Tenable Holdings Inc.

04/04/2025 | News release | Archived content

Cybersecurity Snapshot: SANS Recommends Six Controls To Secure AI Systems, While NCSC Warns About Outdated API Security Methods

Check out the security controls that SANS Institute says are essential for protecting your AI systems. Plus, the U.K. NCSC urges organizations to adopt newer API security practices. In addition, CISA and other cyber agencies warn that attackers are using "fast flux" techniques to conceal their actions. And much more!

Dive into five things that are top of mind for the week ending April 4.

1 - SANS: Six critical controls for securing AI systems

How do you protect the growing number of artificial intelligence (AI) systems your organization is gleefully deploying to improve business operations?

That's a critical question cybersecurity teams grapple with every day. In an effort to help bring clarity to this issue, SANS Institute this week published draft guidelines for AI system security.

The "SANS Draft Critical AI Security Guidelines v1.1" document outlines these six key security control categories for mitigating AI systems' cyber risks.

  • Access controls methods, including:
    • Least privilege, for ensuring that users, APIs and systems have the minimum-necessary access to AI systems
    • Zero trust, for vetting all interactions with AI models
    • API monitoring, for flagging potentially malicious API usage
  • Protections for AI operational and training data, including:
    • Data integrity of AI models
    • Prevention of tampering with AI prompts
  • Secure deployment decisions, including:
    • On-premises versus cloud, based on criteria like performance expectations and regulatory requirements
    • Development environments integrated with large language models (LLMs) that don't expose secrets, such as API keys and algorithms
  • Inference security for preventing malicious input attacks, including:
    • Adoption of response policies for AI outputs
    • Prompt filtering and validations for mitigating prompt injection attacks
  • Continuous monitoring of AI models, including:
    • Refusal of inappropriate queries
    • Detection of unauthorized model changes
    • Logging of prompts and outputs
  • Governance, risk and compliance for complying with data protection and privacy regulations, including:
    • Adoption of AI risk management frameworks
    • Maintaining an AI bill of materials to track AI supply chain dependencies
    • Use of model registries to track AI model lifecycles

"By prioritizing security and compliance, organizations can ensure their AI-driven innovations remain effective and safe in this complex, ever-evolving landscape," the document reads.

In addition to the six critical security controls, SANS also offers advice for deploying AI models, recommending that organizations do it gradually and incrementally, starting with non-critical systems; that they establish a central AI governance board; and that they draft an AI incident response plan.

For more information about securing AI systems against cyberattacks, check out these Tenable resources:

2 - NCSC: Obsolete API security is a gift for cyber attackers

Organizations must update their methods for securing their application programming interfaces (APIs), including by using stronger authentication.

So said the U.K. National Cyber Security Centre (NCSC) this week in a new guidance document titled "Securing HTTP-based APIs," published in the wake of several high-profile API breaches.

"Strengthening API security should not simply be seen as a protective measure; it can also enable organisations to enhance agility, simplicity and productivity," reads a companion NCSC blog titled "New guidance on securing HTTP-based APIs."

Unfortunately, many organizations rely on outdated API-security practices, including:

  • Use of basic authentication
  • Lack of rate-limiting and user-throttling capabilities
  • Unprotected endpoints
  • Code-stored credentials
  • Use of URLs to transmit sensitive data
  • Lax input validation
  • Unencrypted API traffic via HTTPs
  • Weak logging and monitoring


NCSC offers detailed recommendations to boost the security of your HTTP-based APIs in areas including:

  • Development practices
  • Authentication and authorization
  • Protection of in-transit data
  • Input validation
  • Denial-of-service attack mitigation
  • Logging and monitoring
  • Exposure limitation

For example, NCSC recommends adopting strong authentication frameworks like OAuth 2.0 or token-based authentication. It also suggests doing a threat modeling analysis of your API design.

Another recommendation is to develop APIs' applications in a secure development and delivery environment; and to use secure standards, such as JSON for data exchange and TLS cryptography for in-transit data.

For more information about API security:

3 - Alert: Attackers using "fast flux" technique to hide their tracks

Cyber attackers are leveraging a technique called "fast flux" to evade detection and conceal their actions, so critical infrastructure organizations, internet service providers and governments must prioritize addressing this critical threat.

The warning comes via a joint cybersecurity advisory issued this week by the governments of Australia, Canada, New Zealand and the U.S.

"Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity," reads the advisory, titled "Fast Flux: A National Security Threat."

"By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats," the document adds.


A type of dynamic resolution technique, "fast flux" allows cyber criminals, nation-state actors and other cyber attackers to:

  • Disguise the location of their servers by quickly their changing domain name system (DNS) records, such as their IP address
  • Stand up robust and stealthy command-and-control (C2) operations
  • Set up malicious websites for phishing campaigns that are difficult to block and take down

Governments, critical infrastructure organizations, ISPs, cybersecurity service providers and protective DNS service providers should take "a multi-layered approach to detection and mitigation to reduce risk of compromise by fast flux-enabled threats," reads an alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

"Fast flux" mitigation recommendations include:

  • Block access to IP addresses and domains associated with malicious "fast flux" networks, and sinkhole these domains to controlled servers to analyze their traffic.
  • Increase monitoring and logging of DNS and network traffic; and set up "fast flux" alert mechanisms.
  • Share "fast flux" detection indicators, such as domains and IP addresses, with partners and threat intelligence communities via, for example, the U.S.'s Automated Indicator Sharing and Australia's Cyber Threat Intelligence Sharing Platform.
  • Train employees on phishing detection and response, and adopt policies and procedures for dealing with phishing inciddents facilitated by "fast flux" networks.

Agencies that co-authored this advisory include CISA, the U.S. Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre, the Canadian Centre for Cyber Security and New Zealand's Nation Cyber Security Centre.

For more information about the "fast flux" technique:

4 - Tenable polls webinar attendees on API security

During a recent webinar about our Tenable Web Application Scanning product, we polled attendees about their API security practices, including API discovery and protection. Check out what they said.

(41 webinar attendees polled by Tenable, April 2025)

(38 webinar attendees polled by Tenable, April 2025)

To learn more about API security and about what's new in Tenable Web Application Scanning, watch the webinar on demand.

5 - U.S. House looks at cybersecurity of local, state governments

A U.S. House of Representatives subcommittee held a hearing this week about the ability of U.S. state, local, tribal and territorial (SLTT) governments to address rapidly-changing cyber threats.

Also discussed: The future of the "State and Local Cybersecurity Grant Program" (SLCGP), which was established in 2021 to help boost SLTT governments' cybersecurity preparedness and which is set to expire in September.

"Cybersecurity is a whole-of-society challenge, meaning the Federal government must continue to support and strengthen cybersecurity at the state and local levels to protect our nation's networks and critical infrastructure," said Rep. Andrew Garbarino (R-NY), Chairman of the House Subcommittee on Cybersecurity and Infrastructure Protection.

Tenable Chief Security Officer Robert Huber was one of four experts who testified during the hearing, titled "Cybersecurity is Local, Too: Assessing the State and Local Cybersecurity Grant Program."


Huber, who is also Tenable's Head of Research and President of Tenable Public Sector, emphasized the importance of the SLCGP in strengthening cybersecurity and critical infrastructure, while recommending grant process improvements to increase participation.

Check out a few minutes of Huber's participation in the hearing:

For more information about cybersecurity challenges of state and local governments: