Cybersecurity Awareness Month 2022: New Theme, New Perspective
It’s that time of year again – cybersecurity awareness month! This year’s CISA theme is See Yourself in Cyber. The intention is to bring awareness to the more human aspects of cybersecurity. Specifically, while security may seem technical and complex, ultimately, it’s all about people. Other cybersecurity leaders, including agencies such as the Department of Homeland Security and the National Cybersecurity Alliance, are also providing resources to inform the public about the latest challenges and solutions in cybersecurity.
CISA starts with these general tips on how everyone can stay safe online:
- For individuals and families, we encourage you to See Yourself taking action to stay safe online. That means enabling basic cyber hygiene practices: update your software, think before you click, have good strong passwords or a password keeper, and enable multi-factor authentication (meaning you need “More Than A Password!”) on all your sensitive accounts.
- For those considering joining the cyber community, we encourage you to See Yourself joining the cyber workforce. We’ll be talking with leaders from across the country about how we can build a cybersecurity workforce that is bigger, more diverse and dedicated to solving the problems that will help keep the American people safe.
- For our partners in industry, we encourage you to See Yourself as part of the solution. That means putting operational collaboration into practice, working together to share information in real-time, and reducing risk and building resilience from the start to protect America’s critical infrastructure and the systems that Americans rely on every day.
In addition to these highlights, CISA outlines key action steps that everyone should take:
- Think Before You Click: Recognize and Report Phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
- Update Your Software: Don’t delay — If you see a software update notification, act promptly. Better yet, turn on automatic updates.
- Use Strong Passwords: Use passwords that are long, unique, and randomly generated. Use password managers to generate and remember different, complex passwords for each of your accounts. A password manager will encrypt passwords, securing them for you!
- Enable Multi-Factor Authentication: You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked.
They also provide a Cyber Resource Hub for assessments and measuring cyber resilience.
Extending Cybersecurity Awareness to API Security
While the continued priority of cybersecurity awareness is appreciated and admirable, there are key aspects, such as API security, that still go unnoticed.
After all, it’s APIs that connect applications and the very services that people use across every industry, from financial services and retail to healthcare and crypto. And more recently, it’s the API layer that has been the biggest target, resulting in large-scale data breaches.
The latest was the Optus data breach that resulted from an unauthenticated API endpoint. In fact, it’s being described as Australia’s biggest hack in history, as Optus customers rush to change their passports and driver’s licenses after their data was accessed. The attacker who breached their APIs claims to hold more than 11 million user records and is demanding a ransom of $1 million.
This incident speaks directly to both the lack of awareness and visibility into APIs, as well as limited (or missing) API protection that would immediately identify and block potential API attacks or abuse. With costly outcomes such as this, API security can no longer go unaddressed in the industry – companies need to be prioritizing API security at the executive level.
API Sprawl: The Direct Threat to Data, Privacy and Systems
One of the biggest shifts in the software development industry that can impact your security ecosystem is the prevalence of cloud-native, distributed, API-based applications. The exponential increase in the number of APIs and in API usage has created a new threat landscape. Most security leaders have no idea how many APIs are in their environment or what those APIs are doing.
At Traceable, we’re doing our best to provide insight into the risks associated with API Sprawl, and to provide a solution that allows teams to understand where their APIs are and what data they are processing, and to ascertain risk posture.
The Limitations of Web Application Firewalls (WAF)
In the past, companies typically secured their applications and APIs using Web Application Firewalls (WAFs) – this perimeter security was enough in a time of monolithic applications: simply secure the data within the confines of a firewall, and you are secure. However, the rise of microservice architecture, Kubernetes, and containers has introduced more attack surface outside of your network, and has given rise to an increased risk of sensitive data exfiltration, malicious attacks, and exposure of personally identifiable information (PII).
Another reason APIs are difficult to protect is that malicious API traffic looks normal to security tools like a WAF. The Venmo and Coinbase API attacks are perfect examples of this phenomenon. For Venmo, one of their unsecured public API endpoints allowed a student to scrape 200 million users’ financial transactions. This looked like normal traffic to their security solution. At Coinbase, improper API validation allowed an attacker to make unlimited cryptocurrency trades between different currency accounts. Again, this looked like perfectly normal traffic to their security solutions.
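The following added example (not from the original post or from Traceable’s product) illustrates the point above with constructed access-log lines: a simplified, assumed signature rule set standing in for a WAF passes every request, because each one is a well-formed call to a legitimate endpoint, while a behavioral check across a client’s sequence of requests flags the sequential-ID scrape. The log format, endpoint paths, and client addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (client_ip method path status). Every line is
# a well-formed request to a real endpoint; no single line looks malicious.
SAMPLE_LOG = """\
203.0.113.5 GET /api/v1/transactions/1001 200
203.0.113.5 GET /api/v1/transactions/1002 200
203.0.113.5 GET /api/v1/transactions/1003 200
203.0.113.5 GET /api/v1/transactions/1004 200
203.0.113.5 GET /api/v1/transactions/1005 200
203.0.113.5 GET /api/v1/transactions/1006 200
198.51.100.9 GET /api/v1/users/me 200
198.51.100.9 GET /api/v1/transactions/4471 200
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3})$")
TXN_RE = re.compile(r"^/api/v1/transactions/(\d+)$")

# Assumed, simplified signature rules standing in for a WAF's per-request view.
WAF_SIGNATURES = ("' or ", "<script", "../", "union select")

def waf_flags(path):
    """Per-request check: true only if the path carries an attack signature."""
    return any(sig in path.lower() for sig in WAF_SIGNATURES)

def parse_log(log):
    """Yield (client_ip, method, path, status) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)

def detect_enumeration(log, min_requests=5, max_gap=2):
    """Behavioral check across requests: flag a client that successfully reads
    many transaction IDs whose values sit in a tight ascending range."""
    ids_by_client = defaultdict(list)
    for ip, _method, path, status in parse_log(log):
        m = TXN_RE.match(path)
        if m and status == "200":
            ids_by_client[ip].append(int(m.group(1)))
    flagged = {}
    for ip, ids in ids_by_client.items():
        if len(ids) < min_requests:
            continue
        ordered = sorted(set(ids))
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if gaps and max(gaps) <= max_gap:
            flagged[ip] = (ordered[0], ordered[-1], len(ids))
    return flagged
```

Running `detect_enumeration(SAMPLE_LOG)` flags only 203.0.113.5, the client walking IDs 1001 through 1006, while `waf_flags` returns False for every path in the sample.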
In order to remain both secure and competitive, organizations need to consider taking a DevSecOps approach, as well as deploying an end-to-end API security platform to protect their APIs. With an API security platform, you’ll be able to catalog and secure all of your APIs and the sensitive information flowing through them, significantly reducing the effort it takes to remediate security vulnerabilities, while also reducing the likelihood of a negative outcome such as a costly API breach. For your company to remain secure in 2022, securing your APIs is paramount.
Traceable Resources for Cybersecurity Awareness Month
- API Security Testing: How to Eliminate API Vulnerabilities in pre-prod
- API Discovery and Governance: Comprehensive Visibility into all APIs and Sensitive Data Flows
- API Threat Protection: How to Detect and Stop Known and Unknown API Attacks
- What is API Sprawl?
- Customer Story: API Sprawl Problem Turns into API Intelligence Solution for Data Management Vendor Informatica
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle. Book a demo today.