
NYSTEC's cybersecurity professionals guide risk mitigation in a digital world

Business Journals

01-07-2025

Many organizations today have at least a basic understanding of what constitutes a functional security program. Patching, multifactor authentication (MFA), encryption, vulnerability management and incident response, among other things, can all help reduce cyber-related organizational risk. NYSTEC recommends adopting a controls-based approach, such as National Institute of Standards and Technology (NIST) Special Publication 800-53 (NIST SP 800-53), which provides a measurable control catalog against which an organization can evaluate its security and privacy maturity and risks.

Application programming interfaces (APIs)

Application programming interfaces, or APIs, are software interfaces that allow computers and computer programs to talk to each other across networks, such as the internet. They are extremely flexible and open a world of possibilities for extracting and sharing data within and across organizations. With that flexibility, however, comes risk to data security and privacy. The use of APIs is exploding, growing at a rate of 30% year over year according to Gartner, because organizations increasingly rely on cloud-based services to use data. Cloud-based applications need a way for other applications, and users, to access data, and APIs are the answer. Unfortunately, APIs also present a larger attack surface than ever before. In many cases, APIs on the internet are simply waiting for something to connect to them. When the incoming connection is from a known, authenticated source, all is well; connections from unknown or unauthenticated sources can be dangerous. Bad actors continuously scour the internet for exposed APIs, attempting to glean any information they can about the target (reachable endpoints, error messages, software versions) and then using that information to attack the API. Defending against API attacks requires multiple lines of defense. Strong credentials for every caller (complex passwords where people log in, and unique keys or tokens for programs), MFA and the principle of least privilege (which dictates that any user, program or system should have only the minimum level of access necessary) can all help. Individually, they provide a basic level of protection; used together, they can significantly lower the risk of using APIs. Because the proliferation of APIs is relatively recent, security standards for them are less mature than those in other security areas. The NYSTEC team has developed security standards and guidance documentation to help organizations assess the potential risk associated with using APIs in their environments, so they can take full advantage of these flexible tools.

Security testing

Sophisticated threat actors are constantly evolving their attacks, and without a structured approach to identifying system vulnerabilities, organizations remain dangerously exposed. Security testing serves as an early warning system, revealing exploitable flaws before malicious actors find them. This proactive approach enables leaders to allocate resources more effectively, address weaknesses before they escalate into incidents and ultimately preserve business continuity.

Security testing employs a variety of methods, each designed to evaluate a different aspect of an organization's infrastructure and risk exposure. Vulnerability assessments provide a broad inventory of known weaknesses across systems and networks, while penetration testing simulates real-world attacks to evaluate how well defenses hold up under pressure. Other methods, such as red team exercises (which emulate a real adversary's campaign end to end, including evasion of the organization's detection and response) and static and dynamic application security testing (SAST, which analyzes source code without running it, and DAST, which probes the running application), play complementary roles in building a resilient cybersecurity program and give organizations a holistic view of their defensive posture.

Regulatory bodies and industry standards increasingly mandate rigorous testing as part of a sound cybersecurity program. Frameworks such as NIST SP 800-53, the Payment Card Industry Data Security Standard (PCI DSS) and the New York State Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR Part 500) require organizations to conduct ongoing risk assessments and technical evaluations. Beyond legal compliance, these measures reassure investors, clients and partners that an organization takes its security responsibilities seriously. In a business environment where trust is currency, demonstrating control efficacy through testing not only mitigates legal risk but also enhances reputation and competitive standing.

Security testing also serves a critical function in verifying that technical safeguards are working as intended. Firewalls, access controls, encryption protocols and endpoint protections must be stress-tested under realistic conditions to confirm they are actively defending the environment. When testing reveals that a control is misconfigured or ineffective, it provides actionable intelligence to IT and executive teams alike.

There are many elements that make up a fully mature security and privacy program, and NYSTEC's team of experts has decades of experience helping clients mitigate the risks faced by organizations in our increasingly interconnected digital world. Ensure the security of your environment by contacting nystec@
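As an added example (this is not NYSTEC's code or guidance and does not come from the article), the following Python sketch ties the two technical points above together: a small API authorizer that applies least privilege through per-token scopes and refuses unknown, unauthenticated or expired callers, beside the "open API" anti-pattern that answers anyone who connects; and a set of control checks that exercise both the way a security test exercises an access control, so that the misconfigured one is caught. The route paths, scope names, token format and client names are assumptions chosen for illustration.

```python
"""Least-privilege API authorizer plus access-control verification checks.

Assumptions (illustrative, not from the article): bearer tokens are opaque
random strings; the server keeps only their SHA-256 digests, each tied to a
client name, a scope set and an expiry time.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Route table: (method, path) -> scope a caller must hold, or None for a
# deliberately public endpoint. Hypothetical paths.
ROUTES = {
    ("GET", "/v1/health"): None,
    ("GET", "/v1/customers"): "customers:read",
    ("POST", "/v1/customers"): "customers:write",
}


@dataclass(frozen=True)
class Principal:
    name: str
    scopes: frozenset
    expires_at: float


class TokenStore:
    """Server-side registry of issued tokens, keyed by SHA-256 digest so a
    leaked copy of the store does not yield usable credentials."""

    def __init__(self):
        self._by_digest = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, name, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._by_digest[self._digest(token)] = Principal(
            name, frozenset(scopes), now + ttl_seconds)
        return token  # the raw token goes only to the caller

    def lookup(self, token):
        return self._by_digest.get(self._digest(token))


def authorize(store, method, path, authorization, now=None):
    """Hardened decision. Returns an HTTP-style status: 404 unknown route,
    401 missing/unknown/expired credential, 403 insufficient scope, 200 ok."""
    now = time.time() if now is None else now
    if (method, path) not in ROUTES:
        return 404
    required = ROUTES[(method, path)]
    if required is None:
        return 200
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    principal = store.lookup(authorization[len("Bearer "):])
    if principal is None or principal.expires_at <= now:
        return 401
    if required not in principal.scopes:
        return 403
    return 200


def authorize_open(store, method, path, authorization, now=None):
    """The anti-pattern: any known route answers whoever connects."""
    return 404 if (method, path) not in ROUTES else 200


def control_checks(decide, store, now):
    """Exercise a decision function with positive and negative cases, each
    stating the expected status. Returns {case_name: passed}."""
    reader = store.issue("reporting-job", ["customers:read"], 3600, now)
    writer = store.issue("crm-sync", ["customers:read", "customers:write"], 3600, now)
    stale = store.issue("old-batch", ["customers:read"], 60, now - 3600)  # already expired
    cases = {
        "public_health_ok": (("GET", "/v1/health", None), 200),
        "no_credentials_rejected": (("GET", "/v1/customers", None), 401),
        "unknown_token_rejected": (("GET", "/v1/customers", "Bearer " + secrets.token_urlsafe(32)), 401),
        "expired_token_rejected": (("GET", "/v1/customers", "Bearer " + stale), 401),
        "read_scope_cannot_write": (("POST", "/v1/customers", "Bearer " + reader), 403),
        "write_scope_can_write": (("POST", "/v1/customers", "Bearer " + writer), 200),
        "unknown_route_404": (("DELETE", "/v1/customers", "Bearer " + writer), 404),
    }
    return {name: decide(store, *args, now=now) == expected
            for name, (args, expected) in cases.items()}


if __name__ == "__main__":
    now = time.time()
    for label, fn in (("hardened", authorize), ("open", authorize_open)):
        results = control_checks(fn, TokenStore(), now)
        failed = [k for k, ok in results.items() if not ok]
        print(f"{label}: {len(results) - len(failed)}/{len(results)} checks passed; failed={failed}")
```

Running the file shows the hardened authorizer passing every check while the open one passes only the three cases that need no credential decision and fails the four negative cases; that failure list is exactly the "actionable intelligence" a test of a misconfigured control produces. The negative cases (no credential, unknown token, expired token, wrong scope) are the ones worth keeping in a regression suite, because a control that only ever sees valid callers can silently stop enforcing anything.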
