by Ishan Bhattacharya

Building secure APIs will remain a challenge around enterprise applications

Aug 25, 2015

Aamir Lakhani, senior security strategist at Fortinet's FortiGuard Labs, talks about a few instances of security breaches that occurred recently and why they are worth keeping in mind while planning a security strategy. Lakhani also highlights how a lack of proper training is making organizations vulnerable to advanced security threats.

Can you tell us about two incidents of data breaches that occurred recently and are worth keeping in mind while implementing security solutions?

Charlie Miller and Chris Valasek's research on car hacking and discovering critical flaws in Chrysler automobiles shows how cyber security threats affect the world outside IT. Many companies and people who believe they are safe from cyberattacks because they do not deal with the IT community directly are beginning to understand how truly connected everything is to everything, and how much of a serious threat cyber-attacks truly are. Charlie Miller and Chris Valasek's research forced a change and made Chrysler update their vehicle software.

Corporations like Chrysler lacked visibility or intelligence provided on their network, even though researchers had to literally scan millions of connected cars to find vulnerabilities. Corporations need to stop designing scenarios where they believe attacks could never happen simply because they believe they are only ones with the knowledge or access to the proper tools, and start planning on when attacks will occur.

The Ashley Madison data breach targeted users of a dating site that promotes cheating. Thousands of users on the site are in relationships or married but are seeking out ways to have a relationship with someone outside their committed relationship. Attackers these days are not interested in just credit cards; they are interested in exploiting people. The reason for this is that it is much more valuable and a better long-term investment for attackers.

Users can simply turn off their credit cards by reporting them lost. However, when attackers can use your personal information against you, they can blackmail you for much longer periods of time. Ashley Madison saw itself as a dating site; they didn't value their assets, and they did not realize how valuable their customer data was to attackers. We see the theme repeating of people not understanding and valuing their data.

What according to you are the major reasons behind security breaches? Is it only because of IT negligence?

Security breaches today occur because many people involved in IT operations, development, or systems administration did not fully understand or identify their valuable data and therefore left it unprotected. When recently auditing a major bank, we found banking employees had very strict procedures around handling currency, received proper training, and had briefings around threats. However, almost no training was given around the computer systems, accessing applications, or control over USB storage devices. It was not surprising to discover malware and other threats on the bank's computers. Bank employees were repeatedly attacked with cyber and social engineering attacks from hackers with relative ease.

When we look at major threats, we see a common theme: lack of awareness and lack of training. As a security professional, I help customers identify what data is truly valuable to their organization and how to protect it.

What are a few of the unique steps that Fortinet is taking to educate customers about advanced security threats?

Fortinet's FortiGuard Labs is one of the largest and most experienced threat intelligence and threat research organizations in the world. Every day we are tracking down, fixing, and discovering new threats. With over 51 zero-days discovered in just the first few months of 2015, we are beating the bad guys at their own game, and working with vendors to fix the problems. Our research is consumable via our products, giving our customers unparalleled visibility and intelligence within their own environments.

As a security strategist, do you think Indian enterprises are now comfortable with BYOD? Or do you think BYOD is too much of an unnecessary burden which is not worth the risk?

Fortinet's own research suggests that Indian enterprises are increasingly becoming more comfortable with BYOD-type environments. Culturally, India is high tech, and its users like having control of their own devices with the ability to customize their experience to something that suits their own personalities. Enterprise organizations are starting to see some financial benefits of BYOD environments, since it lowers the support costs of an enterprise. However, just like the rest of the world, organizations in India are struggling to balance security and data concerns when it comes to BYOD.

Do you think that when it comes to apps, building a strong API still remains a challenge?

It absolutely does remain a challenge. From a security perspective, many vulnerabilities are found in the API infrastructure and development process. However, as any development organization will tell you, with the need for integration of third-party products, the need for automation and self-provisioning, and other new technologies such as software-defined anything, the lack of a feature-rich API puts you at a competitive disadvantage. Therefore, building secure APIs is going to remain a challenge around enterprise applications.