# Full Report
In this special edition of the Cybersecurity Snapshot, we bring you some of the most valuable guidance offered by the U.K. National Cyber Security Centre (NCSC) in the past 18 months. Check out best practices, recommendations and insights on protecting your AI systems, APIs and mobile devices, as well as on how to prep for post-quantum cryptography, and more.

In case you missed it, here are six NCSC recommendations to help your organization fine-tune its cybersecurity strategy and operations.

## 1 - How to migrate to quantum-resistant cryptography

Is your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out the NCSC’s “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.

“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog.

At a high level, the NCSC proposes these three key milestones:

**By 2028**

- Define the organization’s migration goals.
- Assess which services and infrastructure need to have their cryptography upgraded to PQC.
- Draft an initial migration plan that includes, for example, the highest priority migration steps; the necessary investment; and what you’ll need from your suppliers.

**By 2031**

- Execute the first, most important PQC migration steps.
- Refine the PQC migration plan to ensure the roadmap will be fulfilled.
- Ensure your infrastructure is ready to support PQC.

**By 2035**

- Complete your PQC migration.

Organizations need to migrate to PQC because quantum computers will be able to decrypt data protected with today’s public-key cryptographic algorithms. These powerful quantum computers are expected to become generally available at some point between 2030 and 2040.

The U.S. National Institute of Standards and Technology (NIST) last year released three quantum-resistant algorithm standards that are ready to be adopted. A fourth one is slated for release next year, and a fifth one, announced last week, should be available in 2027.

For more information about how to protect your organization against the quantum computing cyber threat:

- “How to prepare for a secure post-quantum future” (TechTarget)
- “Moody’s sounds alarm on quantum computing risk, as transition to PQC ‘will be long and costly’” (Industrial Cyber)
- “Companies Prepare to Fight Quantum Hackers” (The Wall Street Journal)
- “US unveils new tools to withstand encryption-breaking quantum. Here's what experts are saying” (World Economic Forum)
- “Quantum is coming — and bringing new cybersecurity threats with it” (KPMG)
- “Quantum and the Threat to Encryption” (SecurityWeek)

## 2 - Why hardening your API security is key

After several high-profile application programming interface (API) breaches, the NCSC published the guide “Securing HTTP-based APIs,” which urges organizations to update their methods for securing their APIs, including by using stronger authentication.

“Strengthening API security should not simply be seen as a protective measure; it can also enable organisations to enhance agility, simplicity and productivity,” reads a companion NCSC blog titled “New guidance on securing HTTP-based APIs.”

Unfortunately, many organizations rely on outdated API-security practices, including:

- Use of basic authentication
- Lack of rate-limiting and user-throttling capabilities
- Unprotected endpoints
- Code-stored credentials
- Use of URLs to transmit sensitive data
- Lax input validation
- Unencrypted API traffic via HTTP
- Weak logging and monitoring

NCSC offers detailed recommendations to boost the security of your HTTP-based APIs in areas including:

- Development practices
- Authentication and authorization
- Protection of in-transit data
- Input validation
- Denial-of-service attack mitigation
- Logging and monitoring
- Exposure limitation

For example, NCSC recommends adopting strong authentication frameworks like OAuth 2.0 or token-based authentication. It also suggests doing a threat modeling analysis of your API design.

Another recommendation is to develop API applications in a secure development and delivery environment, and to use secure standards, such as JSON for data exchange and TLS cryptography for in-transit data.

For more information about API security:

- “OWASP API Security Project” (OWASP)
- “13 API security best practices to protect your business” (TechTarget)
- “4 Main API Security Risks Organizations Need to Address” (Dark Reading)
- “API security maturity model to assess API security posture” (TechTarget)
- “99% of Organizations Report API-Related Security Issues” (Infosecurity Magazine)

## 3 - Beware of global spyware campaign targeting mobile devices

The NCSC joined other cyber agencies to issue a warning about a spyware campaign aimed at infecting mobile devices of individuals and groups tied to causes that the Chinese government opposes. However, all mobile users should take heed because the campaign is global and aggressive, meaning anyone could become a victim, according to the NCSC and cyber agencies from Australia, Canada, Germany, New Zealand and the U.S.

“The indiscriminate way this spyware is spread online also means there is a risk that infections could spread beyond intended victims,” reads the NCSC advisory.

Attackers are targeting supporters of various China-related movements with the BadBazaar and Moonshine spyware variants. Those targeted include journalists, non-governmental organizations, businesses and representatives of groups associated with:

- Taiwanese independence
- Tibetan rights
- Uyghur Muslims
- Hong Kong democracy advocacy
- Falun Gong movement

Moonshine and BadBazaar are two types of trojan malware, meaning attackers hide them in legit-looking mobile applications that users voluntarily download. In this particular campaign, attackers are embedding Moonshine and BadBazaar in applications designed to appeal to the intended victims, such as a Uyghur keyboard app and a Tibet-related app.

Once a user inadvertently installs a malicious app, attackers use it to obtain the mobile device’s location data in real time; access its microphone and camera; retrieve stored messages and photos; and more.

Mitigation recommendations include:

- Don’t root or jailbreak your mobile device, as this leaves it more vulnerable to cyber attacks.
- Only download apps from trusted app stores like those from Google and Apple.
- Periodically review your installed apps and their permissions, deleting apps you no longer use and restricting excessive permissions.
- Be careful with links, files and apps shared on social media sites, online forums and messaging tools. Scan links with a URL reputation service before clicking on them, and upload suspicious files or apps to a malware analyzer.

To get more information, check out these NCSC resources:

- The announcement “NCSC and partners share guidance for communities at high risk of digital surveillance”
- The advisory “BadBazaar and Moonshine: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors”
- The technical advisory “BadBazaar and Moonshine: Technical analysis and mitigations”

For more information about protecting mobile devices against spyware attacks:

- “How to find and remove spyware from your phone” (ZDNet)
- “Did you know a VPN can protect you from spyware? Here's how” (Yahoo Tech)
- “Your Android phone could have stalkerware — here’s how to remove it” (TechCrunch)
- “Apple: Mercenary spyware attacks target iPhone users in 92 countries” (BleepingComputer)
- “Why rebooting your phone daily is your best defense against zero-click attacks” (ZDNet)

## 4 - How corporate boards can boost their cyber governance

With cybersecurity governance now one of their main responsibilities, boards of directors need strong cybersecurity knowledge — but many are lacking in this area. That’s why the NCSC published a package of cyber governance resources for board members.

“From my experience of working with senior leaders across private and public sectors, I know that strong cyber governance is key to resilience, growth, and long-term success. Board members play a vital role in making this happen,” NCSC CEO Richard Horne wrote in a blog.

The NCSC cyber governance resources for board members include:

- The “Cyber Governance Code of Practice,” which outlines the board’s responsibilities in these five key governance areas:
  - Risk management
  - Strategy
  - People
  - Incident planning, response and recovery
  - Assurance and oversight
- The “Cyber Governance Training” document, which provides five interactive training modules, each focusing on one of the “Code of Practice” principles
- The “Cyber Security Toolkit for Boards,” which explains how to implement the five key cyber governance areas

For example, in the risk management area, the toolkit unpacks how to identify the organization’s critical assets and how to collaborate with its supply chain partners. In the strategy area, it goes into how to embed cybersecurity into the organization and what cybersecurity regulations are relevant to boards.

For more information about cyber governance guidance for boards of directors:

- “Principles for Board Governance of Cyber Risk” (Harvard Law School)
- “NACD Director's Handbook on Cyber-Risk Oversight” (National Association of Corporate Directors)
- “A cybersecurity guide for board directors” (Corporate Governance Institute)
- “How boards can effectively oversee AI to drive value and responsible use” (PwC)
- “Guidelines on the Corporate Governance of Cybersecurity” (Board Foundation)

## 5 - Why AI will boost the quantity and intensity of cyber attacks

The volume and impact of cyber attacks, including ransomware, will grow as malicious actors of all stripes incorporate AI into their toolboxes. Still, how the bad guys use AI and what benefits they get from it will depend on their level of skill and knowledge, the NCSC said in its January 2024 report “The near-term impact of AI on the cyber threat.”

Here’s a table with a breakdown of how the NCSC projects that AI will supercharge the cyber attack capabilities of cyber criminals with different levels of sophistication by the end of 2025.

(Source: NCSC’s “The near-term impact of AI on the cyber threat” report, January 2024)

In a companion statement, the NCSC highlighted how AI will likely heighten the already critical threat from ransomware by making it easier, in particular for unskilled hackers, to launch more effective cyberattacks.

“This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years,” the NCSC statement reads.

For more information about how to address AI-powered cyberattacks:

- “Skilling up the security team for the AI-dominated era” (CSO Online)
- “How Zero Trust Can Protect Systems Against Generative AI Agents” (Dark Reading)
- “How to combat AI-produced phishing attacks” (SC Magazine)

## 6 - How to secure network edge devices

The NCSC recently joined fellow cyber agencies to provide insights and best practices for preventing and mitigating cyber attacks against network edge hardware and software devices, which have become a major target in recent months.

“In the face of a relentless wave of intrusions involving network devices globally, our new guidance sets what we collectively see as the standard required to meet the contemporary threat,” NCSC Technical Director Ollie Whitehouse said in a statement.

“In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyber attacks but also provide investigative capabilities required post-intrusion,” Whitehouse added.

Devices at risk include routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems.

These are the new guides:

- Security Considerations for Edge Devices, led by the Canadian Centre for Cyber Security (CCCS), includes:
  - A description of common threats to edge devices, such as misconfigurations and mismanagement; vulnerability exploitation; and denial of service attacks
  - Examples of edge device compromises
  - Recommendations for mitigating threats to edge devices
- Digital Forensics Monitoring Specifications for Products of Network Devices and Applications, led by the U.K.’s National Cyber Security Centre (NCSC), explains why and how edge devices should support event logging and forensic data acquisition.
- Mitigation Strategies for Edge Devices: Executive Guidance and Mitigation Strategies for Edge Devices: Practitioner Guidance, two guides led by the Australian Cyber Security Centre (ACSC), focus on threat mitigation and are aimed, respectively, at executives responsible for enterprise network security; and at operational, cybersecurity and procurement staff for edge devices.

For more information about network edge vulnerabilities, check out these Tenable blogs:

- “New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers”
- “Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends”
- “Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors”
- “CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild”
- “CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability”
- “CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild”
# Analysis Summary
# Best Practices: Securing HTTP-Based APIs
## Overview
These practices are derived from guidance (such as the NCSC's recommendations) focused on updating and strengthening outdated API security methods to enhance agility, productivity, and protection against breaches. The focus is explicitly on improving the security posture of HTTP-based APIs.
## Key Recommendations
### Immediate Actions
1. **Eliminate Basic Authentication:** Immediately phase out the use of basic authentication mechanisms for all API access controls.
2. **Enforce TLS/HTTPS:** Ensure that **all** API traffic is encrypted in transit by exclusively using HTTPS. Immediately cease the use of plaintext HTTP for API communication.
3. **Review Credential Storage:** Conduct an immediate audit to identify and remove any hardcoded credentials (secrets, keys, tokens) stored directly within API source code.
4. **Validate All Inputs:** Implement strict input validation checks on all data received by API endpoints to mitigate risks from unsafe input.
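The credential audit in step 3 is easiest to start with a scanner that flags string literals assigned to secret-looking variables or that look like random tokens. The following is an added example written for this summary, not code from the NCSC guide; the sample source file, the variable-name patterns and the entropy threshold are all constructed assumptions that a team would tune to its own code base.

```python
"""Heuristic scan of source text for hard-coded credentials (added example)."""
import math
import re
from collections import Counter

# Variable names that usually hold secrets (assumption: tune per code base).
SECRET_NAMES = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?token|auth[_-]?token|private[_-]?key)"
)
# Matches  name = "literal" ,  name: 'literal'  and  name == "literal".
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]+\s*(?P<quote>[\"'])(?P<value>[^\"']{6,})(?P=quote)"
)
# Obvious placeholders that are not live credentials.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "<secret>", "todo"}

# Constructed sample source; the values are made up, not real credentials.
SAMPLE_SOURCE = """\
# config.py (constructed for this example)
DB_HOST = "db.internal"
DB_PASSWORD = "s3cr3t-hunter2-2024"
API_KEY = os.environ["API_KEY"]
session_token: "Zk9pQ2xR7vTb1NmW3yLs8HdX4jAe"
retry_message = "Please try again later"
password = "changeme"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, min_entropy: float = 3.5, min_len: int = 20):
    """Return (line_no, variable, reason) for each suspicious literal assignment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # commented-out lines are not live credentials
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if value.lower() in PLACEHOLDERS:
                continue
            if SECRET_NAMES.search(name):
                findings.append((line_no, name, "secret-named variable set to a literal"))
            elif " " not in value and len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append((line_no, name, "high-entropy literal"))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name}: {reason}")
```

The name-based rule catches `DB_PASSWORD` even though its value is a readable phrase, while the entropy rule catches the token-like `session_token` value that no keyword would match; the `os.environ` lookup on line 4 is what the audit should leave behind and is not reported. Findings from a scanner like this are a starting list for manual review, not proof of a live secret.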
### Short-term Improvements (1-3 months)
1. **Implement Strong Authentication Frameworks:** Replace weak or basic authentication with modern, strong frameworks such as **OAuth 2.0** or robust **token-based authentication**.
2. **Integrate Rate Limiting and Throttling:** Deploy mechanisms to limit the number of requests an individual user or IP address can make within a defined timeframe to prevent Denial-of-Service (DoS) attacks.
3. **Secure Endpoint Management:** Inventory and ensure all public-facing API endpoints are properly authenticated, authorized, and hardened against anonymous access.
4. **Enhance Logging and Monitoring:** Establish comprehensive logging systems for API usage, authentication failures, and unusual traffic patterns, ensuring logs are actively monitored.
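Steps 2 and 4 above are usually implemented together at the gateway: a per-client throttle and a log of authentication failures that the monitoring side can alert on. The block below is an added example, not code from the NCSC guide or from any gateway product; the request stream is constructed, and the burst size, refill rate and failure threshold are assumptions chosen for the demo.

```python
"""Per-client token-bucket throttling plus auth-failure alerting (added example)."""
from collections import defaultdict, deque


class TokenBucket:
    """Classic token bucket: `capacity` is the burst size, `rate` the sustained
    requests per second."""

    def __init__(self, capacity: float, rate: float, now: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = capacity, now

    def allow(self, now: float) -> bool:
        # Refill for the elapsed time (capped at capacity), then spend one token.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGuard:
    """Throttles per client and raises an alert on repeated auth failures.
    Limits here are assumptions for the demo, not figures from the guidance."""

    def __init__(self, capacity=5, rate=1.0, fail_limit=3, fail_window=60.0):
        self.capacity, self.rate = capacity, rate
        self.fail_limit, self.fail_window = fail_limit, fail_window
        self.buckets = {}                    # client -> TokenBucket
        self.failures = defaultdict(deque)   # client -> timestamps of auth failures
        self.events = []                     # structured log lines for the SIEM

    def handle(self, req: dict) -> int:
        """Return the HTTP status the gateway would send for this request."""
        client, now = req["client"], req["ts"]
        bucket = self.buckets.setdefault(client, TokenBucket(self.capacity, self.rate, now))
        if not bucket.allow(now):
            self._log(now, client, "throttled")
            return 429
        if not req["token_valid"]:
            self._log(now, client, "auth_failure")
            window = self.failures[client]
            window.append(now)
            while now - window[0] > self.fail_window:   # drop failures outside the window
                window.popleft()
            if len(window) >= self.fail_limit:
                self._log(now, client, "alert:repeated_auth_failures")
            return 401
        return 200

    def _log(self, ts, client, event):
        self.events.append(f"ts={ts:.0f} client={client} event={event}")


def run(requests, guard=None):
    """Feed a request stream through the guard; return (statuses, log events)."""
    guard = guard or ApiGuard()
    return [guard.handle(r) for r in requests], guard.events


# Constructed request stream (timestamps in seconds; no real clients).
SAMPLE_REQUESTS = (
    [{"client": "10.0.0.5", "ts": 100.0, "token_valid": True}] * 7       # burst of 7 in one second
    + [{"client": "10.0.0.9", "ts": t, "token_valid": False} for t in (100.0, 120.0, 150.0)]
    + [{"client": "10.0.0.9", "ts": 300.0, "token_valid": False}]       # outside the 60 s window
    + [{"client": "10.0.0.5", "ts": 102.0, "token_valid": True}]        # bucket has refilled
)

if __name__ == "__main__":
    statuses, events = run(SAMPLE_REQUESTS)
    print(statuses)
    print("\n".join(events))
```

The throttle answers with 429 before any token is checked, so a flood cannot drive up the cost of authentication; the failure window is per client, and the alert line is emitted into the same event stream as the failures so a SIEM rule can pick it up without correlating timestamps itself.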
### Long-term Strategy (3+ months)
1. **Conduct API Threat Modeling:** Integrate threat modeling analysis into the design phase of all new APIs to proactively identify and mitigate potential design flaws or security weaknesses before deployment.
2. **Establish Secure Development & Delivery Environment:** Ensure all API development, testing, and delivery pipelines utilize a secure Software Development Lifecycle (SDLC) environment.
3. **Standardize Secure Data Formats:** Enforce the use of secure, standardized formats like **JSON** for all routine data exchange.
4. **Adopt Post-Quantum Cryptography Readiness:** Begin planning and assessing workloads for migration to quantum-resistant cryptographic standards where data confidentiality requires long-term protection, in line with the NCSC PQC migration milestones summarized in the full report above.
## Implementation Guidance
### For Small Organizations
- **Prioritize Quick Wins:** Focus budget and time on eradicating basic authentication and ensuring 100% HTTPS adoption immediately.
- **Use Managed Services:** Leverage API Gateways or managed cloud services that offer built-in, configurable rate limiting and token validation to reduce in-house development effort.
- **Adopt Standard Frameworks:** Adopt well-vetted, open-source authentication libraries (e.g., standard OAuth 2.0 implementations) rather than building custom authentication logic.
### For Medium Organizations
- **Formalize Threat Modeling Rollout:** Integrate mandatory, lightweight threat modeling sessions for all major API feature updates.
- **Implement Centralized Policy Engine:** Deploy an API Gateway layer to centralize authentication, authorization, and policy enforcement (like rate limiting) across multiple services.
- **Develop Secure Coding Standards:** Create and enforce mandatory secure coding standards focusing specifically on input sanitization for developers working on APIs.
### For Large Enterprises
- **Establish Cyber Governance Framework:** Develop a formal API Security Maturity Model to continually assess and drive security improvements across the enterprise portfolio.
- **Mandate Architecture Review:** Require that all new API designs pass a formal security architecture review, including comprehensive dependency scanning (e.g., focusing on open-source components).
- **Implement Zero Trust Principles:** Apply least privilege access controls strictly, ensuring that microservices and downstream systems only have the minimum necessary permissions to interact with the API backend.
## Configuration Examples
| Security Control | Configuration Best Practice | Rationale |
| :--- | :--- | :--- |
| **Authentication** | Adopt **OAuth 2.0** with PKCE or structured **Token-based** flows. | Prevents interception and replay of static credentials. |
| **Data in Transit** | Enforce **TLS 1.2 minimum, preferably TLS 1.3** across all endpoints. | Ensures confidentiality and integrity of data sent over the network. |
| **Data Format** | Strictly enforce **JSON** structure and validate payload against a strict schema definition (e.g., OpenAPI/Swagger). | Provides clear structure and allows for automated validation failures on malformed data. |
| **Data in URLs** | **Prohibit** the transmission of any sensitive data (credentials, session IDs, PII) within the URL path or query string parameters. | URLs are often logged insecurely by servers, proxies, and browsers. |
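The four controls in the table can be enforced as one policy check in front of the business logic. The following block is an added example written for this summary, not code from the NCSC guide or from any gateway; the request shape, the order schema, the sensitive-parameter list and the field limits are constructed assumptions. The schema check goes beyond type checking and validates content (a pattern and a numeric range) and length, which is the input-validation point made throughout this summary.

```python
"""Request-policy checks for an HTTP API (added example, constructed inputs)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Query-string keys that must never carry sensitive data (assumption: extend per API).
SENSITIVE_QUERY_KEYS = {"password", "token", "session", "sessionid", "api_key", "ssn", "email"}
BEARER = re.compile(r"^Bearer [A-Za-z0-9\-._~+/]+=*$")   # token68 shape from RFC 6750

# Constructed schema: type, required flag, and content/length constraints per field.
ORDER_SCHEMA = {
    "customer_id": {"type": str, "pattern": r"^[A-Z]{3}-\d{6}$"},
    "quantity":    {"type": int, "min": 1, "max": 100},
    "note":        {"type": str, "max_len": 200, "required": False},
}


def validate_fields(body: dict, schema: dict) -> list:
    """Content and length validation, not just type checks; unknown fields are rejected."""
    problems = []
    for name, rule in schema.items():
        if name not in body:
            if rule.get("required", True):
                problems.append(f"input: missing field '{name}'")
            continue
        value = body[name]
        if type(value) is not rule["type"]:   # exact type: bool is an int subclass in Python
            problems.append(f"input: '{name}' has wrong type")
            continue
        if "pattern" in rule and not re.match(rule["pattern"], value):
            problems.append(f"input: '{name}' has unexpected format")
        if "max_len" in rule and len(value) > rule["max_len"]:
            problems.append(f"input: '{name}' exceeds {rule['max_len']} characters")
        if "min" in rule and value < rule["min"] or "max" in rule and value > rule["max"]:
            problems.append(f"input: '{name}' out of range")
    for extra in sorted(set(body) - set(schema)):
        problems.append(f"input: unexpected field '{extra}'")
    return problems


def check_request(req: dict, schema: dict = ORDER_SCHEMA) -> list:
    """Return a list of policy violations; an empty list means the request passes."""
    problems = []
    url = urlsplit(req["url"])

    # Data in transit: plaintext HTTP is refused outright.
    if url.scheme != "https":
        problems.append("transport: HTTPS required")

    # Authentication: Basic is rejected; a bearer token of the right shape is required.
    auth = req["headers"].get("Authorization", "")
    if auth.startswith("Basic "):
        problems.append("auth: Basic authentication not accepted")
    elif not BEARER.match(auth):
        problems.append("auth: Bearer token required")

    # Data in URLs: sensitive keys must not appear in the query string.
    for key in parse_qs(url.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_QUERY_KEYS:
            problems.append(f"url: sensitive parameter '{key}' in query string")

    # Data format: body must be a JSON object that matches the schema.
    if req["headers"].get("Content-Type", "").split(";")[0].strip() != "application/json":
        problems.append("format: Content-Type must be application/json")
    try:
        body = json.loads(req["body"])
    except json.JSONDecodeError:
        return problems + ["format: body is not valid JSON"]
    if not isinstance(body, dict):
        return problems + ["format: body must be a JSON object"]
    return problems + validate_fields(body, schema)


# Constructed requests: the token and host names are made up for the demo.
GOOD_REQUEST = {
    "url": "https://api.example.test/v1/orders",
    "headers": {"Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.e30.abc-xyz_",
                "Content-Type": "application/json"},
    "body": json.dumps({"customer_id": "ABC-123456", "quantity": 3}),
}
BAD_REQUEST = {
    "url": "http://api.example.test/v1/orders?session=deadbeef",
    "headers": {"Authorization": "Basic dXNlcjpwYXNz", "Content-Type": "application/json"},
    "body": json.dumps({"customer_id": "drop table", "quantity": 0, "note": "x" * 201, "debug": True}),
}

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, check_request(req) or "passes")
```

The checker collects every violation rather than stopping at the first, which is what you want when the output feeds a log or a test suite; a production gateway would instead reject on the first failure and log the reason. The bearer check only validates the token's shape, and the signature or introspection step against the issuer still has to follow it.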
## Compliance Alignment
- **NCSC:** Directly aligns with the NCSC guidance on securing HTTP-based APIs, covering development practices, authentication, and DoS mitigation.
- **OWASP API Security Project:** Provides detailed technical controls that map directly to the immediate and short-term recommendations (e.g., authentication, input validation).
- **NIST SP 800 Series (e.g., 800-53/800-63):** Relates to strong identity management (authentication) and protection of boundary interfaces.
## Common Pitfalls to Avoid
- **Treating APIs as Traditional Web Applications:** Failing to recognize the unique threat surface and design decisions required for APIs (leading to weak authorization checks).
- **Relying on Obscurity:** Believing that securing an endpoint simply by hiding its URL is sufficient; always assume public exposure.
- **Incomplete Input Validation:** Only validating data types (e.g., checking if an input is a number) instead of validating the **content and length** against expected business logic.
- **Ignoring Legacy APIs:** Assuming older, unmaintained APIs do not require the same level of hardening as greenfield development.
## Resources
- NCSC: Guide on “Securing HTTP-based APIs”
- OWASP: API Security Project documentation
- TechTarget: Articles detailing API security guidelines and risk assessment
- API security maturity models for self-assessment (see the TechTarget article referenced in the full report above)