API security: the new security battleground



The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

“While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.” This quote by Dr. Chase Cunningham from his book, “Cyber Warfare – Truth, Tactics, and Strategies,” seems a fitting way to begin the topic of cybersecurity battlegrounds.

Regardless of the strategies used, going big, expensive, and shiny – while possibly useful – does not replace the need for a well-reasoned approach to securing assets based on conventional activities and principles. Innumerable assets sit behind APIs, and the widespread use of APIs makes them high-profile targets. Securing them is of the utmost importance.

Two historical books came to mind for this topic:

  • Art of War, by Sun Tzu
  • Book of Five Rings, by Miyamoto Musashi

I chose these two because of their applicability to the topic (oddly enough because they are less specific to modern security – something about their antiquity allows for broader application).

After revisiting the books, I decided to take Musashi’s five principles (the scrolls: Earth, Water, Fire, Wind, and Void) and match them as best I could with five of the many teachings of Sun Tzu. I then applied them to securing APIs in the growing cybersecurity arena, where the number of threat actors keeps increasing.

Earth

Musashi’s focus in the Earth Scroll is seeing the bigger picture. Practitioners need to know the landscape, the 30,000-foot view. Sun Tzu said, “The supreme art of war is to subdue the enemy without fighting.”

How to Apply

To secure APIs, one needs to understand the nature of API attacks and attackers. One example of a common exploit class is Security Misconfiguration: permissive CORS policies, verbose error responses, version banners, and debug features left enabled in production.

Some fundamental API security activities that can stop attacks before they even start include following a secure SDLC, implementing access control, deploying some form of edge protection (such as an API gateway or WAF), using continuous monitoring and alerting, and using appropriate architecture and design patterns.

API attackers are ruthless and relentless. Most criminals want an easy win, and good defensive hygiene will fend off a high percentage of attacks.

Encryption is a must, both in transit and at rest. An enemy who cannot use what was stolen has been thwarted.
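The misconfiguration class described above is easiest to see in the headers an API actually returns. The following audit is an added example, not code from the original post: it takes one response (status, headers, body) and reports loose CORS, a missing Strict-Transport-Security header (so encryption in transit is not enforced on the browser side), version banners, cacheable private data, missing nosniff, and stack traces in error bodies. The two sample responses, the allowed-origin set, and the rules themselves are assumptions made for illustration.

```python
"""Added example (not code from the original post): a small, framework-free
audit of one API response for common Security Misconfiguration findings
(loose CORS, missing HSTS, version banners, cacheable private data, verbose
errors). The sample responses at the bottom are constructed for illustration."""
from typing import Dict, List, Optional


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalize them once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_response(
    status: int,
    headers: Dict[str, str],
    body: str = "",
    authenticated: bool = False,
    request_origin: Optional[str] = None,
    allowed_origins: Optional[set] = None,
) -> List[str]:
    """Return a list of findings for one response; an empty list means clean.

    `authenticated` marks responses carrying a logged-in caller's data.
    `request_origin` is the Origin header the client sent; `allowed_origins`
    is the set the deployment intends to permit (assumed known to the auditor).
    """
    h = _norm(headers)
    findings: List[str] = []

    # CORS: a wildcard origin plus credentials is never valid and signals a
    # copy-pasted policy; reflecting an arbitrary Origin with credentials lets
    # any website call the API with the victim's browser session.
    acao = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and with_creds:
        findings.append("CORS: wildcard origin combined with credentials")
    if (with_creds and request_origin and acao == request_origin
            and request_origin not in (allowed_origins or set())):
        findings.append("CORS: untrusted Origin reflected with credentials")

    # Transport: without HSTS a browser will still try plain HTTP first,
    # so "encryption in transit" is not enforced on the client side.
    if "strict-transport-security" not in h:
        findings.append("Transport: Strict-Transport-Security header missing")

    # Fingerprinting: version banners hand an attacker the patch level.
    for banner in ("server", "x-powered-by"):
        if any(ch.isdigit() for ch in h.get(banner, "")):
            findings.append(f"Disclosure: {banner} reveals a version ({h[banner]})")

    # Caching: private API data must not land in shared or browser caches.
    if authenticated and "no-store" not in h.get("cache-control", "").lower():
        findings.append("Caching: authenticated response lacks Cache-Control: no-store")

    # Content sniffing: JSON APIs should pin the type to block MIME confusion.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Content: X-Content-Type-Options: nosniff missing")

    # Verbose errors: stack traces in 5xx bodies leak code paths and versions.
    if status >= 500 and ("Traceback" in body or "Exception" in body):
        findings.append("Errors: stack trace returned to the client")

    return findings


# Constructed sample: a debug-mode API answering an attacker-controlled Origin.
MISCONFIGURED = dict(
    status=500,
    headers={
        "Server": "Apache/2.4.41 (Ubuntu)",
        "Access-Control-Allow-Origin": "https://evil.example",
        "Access-Control-Allow-Credentials": "true",
        "Content-Type": "application/json",
    },
    body='Traceback (most recent call last):\n  File "app.py", line 12 ...',
    authenticated=True,
    request_origin="https://evil.example",
    allowed_origins={"https://app.example"},
)

# Constructed sample: the same endpoint with the usual hardening applied.
HARDENED = dict(
    status=200,
    headers={
        "Server": "api",
        "Access-Control-Allow-Origin": "https://app.example",
        "Access-Control-Allow-Credentials": "true",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Cache-Control": "no-store",
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/json",
    },
    body='{"ok": true}',
    authenticated=True,
    request_origin="https://app.example",
    allowed_origins={"https://app.example"},
)

if __name__ == "__main__":
    for name, resp in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(name, audit_response(**resp) or ["clean"])
```

Run against the constructed samples, the misconfigured response produces six findings and the hardened one none. The same function can sit in a CI step that replays a handful of requests against a staging deployment, which is how this kind of edge-protection check is normally kept from regressing.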

Water

It is essential to be skilled and flexible – or fluid – at the individual level, and that includes one’s role in the company. Sun Tzu said, “Be flexible.”

How to Apply

Gathering cyber threat intelligence (CTI) makes it possible to adapt to changing threats in real time. Intelligence gathering, even using Contextual Machine Learning (CML), means that one does not depend on old information, hearsay, rumors, or peer information. Rely on as much clear, relevant, and current information as possible about threats and risks to one’s own company.

In addition to CTI, focus on a well-designed and tested incident response plan.

Intelligence and incident response go a long way toward making company security agile and adaptable.

Fire

The Fire aspect is about the actual use of the weapons (tools) on the battlefield. Sun Tzu said, “The enlightened ruler lays his plans well ahead; the good general cultivates his resources.”

Now that the proper foundations have been built, it is time to use the API tools that have been implemented.

How to Apply

Manage and maintain the API resources, identify the strengths and weaknesses of the API system, and ensure secure authentication and authorization methods for API access. Authentication alone is not enough: a caller who has proven who they are must still be checked against what they are allowed to touch.
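What “secure authentication and authorization” looks like in a handler, as an added example that is not code from the original post: a bearer token signed with HMAC-SHA256 proves who the caller is, and the lookup handler then checks that the caller owns the object it asks for. The vulnerable version authenticates but skips the ownership check, so any valid user can read any order by id; the hardened version adds the check. The token format, the signing key, the in-memory order table, and the request dictionary shape are all assumptions made for this illustration.

```python
"""Added example (not code from the original post): authentication with an
HMAC-signed bearer token, plus the object-level authorization check that a
"secure authentication and authorization" layer has to make on every lookup.
A vulnerable handler is shown beside its hardened form. The token format,
the in-memory order table and the request shape are assumptions made here."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SECRET = b"rotate-me-in-production"  # assumed server-side signing key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Build `payload.signature`; the HMAC binds the claims to SECRET."""
    exp = (now if now is not None else int(time.time())) + ttl
    claims = json.dumps({"sub": user_id, "exp": exp}, separators=(",", ":"))
    payload = _b64(claims.encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if signature and expiry check out, otherwise None."""
    try:
        payload, sig = token.split(".", 1)
        given = _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, given):
        return None
    claims = json.loads(_unb64(payload))  # only parsed after the signature held
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return None
    return claims.get("sub")


# Constructed data store: each order belongs to exactly one user.
ORDERS: Dict[str, Dict[str, str]] = {
    "1001": {"owner": "alice", "item": "hardware key"},
    "1002": {"owner": "bob", "item": "ice cream"},
}


def _caller(request: dict, now: Optional[int]) -> Optional[str]:
    """Extract and verify the bearer token from a request dictionary."""
    auth = request.get("authorization", "")
    return verify_token(auth[7:], now) if auth.startswith("Bearer ") else None


def get_order_vulnerable(request: dict, now: Optional[int] = None) -> Tuple[int, dict]:
    """Authenticates the caller but never checks who owns the object."""
    user = _caller(request, now)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(request["order_id"])
    return (200, order) if order else (404, {"error": "not found"})


def get_order_secure(request: dict, now: Optional[int] = None) -> Tuple[int, dict]:
    """Same lookup with the ownership check; 404 for both missing and foreign
    ids so the API does not confirm which ids exist."""
    user = _caller(request, now)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(request["order_id"])
    if order is None or order["owner"] != user:
        return 404, {"error": "not found"}
    return 200, order


if __name__ == "__main__":
    bob = issue_token("bob")
    req = {"authorization": "Bearer " + bob, "order_id": "1001"}  # alice's order
    print("vulnerable:", get_order_vulnerable(req))
    print("secure:    ", get_order_secure(req))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in a real service the handlers would read the clock themselves. The ownership test belongs in the handler (or a shared authorization layer the handler cannot bypass), not in the token: a token proves identity, and the data layer decides access.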

Also, set fire to vulnerabilities through regular security testing. This should include vulnerability scanning and pentesting, if not red/blue/purple teaming, and even something like Chaos Monkey to test uptime (an oft-overlooked aspect of API security).

Wind

This can also be interpreted as “Style.” Here, the goal is to study (not just passively observe) opponents. Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

How to Apply

For the modern day, we will broaden this to studying how other companies have dealt with cybercrime and cyberattacks. One will improve by studying others based on facets such as industry, regulations, and org size.

It is easy for a company to a) think it is alone or b) believe it does better than anyone. This can lead to isolation. Org leaders have every reason to set their org apart – differentiation is a major component in having a chance at making a profitable, if not lasting, business. But there are not all that many ways to uniquely secure a business – phishing is phishing whether against a global enterprise or a local coffee shop; an API for a fintech org is much the same as an API for an ice cream shop (the architectures available come in only a few flavors) – many people can use it and abuse it.

Intelligence sharing with other companies can be helpful in creating a secure organization.

Void

The idea here – also called Emptiness – is known as “no mind.” This does not mean that no mental activity is involved, but points more to intuition, awareness, and acting on instinct. Action does not always require thinking things through, getting input from others, and planning something. Some things – whether by natural inclination or by training – are simply second nature.

Sun Tzu stated, “Utilize your strengths.”

How to Apply

Play to your strengths: individual, departmental, corporate. There is no one else like you or your company.

Leverage the strengths of your API resources to enhance security. Know your tools inside and out. Often, they are expensive and, very likely, they are not used to full capacity.

Focus on continuous learning and improvement. This requires a team of people who work well together and are independently passionate about protecting data.

This intuitiveness is not based on industry, spreadsheets, or data analysis but depends on relevant stakeholders’ individual and collective expertise. Often, it will mean addressing many fronts at once, such as improved IR, developer training, choosing a platform that offers numerous API protections (while also avoiding a single point of failure), getting legal and compliance teams to determine next steps in the privacy regulation landscape, and performing regular incident response and disaster recovery exercises.

Epilogue

To paraphrase the traditional ending of many of Musashi’s teachings, these ideas should be given careful and thorough reflection.
