
Can your home devices pose a threat to you?

Have you ever thought that your vacuum cleaner may not only sweep your floor but also listen to your conversations? Or that your home security cameras might be used by someone else to stalk you? Smart gadgets are making our lives easier, but they can also pose a serious risk to our property, privacy, and even life if they fall into the hands of hackers. If you don’t want to become their next cybercrime victim, let’s take a look at some of the potentially risky connected devices surrounding you and ways to protect your security.
 


Innocent-looking smart toys

AI-powered and internet-connected toys provide much more than just entertainment for children. They boost creativity and develop social, motor, problem-solving, and other skills that can significantly impact their future performance. However, buying smart toys can be a not-so-smart idea – along with bringing kids joy, they can also attract hackers and identity thieves.

Security flaws are common, even in toys from the brands parents trust most. Mattel's Wi-Fi-connected Hello Barbie doll, My Friend Cayla, Fisher-Price's Chatter Bluetooth telephone, the VTech InnoTab Max, Furby Connect and many other toys have been labelled spying devices by security researchers. Because of their security gaps, attackers can switch on a toy's microphone or camera (where it has one) and see or hear everything the toy does. They can also interact with your children, give them instructions, coax secrets or personal data out of them, and track their location. The collected data can then be used for blackmail or ransom demands, or sold on the dark web or to advertisers.

Spying webcams

The desire to protect your home from burglars can backfire: you can end up being spied on yourself. That is exactly what happened to owners of Amazon's Ring and Google's Nest security cameras when attackers logged in with reused or leaked passwords (credential stuffing rather than a flaw in the cameras themselves) and used the devices to surveil, threaten and insult the people who owned them.

In one case, a home's Ring camera loudspeaker started playing a song. A girl heard it and went to investigate; when she entered the room where the camera was mounted, a deep male voice spoke to her through the speaker, claiming to be Santa Claus and using racist slurs.

In another Ring hack case, the virtual intruder harassed a woman, calling her vulgar names and asking her to respond.

Similar incidents have been reported by Nest camera owners. Several families said that intruders talked to them through the cameras and tampered with their thermostats, cranking up the heat.

These are just a few examples of how you can unexpectedly become a victim of cybercrime; besides home security cameras, the same can happen with baby monitors or even pet cams.

Risky home cleanliness

The truth is that robot vacuum cleaners make life much easier. You can mind your own business while a robot vacuum sweeps your house. Although it may seem that cleaning dust from the floor is its sole task, in the hands of fraudsters, it can have a wholly different purpose as a spying device that may make you a victim of cybercrime.

Researchers have shown that an attacker who gains access to a robot vacuum can retrieve the floor map it builds of your home and, in the academic LidarPhone attack, repurpose its LiDAR sensor as a crude microphone to recover speech from the vibrations of nearby objects. Some robot vacuums also let an attacker take control of the device or watch its live camera feed. All of this data can be sold to advertisers or used by criminals to plan a burglary or other crimes.

Deadly medical devices

It is no longer surprising that we can become victims of cybercrime when our bank card details are stolen or our mobile devices or online accounts are hacked. All this is nothing compared to what can happen when malicious actors hack into medical devices such as pacemakers, implanted defibrillators, drug-infusion pumps, and other health tech gadgets, which can have fatal consequences.

In 2017, the FDA announced a recall of 465,000 Abbott (formerly St. Jude Medical) pacemakers after the security firm MedSec found flaws that could allow an attacker to reprogram the devices and put patients' lives at risk. For the same reason, doctors disabled the wireless function of former U.S. Vice President Dick Cheney's implanted defibrillator so that it could not be attacked remotely. Infusion pumps that automate the delivery of medication and nutrients into a patient's body can also become deadly if an attacker alters the dose. Moreover, hijacked healthcare devices can be used to steal personal or medical records, or even to lure victims to the hospital with false messages about their condition so that they leave their homes unattended.

How to protect

While some of the above-mentioned connected devices have no recorded cases of anyone maliciously hacking them, various investigations by cybersecurity experts have shown that the potential for problems exists. Therefore, security measures must be put in place to avoid any possible threats.

  • Don’t recycle passwords. Create complex and unique ones for all your connected devices and accounts.

  • Where it’s possible, set up multi-factor authentication (MFA).

  • Use a secured Wi-Fi network (WPA2 or WPA3) with a password that is hard to guess.

  • If you have a problem remembering different passwords for your accounts, use a password manager.

  • Always keep the software of your devices up to date. Updates patch potential security flaws.

  • When a device is not in use, for example a robot vacuum or a child's toy, unplug it or switch it off so that it stops collecting data.

  • If a device can do its job without internet access, disconnect it; where it must stay online, putting it on a separate guest or IoT network keeps it away from your computers and phones.

  • Make sure that the smartphone you have connected to your devices is malware free.

  • Stay vigilant, and don’t provide your or your kid’s personally identifiable information if it’s not necessary. For example, children’s toys can be updated without knowing your kid’s age. However, be sure to provide the correct contact details so that developers can notify you of possible updates or security flaws.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

[Important notice] ESET campus solutions will be withdrawn from sale from 2023-01-01

About ESET
Founded in 1992, ESET is a global provider of computer security software for business and home users. Its award-winning NOD32 antivirus system provides real-time protection for computer systems against known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 uses the fewest system resources, has the fastest detection speed, delivers the most effective protection, and has won more Virus Bulletin 100% awards than any other antivirus product. ESET has been named to Deloitte's Technology Fast 500 for five consecutive years, has an extensive partner network that includes internationally known companies such as Canon, Dell and Microsoft, has offices in Bratislava (Slovakia), Bristol (UK), Buenos Aires (Argentina), Prague (Czech Republic) and San Diego (USA), and has distributors in more than 100 countries.

About Version 2 Digital
Professional distributor and leader in security solutions
Version 2 Taiwan (Version 2) is one of the most dynamic IT companies in Asia. With many years in the information technology field, it is committed to providing up-to-date security solutions (such as EDR, NDR and vulnerability management), tool products (such as remote control and web filtering) and managed detection and response (MDR) services, delivering widely acclaimed products and customised, localised professional services through a large network of points of sale, resellers and partners.

Version 2 Taiwan's sales coverage includes Taiwan, Hong Kong, mainland China, Singapore and Macau, and its customers span all industries, including Global 1000 multinationals, listed companies, public utilities, government departments, countless successful SMEs and consumer-market customers from cities across Asia.

runZero 3.3: unmatched visibility into your Google ecosystem

What’s new with runZero 3.3?

  • Extended visibility into Google Workspace
  • Queries for Google Workspace users and groups
  • Fingerprinting for Google assets
  • Identification of OpenSSL services
  • Improvements to the runZero Console

Extended visibility into Google Workspace

runZero 3.3 extends visibility into your Google ecosystem through a new integration with Google Workspace. runZero Professional and Enterprise users can sync Google Workspace asset details from mobile devices, endpoints and managed Chrome systems, and runZero Enterprise users can also sync Users and Groups. Once the integrations are configured, users can view, search, analyze, export and alert on attributes from both Google Workspace and Google Cloud Platform.

One of the key reasons to use the runZero integrations is to get a better picture of the scope of your environment and the completeness of your coverage, because MDM and IAM platforms cannot see devices that were never onboarded. To identify assets on your network that are not onboarded to Google Workspace, use the query source:runzero AND NOT source:googleworkspace. Conversely, to find assets known to Google Cloud Platform or Google Workspace that runZero has not scanned yet, use (source:gcp OR source:googleworkspace) AND NOT source:runzero. These two queries help you keep pace with unmanaged and disconnected assets.

The integration also pulls in many Google Workspace attributes to give you comprehensive asset visibility, such as when a device was last synced, whether it has a password enabled or is encrypted, and whether it supports a work profile. The Recent Users list in the asset details also gives insight into device ownership and usage. You can filter for a specific user with the @googleworkspace.mobile.email attribute for mobile devices or the @googleworkspace.chromeos.recentUsers attribute for ChromeOS devices. To find mobile devices that are not locked with a password, try @googleworkspace.mobile.devicePasswordStatus:="Off", or use @googleworkspace.mobile.encryptionStatus:="Not Encrypted" to find ones without encryption enabled. The % wildcard also lets you match a range of OS versions: @googleworkspace.endpoint.osVersion:="MacOS 12.%" finds Google Workspace assets running macOS Monterey.

runZero offers unmatched active network scanning, while also integrating with an ever-growing list of data sources so that you have a complete asset inventory at your fingertips. To get started, set up a connection to Google Workspace or Google Cloud Platform.

Google Workspace integration

Queries for Google Workspace users and groups

runZero Enterprise users can leverage the new queries tailored for the Google Workspace integration to quickly find and alert on accounts that match particular parameters, in addition to being able to run searches in the Users and Groups inventories. Identify administrator accounts, suspended accounts, and accounts without MFA to improve IAM efforts and better protect your environment. These queries are included in the Query Library and can also be used to create alerts.

Run queries about Google Workspace users or create an alert rule to find assets of interest.

Query and Alert on Google Workspace Results

Fingerprinting for Google assets

runZero includes fingerprints for the metadata returned by the Google integrations, including Google Cloud Platform and Google Workspace. This will help provide the most accurate operating system and hardware data about the assets in your inventory.

In addition to Google fingerprints, runZero has also improved fingerprinting coverage of Microsoft 365 Defender assets and SNMP devices. Additional support was added or improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Identification of OpenSSL services

In preparation for the OpenSSL 3.0.x vulnerability announcement of November 2022, runZero released remote, unauthenticated fingerprinting for OpenSSL 3 services, allowing users to get ahead of mitigation before the vulnerability details became public. This capability has since expanded to detect more TLS implementations and to track the TLS stack in use on each asset. runZero users can find OpenSSL endpoints with the query product:openssl in the assets, services and software inventories.

The server-side exposure applies only to services that parse client certificates, so a TLS server that never requests a client certificate is not reachable that way. runZero already checks for this, even though requiring client certificates is not a common configuration. To identify services running OpenSSL 3.0.x that may be exposed, use the following query in the service inventory search: _service.product:"OpenSSL:OpenSSL:3" AND tls.requiresClientCertificate:"true".
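To make the set logic behind the coverage-gap queries and the OpenSSL client-certificate query concrete, here is an added example that is not runZero's code: a small Python evaluator that mimics the surface syntax of the queries quoted above (key:value as a substring match, key:="value" as a whole-value match, % as a wildcard, AND/OR/NOT and parentheses) and runs them over constructed asset and service rows. The matching rules and the sample rows are assumptions made for illustration; runZero's real query language is richer.

```python
"""Toy evaluator for runZero-style inventory queries over constructed rows.

Added example, not runZero's parser. It mimics the surface syntax of the
queries quoted on this page: key:value (substring match), key:="value"
(whole-value match), % as a wildcard, AND / OR / NOT and parentheses.
Names and values compare case-insensitively; an attribute may be a list.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample rows (not real inventory data). "source" lists every
# integration that reported the asset, which is what the source: queries test.
ASSETS = [
    {"id": "a1", "source": ["runzero", "googleworkspace"], "@googleworkspace.mobile.encryptionStatus": "Encrypted"},
    {"id": "a2", "source": ["runzero"]},                                     # scanned, never onboarded
    {"id": "a3", "source": ["googleworkspace"], "@googleworkspace.mobile.encryptionStatus": "Not Encrypted"},
    {"id": "a4", "source": ["gcp"]},                                         # cloud only, never scanned
    {"id": "a5", "source": ["runzero", "gcp"], "@googleworkspace.endpoint.osVersion": "MacOS 12.6.1"},
]
SERVICES = [
    {"id": "s1", "_service.product": "OpenSSL:OpenSSL:3.0.5", "tls.requiresClientCertificate": "true"},
    {"id": "s2", "_service.product": "OpenSSL:OpenSSL:3.0.5", "tls.requiresClientCertificate": "false"},
    {"id": "s3", "_service.product": "OpenSSL:OpenSSL:1.1.1q", "tls.requiresClientCertificate": "true"},
]

# A token is a parenthesis or key:value, where the value may be a quoted string.
TOKEN = re.compile(r'\(|\)|[^\s()"]+(?:"[^"]*")?')

class QueryParser:
    """Recursive descent: OR binds loosest, then AND, then NOT, then parentheses."""
    def __init__(self, query):
        self.tokens, self.pos = TOKEN.findall(query), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):                                   # term ('OR' term)*
        node = self.term()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):                                   # factor ('AND' factor)*
        node = self.factor()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):                                 # NOT factor | ( expr ) | key:value
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok.upper() == "NOT":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        key, sep, value = tok.partition(":")
        if not sep:
            raise ValueError(f"bad term {tok!r}")
        exact = value.startswith("=")                 # ':=' means whole-value match
        return ("match", key.lower(), value.lstrip("=").strip('"').lower(), exact)

def match_attr(row, key, pattern, exact):
    """True if any value of row[key] matches; % in the pattern is a wildcard."""
    values = row.get(key, [])
    for value in (values if isinstance(values, list) else [values]):
        value = str(value).lower()
        if "%" in pattern:
            if fnmatchcase(value, pattern.replace("%", "*")):
                return True
        elif (value == pattern) if exact else (pattern in value):
            return True
    return False

def evaluate(node, row):
    kind = node[0]
    if kind == "match":
        return match_attr(row, *node[1:])
    if kind == "not":
        return not evaluate(node[1], row)
    if kind == "and":
        return evaluate(node[1], row) and evaluate(node[2], row)
    return evaluate(node[1], row) or evaluate(node[2], row)

def run_query(query, rows):
    """Return the ids of the rows that satisfy the query."""
    parser = QueryParser(query)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [r["id"] for r in rows
            if evaluate(tree, {k.lower(): v for k, v in r.items()})]
```

Running the two coverage queries against ASSETS returns a2 and a5 as scanned-but-unmanaged (a5 is known to GCP, yet still has no Workspace record) and a3 and a4 as managed-but-unscanned; the OpenSSL query over SERVICES returns only s1, because s2 never requests a client certificate and s3 is not OpenSSL 3.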

Improvements to the runZero Console

The 3.3 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the Explorers, Sites, Organizations, and Your team pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.

The release also extends the availability of the All Organizations view. All users now have a view that will show them the results from all of the organizations that they have access to. The available permissions in that view reflect their per-organization permissions so that they can manage resources just like they would when viewing a single organization.

Release notes

The runZero 3.3 release includes a rollup of all the 3.2.x updates, which includes all of the following features, improvements, and updates.

New features

  • runZero Professional and Enterprise customers can now sync assets from Google Workspace.
  • runZero Enterprise customers can now sync users and groups from Google Workspace.
  • The “All Organizations” view is now available to restricted users with a filtered scope.
  • User interface tables were revamped for Organizations, Sites, Explorers, and Teams.
  • Live validation is no longer required for Qualys VMDR and InsightVM credentials.
  • Fingerprint updates.

Product improvements

  • The subnet utilization report now supports filtering by site.
  • CSV export of assets now includes the same hostname information as the inventory view.
  • Up-to-date ARM64 builds of the standalone scanner are now available.
  • The account API endpoint for creating organizations now accepts the argument types documented.
  • Merging two assets now correctly updates the date of the newest MAC address for the resulting asset.
  • Disabling all scan probes now disables the SNMP probe.
  • Service Provider information is now displayed with a default domain before SSO settings are configured.
  • Explorers are now ordered alphabetically on the scan configuration and connector configuration pages.
  • runZero users logging in via SSO are now presented with the terms and conditions acceptance dialogue.
  • A new tls.stack attribute that tracks the TLS software provider and version has been added for assets and services.
  • A new canned query for OpenSSL 3.0.x with client certificate authentication has been added.
  • The scanner now reports OpenSSL versions via TLS fingerprinting.
  • The scanner now reports Tanium agent instances on the network.
  • The scanner now reports additional detail for SSLv3 services.
  • The search keywords has_os_eol and has_os_eol_extended are now supported on the Assets and Vulnerabilities inventory pages.
  • The “last seen” link to the most recent scan details has been restored on the asset details page.

Performance improvements

  • Improved performance when scanning from macOS hosts that have certain EDR solutions installed.
  • Improved performance of Intune integration when importing a large number of users and devices.
  • Scan task processing speed has been improved for SaaS and self-hosted customers.
  • The baseline memory usage of Explorers has been reduced.
  • Error handling of misconfigured fingerprints has been improved to reduce Explorer and scanner crashes.

Fingerprinting changes

  • Improved fingerprinting coverage of Microsoft 365 Defender for Endpoints assets.
  • Improved fingerprinting coverage of SNMP devices.
  • Tanium agent detection now sets the edr.name attribute.
  • Added fingerprinting of OpenSSL, GnuTLS, and Windows TLS stacks, including version when possible.
  • Apple ecosystem OS fingerprint updates.
  • Additional support added-or-improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Integration improvements

  • The AWS integration now includes an option to delete AWS-only assets that were not seen in the most recent import.
  • The Qualys integration now includes an option, disabled by default, to import unscanned assets.
  • Processing speed for large Qualys imports has been improved.
  • GCP credentials can now be configured to import assets from multiple projects.
  • The error message indicating that an AWS integration credential has insufficient permissions has been improved.

Bug fixes

  • A bug that could prevent the use of third-party credentials when using TLS thumbprints or the insecure connection option with a public URL has been resolved.
  • A bug which sometimes prevented GCP imports from completing has been fixed.
  • A bug in how Service Inventory searches were launched from the Asset details page has been resolved.
  • A bug that could prevent TLS probes from completing has been resolved.
  • A bug that could prevent updating site metrics has been resolved.
  • A bug that could prevent the Intune integration from completing long-running tasks has been resolved.
  • A bug that could prevent the GCP integration from returning all assets has been resolved.
  • A bug that could result in a recurring integration running again before the previous task finished has been resolved.
  • A bug that could prevent importing assets from Microsoft Intune has been resolved.
  • A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
  • A bug that could cause broken asset links has been resolved.
  • A bug that could cause missing service data for services with conflicting virtual hosts has been resolved.
  • A bug that could cause inaccurate user counts for imported directory groups has been resolved.
  • A bug that affected tooltip display has been resolved.
  • A bug that prevented “open in new tab” navigation using middle/right click has been resolved.
  • A bug that could prevent Azure AD imports has been resolved.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

How free migration tools can end up costing you more

Discover how the true cost of migrations can often be hidden.

Everyone likes a freebie, there’s no denying it. But the truth is, when something’s free, it usually comes at a price.

Free software is a good example of this. Usually it’s just a “taster”, something to whet your appetite or grab your attention, and further down the line you end up paying for a more robust version.

Free migration software is like this; a good foundation to start, but if you want all the bells and whistles to do it properly, then it’s worth paying a little extra.

Free Migration Tools

Migrations are incredibly complex, and the results can make or break a business. It’s not the kind of thing you want to put into the hands of the cheapest option available.

There are basically three serious options when it comes to free migration tools: Microsoft FastTrack, Google Workspace Migrate and third-party open-source software.

Open-source software

There are plenty of free open-source software migration tools out there, and most of them are fit for purpose if you’re only moving small amounts of data that have no real importance. But when it comes to a large-scale data migration that’s part of the growth and development of your business, you will want to set your sights a little higher.

As you might expect, open-source migration software has limitations. It takes longer to set up, will usually only migrate certain things (files and folders but not email, for example) and, most importantly, has a higher failure rate, so there is more chance of your migration turning into a catastrophe.

Because the software is open source, it typically comes without vendor accreditation or certified security guarantees. For something as important as your company's data, you should only ever use software that meets international security standards, like CloudM.

Microsoft

FastTrack is a migration service provided by Microsoft and it’s available to all Microsoft 365 subscribers for free.

FastTrack is suitable for simple file migrations, but it was not designed for anything more complicated.

When you are handling a big migration project, you want to be kept abreast of its progress. With FastTrack there is no update on the project until it is complete, so there is no way of telling how long is left, how much data has been moved, or which files are still pending.

If you have additional requirements, special instances that need specific attention, or simply want someone to help fix unforeseen issues, then unfortunately there’s not much help available.

If any issues come up, there is no telephone or video support, only an email address to use, so a response is usually slow, by which time the issue might have done serious damage.

FastTrack is only available for customer tenants with 150 or more licenses and is also limited to a certain number of users, so for larger projects, you need more than one migration to move your data.

So to sum up Microsoft’s free migration tool, it might be worth it if you’re a small business with basic data to transfer. Anything larger or complicated should be left to bespoke migration software.

Google

For full migrations, Google will only transfer from one Google domain to another. That means if you’re on Microsoft or some other platform, you can’t use their tool.

Google does have GWMMO (Google Workspace Migration for Microsoft Outlook), but some categories of email, calendar and contact items are not supported for import into Gmail, while journal entries, Outlook notes, tasks and RSS feeds are not imported at all through this method.

Google Migration is not always the speediest: you are allocated one server for your project and you’re migrated on that one server.

In fact, for more complicated migrations, Google often turns to third-party software themselves – like CloudM. So if your migration project needs to happen quickly, securely and effectively, you can cut out the middleman and come to us directly.

What can go wrong?

Unfortunately, a lot could go wrong during a data migration, which is why you should never go for the cheapest option. As we mentioned, migrations are complex, and the bigger the job, the more issues can potentially arise.

Losing data, leaving user information behind and data corruption are just a few of the common problems seen during a large migration.

These issues can have serious, real-world consequences. From reputation damage to hefty fines for data protection breaches, a problematic migration can be a nightmare for a company.

Any kind of problem is going to mean more work for your IT team – because here’s the thing with free migration software – if things do go wrong, who do you talk to about it? Who is accountable for lost or corrupted data? What number do you call to speak to someone? Who do you email about the issue?

Invariably, the answer is no one. And that’s where the true cost of free migration tools appears.


Why you should use us

CloudM has a 99.8% success rate when it comes to data migrations, with over 68 million users migrated in 107 countries.

We offer a host of advantages over a free migration service, including speed, security, accountability, and perhaps most important of all, peace of mind.

Migrations can be stressful, and if you choose free software, you’ll increase that stress exponentially. You’ll have no regular updates, no sign of how successful your migration has been so far, and no idea of how long is left.

With us, you’ll have a personalized account manager, someone to oversee your project and keep you up to date with developments. You’ll be in full control of your data, you’ll know exactly what has been transferred and when, how far the project has come, and any issues that have arisen. Plus, with 24/7 product support available you know an expert is never far away.

We also provide Delta Migrations, allowing your business to carry on as normal during the project, so you have zero downtime. A Delta Migration works by migrating all your historical data – say everything up until the past three months – and then once that’s done, we do the last three months over a weekend when no one is working.

Working with us rather than a restrictive service or open-source software with no experts on hand gives you more options and greater agility in your migration. We can course correct if something comes up, and of course, handle everything for you instead of making you do all the work as free software would.

If done incorrectly, problems during a migration can lead to downtime, data loss and, in the worst case, legal trouble.

It simply isn’t worth the risk to use free, open-source software for something as important as your data. Let the professionals handle it.

You’re not just paying for the software, you’re paying for peace of mind. You’re paying for data security and accountability if anything goes wrong. You’re paying for a successful migration, and at the end of the day, that’s all that matters.

 

About CloudM

CloudM is a management platform designed for Microsoft 365 and Google Workspace. It simplifies IT management with core functions that include: seamlessly migrating data to the cloud, automating employee onboarding and offboarding processes, and securely backing up and archiving data. Its goal is to save businesses time, reduce errors, and efficiently utilize cloud resources.

What to consider when defending against rogue APIs

Application programming interfaces (APIs) are a crucial part of most businesses: they move information between systems inside an organization and to external companies. Unfortunately, a rogue API can expose sensitive data and the organization's internal infrastructure to misuse.

A security breach could result in the leaking of sensitive customer data such as PHI or financial data. This article will give an overview of the vulnerabilities of APIs that hackers take advantage of and how best to secure them.

What is a Rogue API?

A rogue API is an API that the company has not approved or authorized to provide access to its data. Instead, it is created by a third-party developer who reaches the company's data through a back door.

Rogue developers often do not follow the same security practices or abide by the same data privacy laws as the company. The effects of rogue API activity include:

  • Collection of sensitive data from a business without permission, such as customer information, financial data or proprietary information.
  • Deletion or modification of data stored on a system.
  • Corruption of important files, or rendering them inaccessible.
  • Bypassing the security controls on a site.
  • Financial losses and a damaged reputation.

The Importance of API Security

APIs are reached over public networks from any location. This makes them easily accessible to attackers and simple to reverse-engineer.

APIs are central to microservices architectures. They are used to build client-side applications for customers, employees, partners and more. The client-side application, such as a web or mobile app, interacts with the server side through the API. Invariably, APIs become a natural target for cybercriminals and are exposed to Denial of Service (DoS) attacks.

Consequently, implementing and maintaining API security, although an exhaustive process, is a critical necessity. API security practices should cover access control policies as well as the identification and remediation of attacks on APIs. The best way to protect data is to ensure that only approved APIs can reach a company's sensitive data.

Effective Strategies to Reduce Rogue API Vulnerabilities

Here are some steps organizations can take to protect against a rogue API:

  • Use a network security solution that detects and blocks API threats.
  • Grant access to sensitive data only to those who need it.
  • Conduct constant API activity monitoring for suspicious or unauthorized activity.
  • Promptly block suspicious IP addresses.
  • Keep all data secure by using trusted third-party services.

Best API Security Practices Against Rogue API

Get Educated on all Security Risks

Developers need in-depth knowledge of the latest techniques cybercriminals use to penetrate a system. One strategy is to get information from trusted online sources such as newsletters, malware security blogs and security news portals.

By being up-to-date with the latest hacking trends, developers can configure their APIs and ensure they thwart the latest attacks.

Authenticate & Authorize

Businesses need to carefully control access to their API resources. First, they must identify all related devices and users carefully and comprehensively. An effective strategy is to require the client application to include a token in every API call so that the service can validate the caller.

Standard web tokens such as JSON Web Tokens (JWT) can be used to authenticate API traffic and to carry the claims on which access control rules are based. Businesses can also use OAuth 2.0 grant types and scopes to determine which users, groups and roles may reach specific API resources. For example, a user who only needs to read a blog or post a comment should receive only the permissions that reflect this.
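Putting the token-in-every-call pattern into code, as an added example that is not from the article: a standard-library-only HS256 JWT issuer and verifier, followed by a per-endpoint scope check in the spirit of the blog-reader example above. The signing key, the scope names and the endpoint table are assumptions. The verifier pins the algorithm instead of trusting the token header, compares the signature in constant time and checks expiry before any authorization decision is made.

```python
"""Authenticate then authorize an API call with an HS256 JSON Web Token.

Added example, not from the article: standard library only, so the flow can
run offline. The signing key, the scope names and the endpoint table are
assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-hs256-key-do-not-reuse"   # assumption: key shared with the issuer

# Assumed policy: the scope each endpoint requires, keyed by (method, path).
REQUIRED_SCOPE = {
    ("GET", "/posts"): "posts:read",
    ("POST", "/posts/1/comments"): "comments:write",
    ("DELETE", "/posts/1"): "posts:delete",
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, scopes, ttl: int = 300, now=None) -> str:
    """What the authorization server does: sign subject, scopes and expiry."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps(
        {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Authenticate: return the claims, or raise ValueError for any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the token's own header must never choose the verifier,
    # otherwise "alg": "none" or an RS256->HS256 swap would be accepted.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims

def authorize(method: str, path: str, token: str, now=None) -> str:
    """Authenticate, then check the scope; returns 'ok', '401', '403' or '404'."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return "401"                      # not authenticated: do not reveal why
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return "404"
    granted = set(claims.get("scope", "").split())
    return "ok" if needed in granted else "403"
```

A token minted with only posts:read and comments:write lets the holder read posts and comment but is refused (403) on DELETE; an expired token, a token whose claims were swapped without re-signing, or a token whose header says "alg": "none" all fail authentication (401) before any scope is consulted.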

Encrypt Your Data

All data requires appropriate encryption, both in transit and at rest, so that only authorized parties can decrypt and modify it.

Encryption protects sensitive data and secures the communication between client apps and servers. Its benefit is that encrypted data cannot be read by unauthorized entities even if they gain access to the network path or to the storage that holds it.
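For the client-to-server leg, encryption in practice means TLS configured so that it actually verifies the server. The following is an added example, not code from this article or from Portnox or Version 2 Digital, showing a hardened Python client context beside the weak one that "disable certificate verification" workarounds produce, plus a small audit function that reports which protections a given context is missing. It uses only the standard library; the finding strings are my own.

```python
"""Added example: hardened versus weak TLS client configuration, with an
audit check. Python stdlib only; not code from the article."""
import ssl


def hardened_client_context():
    """Client context an API consumer should use when calling the server."""
    ctx = ssl.create_default_context()            # trusts the platform CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # server must present a valid cert
    ctx.check_hostname = True                     # and it must match the host name
    return ctx


def weak_client_context():
    """What 'just make the certificate error go away' code typically does.
    Any on-path attacker can now impersonate the API server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses found in a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_context(weak_client_context()))
```

The audit function is the useful part for a review: run it over the contexts an application builds and any "no findings" result means the connection will refuse an unverified or misnamed server rather than silently talk to it.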

Validate the Data

Many businesses assume that data arriving through partner APIs has already been cleansed and validated. It may not have been, so companies must implement their own data cleaning and validation routines to prevent standard injection flaws and related attacks.

Debugging and tracing tools help to examine the API’s data flow and to track errors and anomalies.
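The validation routine the section calls for, as an added example that is not part of the original article and not Portnox or Version 2 Digital code. It validates an incoming comment payload against an allowlist of fields, types, and sizes, then stores it two ways: with string-built SQL, which the payload can break out of, and with a parameterised query, which treats it as data. The payload schema, the SQLite table, and the attack string are constructed for the illustration; only the Python standard library is used.

```python
"""Added example: server-side validation of a comment payload, then the
injection-prone way and the safe way to store it (sqlite3 from the stdlib).
The schema and the attack string are constructed for the illustration."""
import sqlite3

MAX_BODY_LEN = 2000
ALLOWED_FIELDS = {"post_id", "body"}


class ValidationError(ValueError):
    pass


def validate_comment(payload):
    """Return a cleaned {"post_id", "body"} dict or raise ValidationError.

    Allowlist approach: unexpected fields are rejected (blocks mass assignment
    of fields like is_admin), types and ranges are checked, and control
    characters are refused."""
    if not isinstance(payload, dict):
        raise ValidationError("payload must be a JSON object")
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    post_id = payload.get("post_id")
    if isinstance(post_id, bool) or not isinstance(post_id, int) or post_id <= 0:
        raise ValidationError("post_id must be a positive integer")
    body = payload.get("body")
    if not isinstance(body, str) or not body.strip():
        raise ValidationError("body must be a non-empty string")
    if len(body) > MAX_BODY_LEN:
        raise ValidationError(f"body longer than {MAX_BODY_LEN} characters")
    if any(ord(c) < 32 and c not in "\n\t" for c in body):
        raise ValidationError("body contains control characters")
    return {"post_id": post_id, "body": body.strip()}


def rejection_reason(payload):
    """None if the payload validates, else the reason it was rejected."""
    try:
        validate_comment(payload)
        return None
    except ValidationError as err:
        return str(err)


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, body TEXT)")
    return conn


def insert_comment_vulnerable(conn, post_id, body):
    """String-built SQL: the body is parsed as SQL, so a quote breaks out."""
    conn.execute(f"INSERT INTO comments (post_id, body) VALUES ({post_id}, '{body}')")


def insert_comment_safe(conn, post_id, body):
    """Parameterised SQL: the body is bound as data and never parsed as SQL."""
    conn.execute("INSERT INTO comments (post_id, body) VALUES (?, ?)", (post_id, body))


def demo():
    """Store the same attacker-controlled body both ways; return (vulnerable rows, safe rows)."""
    attack_body = "x'), (999, 'injected"      # constructed injection payload
    vuln = _fresh_db()
    insert_comment_vulnerable(vuln, 7, attack_body)
    safe = _fresh_db()
    insert_comment_safe(safe, 7, attack_body)
    query = "SELECT post_id, body FROM comments ORDER BY post_id"
    return vuln.execute(query).fetchall(), safe.execute(query).fetchall()
```

Note that the attack string passes validate_comment: a comment body is allowed to contain quotes, so input validation alone does not stop injection. The two controls are complementary: validation rejects payloads that are wrong for the business (extra fields, bad types, oversized bodies), and parameterised queries make sure whatever is accepted can only ever be data.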

Identify API Vulnerabilities

One important API security best practice is to perform a risk assessment. To do that, you must first know which facets of your network remain exposed to risk.

Overall vulnerability can be difficult to pinpoint because software organizations routinely use thousands of APIs at once. To succeed with API security, establish measures that eliminate vulnerabilities, mitigate risk, and meet security policies.

Furthermore, discovering vulnerabilities requires rigorous testing. The best place to begin is the initial phase of development, where findings are easiest and cheapest to rectify.

Limit the Sharing of Confidential Information

Sharing only the necessary information is a sound practice. The API itself should return just the fields the client needs rather than the entire data record; a client application that filters the relevant information out of a full record does not protect the rest, because by the time it filters, the data has already left the server.

A developer should also remove sensitive information such as passwords and keys from responses and from the code and configuration before making the API publicly available. This prevents attackers from gaining access to sensitive data or using the leaked material as an entry point into the application and the core of the API.

Returning the entire record and leaving it to the consumer to pick out what is relevant is a form of lazy programming. Its other consequences include slower response times and giving attackers more information about the resources behind the API.
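One way to keep the server in charge of what leaves it, as an added example that is not part of the original article and not Portnox or Version 2 Digital code: responses are projected onto an allowlist of public fields, a client may narrow that set with a comma-separated fields parameter but cannot widen it, and, for contrast, a denylist projection shows how a sensitive column added later leaks by default. The user record, the field names, and the parameter name are constructed for the illustration.

```python
"""Added example: the API decides which fields leave the server. A client may
ask for a subset with a `fields` parameter, but only from the allowlist. The
record and field names are constructed for this illustration."""

# Fields a public caller may ever see for a user record.
PUBLIC_USER_FIELDS = ("id", "display_name", "joined")

# Constructed record as stored server-side; note the sensitive columns.
USER_RECORD = {
    "id": 42,
    "display_name": "alice",
    "email": "alice@example.com",
    "joined": "2021-03-04",
    "password_hash": "placeholder-hash",   # not a real hash
    "api_key": "ak_constructed_demo",      # not a real key
}


class FieldError(ValueError):
    pass


def select_fields(record, requested=None, allowed=PUBLIC_USER_FIELDS):
    """Project `record` onto the allowlist, optionally narrowed by the
    comma-separated `requested` list. Asking for a non-public field is
    rejected rather than silently dropped, so misuse shows up in logs."""
    if requested:
        wanted = [f for f in requested.split(",") if f]
        refused = [f for f in wanted if f not in allowed]
        if refused:
            raise FieldError(f"fields not available: {refused}")
    else:
        wanted = list(allowed)
    return {k: record[k] for k in wanted if k in record}


def select_many(records, requested=None, allowed=PUBLIC_USER_FIELDS):
    """Same projection applied to a list response."""
    return [select_fields(r, requested, allowed) for r in records]


def denylist_view(record, denied=("password_hash",)):
    """The fragile alternative: strip known-bad fields and return the rest.
    Any sensitive column added later (api_key here) leaks by default."""
    return {k: v for k, v in record.items() if k not in denied}


def field_error(record, requested):
    """None if the request is acceptable, else the rejection message."""
    try:
        select_fields(record, requested)
        return None
    except FieldError as err:
        return str(err)


if __name__ == "__main__":
    print("public:  ", select_fields(USER_RECORD))
    print("narrowed:", select_fields(USER_RECORD, "id,display_name"))
    print("denylist:", denylist_view(USER_RECORD))
    print("refused: ", field_error(USER_RECORD, "id,password_hash"))
```

The allowlist is the durable choice: when a new column is added to the table, it stays private until someone deliberately adds it to PUBLIC_USER_FIELDS, whereas the denylist exposes it until someone remembers to hide it.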

Final Thoughts on Rogue API Defense

API gateways focus on managing and controlling API traffic. A strong API gateway minimizes security risk. Additionally, a solid gateway lets organizations validate traffic and analyze and control how the API is used.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.