Protecting APIs From Advanced Security Risks

An API means an Application Programming Interface which works as software intermediary for communicating among your apps. In turn, it enables sharing and extraction of data among apps in an effective accessible manner. Your web APIs here effectively establish connections between apps and platforms or services like games, social networks, devices, databases and some more. In IoT apps and devices, APIs serve well to gather data apart from being capable enough to control other connected devices too.

The APIs are in general developed as REST APIs and SOAP APIs. SOAP or Simple Object Access Protocol APIs are XML based and helps as messaging protocol among computers for exchanging information. These APIs are developed basing up on WS Security standards using XML encryption, SAML token and XML Signature for dealing security for transactional messaging. It can support successfully W3C and OASIS recommendations too. Similarly, REST APIs or Representational State Transfer APIs are developed for remote computer systems using HTTP for obtaining data and to perform certain operations significantly. Here, these APIs enable secure communication using SSL authentication and HTTPS. JSON standards are used in these APIs for consuming payloads to simplify data transfer over the browsers. Here, REST is all about stateless and that means each HTTP request is made to contain all the necessary or needed information with no necessity for server or client to retain data for satisfying the request.

Security Threats to API

API is often said as self-document information. It means its internal structure and implementation can serve as a way for a cyber attack. If any additional vulnerability like lack of encryption, weak authentication, flaws in business logic and some of the insecure endpoints can result in cyberattacks too.

Cyber-attacks often can lead to a data breach which can, in turn, result in an organization’s reputation loss yet keeping its relations at stake. Very often the data breach can attract the latest fines through the latest GPDR guidelines too. The APIs security deserves seeing it in two folds as data breach and operations disruptions. So, it is quite imperative to secure your API through its design. Very common phishing acts often happens through the end-user. This is making users invaluable allies in the attack detection process and its progress. So, often it is a remedial measure to recruit end-user input and these loops are not supposed to be hardcoded for handling a set of situations that are predetermined. Real-world examples should be examined for these end-user input loops.

Let us see in detail some of the vulnerabilities in API

• MITM or Man In The Middle: Very often MITM involves in obtaining sensitive data between two parties by secretly relaying altering communications by intercepting API messages between two. This MITM attacks often saw happening through two stages as decryption and interception. To secure against this MITM, it is suggested to have TLS or Transport Security Layer in the API. If your API is lacking this TLS is an open-handed invitation to attackers. So, enable this Transport Layer Encryption without fail to safeguard your API against MITM.

• API Injections: Inserting a malicious code into the API for staging attack is called as API Injection. These can be seen as XSS or Cross-Site Scripting and SQLI or SQL injection. Vulnerable APIs are often a great possibility for these kinds of attacks. If your API is failing to perform appropriate filter input or FIEO (escape output), then it is the best way one to launch the attack in the form of XSS through end user’s browser. This attack can also add into the API some malicious commands like SQL commands to delete or add tables to the database forms. The most effective way to control this issue is proven well through input validation.

• DDoS or Distributed Denial of Service: This is a kind of attacker where the attacker pushes long or enormous messages to the server or the network with invalid return addresses. This kind of attack can result in a non-functioning situation. It deserves proper security precautions while designing the API. It is safe to enable multiple access control method to your API to mitigate well this issue. API keys may be enough when your API contains non-sensitive information. For the APIs with sensitive information are suggested using robust authentication mechanisms, HTTPS, OAuth, Two-way TLSSAML tokens and some more.

• Broken Authentication: These broken authentication cases can allow the attacker to take control or bypass the set authentication methods in the API. Also, this situation can attack over JSON web tokens, passwords, API keys, and some more too. To mitigate this issue, it is suggested taking care authentication and authorization requirements with OAuth/OpenID tokens, API key and PKI. Also, it is wiser and safe not to share credentials across connections that are not even encrusted. Also, never reveal the session ID over the web URL too.

What Should Your Employees Know About Computer Security?

The number one threat against the security of your information system is the insider threat. Make sure that your employees know how to safely function with computers. Failing to do so is a lack of due diligence on your part.

Among what employees should know as a bare minimum is listed below:

What type of information does your company process?

What are the employees’ basic responsibilities for information security?

What are the components of the organization’s password policy?

What are the security best practices that employees should follow?

What qualifies as a clean work area that supports security?

What type of threats should employees be on guard against?

What are some common attack methods?

What actions should employees take when an attack occurs?

What are the company’s email policies?

What are the company’s social media and web surfing policies?

Your employees should be aware of how raw data is processed to create information and how it is used by your business to make important decisions and a profit.

Get it wrong and the company loses.

The people who work for you and third parties who come into contact with your system should be viewed as possible threats. That is why an information security plan should be in place and everyone should be aware. Anything less is the equivalent of having your proverbial “pants down around your ankles”.

Every employee is responsible for computer security and the assurance of your digital assets. People who obtain and process company data should be aware of all their responsibilities. Those who work for you need to be aware and accountable.

Each individual who works in your organization should be security aware and know what to do in the event of an attempted or actual attack. Anything less and your people will fail.

Everyone should know how to maintain a safe workspace, in which sensitive papers are removed from view. Workers should know how to lock their keyboards to keep passersby from observing screens and accessing terminals.

All people in the company should know how to create and maintain robust passwords or multi-factor authentication. Passwords should be complex and periodically changed. An organization-wide digital security program should be maintained and periodically evaluated.

Policies relating to security should conform to business and industry best practices. They must be part of each employee’s security awareness training. For example, the people who work for you should know that storage media from outside of the office must be properly scanned before introducing it into your information system.

Your people should be aware of the common attack methods that cyber criminals and others use. A seemingly innocent request for information over the telephone could be the beginning of a social engineering attack designed to obtain crucial information to break into the company’s system.

Email needs be a part of the organization’s policies for protecting sensitive information. Once again, having policies should be a part of an organization’s due diligence effort to keep cyber criminals at bay and out of your system. Your workers must know how to handle various situations that arise. Simply clicking on a malicious link could compromise your entire system.

The use of social media platforms and surfing the Internet could open up multiple avenues for malicious users into your system. You employees need to know what is considered to be an acceptable practice when it comes to using Internet resources. You company could be found liable, for example, if an employee wrote something disparaging about an ethnic group or your assets could even be used for illegal purposes without your knowledge.

Maintaining the confidentiality, integrity and availability of your company’s mission critical information requires that those who work for your company should have the tools to do so. Having a formal information security plan is a basic necessity. You are in real trouble and have already lost the battle against cybercriminals if you don’t have a plan. And if you do have a plan and your employees are unaware – the same holds true.

You must start treating computer security as a business process.

"Over Familiar" – This Can Happen With Your Security Company

Compromised Security.

Caution – Your Security Company Can Become too familiar.

We have already discussed the formation of security partnering between the client and service provider. This is valuable and does work extremely well. However, the integrity of this business relationship can be undone because of over familiarity.

There is no reason why there should not be a polite and respectful relationship between the contractor and you and your staff. However, one of the quickest and often the most common ways of undermining your company’s security is to allow inappropriate familiarity between staff and guard. If you notice that there are close friendships forming between your staff and security guards request the guard or guards be changed. The security contract needs to be clear on this point, if it is not included ask for this condition to be agreed upon and added into the contract.

Inappropriate behaviour or over familiarity can occur when the wrong type of guard personality is chosen for your site. It’s certainly okay for your staff and guards to be polite to each other and say something like ‘have a great weekend’, ‘how was your day’? It is inappropriate for close off site friendships or girlfriend/boyfriend relationships to develop, or lengthy, chatty phone calls or mobile texting about non security matters.

This may sound draconian. However, whilst most people have entirely innocent and friendly interaction between client’s staff and security guards there are some who cultivate these friendships who have a specific agenda. Say for example, someone on your staff, (it could even be a long serving staff member) has an intention to access a restricted area of the building for the purposes of stealing intellectual property. They could do this by becoming very friendly with the guard and the guard relaxing the security access for the benefit of that person.

I have seen this happen frequently and I would caution you that this type of interaction can lead to a short circuit in security. Common security lapses such as incident statements not being written or reported, keys and ID cards not being signed in or out or not even returned at all. Even worse, a senior security guard allowing confidential security files to be leaked to other staff. Both people were fired, but the damage was already done, it is still not known exactly to what extent this breach has had on the company.

There has even been bribes of alcohol and money accepted by security guards so that staff members could gain access to restricted areas or use the building for a party after hours.

For the sake of your company’s security… keep it polite and keep it professional.