Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

Cybersecurity Snapshot: As ChatGPT Concerns Mount, U.S. Govt Ponders Artificial Intelligence Regulations

$
0
0

As ChatGPT security worries rise, the Biden administration looks at crafting AI policy controls. Plus, Samsung reportedly limits ChatGPT use after employees fed it proprietary data. Also, how password mis-management lets ex-staffers access employer accounts. In addition, the top identity and access management elements to monitor. And much more! 

Dive into six things that are top of mind for the week ending April 14.

1 – Amid growing ChatGPT agita, White House mulls AI rules

With no end in sight to the world’s fascination with generative AI chatbots like ChatGPT, the Biden administration is considering creating “guardrails” to protect American citizens from artificial intelligence abuses.

This week, the National Telecommunications and Information Administration (NTIA), which advises the White House on telecom and information policy issues, announced it is seeking public comments about “AI accountability.”

The comments will help the Biden administration develop policies via “AI audits, assessments, certifications and other mechanisms” to promote trust in AI systems and ensure they work as intended and without harming people.

“Companies have a responsibility to make sure their AI products are safe before making them available,” reads the NTIA’s announcement.

Amid growing ChatGPT agita White House mulls AI rules

That straightforward declaration touches on key questions raised repeatedly since the release in recent months of OpenAI’s ChatGPT and other generative AI chatbots: Were they released to the public prematurely? Is the world unprepared to deal with the consequences of abuse and misuse of these products’ powerful capabilities?

Examples of topics the NTIA is interested in include: What trust and safety testing should AI system developers conduct? How can regulators encourage accountability among AI system developers?

To get more details, you can go to the NTIA’s “AI Accountability Policy Request for Comment” main page and read the full document.

For more information about regulatory efforts around ChatGPT and generative AI:

VIDEOS

After Italy blocked access to OpenAI's ChatGPT chatbot, will the rest of Europe follow? (Euronews Next)

The potential dangers as AI grows more sophisticated and popular (PBS NewsHour)

2 – And another reminder that ChatGPT keeps no secrets

It’s been a regular warning: Don’t enter confidential information into ChatGPT because all the data users input into it gets ingested into its vast data store. Once there, the AI chatbot could use it to answer other users’ questions.

Well, now we have a real-world example of this faux-pas: Samsung employees reportedly fed the AI chatbot private, sensitive information about the company, including proprietary source code and meeting minutes.

That’s according to the South Korean edition of The Economist magazine, which reported that, in response, the consumer electronics titan is now limiting ChatGPT use.

For more information about privacy concerns related to ChatGPT:

VIDEOS

NCSC Raises Privacy Concerns About ChatGPT (Tenable)

CEO behind Chat GPT-4 says he's 'a little bit scared' by AI (ABC News)

3 – What’s your No. 1 worry? How do you prioritize bug patching?

Those were two of the questions we asked participants in our recent webinar, “Tenable Research Shares Its 2022 Recap and Defender Recommendations for 2023,” in which Tenable experts discussed the recently published “Tenable 2022 Threat Landscape Report.” Check out how respondents answered.

Top cybersecurity concerns from Tenable poll

(Source: 126 webinar participants polled by Tenable, March 2023)

Criteria for patching vulnerabilities from Tenable poll
(Source: 83 webinar participants polled by Tenable, March 2023)

For more information about the “Tenable 2022 Threat Landscape Report” check out:

4 – It’s a password problem: People using ex-employers’ accounts

Could your business unwittingly be giving former employees access to its paid subscription services, commercial software, email inboxes and other digital resources? Apparently, it happens more often than one would think, and bad password management is to blame.

That’s according to a survey from Password Manager which found that 47% of U.S. employees have tapped into at least one of their former employers’ digital accounts. These former staffers use passwords they had when they worked there; get them from a current employee; or simply guess them.

What do they do? Many mooch their ex-employers’ paid tools, and some even maliciously tinker with their systems and data.

Password Manager, a website that rates and compares password managers, hired Pollfish to survey 1,000 U.S. respondents who’ve had access to employer passwords within the past five years.

How were you able to access your former employers’ passwords?

Password mismanagement lets ex-employees use employer digital tools

(Source: Password Manager survey, April 2023)

And it gets worse: Among those who’ve used former employers’ passwords, only 15% said they’ve been caught doing it, and one-third said the passwords worked for more than two years – including a small percentage who used them for 10-plus years.

For how long were you or have you been using former employers’ passwords?

Password mismanagement lets people user former employer accounts

(Source: Password Manager survey, April 2023)

The motivation for the majority of these ex-staffers is saving money on tools and services they’d otherwise have to pay for (58%), while others – around 10% – want to disrupt a former employer’s operations.

The bottom line: Companies need to get better at managing their passwords. Among Password Manager’s recommendations are:

  • Appoint a senior-level staffer to be in charge of password-management policies and processes
  • Starting during onboarding, spell out to employees what’s considered authorized and non-authorized handling of intellectual property and proprietary information
  • Create incentives for managing passwords and company accounts properly
  • Continuously update your inventory of password-protected assets, and rate their criticality
  • Create standard operating procedures and schedules for updating passwords

For more information about password management best practices for businesses:

5 – Adopting a zero-trust architecture? Check CISA’s revised model

If you’re evaluating or already implementing a zero-trust architecture, you might want to check out the newest version of the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) “Zero Trust Maturity Model – Version 2.0” (ZTMM), published this week.

In the ZTMM, CISA identifies five pillars for implementing a zero-trust architecture – identity, devices, networks, applications/workloads and data – underpinned by the principles of visibility/analytics, automation/orchestration and governance. 

The agency also outlines four stages of zero-trust maturity: traditional, initial, advanced and optimal. The initial stage was added to the ZTMM in version 2.0, which provides “a gradient of implementation” across the five pillars. Version 2.0 of the ZTMM also adds several new and updated zero-trust functions.

CISA revises zero trust maturity model

(Source: CISA’s “Zero Trust Maturity Model – Version 2.0,” April 2023)

The CISA guide builds upon these seven “tenets” of zero trust outlined by the U.S. National Institute of Standards and Technology (NIST):

  • Consider as resources all data sources and computing services 
  • Secure all communication regardless of network location
  • Grant access to individual resources on a per-session basis
  • Determine access to resources by dynamic policy
  • Monitor and measure the integrity and security posture of all owned and associated assets
  • Strictly and dynamically enforce the authentication and authorization of all resources before access is allowed
  • Collect as much information as possible about the current state of assets, network infrastructure and communications and use it to improve your security posture

For example, here’s how a zero-trust architecture would look like in the optimal stage of maturity.

CISA updates zero trust maturity model

(Source: CISA’s “Zero Trust Maturity Model – Version 2.0”, April 2023)

For more information, read CISA’s “Zero Trust Maturity Model – Version 2.0” and “Applying Zero Trust Principles to Enterprise Mobility,” as well as the Office of Management and Budget’s Federal Zero Trust Strategy and NIST’s “Implementing a Zero Trust Architecture.”

6 – Cloud Security Alliance: Top IAM attributes to monitor

Since the importance of protecting identity and access management (IAM) systems can’t be stressed enough, here’s a quick overview of the Cloud Security Alliance’s (CSA) “top 7 attributes to monitor,” as outlined in its recent blog “Configuration and Monitoring of IAM.

  • User identities, including the accuracy of user information, such as names, roles and group memberships
  • Permission grants, to ensure the permissions match users’ roles and responsibilities
  • Session management, to verify that user sessions are terminated in a proper and timely manner
  • Logs and audit trails, in order to record and track all access to sensitive data and systems
  • IAM configuration, including verifying the accuracy of authentication methods and access control policies
  • Service accounts and resource accounts, to ensure that users can’t use these “service principals” accounts to access any resources
  • Programmatic access, to check for unauthorized access and misuse of APIs, roles and machine identities

How to secure identity and access management systems

For more information about IAM security, check out these Tenable resources:


Viewing all articles
Browse latest Browse all 1935

Trending Articles