Secure Cloud Best Practices — A Collaborative Endeavor for Business Resilience

Fig. 1. Cloud Shared Security Responsibility Model, Microsoft, 2024.


In today’s digitally interconnected world, the cloud has emerged as a cornerstone of modern business operations, offering scalability, flexibility, and efficiency like never before. Leading vendors like Amazon Web Services (AWS), Microsoft, Oracle, and Dell offer public, private, and hybrid cloud formats. However, as businesses increasingly migrate their operations to the cloud, ensuring robust security measures becomes paramount. Here, we delve into seven essential strategies for securing the cloud effectively, emphasizing collaboration between C-suite leaders and IT stakeholders.

1) Understanding the Cloud-Shared Responsibility Model:

The first step in securing the cloud is grasping the nuances of the shared responsibility model (Fig. 1). While cloud providers manage the security of the infrastructure platform, customers are responsible for securing their data and applications, including who gets access to them and at what level. This necessitates a clear delineation of responsibilities, ensuring no security gaps exist. CIOs and CISOs must thoroughly educate themselves and their teams on this model to make informed security decisions.

2) Asking Detailed Security Questions:

It is imperative to engage cloud providers in detailed discussions regarding security measures, digging far deeper than boilerplate questions and checkbox forms. C-suite executives should inquire about specific security protocols, compliance certifications, incident response procedures, and data protection mechanisms. Organizations can mitigate risks and build trust in their cloud ecosystem by seeking transparency and understanding the provider’s security posture.

3) Implementing IAM Solutions:

Identity and access management (IAM) lies at the core of cloud security. Robust IAM solutions enable organizations to authenticate, authorize, and manage user access effectively. CIOs and CISOs should invest in IAM platforms equipped with features like multi-factor authentication, role-based access control, least privilege, and privileged access management (PAM) governance. By enforcing the principle of least privilege, businesses can minimize the risk of unauthorized access and insider threats.

4) Establishing Modern Cloud Security Policies:

A proactive approach to security entails the formulation of comprehensive cloud security policies aligned with industry best practices and regulatory requirements. Business leaders must collaborate with security professionals to develop policies covering data classification, incident response, encryption standards, and employee responsibilities. Regularly updating and reviewing these policies is essential to adapting to evolving threats and technologies, and the requirements can be country specific.

5) Encrypting Data in Motion and at Rest:

Encryption serves as a critical safeguard for data confidentiality and integrity in the cloud. Organizations should employ robust encryption mechanisms to protect data both in transit and at rest. Utilizing encryption protocols such as TLS for network communications and AES for data storage adds an extra layer of defense against unauthorized access. Additionally, implementing reliable backup solutions ensures data resilience in the event of breaches or disasters. All key files should be backed up via the 3-2-1 rule (three copies of files in two different media forms with one offsite), which reduces ransomware attack damage.

6) Educating Staff Regularly:

Human error remains one of the most significant vulnerabilities in cloud security. Therefore, ongoing employee education and awareness initiatives are indispensable. C-suite leaders must prioritize security training programs to cultivate a security-conscious culture across the organization. By educating staff on security best practices, threat awareness, and incident response protocols, businesses can fortify their defense against social engineering attacks and insider threats. Importantly, this education is far more effective when interactive and gamified to ensure participation and sustained learning outcomes.

7) Mapping and Securing Endpoints:

Endpoints serve as crucial entry points for cyber threats targeting cloud environments. CIOs and CISOs should conduct thorough assessments to identify and secure all endpoints accessing the cloud infrastructure. Visually mapping endpoints is the first step to confirm how many, what type, and where they actually are at present — this can and does change. Implementing endpoint protection solutions, enforcing device management policies, and promptly deploying security patches are essential to mitigate endpoint vulnerabilities. Furthermore, embracing technologies like zero-trust architecture enhances endpoint security by continuously verifying user identities and device integrity.

In conclusion, securing the cloud demands a multifaceted approach encompassing collaboration, diligence, vendor communication and partnership, and innovation. By embracing the principles outlined above, organizations can strengthen their cloud security posture, mitigate risks, and foster a resilient business environment. C-suite leaders, in conjunction with IT professionals, must champion these strategies to navigate the evolving threat landscape and safeguard the future of their enterprises.

About the Author:

Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire. He is an alum of the Federal Reserve Secure Payment Task Force, the Crystal, Robbinsdale and New Hope Citizens Police Academy, and the Minneapolis FBI Citizens Academy.

AT&T Faces Massive Data Breach Impacting 73 Million and Negligence Lawsuits

Fig 1. AT&T Data Breach Infographic, WLBT3, 2024.

After weeks of denials, AT&T Inc. (NYSE:T), a leading player in the telecommunications sector, has recently unveiled a substantial data breach originating from 2021, leading to the compromise of sensitive information belonging to 73 million users [1]. This data breach has since surfaced on the dark web, exposing a trove of personal data including Social Security numbers, email addresses, phone numbers, and dates of birth, impacting both current and past account holders. The compromised information encompasses names, addresses, phone numbers, and for numerous individuals, highly sensitive data such as Social Security numbers, dates of birth, and AT&T passcodes.

How can you determine if you were impacted by the AT&T data breach? Firstly, ask yourself if you ever were a customer, and do not rely solely on AT&T to notify you. By utilizing services like Have I Been Pwned, you can ascertain if your data has been compromised. Additionally, Google’s Password Checkup tool can notify you if your account details are exposed, especially if you store password information in a Google account. For enhanced security, the premium edition of Bitwarden, a top-rated recommended password manager, offers the capability to scan for compromised passwords across the internet.

One prevalent issue concerning data breaches is the tendency for individuals to overlook safeguarding their data until it’s too late. It’s a common scenario – we often don’t anticipate our personal information falling into the hands of hackers who then sell it to malicious entities online. Regrettably, given the frequency and magnitude of cyber-attacks, the likelihood of your data being exposed has shifted from an “if” to a “when” scenario.

Given this reality, it’s imperative to adopt measures to safeguard your identity and data online, including [2]:

  1. Implementing multi-factor authentication – a crucial step in thwarting hackers’ attempts to infiltrate your accounts, even if your email address is publicly available.
  2. Avoiding password reuse and promptly changing passwords if they are compromised in a data breach – this practice ensures that even if your login credentials are exposed, hackers cannot infiltrate other accounts you utilize, including the one that has experienced a breach.
  3. Investing in identity protection services, either as standalone solutions or as part of comprehensive internet security suites – identity protection software can actively monitor the web for data breaches involving you, enabling you to take proactive measures to safeguard your identity.

AT&T defines a customer’s passcode as a numeric Personal Identification Number (PIN), typically consisting of four digits. Distinguishing it from a password, a passcode is necessary for finalizing an AT&T installation, conducting personal account activities over the phone, or reaching out to technical support, according to AT&T.

How to reset your AT&T passcode:

AT&T has taken steps to reset passcodes for active accounts affected by the data breach. However, as a precautionary measure, AT&T advises users who haven’t altered their passcodes within the last year to do so. Below are the steps to change your AT&T passcode:

  1. Navigate to your myAT&T Profile.
  2. Sign in when prompted. (If additional security measures are in place and sign-in isn’t possible, AT&T suggests opting for “Get a new passcode.”)
  3. Locate “My linked accounts” and select “Edit” for the passcode you wish to update.
  4. Follow the provided prompts to complete the process.

Here is AT&T’s official statement on the matter from 03/03/24 [3]:

“Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders. Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set. The company is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable. We encourage current and former customers with questions to visit http://www.att.com/accountsafety for more information.”

The hackers behind this, allegedly ShiningHacker, endeavored to profit from the pilfered data by listing it for sale on the RaidForums data theft forum, initiating the bidding at $200,000 and entertaining additional offers in increments of $30,000 [4]. Moreover, they demonstrated readiness to promptly sell the data for $1 million, highlighting the gravity and boldness of the cyber offense.

Not surprisingly, AT&T is currently confronting numerous class-action lawsuits subsequent to the company’s acknowledgment of this data breach, which compromised the sensitive information of 73 million existing and former customers [5]. Among the ten lawsuits filed, one is being handled by Morgan & Morgan, representing plaintiff Patricia Dean and individuals in similar circumstances.

The lawsuit levels allegations of negligence, breach of implied contract, and unjust enrichment against AT&T, contending that the company’s deficient security measures and failure to promptly provide adequate notification about the data breach exposed customers to significant risks, including identity theft and various forms of fraud. It seeks compensatory damages, restitution, injunctive relief, enhancements to AT&T’s data security protocols, future audits, credit monitoring services funded by the company, and a trial by jury [6].



References:


[1] AT&T. “AT&T Addresses Recent Data Set Released on the Dark Web.” 03/30/24: https://about.att.com/story/2024/addressing-data-set-released-on-dark-web.html

[2] Colby, Clifford, Combs, Mary-Elisabeth; “Data From 73 Million AT&T Accounts Stolen: How You Can Protect Yourself.” CNET. 04/02/24: https://www.cnet.com/tech/mobile/data-from-73-million-at-t-accounts-stolen-how-you-can-protect-yourself/

[3] AT&T. “AT&T Addresses Recent Data Set Released on the Dark Web.” 03/30/24: https://about.att.com/story/2024/addressing-data-set-released-on-dark-web.html

[4] Naysmith, Caleb. “73 Million AT&T Users’ Data Leaked As Hacker Said, ‘I Don’t Care If They Don’t Admit. I’m Just Selling’ Auctioned At Starting Price Of $200K”. https://finance.yahoo.com/news/73-million-t-users-data-173015617.html

[5] Kan, Michael. “AT&T Faces Class-Action Lawsuit Over Leak of Data on 73M Customers.” PC Mag. 04/02/24: https://www.pcmag.com/news/att-faces-class-action-lawsuit-over-leak-of-data-on-73m-customers

[6] Kan, Michael. “AT&T Faces Class-Action Lawsuit Over Leak of Data on 73M Customers.” PC Mag. 04/02/24: https://www.pcmag.com/news/att-faces-class-action-lawsuit-over-leak-of-data-on-73m-customers

Four Key Emerging Considerations with Artificial Intelligence (AI) in Cyber Security


By Jeremy Swenson

Fig. 1. Zero Trust Components to Orchestration AI Mashup; Microsoft, 09/17/21; and Swenson, Jeremy, 03/29/24.

1. The Zero-Trust Security Model Becomes More Orchestrated via Artificial Intelligence (AI):

      The zero-trust model represents a paradigm shift in cybersecurity, advocating for the premise that no user or system, irrespective of their position within the corporate network, should be automatically trusted. This approach entails stringent enforcement of access controls and continual verification processes to validate the legitimacy of users and devices. By adopting a need-to-know-only access philosophy, often referred to as the principle of least privilege, organizations operate under the assumption of compromise, necessitating robust security measures at every level.

      Implementing a zero-trust framework involves a comprehensive overhaul of traditional security practices. It entails the adoption of single sign-on functionalities at the individual device level and the enhancement of multifactor authentication protocols. Additionally, it requires the implementation of advanced role-based access controls (RBAC), fortified network firewalls, and the formulation of refined need-to-know policies. Effective application whitelisting and blacklisting mechanisms, along with regular group membership reviews, play pivotal roles in bolstering security posture. Moreover, deploying state-of-the-art privileged access management (PAM) tools, such as CyberArk for password check out and vaulting, enables organizations to enhance toxic combination monitoring and reporting capabilities.

      App-to-app orchestration refers to the process of coordinating and managing interactions between different applications within a software ecosystem to achieve specific business objectives or workflows. It involves the seamless integration and synchronization of multiple applications to automate complex tasks or processes, facilitating efficient data flow and communication between them. Moreover, it aims to streamline and optimize various operational workflows by orchestrating interactions between disparate applications in a cohesive manner. This orchestration process typically involves defining the sequence of actions, dependencies, and data exchanges required to execute a particular task or workflow across multiple applications.

      However, while the concept of zero-trust offers a compelling vision for fortifying cybersecurity, its effective implementation relies on selecting and integrating the right technological components seamlessly within the existing infrastructure stack. This necessitates careful consideration to ensure that these components complement rather than undermine the orchestration of security measures. Nonetheless, there is optimism that the rapid development and deployment of AI-based custom middleware can mitigate potential complexities inherent in orchestrating zero-trust capabilities. Through automation and orchestration, these technologies aim to streamline security operations, ensuring that the pursuit of heightened security does not inadvertently introduce operational bottlenecks or obscure visibility through complexity.

2. Artificial Intelligence (AI) Powered Threat Detection Has Improved Analytics:

      The utilization of artificial intelligence (AI) is on the rise to bolster threat detection capabilities. Through machine learning algorithms, extensive datasets are scrutinized to discern patterns suggestive of potential security risks. This facilitates swifter and more precise identification of malicious activities. Enhanced with refined machine learning algorithms, security information and event management (SIEM) systems are adept at pinpointing anomalies in network traffic, application logs, and data flow, thereby expediting the identification of potential security incidents for organizations.

      False positives will be reduced. They have been a sustained issue in the past, with large overconfident companies repeatedly wasting millions of dollars per year fine-tuning useless security data lakes that mostly produce garbage anomaly detection reports [1], [2]. Literally the kind good artificial intelligence (AI) laughs at – we are getting there. All the while, technology vendors try to solve this via better SIEM functionality, at present for an increased price. Yet we expect prices to drop really low as the automation matures.

      With enhanced natural language processing (NLP) methodologies, artificial intelligence (AI) systems possess the capability to analyze unstructured data originating from various sources such as social media feeds, images, videos, and news articles. This proficiency enables organizations to compile valuable threat intelligence, staying abreast of indicators of compromise (IOCs) and emerging attack strategies. Notable vendors offering such services include Darktrace, IBM, CrowdStrike, and numerous startups poised to enter the market. The landscape presents ample opportunities for innovation, necessitating the abandonment of past biases. Young, innovative minds well-versed in web 3.0 technologies hold significant value in this domain. Consequently, in the future, more companies are likely to opt for building their tailored threat detection tools, leveraging advancements in AI platform technology, rather than purchasing pre-existing solutions.

3. Artificial Intelligence (AI) Driven Threat Response Ability Advances:

      Artificial intelligence (AI) isn’t just confined to threat detection; it’s increasingly playing a pivotal role in automating response actions within cybersecurity operations. This encompasses a range of tasks, including the automatic isolation of compromised systems, the blocking of malicious internet protocol (IP) addresses, the adjustment of firewall configurations, and the coordination of responses to cyber incidents—all achieved with greater efficiency and cost-effectiveness. By harnessing AI-driven algorithms, security orchestration, automation, and response (SOAR) platforms empower organizations to analyze and address security incidents swiftly and intelligently.

      SOAR platforms capitalize on AI capabilities to streamline incident response processes, enabling security teams to automate repetitive tasks and promptly react to evolving threats. These platforms leverage AI not only to detect anomalies but also to craft tailored responses, thereby enhancing the overall resilience of cybersecurity infrastructures. Leading examples of such platforms include Microsoft Sentinel, Rapid7 InsightConnect, and FortiSOAR, each exemplifying the fusion of AI-driven automation with comprehensive security orchestration capabilities.

      Microsoft Sentinel, for instance, utilizes AI algorithms to sift through vast volumes of security data, identifying potential threats and anomalies in real-time. It then orchestrates response actions, such as isolating compromised systems or blocking suspicious IP addresses, with precision and speed. Similarly, Rapid7 InsightConnect integrates AI-driven automation to streamline incident response workflows, enabling security teams to mitigate risks more effectively. FortiSOAR, on the other hand, offers a comprehensive suite of AI-powered tools for incident analysis, response automation, and threat intelligence correlation, empowering organizations to proactively defend against cyber threats. Basically, AI tools will help SOAR tools mature so security operations centers (SOCs) can catch the low hanging fruit; thus, they will have more time for analysis of more complex threats. These AI tools will employ the observe, orient, decide, act (OODA) Loop methodology [3]. This will allow them to stay up to date, customized, and informed of many zero-day exploits. At the same time, threat actors will constantly try to avert this with the same AI but with no governance.

4. Artificial Intelligence (AI) Streamlines Cloud Security Posture Management (CSPM):

        With the escalating migration of organizations to cloud environments, safeguarding the security of cloud assets emerges as a paramount concern. While industry giants like Microsoft, Oracle, and Amazon Web Services (AWS) dominate this landscape with their comprehensive cloud offerings, numerous large organizations opt to establish and maintain their own cloud infrastructures to retain greater control over their data and operations. In response to the evolving security landscape, the adoption of cloud security posture management (CSPM) tools has become imperative for organizations seeking to effectively manage and fortify their cloud environments.

        CSPM tools play a pivotal role in enhancing the security posture of cloud infrastructures by facilitating continuous monitoring of configurations and swiftly identifying any misconfigurations that could potentially expose vulnerabilities. These tools operate by autonomously assessing cloud configurations against established security best practices, ensuring adherence to stringent compliance standards. Key facets of their functionality include the automatic identification of unnecessary open ports and the verification of proper encryption configurations, thereby mitigating the risk of unauthorized access and data breaches. “Keeping data safe in the cloud requires a layered defense that gives organizations clear visibility into the state of their data. This includes enabling organizations to monitor how each storage bucket is configured across all their storage services to ensure their data is not inadvertently exposed to unauthorized applications or users” [4]. This has considerations at both the cloud user and provider level, especially considering that artificial intelligence (AI) applications can be built and run inside the cloud for a variety of reasons. Importantly, these build designs often use approved plug-ins from different vendors, making it all the more complex.

        Furthermore, CSPM solutions enable organizations to proactively address security gaps and bolster their resilience against emerging threats in the dynamic cloud landscape. By providing real-time insights into the security status of cloud assets, these tools empower security teams to swiftly remediate vulnerabilities and enforce robust security controls. Additionally, CSPM platforms facilitate comprehensive compliance management by generating detailed reports and audit trails, facilitating adherence to regulatory requirements and industry standards.

        In essence, as organizations navigate the complexities of cloud adoption and seek to safeguard their digital assets, CSPM tools serve as indispensable allies in fortifying cloud security postures. By offering automated monitoring, proactive threat detection, and compliance management capabilities, these solutions empower organizations to embrace the transformative potential of cloud technologies while effectively mitigating associated security risks.
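
The configuration checks this section describes (unnecessary open ports, encryption settings, storage bucket exposure) are sketched below as an added Python example; it is not from the original article or from any CSPM vendor. The inventory schema, rule names, resource IDs and the approved-port list are assumptions constructed for illustration.

```python
"""CSPM-style misconfiguration checks over a constructed cloud inventory.

The inventory schema, rule names and resource IDs are hypothetical; a real
tool would read this data from the cloud provider's APIs.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the only port this organization allows to face the internet.
ALLOWED_PUBLIC_PORTS = frozenset({443})

# Constructed sample inventory (not real resources).
INVENTORY = [
    {"type": "firewall", "id": "fw-web", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
        {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
        {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},
    ]},
    {"type": "firewall", "id": "fw-legacy", "ingress": [
        {"cidr": "::/0", "from_port": 0, "to_port": 65535},
    ]},
    {"type": "bucket", "id": "bkt-reports", "encryption": "AES256",
     "public_access": False},
    {"type": "bucket", "id": "bkt-exports", "encryption": None,
     "public_access": True},
]


@dataclass(frozen=True, order=True)
class Finding:
    resource_id: str
    rule: str
    detail: str


def is_world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_firewall(res):
    """Flag ingress rules that expose non-approved ports to any source."""
    findings = []
    for rule in res.get("ingress", []):
        if not is_world_open(rule["cidr"]):
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        exposed = sum(1 for p in range(lo, hi + 1)
                      if p not in ALLOWED_PUBLIC_PORTS)
        if exposed:
            findings.append(Finding(
                res["id"], "OPEN_PORT",
                f"{rule['cidr']} reaches ports {lo}-{hi} "
                f"({exposed} not approved for public access)"))
    return findings


def check_bucket(res):
    """Flag missing at-rest encryption and public exposure (fail closed)."""
    findings = []
    if not res.get("encryption"):
        findings.append(Finding(res["id"], "NO_ENCRYPTION",
                                "no encryption-at-rest setting recorded"))
    # A missing flag is treated as public: unknown state is not safe state.
    if res.get("public_access", True):
        findings.append(Finding(res["id"], "PUBLIC_BUCKET",
                                "public access is not disabled"))
    return findings


CHECKS = {"firewall": check_firewall, "bucket": check_bucket}


def scan(inventory):
    """Run every check and return findings sorted by resource and rule."""
    findings = []
    for res in inventory:
        check = CHECKS.get(res.get("type"))
        if check is None:
            # Surface coverage gaps instead of silently skipping resources.
            findings.append(Finding(res.get("id", "?"), "UNCHECKED",
                                    f"no rule for type {res.get('type')!r}"))
            continue
        findings.extend(check(res))
    return sorted(findings)


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.resource_id:12} {f.rule:14} {f.detail}")
```

Settings that are absent from the inventory are reported as findings rather than assumed safe, and resource types without a rule are reported as unchecked so gaps in coverage stay visible.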


        References:


        [1] Tobin, Donal; “What Challenges Are Hindering the Success of Your Data Lake Initiative?” Integrate.io. 10/05/22: https://www.integrate.io/blog/data-lake-initiative/

        [2] Chuvakin, Anton; “Why Your Security Data Lake Project Will … Well, Actually …” Medium. 10/22/22. https://medium.com/anton-on-security/why-your-security-data-lake-project-will-well-actually-78e0e360c292

        [3] Michael, Katina, Abbas, Roba, and Roussos, George; “AI in Cybersecurity: The Paradox.” IEEE Transactions on Technology and Society. Vol. 4, no. 2: pg. 104-109. 2023: https://ieeexplore.ieee.org/abstract/document/10153442

        [4] Rosencrance, Linda; “How to choose the best cloud security posture management tools.” CSO Online. 10/30/23: https://www.csoonline.com/article/657138/how-to-choose-the-best-cloud-security-posture-management-tools.html

        NIST Cybersecurity Framework (CSF) New Version 2.0 Summary

        Fig. 1. NIST CSF 2.0 Stepper, NIST, 2024.


        The National Institute of Standards and Technology (NIST) has updated its widely used Cybersecurity Framework (CSF), a free, respected, landmark guidance document for reducing cybersecurity risk. However, it’s important to note that most of the framework core has remained the same. Here are the core components the security community knows:

        Govern (GV): Sets forth the strategic path and guidelines for managing cybersecurity risks, ensuring harmony with business goals and adherence to legal requirements and standards. This is the newest addition; it was implied before but is now specifically illustrated as touching every aspect of the framework. It seeks to establish and monitor your company’s cybersecurity risk management strategy, expectations, and policy.

        1. Identify (ID): Entails cultivating a comprehensive organizational comprehension of managing cybersecurity risks to systems, assets, data, and capabilities.

        2. Protect (PR): Concentrates on deploying suitable measures to guarantee the provision of vital services.

        3. Detect (DE): Specifies the actions for recognizing the onset of a cybersecurity incident.

        4. Respond (RS): Outlines the actions to take in the event of a cybersecurity incident.

        5. Recover (RC): Focuses on restoring capabilities or services that were impaired due to a cybersecurity incident.

        The new 2.0 edition is structured for all audiences, industry sectors, and organization types, from the smallest startups and nonprofits to the largest corporations and government departments — regardless of their level of cybersecurity preparedness and complexity.

        Fig. 2. NIST CSF 2.0 Function Breakdown, NIST, 2024.

        Here are some key updates:

        Emphasis is placed on the framework’s expanded scope, extending beyond critical infrastructure to encompass all organizations. Importantly, it better incorporates and expands upon supply chain risk management processes. It also introduces a new focus on governance, highlighting cybersecurity as a critical enterprise risk with many dependencies. This is critically important with the emergence of artificial intelligence.

        To make it easier for a wide variety of organizations to implement the CSF 2.0, NIST has developed quick-start guides customized for various audiences, along with case studies showcasing successful implementations, and a searchable catalog of references, all aimed at facilitating the adoption of CSF 2.0 by diverse organizations.

        The CSF 2.0 is aligned with the National Cybersecurity Strategy and includes a suite of resources to adapt to evolving cybersecurity needs, emphasizing a comprehensive approach to managing cybersecurity risk. New adopters can benefit from implementation examples and quick-start guides tailored to specific user types, facilitating easier integration into their cybersecurity practices. The CSF 2.0 Reference Tool simplifies implementation, enabling users to access, search, and export core guidance data in user-friendly and machine-readable formats. A searchable catalog of references allows organizations to cross-reference their actions with the CSF, linking to over 50 other cybersecurity documents – facilitating comprehensive risk management. The Cybersecurity and Privacy Reference Tool (CPRT) contextualizes NIST resources with other popular references, facilitating communication across all levels of an organization.

        NIST aims to continually enhance CSF resources based on community feedback, encouraging users to share their experiences to improve collective understanding and management of cybersecurity risk. The CSF’s international adoption is significant, with translations of previous versions into 13 languages. NIST expects CSF 2.0 to follow suit, further expanding its global reach. NIST’s collaboration with ISO/IEC aligns cybersecurity frameworks internationally, enabling organizations to utilize CSF functions in conjunction with ISO/IEC resources for comprehensive cybersecurity management.

        Resources:

        1. NIST CSF 2.0 Fact Sheet.
        2. NIST CSF 2.0 PDF.
        3. NIST CSF 2.0 Reference Tool.
        4. NIST CSF 2.0 YouTube Breakdown.


        Key Artificial Intelligence (AI) Cyber-Tech Trends and What it Means for the Future.

        Minneapolis –

        #cryptonews #cyberrisk #techrisk #techinnovation #techyearinreview #infosec #musktwitter #disinformation #cio #ciso #cto #chatgpt #openai #airisk #iam #rbac #artificialintelligence #samaltman #aiethics #nistai #futurereadybusiness #futureofai

        By Jeremy Swenson & Matthew Versaggi

        Fig. 1. Quantum ChatGPT Growth Plus NIST AI Risk Management Framework Mashup [1], [2], [3].

        Summary:

        This year is unique: policy makers and business leaders grew concerned with artificial intelligence (AI) ethics, disinformation morphed, and AI had hyper growth, including connections to increased crypto money laundering via splitting / mixing. Impressively, AI cyber tools became more capable in the areas of zero-trust orchestration, cloud security posture management (CSPM), and threat response via improved machine learning; quantum-safe cryptography ripened; and authentication made real-time monitoring advancements, while some hype remains. Moreover, the mass resignation / gig economy (remote work) remained a large part of the catalyst for all of these trends.

        Introduction:

        Every year we like to research and comment on the most impactful security technology and business happenings from the prior year. This year is unique since policy makers and business leaders grew concerned with artificial intelligence (AI) ethics [4], disinformation morphed, AI had hyper growth [5], crypto money laundering via splitting / mixing grew [6], AI cyber tools became more capable – while the mass resignation / gig economy remained a large part of the catalyst for all of these trends. By August 2023 ChatGPT reached 1.43 billion website visits per month and about 180.5 million registered users [7]. This even attracted many non-technical naysayers. Impressively, the platform was only nine months old then and just turned a year old in November [8]. These numbers for AI tools like ChatGPT are going to continue to grow in many sectors at exponential rates. As a result, the below trends and considerations are likely to significantly impact government, education, high-tech, startups, and large enterprises in big and small ways, albeit with some surprises.

        1. The Complex Ethics of Artificial Intelligence (AI) Swarms Policy Makers and Industry Resulting in New Frameworks:

        The ethical use of artificial intelligence (AI) as a conceptual and increasingly practical dilemma has gained a lot of media attention and research in the last few years from those in philosophy (ethics, privacy), politics (public policy), academia (concepts and principles), and economics (trade policy and patents), all of whom have weighed in heavily. As a result, we find this space is beginning to mature. Sovereign nations (the USA, EU, and elsewhere globally) have developed and socialized ethical policies and frameworks [9], [10]. Meanwhile, major corporations motivated by profit are all devising their own ethical vehicles and structures, often taking a legalistic view first [11]. Moreover, the World Economic Forum (WEF) has weighed in on this matter in collaboration with PricewaterhouseCoopers (PWC) [12]. All of this contributes to the accelerated pace of maturity of this area in general. The result is the establishment of shared conceptual viewpoints, early-stage security frameworks, accepted policies, guidelines, and governance structures to support the evolution of artificial intelligence (AI) in ethical ways.

        For example, the Department of Defense (DOD) has formally adopted five principles for the ethical development of artificial intelligence capabilities as follows [13]:

        1. Responsible
        2. Equitable
        3. Traceable
        4. Reliable
        5. Governable

        Traceable and governable seem to be the clearest and most important principles, while equitable and responsible seem gray at best and could be deemphasized in a heightened wartime context. The latter two echo the corporate social responsibility (CSR) efforts found more often in the private sector.

        The WEF via PWC has issued its Nine AI Ethical Principles for organizations to follow [14], and the Office of the Director of National Intelligence (ODNI) has released its Framework for AI Ethics [15]. Importantly, the National Institute of Standards and Technology (NIST) has released its AI Risk Management Framework, as outlined in Figs. 2 and 3. NIST also released a playbook to support its implementation and has hosted several working sessions discussing it with industry, which we attended virtually [16]. It seems the mapping aspect could take you down many AI rabbit holes, some unforeseen – implying complex risk. Mapping also impacts how you measure and manage. None of this is fully clear and much of it will change as ethical AI governance matures.

        Fig. 2. NIST AI Risk Management Framework (AI RMF) 1.0 [17].

        Fig. 3. NIST AI Risk Management Framework: Actors Across AI Lifecycle Stages (AI RMF) 1.0 [18].

        The actors in Fig. 3 cover a wide swath of spaces where artificial intelligence (AI) plays, and appropriately so, as AI is considered a GPT (general purpose technology) like electricity, rubber, and the like – one that can be applied ubiquitously in our lives [19]. This implies cognitive technology, digital reality, ambient experiences, autonomous vehicles and drones, quantum computing, distributed ledgers, and robotics, to name a few. These were all prior to the emergence of generative AI on the scene, which will likely put these vehicles to the test much earlier than expected. Yet all of these can be mapped across the AI lifecycle stages in Fig. 3 to clarify the activities, actors, and dimensions; if a use case gets to build, then more scrutiny will need to be applied.

        Scrutiny can come in the form of DevSecOps, but that is extremely hard to do with the exponentially massive AI code datasets required by the learning models, at least at this point. Moreover, we are not sure that any AI ethics framework does justice to quality assurance (QA) and secure coding best practices at this point. However, the above two NIST figures at least clarify relationships, flows, inputs, and outputs, but all of this will need to be greatly customized to an organization to have any teeth. We imagine those use cases will come out of future NIST working sessions with industry.

        Lastly, the most crucial factor in AI ethics governance is what Fig. 3 calls “People and Planet”. This is because the people and planet can experience the negative aspects of AI in ways the designers did not imagine, and that feedback is valuable to product governance to prevent bigger AI disasters. Examples include AI taking control of the air traffic control system and causing reroutes or accidents, or AI malware spreading faster than antivirus products can defend against it, creating a cyber pandemic. Thus, making sure bias is reduced and safety increased (DOD five AI principles) is key but certainly not easy or clear.

        2. ChatGPT and Other Artificial Intelligence (AI) Tools Have Huge Security Risks:

        It is fair to start off discussing the risks posed by ChatGPT and related tools to balance out all the positive feature coverage in the media and popular culture in recent months. First of all, with artificial intelligence (AI), every cyber threat actor has a new tool to better send spam, steal data, spread malware, build misinformation mills, grow botnets, launder cryptocurrency through shady exchanges [20], create fake profiles on multiple platforms, create fake romance chatbots, and to build the most complex self-replicating malware that will be akin to zero-day exploits much of the time.

        One commentator described it this way in his well-circulated LinkedIn article: “It can potentially be a formidable social engineering and phishing weapon where non-native speakers can create flawlessly written phishing emails. Also, it will be much simpler for all scammers to mimic their intended victim’s tone, word choice, and writing style, making it more difficult than ever for recipients to tell the difference between a genuine and fraudulent email” [21]. Think of MailChimp on steroids, with a sophisticated AI team crafting millions and billions of phishing e-mails / texts customized to impressively realistic details, including phone calls with fake voices that mimic your loved ones, building fake corroboration [22].

        SAP’s Head of Cybersecurity Market Strategy, Gabriele Fiata, took the words out of our mouths when he described it this way: “The threat landscape surrounding artificial intelligence (AI) is expanding at an alarming rate. Between January to February 2023, Darktrace researchers have observed a 135% increase in “novel social engineering” attacks, corresponding with the widespread adoption of ChatGPT” [23]. This is just the beginning. More malware-as-a-service propagation, fake bank sites, travel scams, and fake IT support centers will multiply to scam and extort the weak, including elders, schools, local government, and small businesses. Then there is the increased likelihood that antivirus and data loss prevention (DLP) tools will become less effective as AI morphs. Lastly, cyber criminals can and will use generative AI for advanced evidence tampering by creating fake content to confuse or dirty the chain of custody, lessen reliability, or outright frame the wrong actor – while the government is confused and behind the tech sector. It is truly a digital arms race.

        Fig. 4. ChatGPT Exploit Risk Infographic [24].

        In the next section we will discuss how artificial intelligence (AI) can enhance information security by increasing compliance, reducing risk, enabling new features of great value, and enabling application orchestration for threat visibility.

        3. The Zero-Trust Security Model Becomes More Orchestrated via Artificial Intelligence (AI):

        The zero-trust model assumes that no user or system, even those within the corporate network, should be trusted by default. Access controls are strictly enforced, and continuous verification is performed to ensure the legitimacy of users and devices. Zero-trust moves organizations to a need-to-know-only access mindset (least privilege) with inherent deny rules, all the while assuming you are compromised. This implies single sign-on at the personal device level and improved multifactor authentication. It also implies better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacklisting of applications, group membership reviews, and state-of-the-art privileged access management (PAM) tools. Password checkout and vaulting tools like CyberArk will improve to better inform toxic combination monitoring and reporting. There is still work in selecting / building the right tech components that fit into (not work against) the infrastructure orchestra stack. However, we believe rapid build-and-deploy AI-based custom middleware can easily alleviate security orchestration mismatches in many cases. All of this is likely to better automate and orchestrate zero-trust abilities so that one part does not hinder another part via complexity fog.

        4. Artificial Intelligence (AI) Powered Threat Detection Has Improved Analytics:

        Artificial intelligence (AI) is increasingly being used to enhance threat detection capabilities. Machine learning algorithms analyze vast amounts of data to identify patterns indicative of potential security threats. This enables quicker and more accurate identification of malicious activities. Security information and event management (SIEM) systems enhanced with improved machine learning algorithms can detect anomalies in network traffic, application logs, and data flow – helping organizations identify potential security incidents faster.

        False positives will be reduced. They have been a sustained issue in the past, with large overconfident companies repeatedly wasting millions of dollars per year fine-tuning useless data security lakes (we have seen this) that mostly produce garbage anomaly detection reports [25], [26]. Literally the kind good artificial intelligence (AI) laughs at – we are getting there. All the while, the technology vendors try to solve this via better SIEM functionality for an increased price at present. Yet we expect prices to drop really low as the automation matures.

        With improved natural language processing (NLP) techniques, artificial intelligence (AI) systems can analyze unstructured data sources, such as social media feeds, photos, videos, and news articles, to assemble useful threat intelligence. This ability to process and understand textual data empowers organizations to stay informed about indicators of compromise (IOCs) and new attack tactics. Vendors that provide these services include Darktrace, IBM, and CrowdStrike, and many startups will likely join soon. This space is wide open and the biases of the past need to be forgotten if we want innovation. Young fresh minds who know web 3.0 are valuable here. Thus, in the future more companies will likely not have to buy but rather can build their own customized threat detection tools informed by advancements in AI platform technology.

        5. Quantum-Safe Cryptography Ripens:

        Quantum computing is a quickly evolving technology that uses the laws of quantum mechanics, like superposition and quantum interference, to solve problems too complex for traditional computers [27]. Some cases where quantum computers can provide a speed boost include simulation of physical systems, machine learning (ML), optimization, and more. Traditional cryptographic algorithms could be vulnerable because they were built and coded with weaker technologies that have solvable patterns, at least in many cases. “Industry experts generally agree that within 7-10 years, a large-scale quantum computer may exist that can run Shor’s algorithm and break current public-key cryptography causing widespread vulnerabilities” [28]. Quantum-safe or quantum-resistant cryptography is designed to withstand attacks from quantum computers, often artificial intelligence (AI) assisted – ensuring the long-term security of sensitive data. For example, AI can help enhance post-quantum cryptographic algorithms such as lattice-based cryptography or hash-based cryptography to secure communications [29]. Lattice-based cryptography is a cryptographic system based on the mathematical concept of a lattice. In a lattice, lines connect points to form a geometric structure or grid (Fig. 5).

        Fig. 5. Simple Lattice Cryptography Grid [30].


        This geometric lattice structure encodes and decodes messages. Although it looks finite, the grid is not finite in any way. Rather, it represents a pattern that continues into the infinite (Fig. 6).

        Fig. 6. Complex Lattice Cryptography Grid [31].

        Lattice-based cryptography benefits sensitive and highly targeted assets like large data centers, utilities, banks, hospitals, and government infrastructure generally. In other words, there will likely be mass adoption of quantum-computing-based encryption for better security. Lastly, we used ChatGPT as an assistant to compile the below specific benefits of quantum cryptography, albeit with some manual corrections [32]:

        1. Detection of Eavesdropping:
          Quantum key distribution protocols can detect the presence of an eavesdropper by the disturbance introduced during the quantum measurement process, providing a level of security beyond traditional cryptography.
        2. Quantum-Safe Against Future Computers:
          Quantum computers have the potential to break many traditional cryptographic systems. Quantum cryptography is considered quantum-safe, as it relies on the fundamental principles of quantum mechanics rather than mathematical complexity.
        3. Near Unconditional Security:
          Quantum cryptography provides near unconditional security based on the principles of quantum mechanics. Any attempt to intercept or measure the quantum state will disturb the system, and this disturbance can be detected. Note that ChatGPT wrongly said “unconditional Security” and we corrected to “near unconditional security” as that is more realistic.

        6. Artificial Intelligence (AI) Driven Threat Response Ability Advances:

        Artificial intelligence (AI) is used not only for threat detection but also in automating response actions [33]. This can include automatically isolating compromised systems, blocking malicious internet protocol (IP) addresses, closing firewalls, or orchestrating a coordinated response to a cyber incident – all for less money. Security orchestration, automation, and response (SOAR) platforms leverage AI to analyze and respond to security incidents, allowing security teams to automate routine tasks and respond more rapidly to emerging threats. Microsoft Sentinel, Rapid7 InsightConnect, and FortiSOAR are just a few of the current examples. Basically, AI tools will help SOAR tools mature so security operations centers (SOCs) can catch the low hanging fruit; thus, they will have more time for analysis of more complex threats. These AI tools will employ the observe, orient, decide, act (OODA) Loop methodology [34]. This will allow them to stay up to date, customized, and informed of many zero-day exploits. At the same time, threat actors will constantly try to avert this with the same AI but with no governance.

        7. Artificial Intelligence (AI) Streamlines Cloud Security Posture Management (CSPM):

        As organizations increasingly migrate to cloud environments, ensuring the security of cloud assets becomes key. Vendors like Microsoft, Oracle, and Amazon Web Services (AWS) lead this space; yet large organizations have their own clouds for control as well. Cloud security posture management (CSPM) tools help organizations manage and secure their cloud infrastructure by continuously monitoring configurations and detecting misconfigurations that could lead to vulnerabilities [35]. These tools automatically assess cloud configurations for compliance with security best practices. This includes ensuring that only necessary ports are open, and that encryption is properly configured. “Keeping data safe in the cloud requires a layered defense that gives organizations clear visibility into the state of their data. This includes enabling organizations to monitor how each storage bucket is configured across all their storage services to ensure their data is not inadvertently exposed to unauthorized applications or users” [36]. This has considerations at both the cloud user and provider level, especially considering that artificial intelligence (AI) applications can be built and run inside the cloud for a variety of reasons. Importantly, these build designs often use approved plug-ins from different vendors, making it all the more complex.
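A minimal sketch of the kind of configuration assessment a CSPM tool automates, covering the three conditions named above: only necessary ports open, encryption configured, and storage buckets not inadvertently exposed. This is an added example, not code from the article or from any vendor; the inventory schema, the check identifiers (NET-001, STO-001, STO-002), and the approved-port policy are assumptions constructed for illustration.

```python
"""Toy CSPM-style posture check over a constructed, vendor-neutral inventory."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample inventory. The schema is hypothetical, not a provider's API output.
INVENTORY_JSON = """
{
  "firewall_rules": [
    {"id": "fw-web",  "port_from": 443,  "port_to": 443,   "source": "0.0.0.0/0"},
    {"id": "fw-ssh",  "port_from": 22,   "port_to": 22,    "source": "0.0.0.0/0"},
    {"id": "fw-db",   "port_from": 5432, "port_to": 5432,  "source": "10.0.0.0/8"},
    {"id": "fw-wide", "port_from": 0,    "port_to": 65535, "source": "::/0"}
  ],
  "buckets": [
    {"name": "public-site", "encrypted": true,  "public_read": true,  "approved_public": true},
    {"name": "hr-exports",  "encrypted": false, "public_read": false, "approved_public": false},
    {"name": "ml-training", "encrypted": true,  "public_read": true,  "approved_public": false}
  ]
}
"""

# Assumed policy: the only ports allowed to face the whole internet.
APPROVED_PUBLIC_PORTS = frozenset({443})
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    resource: str
    check_id: str  # hypothetical check identifier
    severity: str
    detail: str


def is_world_open(cidr):
    """True when the source range covers every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True  # unparseable source: fail closed and treat it as exposed


def check_firewall_rule(rule):
    """Flag internet-facing rules that expose ports outside the approved set."""
    source = rule.get("source", "0.0.0.0/0")  # missing source counts as world-open
    if not is_world_open(source):
        return []
    lo, hi = rule["port_from"], rule["port_to"]
    approved = sum(1 for port in APPROVED_PUBLIC_PORTS if lo <= port <= hi)
    unapproved = (hi - lo + 1) - approved
    if unapproved == 0:
        return []
    severity = "critical" if hi > lo else "high"  # port ranges are worse than one port
    detail = f"{unapproved} unapproved port(s) in {lo}-{hi} open to {source}"
    return [Finding(rule["id"], "NET-001", severity, detail)]


def check_bucket(bucket):
    """Flag missing encryption and public read access that was never approved."""
    findings = []
    # A missing attribute counts as non-compliant rather than silently passing.
    if not bucket.get("encrypted", False):
        findings.append(Finding(bucket["name"], "STO-001", "high",
                                "encryption at rest not enabled"))
    if bucket.get("public_read", True) and not bucket.get("approved_public", False):
        findings.append(Finding(bucket["name"], "STO-002", "critical",
                                "publicly readable without approval"))
    return findings


def assess(inventory):
    """Run every check and return findings ordered by severity, then resource."""
    findings = []
    for rule in inventory.get("firewall_rules", []):
        findings.extend(check_firewall_rule(rule))
    for bucket in inventory.get("buckets", []):
        findings.extend(check_bucket(bucket))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource))


def run_sample():
    return assess(json.loads(INVENTORY_JSON))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper():8}] {f.check_id} {f.resource}: {f.detail}")
```

The approved exceptions (`fw-web` on 443 and the `public-site` bucket) pass without findings, which is the part that keeps a check like this from drowning reviewers in false positives.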

        8. Artificial Intelligence (AI) Enhanced Authentication Arrives:

        Artificial intelligence (AI) is being utilized to strengthen user authentication methods. Behavioral biometrics, such as analyzing typing patterns, mouse movements, and RAM usage, can add an extra layer of security by recognizing the unique behavior of legitimate users. Systems that use AI to analyze user behavior can detect and flag suspicious activity, such as an unauthorized user attempting to access an account or escalate a privilege [37]. Two-factor authentication remains the bare standard, with many leading identity and access management (IAM) application makers including Okta, SailPoint, and Google experimenting with AI for improved analytics and functionality. Both two-factor and multifactor authentication benefit from AI advancements with machine learning via real-time access rights reassignment and improved role groupings [38]. However, multifactor remains stronger at this point because it includes something you are, biometrics. The jury is out on which method will remain the security leader because biometrics can be faked by AI [39]. Importantly, AI tools can remove fake accounts or orphaned accounts much more quickly, reducing risk. However, it likely will not get it right 100% of the time so there is a slight inconvenience.

        Conclusion and Recommendations:

        Artificial intelligence (AI) remains a leading catalyst for digital transformation in tech automation, identity and access management (IAM), big data analytics, technology orchestration, and collaboration tools. AI based quantum computing serves to bolster encryption when old methods are replaced. All of the government actions to incubate ethics in AI are a good start and the NIST AI Risk Management Framework (AI RMF) 1.0 is long overdue. It will likely be tweaked based on private sector feedback. However, adding the DOD five principles for the ethical development of AI to the NIST AI RMF could derive better synergies. This approach should be used by the private sector and academia in customized ways. AI product ethical deviations should be thought of as quality control and compliance issues and remediated immediately.

        Organizations should consider forming an AI governance committee to make sure this unique risk is not overlooked or overly merged with traditional web / IT risk. ChatGPT is a good encyclopedia and a cool Boolean search tool, yet it got some things wrong about quantum computing in this article, which we cited and corrected. The Simplified AI text to graphics generator was cool and useful but it needed some manual edits as well. Both of these generative AI tools will likely get better with time.

        Artificial intelligence (AI) will spur many mobile malware and ransomware variants faster than Apple and Google can block them. This, in conjunction with the fact that people more often have no mobile antivirus on their smart phone even if they have it on their personal and work computers, and a culture of happy-go-lucky application downloading, makes it all the worse. As a result, more breaches should be expected via smart phones / watches / eyeglasses from AI-enabled threats.

        Therefore, education and awareness around the review and removal of non-essential mobile applications is a top priority, especially for mobile devices used separately or jointly for work purposes. Containerization is required via a mobile device management (MDM) tool such as JAMF, Hexnode, VMware, or Citrix Endpoint Management. A bring your own device (BYOD) policy needs to be written, followed, and updated often, informed by need-to-know and role-based access (RBAC) principles. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web / IT risk. Mapping the mobile ecosystem components in detail is a must, including the AI touch points.

        The growth and acceptability of mass work from home (WFH) combined with the mass resignation / gig economy remind employers that great pay and culture alone are not enough to keep top talent. At this point AI only takes away some simple jobs but creates AI support jobs, yet the percentages are not clear this early. Signing bonuses and personalized treatment are likely needed for those with top talent. We no longer have the same office and thus less badge access is needed. Single sign-on (SSO) will likely expand to personal devices (BYOD) and smart phones / watches / eyeglasses. Geolocation-based authentication is here to stay with double biometrics, likely fingerprint, eye scan, typing patterns, and facial recognition. The security perimeter remains more defined by data analytics than physical / digital boundaries, and we should dashboard this with machine learning tools as the use cases evolve.

        Cloud infrastructure will continue to grow fast, creating perimeter and compliance complexity / fog. Organizations should preconfigure artificial intelligence (AI) based cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and plug-in applications. It also mitigates risk and makes vendors bid more competitively. There is huge potential for AI synergies with Cloud Security Posture Management (CSPM) tools and threat response tools – experimentation will likely yield future dividends. Organizations should not be passive and stuck in old paradigms. The older generations should seek to learn from the younger generations without bias. Also, comprehensive logging is a must for AI tools.

        In regard to cryptocurrency, non-fungible tokens (NFTs), initial coin offerings (ICOs), and related exchanges – artificial intelligence (AI) will be used by crypto scammers and those seeking to launder money. Watch out for scammers who make big claims without details, white papers, filings, or any explanation at all. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers and advisors want to share that information and will back it up with details in many documents and filings [40]. Moreover, better blacklisting by crypto exchanges and banks is needed to stop these illicit transactions, erring far on the side of compliance. This requires us to pay more attention to knowing and monitoring our own social media baselines – emerging AI data analytics can help here. If you are for and use crypto mixer and / or splitter services, then you run the risk of having your digital assets mixed with dirty digital assets, you have high fees, you have zero customer service, no regulatory protection, no decent Terms of Service and / or Privacy Policy if any, and you have no guarantee that it will even work the way you think it will.

        As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about this because if we are, then our organizations will stay weak and outdated and we will be plied by the same artificial intelligence (AI) generated political bias that we fear confronting. More social media training is needed as many security professionals still think it is mostly an external marketing thing.

        It’s best to assume AI tools are reading all social media posts and all other available articles, including this article which we entered into ChatGPT for feedback. It was slightly helpful pointing out other considerations. Public-to-private partnerships (InfraGard) need to improve and application to application permissions need to be more scrutinized. Everyone does not need to be a journalist, but everyone can have the common sense to identify AI / malware-inspired fake news. We must report undue AI bias in big tech from an IT, compliance, media, and a security perspective. We must also resist the temptation to jump on the AI hype bandwagon but rather should evaluate each tool and use case based on the real-world business outcomes for the foreseeable future.

        About the Authors:

        Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist / researcher, and senior management tech risk consultant. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire. He is an alum of the Federal Reserve Secure Payment Task Force, the Crystal, Robbinsdale and New Hope Citizens Police Academy, and the Minneapolis FBI Citizens Academy.

        Matthew Versaggi is a senior leader in artificial intelligence with large company healthcare experience who has seen hundreds of use-cases. He is a distinguished engineer, built an organization’s “College of Artificial Intelligence”, introduced and matured both cognitive AI technology and quantum computing, has been awarded multiple patents, is an experienced public speaker, entrepreneur, strategist and mentor, and has international business experience. He has an MBA in international business and economics and an MS in artificial intelligence from DePaul University, and a BS in finance and MIS and a BA in computer science from Alfred University. Lastly, he has nearly a dozen professional certificates in AI that are split between AI, technology, and business strategy.

        References:


        [1] Swenson, Jeremy, and NIST; Mashup 12/15/2023; “Artificial Intelligence Risk Management Framework (AI RMF 1.0)”. 01/26/23: https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf.

        [2] Swenson, Jeremy, and Simplified AI; AI Text to graphics generator. 01/08/24: https://app.simplified.com/

        [3] Swenson, Jeremy, and ChatGPT; ChatGPT Logo Mashup. OpenAI. 12/15/23: https://chat.openai.com/auth/login

        [4] The White House; “Fact Sheet: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence.” 10/30/23: https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/

        [5] Nerdynav; “107 Up-to-Date ChatGPT Statistics & User Numbers [Dec 2023].” 12/06/23: https://nerdynav.com/chatgpt-statistics/

        [6] Sun, Zhiyuan; “Two individuals indicted for $25M AI crypto trading scam: DOJ.” Cointelegraph. 12/12/23: https://cointelegraph.com/news/two-individuals-indicted-25m-ai-artificial-intelligence-crypto-trading-scam

        [7] Nerdynav; “107 Up-to-Date ChatGPT Statistics & User Numbers [Dec 2023].” 12/06/23: https://nerdynav.com/chatgpt-statistics/

        [8] Nerdynav; “107 Up-to-Date ChatGPT Statistics & User Numbers [Dec 2023].” 12/06/23: https://nerdynav.com/chatgpt-statistics/

        [9] The White House; “Fact Sheet: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence.” 10/30/23: https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/

        [10] EU. “EU AI Act: first regulation on artificial intelligence.” 12/19/23: https://www.europarl.europa.eu/news/en/headlines/society/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence

        [11] Jackson, Amber; “Top 10 companies with ethical AI practices.” AI Magazine. 07/12/23: https://aimagazine.com/ai-strategy/top-10-companies-with-ethical-ai-practices

        [12] Golbin, Ilana, and Axente, Maria Luciana; “9 ethical AI principles for organizations to follow.” World Economic Forum and PricewaterhouseCoopers (PWC). 06/23/21: https://www.weforum.org/agenda/2021/06/ethical-principles-for-ai/

        [13] Lopez, Todd C; “DOD Adopts 5 Principles of Artificial Intelligence Ethics”. DOD News. 02/25/20: https://www.defense.gov/News/News-Stories/article/article/2094085/dod-adopts-5-principles-of-artificial-intelligence-ethics/

        [14] Golbin, Ilana, and Axente, Maria Luciana; “9 ethical AI principles for organizations to follow.” World Economic Forum and PricewaterhouseCoopers (PWC). 06/23/21: https://www.weforum.org/agenda/2021/06/ethical-principles-for-ai/

        [15] The Office of the Director of National Intelligence. “Principles of Artificial Intelligence Ethics for the Intelligence Community.” 07/23/20: https://www.dni.gov/index.php/newsroom/press-releases/press-releases-2020/3468-intelligence-community-releases-artificial-intelligence-principles-and-framework#:~:text=The%20Principles%20of%20AI%20Ethics,resilient%20by%20design%2C%20and%20incorporate

        [16] NIST; “NIST AI RMF Playbook.” 01/26/23: https://airc.nist.gov/AI_RMF_Knowledge_Base/Playbook

        [17] NIST; “Artificial Intelligence Risk Management Framework (AI RMF 1.0).” 01/26/23: https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf

        [18] NIST; “Artificial Intelligence Risk Management Framework (AI RMF 1.0).” 01/26/23: https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf

        [19] Crafts, Nicholas; “Artificial intelligence as a general-purpose technology: an historical perspective.” Oxford Review of Economic Policy. Volume 37, Issue 3, Autumn 2021: https://academic.oup.com/oxrep/article/37/3/521/6374675

        [20] Sun, Zhiyuan; “Two individuals indicted for $25M AI crypto trading scam: DOJ.” Cointelegraph. 12/12/23: https://cointelegraph.com/news/two-individuals-indicted-25m-ai-artificial-intelligence-crypto-trading-scam

        [21] Patel, Pranav; “ChatGPT brings forth new opportunities and challenges to the Cybersecurity industry.” LinkedIn Pulse. 04/03/23: https://www.linkedin.com/pulse/chatgpt-brings-forth-new-opportunities-challenges-industry-patel/

        [22] FTC; “Preventing the Harms of AI-enabled Voice Cloning.” 11/16/23: https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/11/preventing-harms-ai-enabled-voice-cloning

        [23] Fiata, Gabriele; “Why Evolving AI Threats Need AI-Powered Cybersecurity.” Forbes. 10/04/23: https://www.forbes.com/sites/sap/2023/10/04/why-evolving-ai-threats-need-ai-powered-cybersecurity/?sh=161bd78b72ed

        [24] Patel, Pranav; “ChatGPT brings forth new opportunities and challenges to the Cybersecurity industry.” LinkedIn Pulse. 04/03/23: https://www.linkedin.com/pulse/chatgpt-brings-forth-new-opportunities-challenges-industry-patel/

        [25] Tobin, Donal; “What Challenges Are Hindering the Success of Your Data Lake Initiative?” Integrate.io. 10/05/22: https://www.integrate.io/blog/data-lake-initiative/

        [26] Chuvakin, Anton; “Why Your Security Data Lake Project Will … Well, Actually …” Medium. 10/22/22. https://medium.com/anton-on-security/why-your-security-data-lake-project-will-well-actually-78e0e360c292

        [27] Amazon Web Services; “What are the types of quantum technology?” 01/07/23: https://aws.amazon.com/what-is/quantum-computing/ 

        [28] ISARA Corporation; “What is Quantum-safe Cryptography?” 2023: https://www.isara.com/resources/what-is-quantum-safe.html

        [29] Swenson, Jeremy, and ChatGPT; OpenAI. 12/15/23: https://chat.openai.com/auth/login

        [30] Utimaco; “What is Lattice-based Cryptography?” 2023: https://utimaco.com/service/knowledge-base/post-quantum-cryptography/what-lattice-based-cryptography

        [31] D. Bernstein, and T. Lange; “Post-quantum cryptography – dealing with the fallout of physics success.” IACR Cryptology. 2017: https://www.semanticscholar.org/paper/Post-quantum-cryptography-dealing-with-the-fallout-Bernstein-Lange/a515aad9132a52b12a46f9a9e7ca2b02951c5b82

        [32] Swenson, Jeremy, and ChatGPT; OpenAI. 12/15/23: https://chat.openai.com/auth/login

        [33] Sibanda, Isla; “AI and Machine Learning: The Double-Edged Sword in Cybersecurity.” RSA Conference. 12/13/23: https://www.rsaconference.com/library/blog/ai-and-machine-learning-the-double-edged-sword-in-cybersecurity

        [34] Michael, Katina, Abbas, Roba, and Roussos, George; “AI in Cybersecurity: The Paradox.” IEEE Transactions on Technology and Society. Vol. 4, no. 2: pg. 104-109. 2023: https://ieeexplore.ieee.org/abstract/document/10153442

        [35] Microsoft; “What is CSPM?” 01/07/24: https://www.microsoft.com/en-us/security/business/security-101/what-is-cspm 

        [36] Rosencrance, Linda; “How to choose the best cloud security posture management tools.” CSO Online. 10/30/23: https://www.csoonline.com/article/657138/how-to-choose-the-best-cloud-security-posture-management-tools.html

        [37] Muneer, Salman Muneer, Muhammad Bux Alvi, and Amina Farrakh; “Cyber Security Event Detection Using Machine Learning Technique.” International Journal of Computational and Innovative Sciences. Vol. 2, no (2): pg. 42-46. 2023: https://ijcis.com/index.php/IJCIS/article/view/65.

        [38] Azhar, Ishaq; “Identity Management Capability Powered by Artificial Intelligence to Transform the Way User Access Privileges Are Managed, Monitored and Controlled.” International Journal of Creative Research Thoughts (IJCRT), ISSN:2320-2882, Vol. 9, Issue 1: pg. 4719-4723. January 2021: https://ssrn.com/abstract=3905119

        [39] FTC; “Preventing the Harms of AI-enabled Voice Cloning.” 11/16/23: https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/11/preventing-harms-ai-enabled-voice-cloning

        [40] FTC; “What To Know About Cryptocurrency and Scams.” May 2022: https://consumer.ftc.gov/articles/what-know-about-cryptocurrency-and-scams

        Top Pros and Cons of Disruptive Artificial Intelligence (AI) in InfoSec

        Fig. 1. Swenson, Jeremy, Stock; AI and InfoSec Trade-offs. 2024.

        Disruptive technology refers to innovations or advancements that significantly alter the existing market landscape by displacing established technologies, products, or services, often leading to the transformation of entire industries. These innovations introduce novel approaches, functionalities, or business models that challenge traditional practices, creating a substantial impact on how businesses operate (ChatGPT, 2024). Disruptive technologies typically emerge rapidly, offering unique solutions that are more efficient, cost-effective, or user-friendly than their predecessors.

        The disruptive nature of these technologies often leads to a shift in market dynamics, as with digital cameras or smartphones: new entrants or previously marginalized players gain prominence while established entities may face challenges in adapting to the transformative changes (ChatGPT, 2024). Examples of disruptive technologies include the advent of the internet, mobile technology, and artificial intelligence (AI), each reshaping industries and societal norms. Here are four of the leading AI tools:

        1.       OpenAI’s GPT:

        OpenAI’s GPT (Generative Pre-trained Transformer) models, including GPT-3 and GPT-2, are predecessors to ChatGPT. These models are known for their large-scale language understanding and generation capabilities. GPT-3, in particular, is one of the most advanced language models, featuring 175 billion parameters.

        2.       Microsoft’s DialoGPT:

        DialoGPT is a conversational AI model developed by Microsoft. It is an extension of the GPT architecture but fine-tuned specifically for engaging in multi-turn conversations. DialoGPT exhibits improved dialogue coherence and contextual understanding, making it a competitor in the chatbot space.

        3.       Facebook’s BlenderBot:

        BlenderBot is a conversational AI model developed by Facebook. It aims to address the challenges of maintaining coherent and contextually relevant conversations. BlenderBot is trained using a diverse range of conversations and exhibits improved performance in generating human-like responses in chat-based interactions.

        4.       Rasa:

        Rasa is an open-source conversational AI platform that focuses on building chatbots and voice assistants. Unlike some other models that are pre-trained on large datasets, Rasa allows developers to train models specific to their use cases and customize the behavior of the chatbot. It is known for its flexibility and control over the conversation flow.

        Here is a list of the pros and cons of AI-based infosec capabilities.

        Pros of AI in InfoSec:

        1. Improved Threat Detection:

        AI enables quicker and more accurate detection of cybersecurity threats by analyzing vast amounts of data in real time and identifying patterns indicative of malicious activities. Security orchestration, automation, and response (SOAR) platforms leverage AI to analyze and respond to security incidents, allowing security teams to automate routine tasks and respond more rapidly to emerging threats. Microsoft Sentinel, Rapid7 InsightConnect, and FortiSOAR are just a few of the current examples.

        2. Behavioral Analysis:

        AI can perform behavioral analysis to identify anomalies in user behavior or network activities, helping detect insider threats or sophisticated attacks that may go unnoticed by traditional security measures. Behavioral biometrics, such as analyzing typing patterns, mouse movements, and RAM usage, can add an extra layer of security by recognizing the unique behavior of legitimate users. Systems that use AI to analyze user behavior can detect and flag suspicious activity, such as an unauthorized user attempting to access an account or escalate a privilege.

        3. Enhanced Phishing Detection:

        AI algorithms can analyze email patterns and content to identify and block phishing attempts more effectively, reducing the likelihood of successful social engineering attacks.

        4. Automation of Routine Tasks:

        AI can automate repetitive and routine tasks, allowing cybersecurity professionals to focus on more complex issues. This helps enhance efficiency and reduces the risk of human error.

        5. Adaptive Defense Systems:

        AI-powered security systems can adapt to evolving threats by continuously learning and updating their defense mechanisms. This adaptability is crucial in the dynamic landscape of cybersecurity.

        6. Quick Response to Incidents:

        AI facilitates rapid response to security incidents by providing real-time analysis and alerts. This speed is essential in preventing or mitigating the impact of cyberattacks.

        Cons of AI in InfoSec:

        1. Sophistication of Attacks:

        As AI is integrated into cybersecurity defenses, attackers may also leverage AI to create more sophisticated and adaptive threats, leading to a continuous escalation in the complexity of cyberattacks.

        2. Ethical Concerns:

        The use of AI in cybersecurity raises ethical considerations, such as privacy issues, potential misuse of AI for surveillance, and the need for transparency in how AI systems operate.

        3. Cost and Resource Intensive:

        Implementing and maintaining AI-powered security systems can be resource-intensive, both in terms of financial investment and skilled personnel required for development, implementation, and ongoing management.

        4. False Positives and Negatives:

        AI systems are not infallible and may produce false positives (incorrectly flagging normal behavior as malicious) or false negatives (failing to detect actual threats). This poses challenges in maintaining a balance between security and user convenience.

        5. Lack of Human Understanding:

        AI lacks contextual understanding and human intuition, which may result in misinterpretation of certain situations or the inability to recognize subtle indicators of a potential threat. This is where QA and governance come in, in case something goes wrong.

        6. Dependency on Training Data:

        AI models rely on training data, and if the data used is biased or incomplete, it can lead to biased or inaccurate outcomes. Ensuring diverse and representative training data is crucial to the effectiveness of AI in InfoSec.

        About the author:

        Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist / researcher, and senior management tech risk consultant. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire. He is an alum of the Federal Reserve Secure Payment Task Force, the Crystal, Robbinsdale and New Hope Citizens Police Academy, and the Minneapolis FBI Citizens Academy.

        No Interview Needed to Join Microsoft After Getting Fired From OpenAI – Sam Altman

        Fig. 1. Former OpenAI CEO Sam Altman and Microsoft CEO Satya Nadella. Getty Images, 2023.

        #chatGPT #Microsoft #openai #boardgovernance

        Update: Sam Altman is returning to OpenAI as CEO, ending days of drama and negotiations with the help of heavy investor Microsoft and Silicon Valley insiders (Bloomberg, 11/22/23). In sum, there were more issues without Sam than with him and the board realized that pretty fast. So now some board members have to be shown the door.

        Some may view a fired executive like Sam Altman as damaged goods but we all know that corporate boards get these things wrong all the time, and it’s more about office politics and cliques than substantive performance.

        The board described their decision as a “deliberative review process which concluded that he was not consistently candid in his communications with the board, hindering its ability to exercise its responsibilities. The board no longer has confidence in his ability to continue leading OpenAI.” Yet the board’s statement makes little sense and is out of context for an emerging technology at a time such as this.

        As a result of this nonsensical firing, there was likely no job interview when Sam Altman joined Microsoft. He was already validated as a thought leader in the tech and generative AI community, so it was hardly needed. Microsoft CEO Satya Nadella was a fan and already invested billions into OpenAI. He saw the open opportunity and took it fast before another tech company could. The same thing happened when Oracle CEO Larry Ellison hired Mark Hurd in 2010 after HP fired him and the results were great.

        This begs the question of how valuable job interviews are in the area of emerging tech or for people with visible achievements. What is the H.R. screener or some tech director in a fiefdom going to ask you? They would hardly understand the likely answers in a meaningful way anyway. I know many tech and business leaders who have wasted time in dumb interviews in contexts such as these and it is a poor reflection of the companies setting them up this way.

        In other words, plenty of people will not want to work for OpenAI because of how Altman was publicly treated while Microsoft looks more inclusive and forward-thinking. So I am sure many people will leave OpenAI to follow Altman at Microsoft and that is really how OpenAI shot themselves in the foot especially considering Microsoft’s size.

        Any failings and risks designed into ChatGPT are as much the problem of OpenAI as they are of every other company working in this vastly unknown and emerging area of tech. To blame that on Altman in this context seems unreasonable and thus he is a fall guy.

        There are good and bad things with AI just like with any technology, yet the good far outweighs the bad in this context. Microsoft knows that there are problems in AI in cyber security, fraud, IP theft, and more. The bigger and more capable their AI team the better they can address these issues, now with Altman’s help.

        Now, of course, Altman has to be evaluated on his performance at Microsoft making sure AI stays viable and within the approved guardrails, and hopefully innovates a few solutions to make society better. Yet the free market of other tech companies and regulators also have that responsibility.

        About the Author:

        Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

        The Importance of the 3-2-1 Back-Up Method

        #321backup #disasterrecovery #incidentmanagement #ransomeware #databreach #ciatriad

        Fig. 1. 3-2-1 Backup Infographic, Stock, 2023.

        Backing up data is one of the best things you can do to improve your response to ransomware, a data breach, an infrastructure failure, or another type of cyber-attack. Without a good comprehensive backup method that works and is tested, you likely will not be able to recover from where you left off thereby harming your business and customers.

        The 3-2-1 backup method requires saving multiple copies of data on different device types and in different locations. More specifically, the 3-2-1 method follows these three requirements:

        1. 3 Copies of Data: Have three copies of data—the original, and at least two copies.
        2. 2 Different Media Types: Use two different media types for storage. This can help reduce the effect of any failure that hits one specific storage media type more than the other.
        3. 1 Copy Offsite: Keep one copy offsite to prevent the possibility of data loss due to a site-specific failure.

        Here are some pointers to make your backup more effective:

        1. Select the right data to back up: Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Not everything is worth backing up as it’s a waste of space. For example, data that is 8 years old with no business use is not worth backing up.
        2. Back up on a schedule: Back up data automatically on a repeatable schedule, if possible, bi-weekly, weekly, or even daily if needed. Pick a day or time range when the backup will run, say Thursdays at 10:00 p.m. CST (when most users are not working).
        3. Have backup test plans and follow them: Your backup plan must be written down in a clear and detailed way describing the backup process, roles, interconnections, and milestones which can gauge if it’s working, as well as the service time to recovery expected. Then of course test the backup at least every six months or after a key infrastructure change happens.
        4. Automate backups: Use software automation to execute the backups to save user time, and to reduce the risk of human error.
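
        The 3-2-1 requirements and the scheduling and testing pointers above can be checked automatically against a backup inventory. The following is an added example, not code from the original article; the `Copy` record, the `audit_321` function, the weekly freshness default, and the inventory values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Copy:
    name: str
    media: str                           # storage media type, e.g. "disk", "tape"
    offsite: bool                        # stored away from the primary site?
    is_original: bool = False            # True for the live production data
    run_id: str = ""                     # backup run that wrote this copy
    sha256: str = ""                     # digest recorded when the copy was written
    written: Optional[datetime] = None   # when the backup copy was written
    restore_tested: Optional[datetime] = None  # last successful test restore


def audit_321(copies: List[Copy], now: datetime,
              max_age: timedelta = timedelta(days=7),          # assumed weekly schedule
              max_test_age: timedelta = timedelta(days=183),   # "at least every six months"
              ) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    backups = [c for c in copies if not c.is_original]

    # 3 copies: the original plus at least two backup copies.
    if len(copies) < 3 or len(backups) < 2:
        findings.append(f"3-COPIES: found {len(copies)} copies, {len(backups)} of them backups")

    # 2 media types across all copies.
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append(f"2-MEDIA: every copy is on {media}")

    # 1 offsite: at least one backup copy must be away from the primary site.
    if not any(c.offsite for c in backups):
        findings.append("1-OFFSITE: no backup copy is stored offsite")

    # Schedule and test plan: each backup must be fresh and restore-tested.
    for c in backups:
        if c.written is None or now - c.written > max_age:
            findings.append(f"STALE: {c.name} is older than {max_age.days} days")
        if c.restore_tested is None or now - c.restore_tested > max_test_age:
            findings.append(f"UNTESTED: {c.name} has no restore test in {max_test_age.days} days")

    # Copies written by the same run must carry the same digest; a difference
    # means one of them was corrupted or altered after the run.
    digests_by_run = {}
    for c in backups:
        digests_by_run.setdefault(c.run_id, set()).add(c.sha256)
    for run_id, digests in sorted(digests_by_run.items()):
        if len(digests) > 1:
            findings.append(f"MISMATCH: run {run_id} has {len(digests)} different digests")
    return findings


# Constructed sample inventories (not real systems).
NOW = datetime(2023, 11, 2, 22, 0)
GOOD = [
    Copy("file-server", "disk", offsite=False, is_original=True),
    Copy("local-tape", "tape", offsite=False, run_id="2023-10-31", sha256="a" * 64,
         written=NOW - timedelta(days=2), restore_tested=NOW - timedelta(days=30)),
    Copy("cloud-bucket", "object-storage", offsite=True, run_id="2023-10-31", sha256="a" * 64,
         written=NOW - timedelta(days=2), restore_tested=NOW - timedelta(days=90)),
]
BAD = [
    Copy("file-server", "disk", offsite=False, is_original=True),
    Copy("usb-disk", "disk", offsite=False, run_id="r1", sha256="a" * 64,
         written=NOW - timedelta(days=20), restore_tested=None),
    Copy("nas", "disk", offsite=False, run_id="r1", sha256="b" * 64,
         written=NOW - timedelta(days=1), restore_tested=NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for label, inventory in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_321(inventory, NOW) or "passes 3-2-1")
```

        The `BAD` inventory has three copies but still fails: all are on one media type at one site, one is stale, neither has a current restore test, and the two copies from the same run disagree.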

        Five Reasons Why Real Estate is Overvalued and Headed Down Soon

        #realestate #mortgagerates #economics #housingmarket

        Fig 1. Housing Decline, Stock Image, 2023.

        It’s fair to say there has been a lot of hype and regional bubbles in the real estate market over the last five years, from hyper-explosive growth in Denver, spurred in part by the marijuana and outdoor recreation sectors, to mass biz-tech growth in Austin, Texas, due to favorable taxes and land plots. Part of this has been due to the pandemic mortgage rate decrease and to the pandemic drawing out the value of single-family homes, detached townhomes, and/or anything but renting an apartment where contagion spread is more likely. Yet here are five detailed reasons why the real estate market is generally overvalued and headed down soon.

        1) For new buyers and those looking to refinance, mortgage rates are still too high, even with the recent decline from 7.31% to 7.20% on average for a 30-year fixed traditional loan (Yaël Bizouati-Kennedy, Yahoo Finance, 09/06/23). According to the National Association of Realtors, the average monthly mortgage payment rose 85% in the past 19 months, from $1,212 in January 2022 to $2,246 in August 2023 (US Bank, The impact of today’s higher interest rates on the housing market, 08/30/23). Yet income has not gone up on average enough to get close to matching this payment increase.

        2) Most of the people who wanted to move to other cities due to the mass work-from-home shift drawn out by the pandemic have already moved and secured mortgages in the lower 2.25% to 4.50% range. They have little incentive to move again considering higher moving costs and higher mortgage costs. Plus, many of them are now settled down with families and friends and are thus doubly less likely to move anytime soon.

        3) Both new purchase and refinancing mortgage application numbers are at a huge 28-year low. “Mortgage applications declined to the lowest level since December 1996, despite a drop in mortgage rates. Both purchase and refinance applications fell, with the purchase index hitting a 28-year low” (Joel Kan, Mortgage Bankers Association, 09/06/23). Additionally, it is not likely to get better anytime soon and has already brought demand down. Slight mortgage rate increases or decreases will not do much to reduce this trend because income has not gone up enough and overall inflation has not decreased enough.

        4) The millennial generation on average, when compared to other generations, is overly individualistic, spends a lot on fancy cars and vanity (YOLO), and does not save much. Thus, this generation has a higher-than-average number of people who will not qualify for a mortgage in this environment at present. The next generation, Zoomers, although generally farther from the homeownership age, are not on track to save either. Both of these generations are on average far worse financial planners than previous generations. “A Bankrate survey observed that 54% of younger millennials and 46% of Gen Z respondents said their emergency savings had declined since 2020. The survey also revealed that millennials were more likely than other generations to have higher credit card debts than savings balances” (Megan Sauer, CNBC, 06/14/2022). What’s the point in saving money if you are an Instagram model or video game streamer? There are no large-scale plans to solve this anytime soon by either the government or private sector.

        5) Although a study from April 2023 indicated that one-third of home buyers are cash buyers (Al Yoon, Insider, 06/08/23), this cannot logically last with inflation making most things cost more, estate financial transitions, and divorces on the rise taking more of that cash reserve. Cash buyers are running out of cash and there are fewer of them left after the housing boom and bid war from 2018 to mid-2023. The other issue with cash buyers is they need to prove where the cash came from. Sadly, a higher percentage of that is from fraud due to increased crypto money laundering, NFT pump-and-dump scams, and related ventures. With Western authorities cracking down on these fraudsters, their dirty money will less often be used to purchase homes.

        Silicon Valley Bank Fails Due to Lack of Diversification, Weak Governance, and Hype – Creating a Bank Run

        Fig. 1. Silicon Valley Bank Cash Transfer Vehicle, Justin Sullivan, Getty Images, 2023.

        #svbfailure #svbbank #siliconvalleybank #cryptobank #venturetech #cryptofraud #bankgovernance #bankcomplaince #FDICSVB

        The California Department of Financial Protection closed Silicon Valley Bank (SVB) on Fri 03/10/23 and the FDIC took control of and seized its deposits in the largest U.S. banking failure since the 2008 to 2012 mortgage financial crisis, and the second largest ever. Although SVB was well known in San Francisco and Boston, where they had all of their 17 branches, they were little known to the wider public. SVB specialized in financing start-ups and had become the 16th largest U.S. bank by assets. Their numbers at the end of 2022 were impressive with $209 billion in assets and approximately $175.4 billion in deposits.

        As a precursor to their failure, SVB recorded six straight quarterly losses as economic conditions turned unfavorable. Then on Mon 02/27/23 their CEO Greg Becker sold $3.6 million of stock in a pre-arranged 10b5-1 plan designed to reduce conflict of interest, yet it’s still potentially questionable due to the gain he got and the odd timing weeks before their collapse. Yet other executives that sold in recent weeks may not have the protection of the 10b5-1 and that would be a worse example of conflict of interest.

        Some degree of support is needed for SVB because most there are not to blame; but so too is criticism so that the financial system can get better and innovate in the free market. You cannot just blindly support people (mostly sr. mgmt.) and organizations (crypto tie in) who are largely responsible for startup failures, frozen loans and payrolls, huge job loss, loss of deposited money over 250k, and great economic downturn – all the while the SVB mgmt. team gets very rich.

        Obviously, the competencies and character of some of the SVB mgmt. team were not as good as those of other community banks and credit unions that aggressively avoided and overcame such failings. They likely put in more work with a deeper concern for the community, clients, and regulatory compliance – generally speaking. These many small community banks and credit unions are often 90 or 100 plus years old and did not grow at as fast a pace as SVB – super fast growth equals fast failure. Conversely, SVB is only 40 years young and most of its growth happened in the later part of that period. This coming from a guy who has consulted/worked at more than 10 financial institutions among other things including bank launch, tech risk, product, and compliance.

        The company’s downward spiral blew up by late Weds 03/08/23, when it surprised investors with news that it needed to raise $2.25 billion to strengthen its balance sheet. This was influenced significantly by the Fed rate increases which forced the bank to raise lending rates, and that in turn made it hard for startups and medium-sized businesses to find approved funding. SVB also locked too much of their capital away in low-interest bonds. To strengthen their balance sheet in a slightly silly and desperate move, SVB sold $21 billion in securities at a large $1.8 billion loss. The details, timing, and governance of this make little sense, since the bank knew regulators were already watching closely. As a result, their stock fell 60% Thurs to $106.04 following the restructuring news.

        As would be expected this fueled a higher level of deposit outflows from SVB; a $25 billion decline in deposits in the final three quarters of 2022. This spooked a lot of people, including CFOs, founders, VCs, and some unnamed tech celebrities, most of whom started talking about the need to withdraw their money from SVB. SVB had almost 90% of its deposits uninsured by the FDIC which is far out of line with what traditional banks have. This is because the FDIC only covers deposits up to $250k. In contrast, Bank of America has about 32% of its deposits not insured by the FDIC – an enormous difference of 58%.

        Crypto firm Circle revealed in a tweet late Fri 03/10/23 that it held $3.3 billion with the bank. Roblox Corp. held 5% of its $3 billion in cash ($150 million) at the bank. Video streamer Roku held an estimated $487 million at SVB, representing approximately 26% of the company’s cash and cash equivalents as of Fri. Crypto exchange platform BlockFi, which filed for bankruptcy in November, listed $227 million in uninsured holdings at the bank. Some other SVB customers included ZipRecruiter, Pinterest, Shopify, and CrowdStrike. VCs like Y Combinator regularly referred startups to them.

        Yet after these initial outflows people started talking negatively, and the perception became greater than reality. It did not matter whether the bank had a liquidity crisis or not. Herd psychology created a snowball effect in that no one wanted to be the last depositor at a bank, observing the lessons learned from the prior banking mortgage crisis from 2008 to 2012 where Washington Mutual failed.

        In sum, customers withdrew a massive $42 billion of deposits by the end of Thurs 03/09/23, according to a California regulatory filing. As a result, SIVB stock continued to plummet down another 65% before premarket trading was halted early Fri by regulators.

        The FDIC described it this way in a press release:

        1. “All insured depositors will have full access to their insured deposits no later than Monday morning, March 13, 2023. The FDIC will pay uninsured depositors an advance dividend within the next week. Uninsured depositors will receive a receivership certificate for the remaining amount of their uninsured funds. As the FDIC sells the assets of Silicon Valley Bank, future dividend payments may be made to uninsured depositors.
        2. Silicon Valley Bank had 17 branches in California and Massachusetts. The main office and all branches of Silicon Valley Bank will reopen on Monday, March 13, 2023. The DINB will maintain Silicon Valley Bank’s normal business hours. Banking activities will resume no later than Monday, March 13, including on-line banking and other services. Silicon Valley Bank’s official checks will continue to clear. Under the Federal Deposit Insurance Act, the FDIC may create a DINB to ensure that customers have continued access to their insured funds.”

        That’s largely a bank run, and it is really bad news for SVB and many startups and medium businesses. SVB has been a foundational piece of the tech startup ecosystem. It was also known to industry commentators and tech risk researchers that SVB struggled with tech risk compliance, overall governance, and even had no chief risk officer in the eight months prior.

        With reasoning and no direct evidence, only circumstantial evidence — as I had a couple of interviews with them and was less than impressed with their competency and trajectory — I speculate that crypto ties were a significant negative factor here because many of the companies and tech sub-domains SVB served are entangled with crypto and crypto-related entities. Examples of this include their dealings with Circle — it manages part of the USDC stablecoin reserve of the American Circle, which confirmed it had a little more than $3 billion of reserve blocked with SVB.

        A Fri 03/10/23 Tweet from reporter Lauren Hirsch described BlockFi’s risky crypto entanglements with SVB this way: “Per new bankruptcy filing, BlockFi has $227m in Silicon Valley Bank. The bankruptcy trustee warned them on Mon that bc those funds are in a money market mutual fund, they’re not FDIC secured — which could be a prblm w/ keeping in compliance of bankruptcy law”.

        Crypto compliance and insight for a big bank is very complex, undefined, and risk prone. The biggest tech venture bank has to be involved with a few crypto-related failings and controversies, and the above are just a few examples, but I am sure there are more. I just don’t have the data to back that up now, but I am sure it’s being investigated and/or litigated.

        Note * This is a complex, evolving, and new development — some info may be incomplete and/or out of date at the time you view this.

        About the Author:

        Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.