API security: the new security battleground

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

“While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.” This quote by Dr. Chase Cunningham from his book, “Cyber Warfare – Truth, Tactics, and Strategies,” seems a fitting way to begin the topic of cybersecurity battlegrounds.

Regardless of the techniques used, going big, expensive, and glossy – while potentially useful – doesn’t replace the need for a well-reasoned approach to securing assets founded on traditional activities and principles. Innumerable assets are housed behind APIs, and the widespread use of APIs means they are high-profile targets. Securing them is of the utmost importance.

Two historical books came to mind for this topic:

Art of War, by Sun Tzu
Book of Five Rings, by Miyamoto Musashi

I chose these two due to their applicability to the topic (oddly enough because they are less specific to modern security – something about their antiquity allows for a broader application).

After revisiting the books, I decided to take Musashi’s five principles (the scrolls: Earth, Water, Fire, Wind, and Void) and match them as closely as possible with five of the numerous teachings of Sun Tzu. I then applied them to securing APIs in a growing cybersecurity arena with an increasing number of threat actors.

Earth

Musashi’s focus in the Earth Scroll is seeing the bigger picture. Practitioners need to know the landscape or the 30,000 ft view. Sun Tzu said, “The supreme art of war is to subdue the enemy without fighting.”

How to Apply

One needs to understand the nature of API attacks and attackers in securing APIs. One example of a common exploit category is Security Misconfiguration.

Some fundamental API security activities that can prevent attacks before they even get started include following an SDLC, implementing access control, deploying some form of edge protection, using continuous monitoring and alerting, and using appropriate architecture and design patterns.

API attackers are ruthless and relentless. Most criminals want an easy win, and good defense will fend off a high percentage of attacks.

Encryption is a must, both in transit and at rest. The enemy can be thwarted by not being able to use what was stolen.
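The following is an added example, not code from the original post: a minimal request-authorization check that ties together three of the Earth-scroll items above, access control, continuous monitoring and alerting, and the Security Misconfiguration category (here, a policy that fails open for unauthenticated callers). The token store, users, paths and policy values are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Request:
    method: str
    path: str
    token: Optional[str]   # bearer token presented by the caller, if any
    owner_id: str          # owner of the resource at `path`, as resolved by the API (constructed)

# Constructed token store: token -> (user id, role). A real API would verify signed tokens.
TOKENS = {"tok-alice": ("alice", "user"), "tok-admin": ("root", "admin")}

@dataclass
class Policy:
    default_allow: bool = False          # True is the classic misconfiguration: fail open
    admin_prefixes: Tuple[str, ...] = ("/admin",)

AUDIT_LOG: List[str] = []   # every decision is recorded so monitoring can alert on it

def authorize(req: Request, policy: Policy) -> bool:
    """Return True if the request may proceed.

    Unauthenticated calls are denied unless the policy is misconfigured to fail open;
    authenticated calls get a role check on admin paths and an object-level ownership
    check everywhere else.
    """
    ident = TOKENS.get(req.token) if req.token else None
    if ident is None:
        decision = policy.default_allow
    else:
        user, role = ident
        if req.path.startswith(policy.admin_prefixes):
            decision = role == "admin"
        else:
            decision = role == "admin" or user == req.owner_id
    AUDIT_LOG.append(
        f"{'ALLOW' if decision else 'DENY'} {req.method} {req.path} "
        f"auth={'yes' if ident else 'no'} fail_open={policy.default_allow}"
    )
    return decision

def denied_unauthenticated_count() -> int:
    """Monitoring hook: how many unauthenticated calls have been denied so far."""
    return sum(1 for line in AUDIT_LOG if line.startswith("DENY") and "auth=no" in line)
```

A spike in the count returned by the monitoring hook, or any ALLOW line with auth=no, is the kind of signal the alerting mentioned above should surface.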

Water

It’s important to be experienced and flexible – or fluid – on an individual level, and that includes one’s role in the company. Sun Tzu said, “Be flexible.”

How to Apply

Gathering cyber threat intelligence (CTI) makes it possible to adapt to changing threats in real time. Intelligence gathering, even using Contextual Machine Learning (CML), means that one doesn’t depend on past information, hearsay, rumors, or peer information. Rely on as much clear, relevant, and current information as possible about threats and risks for one’s own company.

In addition to CTI, focus on a well-designed and tested incident response plan.

Intelligence and responding to incidents go a long way toward making company security agile and adaptable.

Fire

The Fire aspect is about the actual use of the weapons (tools) on the battlefield. Sun Tzu said, “The enlightened ruler lays his plans well ahead; the good general cultivates his resources.”

Now that the proper foundations have been built, it’s time to use the API tools that have been implemented.

How to Apply

Manage and maintain the API resources, identify the strengths and weaknesses of the API system, and ensure secure authentication and authorization methods for API access.

Also, set fire to vulnerabilities through regular security testing. This should include vulnerability scanning and pentesting, if not red/blue/purple teaming, or even something like Chaos Monkey to test uptime (an oft-overlooked aspect of API security).

Wind

This is also interpreted as “Style.” Here, the goal is to study (not just passively observe) opponents. Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

How to Apply

For the modern day, we’ll expand this to studying how other companies have dealt with cybercrime and cyberattacks. One will improve by studying others based on facets such as industry, regulations, and org size.

It’s easy for a company to a) think it’s alone or b) believe it does better than anyone. This can lead to isolation. Org leaders have every reason to set their org apart – distinction is a major component in having a chance at creating a profitable, if not lasting, business. But there aren’t all that many ways to uniquely secure a business – phishing is phishing whether against an international enterprise or a local coffee shop; an API for a fintech org is much the same as an API for an ice cream shop (the architectures available come in only a few flavors) – many people can use it and abuse it.

Intelligence sharing with other companies can be helpful in creating a secure community.

Void

The idea here, also called Emptiness, is understood as “no mind.” This doesn’t mean that no brain activity is involved, but points more to intuition, awareness, and acting on instinct. Action doesn’t always require thinking things through, getting input from others, and planning something. Some things – whether by natural inclination or by training – are just second nature.

Sun Tzu said, “Utilize your strengths.”

How to Apply

Play to your strengths: individual, departmental, corporate. There’s no one else like you or your company.

Leverage the strengths of your API resources to enhance security. Make sure you know your tools in and out. Often, they’re expensive and very likely, they’re not used to full capacity.

Focus on continuous learning and improvement. This requires a team of individuals who work well together and are independently passionate about defending data.

This intuitiveness is not based on industry, spreadsheets, or data analysis but depends on relevant stakeholders’ individual and collective expertise. Often, it will be addressing many fronts at once, such as improved IR, developer training, choosing a platform that provides numerous API protections (while also avoiding a single point of failure), getting legal and compliance teams to determine next steps in the privacy regulation landscape, and performing regular incident response and disaster recovery exercises.

Epilogue

To paraphrase the classic ending of many of Musashi’s teachings, these ideas should be given careful and thorough reflection.

Managing security in the cloud through Microsoft Intune

For many years, the Group Policy feature of Microsoft’s Windows has been the go-to solution for controlling workstations, providing deployment, and in general, making a network manageable by information professionals. It does, however, require a traditional domain with an Active Directory deployment — many users already have an Active Directory (AD) and will have an AD domain for many years into the future.

What if you didn’t have such a domain to deal with, or were starting over fresh with a totally distributed network linked together only by cloud connections? You would probably turn to Microsoft’s Intune, a cloud-based unified endpoint management service for both corporate and bring-your-own-device technology. Intune extends the functionality of some Active Directory features and that of the Microsoft Endpoint Configuration Manager to the Microsoft Azure cloud.

AI-fueled search gives more power to the bad guys

Concerns about the reach of ChatGPT, and about how much easier it may make it for bad actors to find sensitive information, have increased following Microsoft’s announcement of the integration of ChatGPT into Bing and the latest update of the technology, GPT-4. Within a month of the integration, Bing had crossed the 100 million daily user threshold. Meanwhile, GPT-4 improved the AI, which now has better reasoning skills, is more accurate, and has the ability to see images.

When ChatGPT was released in November 2022, hackers quickly jumped on the technology to help them write more convincing phishing emails and exploit code, but that was the old ChatGPT. According to OpenAI, the new AI’s bar exam score rose from 10% to 90%, its medical knowledge score went from 53% to 75%, its quantitative GRE score rose from 25% to 80%, and the list goes on.

5 cyber threats retailers are facing — and how they’re fighting back

There are many reasons retailers are juicy targets for hackers. They earn and handle tremendous amounts of money, store millions of customer credit card numbers, and have frontline staff who may lack cybersecurity training. To save money, some retailers use older equipment that isn’t adequately updated, secured, or monitored to deal with cyberattacks. According to a 2022 data breach report from Verizon, the retail industry reported 629 incidents in 2022, 241 of which had “confirmed data disclosure.”

CVE-2022-27598

A vulnerability has been reported to affect multiple QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to get secret values. The vulnerabilities affect the following QNAP operating systems: QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). We have already fixed the vulnerabilities in the following operating system versions: QTS 5.0.1.2346 build 20230322 and later; QuTS hero h5.0.1.2348 build 20230324 and later.

CVE-2022-27597

A vulnerability has been reported to affect multiple QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to get secret values. The vulnerabilities affect the following QNAP operating systems: QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances). We have already fixed the vulnerabilities in the following operating system versions: QTS 5.0.1.2346 build 20230322 and later; QuTS hero h5.0.1.2348 build 20230324 and later.

Legacy, password-based authentication systems are failing enterprise security, says study

Authentication-related attacks grew in 2022, taking advantage of outdated, password-based authentication systems, according to a study commissioned by HYPR, a passwordless multifactor authentication (MFA) provider based in the US.

The study, conducted by independent technology market research firm Vanson Bourne, surveyed 1000 IT professionals from organizations around the world with more than 50 employees. These included respondents from the US (300), UK (250), France (100), Germany (100), China (100), Australia (75) and Japan (75).

Rush of MFA bombing pushed authentication-related breaches

Three out of five respondents said their organizations had been targeted by authentication-related attacks in 2022. Also, of the 88% of respondents targeted by one or more cyberattacks in the last 12 months, 43% reported phishing or smishing to be the main form of attack.
