The Dark Side Of The New Dawn In AI

Uploaded on 2023-04-10 in TECHNOLOGY-Key Areas-Artificial Intelligence, TECHNOLOGY--Developments, FREE TO VIEW

As ChatGPT’s active users grew to 100 million in just two months fascinated by what it can do, it has already started to reveal its dark side. It has become the cause of security breaches and risked violation of privacy, compliance and governance regulations; not through attacks, but users are voluntarily (and unlawfully) uploading sensitive information to the system in order to generate insights.

One report found that over 4% of employees have already tried to put sensitive company data into the model. The recent release of GPT4, which uses Large Language Models (LLM), can accept much larger chunks of text and is likely to make this problem much worse (and quickly). 

The report came from a company that detected and blocked the 67,000 attempts of misuse across their client base. Most organizations don’t have this capability. One executive tried to paste the corporate strategy into the system to make a PowerPoint, and a doctor put in a patient’s name and medical condition to draft a report.
Cyber experts have proven that training data extraction attacks are possible in GPT, where an attacker can get the system to recall, verbatim, sensitive information it has been given. 

What Are The Shortfalls Of ChatGPT In Cyber Security?

As well as potentially having your spilled data ‘hacked’ out of GPT’s databases, just spilling it in the first place could be a breach of many different security policies, secrecy laws, and privacy regulations. And on the flip side, retrieving and using someone else’s information from GPT, that turns out to be proprietary, confidential, or copyright, could also get your company in trouble. 

The only way to stop this, apart from blocking access to GPT or other LLM tools, is training and education of humans using the technology. But it’s difficult to train every staff member, and even more challenging to make sure they understand and retain that training. It’s even harder to make sure they apply the training daily and consistently to ensure they are not exposing their employer to significant risks.  

The rise of chatbots and reliance on a machine to provide answers means we never know when we are being given the correct information.  

Chatbots have the challenge of being opaque. When they give an answer, it’s hard to fact check that answer. We run the risk of solely relying on a machine’s recommendation, even when that recommendation may be wrong.

Now let’s look at this issue in light of cybersecurity. If we ask a machine security-related questions and the answer is potentially incorrect, the consequences of being wrong can be catastrophic. 

This is why it’s critical not to rely on a black-box, algorithmic AI for regulatory or security compliance. When we are deciding what law or policy to apply, we need to be able to understand and challenge the evidence behind that decision.

Safeguarding From Emerging ChatGPT Threats

Phishing is already one of the most common and successful attack methods for bad actors. ChatGPT can put the ability to craft more believable phishing messages with ease in the wrong hands. Deepfakes are the next level. A believable email from your boss asking you to email a sensitive document, followed up by a video call that looks and sounds exactly like her? These are some of the enormous challenges we face that training alone can’t control.  

Having a data spill is essentially inevitable. We can never reduce the likelihood of a breach to zero, because we will always have trusted insiders. The approach to take now is to reduce the potential impact of a future breach.

Know what data you have, what risk it has, and what value. What rules apply to it, where it is, who is doing what to it. And know what needs to be locked down, and what can be disposed of (across the whole enterprise). This is something we can use AI for right now, and it’s really moving the needle back to the side of good governance. 

Rachael Greaves is CEO/CSO and Founder of Castlepoint Systems

You Might Also Read:

ChatGPT Language Model Risks:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

 

« If It’s Convenient Be Suspicious – The Human Aspect
Britain's National Cyber Force Reveals Its Operating Doctrine »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Bishop Fox

Bishop Fox

Bishop Fox is a leading authority in offensive security, providing solutions ranging from continuous penetration testing and attack surface management to product and application security assessments.

CERT-MU

CERT-MU

CERT-MU is the Mauritian National Computer Security Incident Response Team.

NTOP

NTOP

NTOP develop high-quality network traffic analysis and DDoS protection software used by small individuals as well by large telecom operators.

360 Total Security

360 Total Security

360 company is the largest provider of Internet and mobile security products in China.

AKATI Sekurity

AKATI Sekurity

AKATI Sekurity is a security-focused consulting firm providing services specializing in Information Security and Information Forensics.

Johnson Controls International

Johnson Controls International

Johnson Controls is a global diversified technology company with a focus on smart cities, energy, infrastructure and transportation including the security of automation and control systems.

Risk Ident

Risk Ident

RISK IDENT specializes in supporting enterprises in identifying and preventing criminal activity like payment fraud, account takeovers and identity theft.

Veracity Industrial Networks

Veracity Industrial Networks

Veracity provides an innovative industrial network platform that improves the reliability, efficiency, and security of industrial networks and devices.

DreamIt Ventures

DreamIt Ventures

DreamIt Ventures is an early stage venture fund that accelerates startups building transformative tech products in the fields of Healthtech, Securetech, and Urbantech.

CISO Global

CISO Global

CISO Global (formerly Cerberus Sentinel) are on a mission to demystify and accelerate our clients’ journey to cyber resilience, empowering organizations to securely grow, operate, and innovate.

Open Data Security (ODS)

Open Data Security (ODS)

Open Data Security is a market leader in the information security sector, offering services to companies, governments and individuals, helping them shield from hackers and cyber attacks.

TOTM Technologies

TOTM Technologies

TOTM Technologies provides end-to-end identity management and biometrics products, powering Digital identity and Digital onboarding solutions.

ANSSI Burkina Faso

ANSSI Burkina Faso

ANSSI is responsible for managing the security of information systems and cyberspace in Burkina Faso.

Bleach Cyber

Bleach Cyber

Bleach Cyber helps small businesses with an affordable and user-friendly solution for managing cloud security.

HEAL Security

HEAL Security

HEAL Security is the global authority for cybersecurity data, research and insights across the healthcare sector.

Applied Insight

Applied Insight

Applied Insight work closely with government agencies and industry to overcome technical and cultural hurdles to innovation, empowering them with the latest cloud, data and cyber capabilities.