2’, The Akamai Blog, available at https://blogs.akamai.com/sitr/2018/04/part-2-the-dark-side-of-apis.html (accessed 23rd August, 2019).
12. See NMAP.org, available at https://nmap.org/ (accessed 19th May, 2020).
13. NMAP (September 2019), ‘Nmap Network Scanning: Legal Issues’, available at https://nmap.org/book/legal-issues.html (accessed 5th September, 2019).
14. Porup, J. M. (November 2019), ‘What is Shodan? The search engine for everything on the internet’, CSO, available at: https://www.csoonline.com/article/3276660/what-is-shodan-the-search-engine-for-everything-on-the-internet.html (accessed 21st February, 2020).
15. Raga Hines, L. and Wasserman, D. (November 2018), ‘Hidden in Plain Sight: The Tools and Resources Used in Credential Abuse Attacks’, p. 13, White Paper, Akamai, available at https://www.akamai.com/us/en/multimedia/documents/white-paper/credential-abuse-analysis-white-paper.pdf (accessed 21st February, 2020).
16. Ibid., note 15, p. 20.
17. Ibid., note 15, p. 19.
18. McKeay, M, Fakhreddine, A. and Ragan S. (January 2019), ‘[State of the Internet] / Security: DDoS and Application Attacks’, Vol. 5, No. 1, pp. 11–14, available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-ddos-and-application-attacks-2019.pdf (accessed 21st February, 2020).
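
As an added example that is not part of the paper, the positive security model described under PROTECTING APIS can be written as an allow-list that processes only in-specification requests and drops every deviation. The route, field names and limits are hypothetical, and the opaque order reference is an assumed mitigation for the sequential order number in the opening coffee-chain case, not something the paper says the company adopted.

```python
import json
import re
import secrets

# Hypothetical specification for one endpoint of a coffee-ordering API.
# Route, field names and limits are assumptions made for this example.
MAX_BODY_BYTES = 2048
STORE_ID = re.compile(r"[A-Z]{2}[0-9]{4}")
SKU = re.compile(r"[a-z0-9-]{3,32}")


def is_int(value, low, high):
    # bool is a subclass of int in Python; the spec wants real integers only.
    return type(value) is int and low <= value <= high


def valid_store(value):
    return isinstance(value, str) and STORE_ID.fullmatch(value) is not None


def valid_item(item):
    return (
        isinstance(item, dict)
        and set(item) == {"sku", "qty"}  # no missing and no extra keys
        and isinstance(item["sku"], str)
        and SKU.fullmatch(item["sku"]) is not None
        and is_int(item["qty"], 1, 20)
    )


def valid_items(value):
    return isinstance(value, list) and 1 <= len(value) <= 10 and all(map(valid_item, value))


# Allow-list: (method, path) -> the exact body fields and a check for each.
SPEC = {("POST", "/v1/orders"): {"store_id": valid_store, "items": valid_items}}


def validate(method, path, content_type, raw_body):
    """Return (True, parsed body) or (False, reason); input is never repaired."""
    fields = SPEC.get((method, path))
    if fields is None:
        return False, "route not in specification"
    if content_type != "application/json":
        return False, "content type not in specification"
    if len(raw_body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    try:
        body = json.loads(raw_body)
    except (ValueError, RecursionError):  # bad syntax, bad UTF-8, deep nesting
        return False, "malformed JSON"
    if not isinstance(body, dict) or set(body) != set(fields):
        return False, "missing or unknown fields"
    for name, check in fields.items():
        if not check(body[name]):
            return False, "field out of specification: " + name
    return True, body


def handle(method, path, content_type, raw_body):
    ok, detail = validate(method, path, content_type, raw_body)
    if not ok:
        # Generic answer to the caller; `detail` is what a server would log.
        return 400, {"error": "request rejected"}
    # Opaque reference instead of a sequential order number, so a confirmation
    # says nothing about how many orders the store has taken.
    return 201, {"order_ref": secrets.token_urlsafe(16)}


# Constructed requests: one in specification, four deviations.
ORDER = b'{"store_id": "DE0042", "items": [{"sku": "flat-white", "qty": 2}]}'
SAMPLES = [
    ("POST", "/v1/orders", "application/json", ORDER),
    ("GET", "/v1/orders", "application/json", ORDER),
    ("POST", "/v1/orders", "application/json", ORDER[:-1] + b', "discount": 100}'),
    ("POST", "/v1/orders", "application/json", ORDER.replace(b"2}", b"true}")),
    ("POST", "/v1/orders", "application/json", b"[" * 1500),
]


def run_samples():
    outcomes = []
    for sample in SAMPLES:
        ok, detail = validate(*sample)
        outcomes.append("accepted" if ok else detail)
    return outcomes


if __name__ == "__main__":
    for outcome in run_samples():
        print(outcome)
```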
