Sunday, January 26, 2025

Breaking Down What Shadow Gen AI Is All About

It seems like we can never get away from this one topic: Generative AI.  The bottom line is that whether you love it or hate it, use it or not, it is going to be around with us for a long time to come.  There are many facets of Generative AI that touch our lives, and the one that is the most influential is that of ChatGPT.  Personally, I have never used it, and I have made a promise to myself to never use it.

Anyways, differences aside, there is a new trend coming out now, and it is called “Shadow Generative AI”.  It is just like its cousin, “Shadow IT”.  With Shadow IT, employees either continue to use outdated software or download non-sanctioned software, either because they are creatures of habit and do not want to use what is new, or because they are trying to retaliate against something that has happened to them personally at their workplace.

The same can be said of Shadow Generative AI.  This is the situation where employees use non-approved Generative AI models to help them do their daily job tasks.  Because of the inherent risks that this can bring, many businesses in Corporate America are now cracking down on it.  Consider some of these stats:

*Using non-approved Generative AI models is now completely banned in the healthcare and financial sectors.

*Even technology companies are cracking down, such as Apple, Samsung, and even Amazon.

*Usage of ChatGPT that has not been approved for corporate purposes is at an alarming 74%.  The same can also be said of its competitors, Gemini and Bard.

*Given the pace of development of Generative AI, companies are finding it difficult to enforce data security policies, and at least 27% of the data that is pumped into these models is not secured.

(SOURCE:  The Security Risk of Rampant Shadow AI)

The main culprit behind the huge risk of “Shadow Generative AI” is that the datasets fed into a model are its lifeblood.  For example, large amounts of data are needed not only to initially train the model, but to keep it learning going forward.

Because of this, datasets have become a prized target not only for the Cyberattacker, but also for those rogue employees that are considering launching an Insider Attack.

So now all of this begs the question: How can a CISO and their IT Security team mitigate the risks of “Shadow Generative AI”, or prevent it from happening in the first place?  This can be examined from a couple of different angles, but let us start at the heart of the matter: the datasets.

Every effort must be taken to ensure that they are as secure as possible.  You can even think of this as a “Wash, Rinse, and Repeat” cycle:

1)     Before Ingestion:

Make sure that all pathways that lead from the database to the actual model are secure.  It is at this first point that the datasets will be “ingested”, and thus, this can be considered to be the most vulnerable point.  Aside from this, you must make sure that the datasets are cleansed and optimized as much as possible.  This is imperative, because if they are not, the processing of any submitted query and the output that must be created from it will be skewed.

2)     In Process:

The appropriate controls also need to be put into place to protect the model in the first instance.  This simply means that only the authorized employees should be able to gain access to it, such as the data scientists that have built the model and the data analysts that examine the processes that are taking place from within it.

3)     What Comes Out:

In the end, once all the datasets have been inputted and processed per the query that was submitted by the end user, the result is the answer to the question, or in more technical terms, the “output”.  But even here, the appropriate safeguards must be put into place, not only to ensure the privacy of the end user, but also because if the outputs that have been derived are created for market intelligence purposes, then they can be considered Intellectual Property, which needs to be highly protected.

This entire process must be run each time a new query is submitted to the model, or a new model is created from scratch.

The second angle of attack here is the policies that the CISO and the IT Security team implement with regards to the usage of Generative AI in the workplace.  Here are some key things to be considered:

*Use Obfuscation: This is where Data Tokens can be created to represent the actual datasets.  As a result, even if they are hijacked, there is very little that the Cyberattacker can do with them.

*Watch The Access:  In this regard, you will want to follow the concept of “Least Privilege”.  This is where you assign only those rights, permissions, and privileges that are absolutely necessary for the employee to do their job, and no more than that.  This also holds true for the Generative AI models.  The scientists and analysts that work on them should be given only what they absolutely need.
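The obfuscation and Least Privilege controls above, as an added example that is not taken from the post: a small tokenization vault in Python that swaps e-mail addresses and SSN-like values for random tokens before a record is handed to a model, and returns the originals only to a role that holds the detokenize privilege.  The PII patterns, the role table and the sample records are assumptions constructed for this example.

```python
"""Added example (not the post's own code): PII tokenization before a record
reaches a Generative AI model, with role-gated detokenization.
The PII patterns, roles and sample records below are constructed assumptions."""
import re
import secrets

# Simplified patterns for the two PII kinds this example handles (assumed).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TOKEN_RE = re.compile(r"<(?:EMAIL|SSN):[0-9a-f]{16}>")

# Role -> allowed operations, in the spirit of Least Privilege (assumed roles).
# Only the privacy officer may ever turn tokens back into real values.
ROLE_PERMISSIONS = {
    "data_scientist": {"tokenize"},
    "data_analyst": {"tokenize"},
    "privacy_officer": {"tokenize", "detokenize"},
}


class TokenVault:
    """Holds the token <-> original mapping. The vault is the only place
    where PII lives; anything leaving for a model carries tokens alone."""

    def __init__(self):
        self._forward = {}  # original value -> token
        self._reverse = {}  # token -> original value

    def _check(self, role, op):
        if op not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not {op}")

    def _token_for(self, value, kind):
        # Same value always maps to the same token, so joins across
        # records still work on the tokenized data.
        tok = self._forward.get(value)
        if tok is None:
            tok = f"<{kind}:{secrets.token_hex(8)}>"
            self._forward[value] = tok
            self._reverse[tok] = value
        return tok

    def tokenize(self, text, role):
        self._check(role, "tokenize")
        text = EMAIL_RE.sub(lambda m: self._token_for(m.group(0), "EMAIL"), text)
        return SSN_RE.sub(lambda m: self._token_for(m.group(0), "SSN"), text)

    def detokenize(self, text, role):
        self._check(role, "detokenize")
        return TOKEN_RE.sub(lambda m: self._reverse.get(m.group(0), m.group(0)), text)


def contains_pii(text):
    """True if raw e-mail or SSN-like values are still present."""
    return bool(EMAIL_RE.search(text) or SSN_RE.search(text))


def try_detokenize(vault, text, role):
    """Cleartext for an authorized role, None for everyone else."""
    try:
        return vault.detokenize(text, role)
    except PermissionError:
        return None


# Constructed sample records, as they might sit in a training dataset.
SAMPLE_RECORDS = [
    "Customer jane.doe@example.com (SSN 123-45-6789) asked about a refund.",
    "Follow-up for jane.doe@example.com: refund approved.",
]


def tokenize_records(vault, records, role="data_scientist"):
    """What the model is allowed to see: the records with PII replaced."""
    return [vault.tokenize(r, role) for r in records]


if __name__ == "__main__":
    vault = TokenVault()
    for line in tokenize_records(vault, SAMPLE_RECORDS):
        print(line)
```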

My Thoughts on This:

There is another motivating factor for the CISO and their IT Security team to be on their toes.  All of the datasets that are used are now starting to come under the purview of the data privacy laws, such as the GDPR and the CCPA.  Meaning, if the controls are not in place or have not been further optimized to protect them, they could also face an exhaustive audit and steep financial penalties.

In the end, all of this may seem to be a huge rat race, and in fact, it can be quite overwhelming.  IMHO, it is thus very important to break down the “Wash, Rinse, and Repeat” cycle into smaller tasks so that it becomes much more manageable.

Sunday, January 19, 2025

What Is Being Done In 2025 To Secure Open Source Software Repositories

Just last Thursday, I submitted the final manuscript for my 20th book.  It’s all about Supply Chain Attacks, with a heavy emphasis on both CrowdStrike and SolarWinds.  Of course, there are a lot of Supply Chain Attacks that have happened as well in the last few years, and I covered them as well.

Perhaps one of the more notable was the Colonial Gas Pipeline breach, which impacted the flow of all gasoline by-products on the East Coast, here in the United States.  To alleviate the financial damage that it was causing, the CEO even paid a ransom, to the tune of about $4 million.

I also spent a lot of time reviewing how the other components of the US Critical Infrastructure are also at grave risk of becoming the victim of a Supply Chain Attack.  But apart from this, there is also another source from which this kind of Threat Vector can be launched.  And that is through the use of Open Source Software.

For those out there who do not know what this is all about, it can be considered as a kind of software that is free to use and distribute.  Because of this, there are no exorbitant licensing fees, which is what you find in those applications that make use of Closed Source Software.

With Closed Source Software, you also do not know what kind of programming went on behind the scenes in building out these apps.  Given the nature of Open Source, there is also the huge freedom to collaborate with others, to get the programming (from here on referred to as “Source Code”) optimized the way it should be, so it can best meet the needs of the client.

Many of the Open-Source platforms can be downloaded quickly from libraries that are available on the Internet, one of the most popular ones being GitHub.  Normally, software developers and their teams go on the blind assumption that the people who manage these libraries will keep these platforms updated and evaluate them on a regular basis so that they are as secure as possible.

But the truth of the matter is that they typically do not do this, and thus, there are many “backdoors” that are left wide open for the Cyberattacker to quite easily penetrate.  And it is from there that the next Supply Chain Attack could quite conceivably happen, with devastating consequences.

One of the key differentiators of Supply Chain Attacks from other Threat Variants is that just one point of entry is needed, through just one system in the IT/Network Infrastructure of the targeted business.  From there, with all the interconnectivity that has built up over time, millions of people can be impacted in just a matter of a few hours, as we saw with the CrowdStrike fiasco.

So, now this begs the question, what will be done in 2025 to make sure that the Open-Source Software Platforms that are being used to create software applications will be made more secure?  Well, a consortium known as the Open-Source Security Foundation (“OpenSSF”) has come out with a list of recommendations that software developers all over the world should implement as quickly as possible.  Here is a sampling of what they have produced:

1)     The Use Of AI:

Yes, we have all heard of this ad nauseam, but one of the biggest benefits of it is that it can be used to help automate the repetitive processes of a project.  Take the case of a web development project.  Most likely, in each module, there will be tasks that have to be done regularly, over and over again.  Well, this is an area in which Generative AI can play a huge role, by automating these tasks.  But a huge word of warning is needed here.  As much as Generative AI can help, it can also be a huge security risk as well!!!  Given the explosion of its use, it has now become one of the prized targets of the Cyberattacker, especially when it comes to Model Poisoning and Data Leakage Attacks.  Therefore, it has been very highly suggested that guardrails be put into place to curb these Threat Variants and others like them that may come, especially if automation is used in the software development process.

2)     More Regulations:

Just as there has been an uptick in Data Privacy Laws (such as the GDPR and the CCPA), there will now be similar pieces of legislation that come about for Open-Source Software compliance.  In this regard, there will be tenets and provisions included in them that call for software development teams to institute a system of checks and balances, so that the compiled Source Code will be checked for any vulnerabilities, which can then be quickly remediated.  In fact, the European Union is already one step ahead here, by launching what is known as the “Cyber Resilience Act”, or “CRA” for short.  Although it is geared towards the Internet of Things (IoT), there is a heavy emphasis on Source Code Security within it as well.  Further, it also requires that a detailed Software Bill of Materials (“SBOM”) be created before the start of any sort of software development project.  Essentially, this lists out and details all of the software components that will be used.  Therefore, everybody will have firsthand knowledge of what is being used.  Also, any time the SBOM goes through a new iteration, it must be thoroughly documented and submitted into a Change Management Process.

My Thoughts on This:

It is great to see that more substantial efforts are being made to ensure the overall software development process (which makes use of Open-Source Platforms) is going to be made as secure as possible.  After all, the reputation of all the relevant key stakeholders could be at risk. 

If you are a CISO, or even the head of a software development team, it is imperative that you stay up to date with the latest vulnerabilities that are being found in the Open-Source Software Platforms.  To do this, you can simply subscribe to the mailing list of OpenSSF.  More information about this can be found at the link below:

https://www.darkreading.com/application-security/openssf-siren-to-share-threat-intelligence-for-open-source-software


Sunday, January 12, 2025

Risks And Opportunities For Generative AI In 2025

As we now go deeper into January, many people have already started to predict what the hot markets will be in Cybersecurity.  Without a doubt, one of the gold mines will be that of Generative AI.  Although ChatGPT (created by OpenAI) may not have all the glamour now, it is still being used quite a bit by both businesses and individuals alike.  But it did do one thing:  It opened the eyes of the world to what Generative AI is all about, and to its opportunities, but also to its huge risk potential as well.

One of the biggest concerns here is that of Deepfakes.  This is where a Cyberattacker can take an image or a video of a real person, and replicate that into a fake one, using Gen AI based models.  These are then often used to launch both Phishing and Social Engineering Attacks. 

One of the prime-time venues for this is during any kind of election season here in the United States.  In these cases, the Cyberattacker will create a fake video of the leading political candidate and put it somewhere like YouTube.  The video will convincingly ask voters to donate money for their election, but any money sent over will go to a phony, offshore bank account.

There are other threats that can also come about as well, but for now, here are some of the main concerns going into this year:

1)     LLMs:

This is an acronym that stands for “Large Language Models”.  It is a part of Generative AI, and it can be technically defined as follows:

Large language models (LLMs) are a category of foundation models trained on immense amounts of data making them capable of understanding and generating natural language and other types of content to perform a wide range of tasks.

(SOURCE:  What Are Large Language Models (LLMs)? | IBM)

Although the models that drive them can be quite complex, the bottom line is that their goal is to take the words we speak, understand the context in which they are spoken, and provide an appropriate output.  A great example of this is the Digital Personalities that you may engage with, for example, when you have a virtual doctor’s appointment.  It is an LLM that drives this kind of application, and it learns from the conversation so that it can talk back to you like a real-life human would.  But the downside of this is that many of these models are proprietary in nature, which therefore makes them a very tempting target for the Cyberattacker to break into and wreak all kinds of havoc on.

2)     The Cloud:

Right now, the two main juggernauts are AWS and Microsoft Azure.  As companies are starting to realize the benefits of moving their entire IT and Network Infrastructures to the Cloud, there is one problem:  Both of these vendors also offer very enticing tools to create and deploy Generative AI models.  Although they have taken steps to help safeguard the security of these tools, especially from the standpoint of Data Exfiltration Attacks, the other main problem is that the Cloud Tenants have not set up the appropriate rights, permissions, and privileges for the authorized users who gain access.  Very often, they give out too much, which can lead to unintentional misconfigurations in the development of the Gen AI models.  As a result, this can lead to unknown backdoors being opened, or worse yet, to an Insider Attack happening.  Therefore, careful attention needs to be paid in creating both the Identity and Access Management (IAM) and Privileged Access Management (PAM) security policies.

3)     An Aid:

Over the last year or so, one of the biggest issues in Web application development has been the lack of attention by the software development team to the security of the source code.  One of the driving factors behind this is that they very often make use of open-source APIs.  While this does have its advantages (such as not having to create source code from scratch), its main weakness is that the libraries that host them for downloading do not update them on a real-time basis.  Rather, they leave this up to the software developers to do, and they do not.  In an effort to secure the source code before final delivery of the project is made to the client, businesses are now opting to use what is known as “DevSecOps”.  Long story short, this is where the software development team, the IT Security team, and the Operations team all come together to serve as a counterbalance to one another, to ensure that the source code has been checked, and even double-checked, for any weaknesses.  Depending upon the size and scope of the project, this can be quite a tall order.  But the good news here is that Generative AI can be used as an aid to help automate some of this checking process.  But, it is important to note that it should not be relied upon 100%, as human intervention is still needed in this regard.

My Thoughts on This:

Well, there you have it, some of the risks and opportunities that Generative AI brings to the table this year.  But, there is yet another area which has not received a lot of publicity yet.  And that is, the Data Privacy Laws of the GDPR, CCPA, HIPAA, etc.  Keep in mind that Generative AI Models (including those in LLMs also) need a lot of data to learn and stay optimized.

Because of this, the regulators of these Laws have placed huge scrutiny as to how businesses are safeguarding these kinds of data that are being used.  If the right controls are not put into place, the chances of a Data Leakage are much greater, and this could put the company to face a stringent audit and even face huge financial penalties.  For instance, under the tenets and provisions of the GDPR, this can be up to 4% of the total gross revenue.

This is really something to think about!!!


Sunday, January 5, 2025

How To Get Cybersecurity Insurance In 2025: 3 Golden Tips

Well, Happy New Year to everybody out there!!! It is to be hoped that 2025 will see a decrease in the total number of threat variants that impact not only businesses, but non-profits, government agencies and individuals.

One theme that is going to get a lot of attention, at least at the beginning of this year, is Cybersecurity Insurance.  Just like other types of insurance policies, the thinking here is that if you merely file a claim (provided that you actually do have the insurance) you will get a payout to help recoup the costs that you experienced as a result of a security breach.

But as we have recently seen with the health insurance industry, this is not such a sure deal.  Today, many carriers that offer Cybersecurity Insurance require many things from the applicant before they can even be considered.  For example:

*If you are the business owner, you must fill out a lengthy questionnaire attesting truthfully that you have all the controls in place to protect the PII Datasets.  Also, you must provide evidence that you have taken steps to address the gaps and weaknesses in your IT/Network Infrastructure.  This is typically done by either conducting a Penetration Test or a Vulnerability Scan.

*After you have the above, in most cases, your questionnaire must be certified by an outside third party that you trust, or with whom you have worked in the past.

*After you have submitted all this stuff with your application, the insurance company can still come on site to your place of business and conduct a random audit to make sure that what you have attested to is correct.

But there are also some other alarming stats as well, such as:

*From 2018 to 2022, premium rates have gone up year over year.

*In 2023, 79% of US businesses experienced a dramatic increase in premiums.

*SMBs with fewer than 250 employees were likely to be denied any kind of coverage if they filed a claim.

The last two stats came from a whitepaper that was published by Delinea, which examined the state of the Cyber Insurance Industry in 2023.  To get more details on this, click on the link below:

2024 Data Breach Investigations Report | Verizon

The bad news here is that in 2025, along with the rising premium rates, it is going to be even harder, and more complex, especially for the SMB to procure Cyber Insurance.  But there are some key steps that you can take first to make sure that at least the application you submit puts your best foot forward to the underwriters.  Here they are:

1)     Understand Risk:

Risk is a very subjective term to define, and depending upon the industry, it can have different kinds of meanings.  But for Cybersecurity, at least in my view, this metric represents how much downtime your business can take (because of a security breach) before you start to incur some real financial losses.  The best way to measure this is to conduct a detailed Risk Assessment Analysis, to take an inventory of and categorize both your physical and digital assets.  Once you have done this and have ranked each one by its degree of vulnerability, you will have a much better idea of what your actual Risk Posture is.  Also, the insurance company will look at this and see how it compares to the overall average in the Cyber Industry.  If you find that your Risk Posture is overall too high numerically, then you will want to take the steps to bring it down before you apply for any Cyber Insurance.  Of course, the more that you can lower it, the better the chances that you will be given a policy.

2)     Understand The Contract:

If you have been lucky enough to be awarded a policy, you will first receive a contract.  It is imperative that you review it in detail, over and over again.  Cyber Insurance can be very tricky to understand, and the coverage will vary greatly.  Of course, you will be covered for the direct costs that you incurred because of a security breach, but the very murky areas are the after-the-fact costs, such as paying legal fees in case of lawsuits, regulatory fines, reputational/brand damage, etc.  Although I am by no means an insurance expert, my best advice is to hire a really good lawyer that can review the contract inside and out, and have him or her negotiate the terms of it with the insurance company so that it will be much more favorable to you.  You do not ever want to file a claim and have it rejected because it was not covered by your contract!!!

3)     Pay Attention to Compliance:

More than ever before, businesses both here in the United States and the European Union are coming under very close scrutiny of the Data Privacy Laws, most notably those of the GDPR, CCPA, HIPAA, etc.  As a result, the insurance company that you have applied to for a policy will want to make sure that you have taken every effort to mitigate the risk of being audited by any of them.  The primary reason for this is that the financial penalties can be quite steep, and the insurance companies do not ever want to pay out such a huge amount if a claim was filed under this circumstance.

My Thoughts on This:

Filing for Cyber Insurance is going to be just as bad as doing your tax returns, in the amount of time that it will take to prepare the documents.  Thus, in this regard, it is very important that you keep copies of all of your documents, and keep records of all of the Cyber Risk Assessments that you have done.

Once your policy is up for renewal, you will want to show the insurance company each detail as to how you have overall fortified your Security Posture. 

Obviously, it is not easy to get Cyber Insurance, but it can be done.  It will just take a lot more due diligence on your part to make sure that every “i” has been dotted, and that every “t” has been crossed.

Finally, once you are awarded a policy, do not take your foot off the gas pedal.  Keep taking those efforts to keep your Security Posture strong over the long haul.  In the end, Cyber Insurance is meant to supplement, not replace, the need to be very proactive about the Cyber Threat Landscape.
