Monday, May 27, 2024

Introducing The American Privacy Rights Act - What You Need To Know

 


In the last couple of years of blogging, except for writing about AI, one of the hot topics I wrote about (and still continue to do so) is Data Privacy, and all of the laws that surround it.  I don’t ever recall this ever being such a widely debated topic until the COIVD-19 pandemic hit.  But of course by then, the total number of Cyberattacks multiplied, with Ransomware leading the way.

Phishing emails and redirecting unsuspecting victims to fake and phony websites became the norm.  Then, once CISOs finally started to figure out that migrating 100% to the Cloud (such as in Azure or the AWS), was the way to go, then Data Exfiltration Attacks became the norm, and still does so even to this day.

To protect people, countries around the world started to create and implement Data Privacy Laws, such as the GDPR, CCPA, HIPAA, etc.  The aim around these key pieces of legislation was twofold:

*To give citizens much more control as to how their personal datasets were being used;

*To put businesses on alert that they have to start taking data security seriously.  If not, they would be subject to a very exhaustive audit and face extremely harsh financial penalties.

While the intention of these laws is certainly very plausible, there has been one key problem:  There has been no uniformity in them.  While this has been achieved to a certain degree with the GDPR (as all member EU nations have to follow it), the same cannot be said of the other laws that have been enacted.  This is especially true here in the United States, as each of the 50 states are now creating their own Data Privacy Laws.

Because of this, many businesses, no matter how large or small they might be, are now wondering which law they need to abide by.  For example, what if an entity has transactions in all of the states?  Do they have to abide by each and every one of them? 

Theoretically, the answer to this would be “yes”.  But in the real world, this is not going to happen.  For instance, US based businesses are already having a tough time trying to come into compliance with the GDPR.  How on earth can this happen across 50 disparate Data Privacy Laws?  It would be an administrative nightmare to even think about.

So in response to this, the US Federal Government has finally taken the effort to at least try and create a Data Privacy Law that can be implemented on a national level.  The end result of this would be a set  of standards and best practices that each and every business in the US can follow, without any question.  Of course, this would then do away with each state’s own version of it.

So what is this new bill, you may be asking?  It is called the “American Privacy Rights Act”.  To see the exact text on this bill, click on the link below:

http://cyberresources.solutions/blogs/APRA.pdf

I did some poking around this on Google, and the only updates have been made in April of this year, but nothing substantial has happened.  It is hoped though that it will pass and become a Federal Law before this year’s Presidential Election. 

But given the way things are today, it will be a miracle if this actually happens (trying to be apolitical).  It was introduced as a bill by Science and Transportation Chair Maria Cantwell (D-WA) and House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA).

So, in order to make this bill a strong piece of legislation, it is important that it “learns” from the mistakes that were made  when the GDPR was first introduced.  Of course, there were many, but the top three ones are as follows:

*The GDPR even since its inception was gargantuan.  The early stages of it were not made public, and because of that, many businesses were shocked as to how much they would have to revamp their existing controls in order to start to come into compliance.

*After the GDPR was finally passed, the tenets and provisions of it were first released to the C-Suite, in an effort to champion it from a top-down approach.  But there was hardly any communication about it from the upper brass, and as a result, the levels of Cyber Hygiene totally deteriorated.

*Businesses had no . a how to ask for help in coming into compliance with GDPR, if they were having a lot of problems with the new law.  I am not sure if the EU had a government resource in place that could provide help, btu whatever was provided seemed to be very disjointed and disparate.

My Thoughts On This:

In my view, it is highly unlikely that the APRA will be passed even before the year is out.  But even despite all of the bickering, there seems to be an overall, strong momentum to eventually have something in place.  So, American businesses should start now to get prepared for it.  Two of the best ways to do this are:

*Hire a Data Privacy Officer.  You don’t have to have a direct hire position, rather, you can hire somebody on a contract basis, for a fraction of the cost.  This is very similar to hiring a vCISO.

*Start to review the tenets and provisions of both the GDPR and the CCPA.  Even if your business is not bound to them, imagine that you are, and assess your current IT and Network Infrastructure.  Based on this, then either put in new controls and/or upgrade the existing ones that you already have.

*Be open and transparent.  This is an issue that just does not affect the IT Department (contrary to popular belief), it impacts everybody in the organization. 

*Have regularly scheduled Security Awareness Programs to educate your employees as to what is happening in preparation for a possible passage of the APRA, and what they need to do maintain strong levels of Cyber Hygiene.

*Understand where all of your datasets reside it.  This is a must know, there is no way of getting around it.  But you are not alone in this, there are both AI and ML tools that are coming out that can help you keep track of what is where in your databases.

In the end, coming into compliance will be a royal pain, and it could cost some money.  For example, it has been cited that to come into compliance with the GDPR, companies have to spend an average of 1.3 Million Euros.  But in the end, that pales in comparison to what the actual cost of an audit and the financial penalties could be if you don’t come into compliance.

Sunday, May 26, 2024

What Is a Large Language Model, And How Do I Secure Them? Find Out Here

 


In the world of AI today, we are certainly hearing a lot of buzzwords that are floating around today.  A lot of them of them come from the vendors themselves, most notably those of Google, Microsoft, and OpenAI.  But on a technical level, the only one that most people have at least heard of is that of “Generative AI”. 

Simply put, this is where you submit a query to ChatGPT, and the output to it (which is actually the answer you are looking for) can come in a wide variety of formats, ranging from the simple text answer to even an audio or video file.

But another integral part of AI that is going to also take the world by “storm” is that of Large Language Models, also known as “LLMs” for short.  But before we go any further on this, it is first important to define it, which as follows:

“Large language models (LLMs) are a category of foundation models trained on immense amounts of data making them capable of understanding and generating natural language and other types of content to perform a wide range of tasks.”

(SOURCE:  https://www.ibm.com/topics/large-language-models)

So while you think that ChatGPT already uses large amounts of data for it to learn, and answer your queries, the LLM can take datasets that are at least 100X as large and still have the ability to generate the right outputs.  Some differentiating factors between this and other areas of AI, such as Machine Learning and Neural Networks include:

*It needs to be hosted on several Virtual Machines given the size of the datasets that they process.

*It also tries to comprehend the human language that is spoken to it, and even tries to create the output in the same way.

But given its sheer power, LLMs are also prone to be in the cross hairs of the Cyberattacker.  For example, if an LLM is used in a Chatbot (or “Digital Personality”), it can actually be quickly manipulated in such a way that it can easily launch a Social Engineering Attack.  For instance, after the tool has developed a good, and trusting rapport with the end user, the conversation can then shift to him or her giving away their confidential information.

So in order to help mitigate this risk of happening, it is very important to establish a set of best practices and standards that you should follow.  Here are some starting points:

1)     Always keep an eye:

One of the cardinal rules in Cybersecurity is to always keep tabs on abnormal behavior.  But if your organization is large enough in terms of endpoints and network security devices, this can be an almost task to do for your IT Security team to accomplish in a timely fashion.  Therefore, for the purposes of automation, and to only provide those messages and warnings that are truly legitimate, you should seriously consider using a Generative AI based tool in this regard.  But keep in mind that that this too will have to be trained, so it can learn what to look out for in the future with regard to unusual trends.

2)     Create solid prompts:

The advent of ChatGPT has created a new field called “Prompt Engineering”.  This is the art of writing queries that will guide the Generative AI model or LLM into giving you the most specific answer possible.  For example, when you type in keywords in Google, within seconds, you get a list of a ton of resources that you can use to find the answer to your question.  But this is not the case with Generative AI.  The goal of it is not to give you a list of resources to use (unless you actually ask for that), its objective is to give you the best possible answer the first time around.  But in order to do this, at the sending end, you need to craft a query that will allow for it to happen.  This is not something that you can learn from taking an online class, it comes with lots of time as well as practice.  There are tools available to help you to do this, and I know for a fact that CoPilot from Microsoft, has a library of prompts that you can use and even further customize to your own needs.  But, creating open ended prompts can also pose a security risk to the LLM.  Therefore, if you are going be using something like ChatGPT quite heavily, it is highly recommended that you get better at “Prompt Engineering”.

3)     Keep training ‘em:

Unfortunately, many people think that once you have an AI model in hand, it will always work forever.  While this is true, the performance of it will degrade over time quickly if you don’t keep optimizing it.  By this I mean that you are constantly giving it datasets for it to keep on learning.  But keep in mind also that these datasets have to be cleansed and optimized, to make sure that there are no levels of skewness or outliers that persist.  Remember in the end, all AI is “Garbage In And Garbage Out”.  In other words, the outputs that you get from it are only as good as the datasets that you feed into it.

4)     Keep ‘em safe:

Not everybody in your organization needs to know the proverbial “Secret Sauce” that creates the foundation for your Generative AI model or LLM.  Therefore in this regard, access should be highly restricted to those who need  to have it.  Even in these cases, make sure that you are following the concepts of “Least Privilege” which explicitly states that the rights, privileges, and permissions that have been assigned are no longer what needs to be done in terms of the job tasks.

5)     Find the holes:

Just like anything else in Cybersecurity, even Generative AI models and LLMs are prone to having their fair share of weaknesses and gaps.  Therefore, you need to be able to find and  remediate them quickly.  Some of the best ways to do this are through Penetration Testing and Vulnerability Scanning.  Also, you can implement a methodology called “Adversarial Testing”.  In this scenario, you are taking the mindset of a Cyberattacker, and breaking down your models to see where all of the weak points are at.

My Thoughts On This:

The above list is to get you started on thinking about how important it is to secure your Generative AI models and LLMs.  If you don’t take this seriously, you could be facing a huge Data Exfiltration Attack.  Also, it is very important to keep in mind that all of the datasets you use and store for the purposes of AI now also come under the data privacy laws, those of the GDPR, CCPA, HIPAA, etc. 

If you don’t have the right controls in place and face a security breach, you could be prone to a very exhaustive audit and even face very harsh penalties as a result.  For more details on this, click on the link below:

https://www.darkreading.com/vulnerabilities-threats/bad-actors-will-use-large-language-models-defenders-can-too

Sunday, May 19, 2024

How To Quell The Fears Of Generative AI: The Steering Committee

 


As this world, and especially here in the United States dives deeper into AI, and especially that of Generative AI, many people are still left scratching their heads, especially in the business and academia communities, as to how to move forward.  For example, there are many questions that still have yet to be answered, both from the technical and social implications standpoints. 

IMHO, the Generative AI is right now in a huge bubble.  We are seeing this with the hyper inflated stock values of those companies that are involved with it, such as Nvidia, Vertiv, etc. ad all of the other companies that are involved with the GPU making process and in the construction of data centers to support all of the applications that are created by Generative AI.

But this bubble will burst, just like the “.com boom” we saw in the late 1990s.  But what is different about this is that AI in general has been around for a long time (in fact, since the 1950s), and because of that, it will still be around even longer for decades yet to come.  VC funding will come and go, but the research into Generative AI will still be strong as new algorithms are being developed on almost daily basis.

So,  in order to be prepared for all of this, businesses need to centralize their efforts in a top-down approach not only to make sure that what they are investing in will produce some sort of positive ROI, but also that the concerns of employees, customers, prospects, and other key stakeholders can also be addressed quickly and effectively.  So you are probably asking now at this point, how can all of this be started?

It can be done through what is known as the “AI Steering Committee”.  In a way, this will be similar to other committees that exist in a business, but its exclusive focus will be that of just Generative AI, and nothing more.  Some of the key members that should be an integral part of this include the following:

Ø  The CISO and a member of the IT Security team, with a managerial title.

Ø  A legal representative, such as that of an attorney, but it is imperative that they are well versed in AI and the Data Privacy Laws.

Ø  If a business has one, the Chief Compliance Officer (they make sure that all of the Data Privacy Laws are being adhered to).

Ø  Key representatives of those that will be involved in the Generative AI process.  Examples of this include AI scientists, AI engineers/architects, etc.

Ø  Any other key stakeholders, especially those from Third Party Suppliers.

Ø  A consultant who can provide advice and direction on the “social impacts” of Generative AI, especially as it relates to customers and employees.

So, once this committee is formed, the next step is to actually get some action items created so that things can move forward.  Here are some suggestions on how to do this:

1)     Start with a Risk Assessment:

Just like how you would conduct a Cyber Risk Assessment,  the same holds true for Generative AI.  But, here the committee needs to figure first if and how Generative AI has been deployed to begin with, and if so, what the impacts it has had both in terms of the technical and marketing standpoints.  If there already have been some  projects that have been implemented, then you and your committee need to figure out if it has posed any kind of risk.  By this I mean, are there any gaps or vulnerabilities that have been identified in the Generative AI app?  If so, what steps, if any, have been taken to remediate it?  Out of anything else, this is what will matter the most.  If there are any holes, this could make the app prone to data leakages, or worst yet, even Data Exfiltration Attacks.  Also, since the data that is housed in a Generative AI Model is now coming under the scrutiny of the Data Privacy Laws (such as the GDPR, CCPA, HIPAA, etc.) the committee also needs to make sure that the right Controls are in place.  This entire process of adding new ones or upgrading existing ones needs to be thoroughly documented. For more information on this, click on the link below:

https://www.darkreading.com/cyber-risk/building-ai-that-respects-our-privacy

2)     Used a Phased In Approach:

Like with anything else that is new, you do not want to deploy 100% all at once.  You need to implement it in various steps, or phases, so that you will not get buy in from your employees, but most importantly, your customers.  This will give time for people who are resistant to change to adapt, at a pace that works for them.  As it relates to Generative AI, the first step here would be thoroughly test a new app in a Sandbox Environment.  If everything checks out, then start to do pilot studies with employees and customers over a period of time to see how responsive they are to it.  If all turns out to be positive, even in the smallest of degrees, then deploy the Generative AI app into the production environment, a bit at a time.  This process is of course very general, but you sort of get the idea.  A lot here will depend upon how the existing processes are currently set up in your business.

3)     Be Positive:

As the fears and concerns still surround Generative AI in general, it will be imperative for the AI Committee to maintain a positive attitude, but yet to be cautious.  In this regard, it is critical that a 24 X 7 X 365 hotline be available so that all key stakeholders can relay their concerns on a real-time basis.  But the key here is that they must be addressed quickly, if not seeds of doubt will start to get planted about Generative AI, and how your company plans to use it.  It is key that the AI Committee be as transparent as possible, and if you don’t know the answer to a question, simply say:  “I don’t know, let me get back to you once I get more information”.  But don’t ignore this person, always keep them updated as much as possible.

My Thoughts On This:

Now how this proposed AI Steering Committee will move forward into the future will depend  a lot on how the actual members of it take their role seriously.  Today, Generative AI is still like a big jigsaw puzzle, and in order for it to be solved, centralization is key, starting with the AI Steering Committee.

Sunday, May 5, 2024

4 Ways How Generative AI Can Combat Deepfakes

 


Just last week, I authored an entire article for a client about Deepfakes.  For those of you who do not know what they are, it is basically a replication made of an individual, but it is primarily used for sinister purposes. 

But the catch here is it is Generative AI that is used to create, and they very often come in the way of videos, most often posted on YouTube.  One of the best examples of Deepfakes is in the Election Cycles.  They are created to create an impostor video of the real politician, but it gets more dangerous here. 

For example, the video will very often have a link to it that will take you to a phony website, asking you to donate money to their campaign.  But in the end, the money that you donate is not going to that cause, rather, it was probably sent to an offshore bank account located in a nation-state Threat Actor, such as Russia, China, or North Korea.  Just to show the extent that Deepfakes have created, consider these statistics:

*Deepfakes are growing at a rate of 900% on an annual basis.

*One victim of a Deepfake Attack actually ended up paying over $25 Million after a fake video of their CFO was posted on the Social Media Platforms.

So what exactly can be done to curtail the rising danger of Deepfakes?  Well, the thinking is that the Federal Government (and for that matter, those around the world) need to start implementing serious pieces of legislation that will provide steep financial penalties and prison time.  But unfortunately, these actions have not taken place yet, due two primary reasons:

*The legislations that are passed simply cannot keep up with the daily advances that are being made in Generative AI.

*Even if a perpetrator is located, it can take law enforcement a very long time to justice, given the huge caseloads that they already have on the books related to security breaches.

*Trying to combat Deepfakes on a global basis takes intelligence and information sharing amongst the nations around the world, some  of which are not ready for this task or simply are unwilling to participate.

So, now the thinking is that the business community should take the fight directly now to the Cyberattacker.  But what tools can be used?  Believe it or not, Generative AI can also be used here, but for the good.  Here are some thoughts that have been floating around the Cyber world:

*It can be used to carefully analyze any kind of inconsistencies between what is real and what is fake.  For example, in a video, there will always be subtle changes in lighting, or unnatural facial movements.  These are very difficult to spot for the human eye, but to a Gen AI tool programmed with the right algorithms, it can seek them out, and fairly quickly.

*While Deepfakes are great at replicating images, they are not so good yet at recreating the voice of the victim.  In fact, the voice will almost sound “robotic like”.  If Voice Recognition can be used in conjunction with Gen AI here, this will probably be yield the first, definitive proof that a Deepfake has been used for malicious purposes.  Also, this kind of evidence should also hold up in a Cout of Law in case the perpetrator is ever brought to justice.

*If the company even makes use of other Biometric Modalities such as that of Facial Recognition, it can also be used to great level of certainty to determine if an image or a video is an actual Deepfake or not.

*Another option that a company can use is what is known as “Content Watermarking”.  These are hidden identifiers that can be placed in an actual image, and at the present time, a fake replication of these will not be able to notice them.  Thus, this is an easier way to tell if an image or video is real or not.

My Thoughts On This:

Even to implement the above-mentioned solutions, it is going to cost money for a company to do.  Given the mass layoffs in the tech sector as of late, and how Cybersecurity is still a “back seat” issue with many C-Suites, these solutions will not be deployed in the near term.  And IMHO, it’s a disaster that is waiting to happen, as once again, Gen AI is advancing at a clip that really nobody can keep with yet.

In fact , according to a recent report from Cisco, only 3% of companies in Corporate America have even increased their funding to fight off the nefarious purposes that Gen AI can bring to the table.  More details about this study can be found at the link below:

https://www.darkreading.com/vulnerabilities-threats/innovation-not-regulation-will-protect-corporations-from-deepfakes

To view the actual letter that was signed by some of the major Gen AI pioneers mandating further Federal Government intervention, click on the link below:

https://openletter.net/l/disrupting-deepfakes

 

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...