Up Times
Up Times · April 2025

Worcester’s Bancroft Tower in the early snow. It was designed by Stephen Earle in 1900 and built to last.
Who’s tenacious? – Given enough time and deep pockets, determined criminal actors can breach even strong defenses – as happened in the past couple of years at T-Mobile, Western Digital and Change Healthcare.
Still it is possible for your organization to have a stable digital environment in which to do your work. And while smaller organizations are definite targets, the resources you need to mount a proper defense are within your reach.
In broad strokes, Bryley’s plan is that by employing strong armor in coordinated layers, the bad guys will be the ones who lose heart – your organization becomes not worth their trouble – and so they move on to an easier target.
Even so, employees may click phishing emails or reuse passwords (these are always among the top problems that let attackers in). But a security strategy based on resilience, not perfection, means mistakes don’t spiral out of control.
COO Anna Darlagiannis-Livingstone gave this example of Bryley’s layered approach: When the SOC [Security Operations Center]¹ alerts Bryley, there are four people notified who can handle the possible emergency. All these alerts are texted, phoned and emailed, so if any communication method fails, the alert will still get through.
Anna continued: and then Bryley uses different vendors for EDR [Endpoint Detection and Response, used for desktop/laptop monitoring] and XDR [Extended Detection and Response, used for network monitoring] because there is some overlap in these products’ oversight. So if one vendor should have an issue, Bryley can still work to isolate a breach.
Even if a layer is compromised, there are safeguards. Even if attackers breach an employee’s computer, they can’t move deeper into your systems. Even if you can’t stop an attack, you can avoid a catastrophe. Resilience doesn’t mean no setbacks – it means you get to keep going.
¹ A SOC is a 24/7 monitoring service staffed by security pros and threat hunters who investigate atypical network, cloud or endpoint (a laptop is an endpoint) events; atypical events may be signs of criminal activity.

We’ve all been affected by the speed of mechanization. And since 2022’s launch of ChatGPT the use-cases of mechanized language generation and coding have exploded. These developments have not been lost on criminals who use them to steal.
It takes AI to catch AI
Why Bryley has integrated AI into its defenses
For anyone who’s wrestled with the right way to say a thing, AI chatbots come across like a magic trick. And while OpenAI tries to dazzle us with a new announcement, criminal organizations have been figuring out how these technologies can make their operations faster and more efficient.
But let’s take a detour back through the mists of time to 2018. Before commonplace chatbots and diffusion image generators, bad guys had unleashed morphing malware to evade antivirus and anti-malware programs. Polymorphic malware was programmed to shape-shift, followed by more advanced morphing types that could also recognize a system’s defensive software and use evasion strategies tailored to its findings.
These are the sorts of attacks (and others like fileless or hard-drive-avoiding malware and insider threats) that led to the development of AI or ML (Machine Learning) defenses … [7 min. read; audio available]

CMMC Phase One has begun, so military contracting officers may now include the requirement for compliance with CMMC Levels 1 and 2 in new contracts.
CMMC is now active
What defense contractors need to know about CMMC going live
As of November 10, the Department of Defense (DoD) activated the Cybersecurity Maturity Model Certification (CMMC) program. The US government’s contracting officers can now require CMMC certification as a condition for awarding new contracts.
Without CMMC certification, businesses will no longer be awarded contracts or be able to work with the DoD when CMMC is specified in a solicitation (there is a window of grace and some exceptions). Understanding when this applies and how to prepare is essential to establishing or maintaining a position in the defense market … [8 min. read; audio available]

There’s an AI prompt and then there are deviations, like there’s pumpkins and pumpkins. One technique borrowed from coding may train AI agents to be less susceptible to malicious abuse.
Fuzzing to improve the security of AI agents
Porting a coding technique to fight prompt injection attacks
Prompt injections are one of the great weaknesses of AI chatbots. (Here’s another.)
Prompt injections can hide on a webpage – really without anything to stop them at this time. For instance, white text on a white background can hide a prompt injection – a person can’t see it, yet a browser-enabled AI chatbot is given malicious instructions.
The recent integrations of AI and browsers are candidates for extreme abuse. The browser’s AI agent, for example, may have permissions to control an open bank-account tab while, in another tab, the chatbot processes a page carrying a malicious prompt to send the bank account’s money to the attacker’s bank.
One of the interesting developments in minimizing prompt injection attacks comes from researcher Avihay Cohen (trained in Large Language Models [LLMs] at MIT). The basis of this approach is to mathematically fuzz prompts to find where the LLM’s weaknesses are and to establish guardrails against prompt injections. Fuzzing means generating deviations on a program’s inputs to test how the program responds, so that poor, incorrect or dangerous responses can be corrected (meantime Bryley can advise about best ways to integrate AI in your organization) … [45 min. read {abstract 4 min. read}] arxiv.org

Making it better.
‘Now what do I do?’
Simple damage control post-clicking a suspect link
Every networking set-up is unique and Bryley or your IT team may have given you specific instructions if you or an employee clicks a bad link. But here from Cisco Talos are steps meant for a personal device that also show the thinking behind containing any damage. The steps include:
- If you only clicked the link, and did not enter any information: Exit the browser immediately.
- If you entered your username and password: Change your password immediately for that account, and force a logout of all devices logged in … enable two-factor authentication (2FA) if available … create new, unique passwords for any other accounts that used the same credentials.
- If you entered credit card or banking information: Contact your bank or card issuer right away … freeze your card and get a replacement.
- If you downloaded or opened a file: Disconnect your device from the internet.
All of these share the theme of limiting attacker access as soon as possible … [5 min. read] talosintelligence.com

“ELIZA’s famous DOCTOR script mimicked a psychotherapist, reflecting users’ words back at them and so creating the illusion of understanding,” writes Nisheet Vishnoi. “It didn’t have a model of meaning; it was based on pattern-matching and substitution. And yet many people responded as if it did.”
At the back of the chat
Just the cues people look for in the people they tend to trust
One of the reasons phishing works so well and remains the top attack vector is that criminals prey on our weaknesses, like familiarity (‘this is from someone I trust’), overconfidence (‘I’m too smart to get taken in’) and urgency (‘I better do this so I don’t get fired’).
And now we have AI agents that present so confidently, it’s easy for humans to get lulled into not thinking critically, into not being diligent, into abandoning standards. The agents write and speak without hesitation, without looking for the right word, without understanding the use-case implications of their recommendations (as a basic example, AI agents can’t perceive physical spaces, so security systems need actual site surveys).
One antidote is to be reminded of what we’re actually dealing with.
So this is a plain language survey by Yale prof Nisheet Vishnoi – including his personal experiences at the start of these innovations … [30 min. read] substack.com

Criminals are out to steal what’s important to us. Bryley can help you strategize to fight back.
Huntress’ guide to data-exfiltration attacks
What’s it mean? How’s it happen? And what to do.
Some highlights:
- Encryption doesn’t necessarily stop data from being exfiltrated, but encrypting data means that even if it’s stolen, it’s extremely tough to use without the decryption key.
- Keep sensitive files on a need-to-know basis. Can files leave your facility on an employee’s thumb-drive? And then how would you secure the files?
- Sometimes data exfiltration goes unnoticed for months. By the time you notice, the information could [be] on the dark web. This is one way machine-learning-based Endpoint Detection and Response (EDR) can come through for you by observing behind-the-scenes criminal activity … [7 min. read] huntress.com

Turning on Windows 11’s agentic OS features should be considered with a view to security.
Microsoft has begun rolling out agentic integrations in its OS
Can be powerful with acknowledged risks
Not only do you get lightning-fast search for files and settings, you can now start a conversation with Microsoft 365 Copilot and also launch AI agents directly from the taskbar, per the Verge’s conversation with Navjot Virk, corporate vice president of Windows experiences.
Microsoft has also published a security-warning document with these new integrated-AI features. (These features are opt-in.) Among the issues Microsoft foresees: agentic AI applications introduce novel security risks, such as cross-prompt injection … where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.
Just as M365 Copilot needs to be thoughtfully deployed or it can lead to data-leaking headaches, the new AI agents need careful setup. Consult with Bryley about setting them up so that they are a help, but with limited permissions (using the principle of least privilege, as you would with an employee) to better protect your organization’s data … [10 min. read] microsoft.com
Note: The section directly above is Bryley’s curated list of external stories. Bryley does not take credit for the content of these stories, nor does it endorse or imply an affiliation with the authors or publications in which they appear.
Up Times, the monthly New England-centric technology newsletter, has been in continuous publication since 2000.


