Using a risk-based approach to deal with policy violations and continuous compliance monitoring will help avoid data exposures and fines.

Public cloud spending and adoption is growing fast. Analysts predict that organizations will spend $591.8 billion on cloud infrastructure and services in 2023, up 20.7% from the year before. In fact, according to Forrester, the public cloud market is projected to reach $1 trillion by 2026, with the majority of spending directed to the big four: Alibaba, Amazon Web Services, Google Cloud, and Microsoft.

So, what's happening? Organizations accelerated their cloud migration during the pandemic and saw huge benefits as cloud services enabled faster innovation, provided elasticity to respond to fluctuating demand, and scaled with growth. Now, there's no turning back, even as the C-suite cuts spending in other areas. Organizations' appetite is particularly large for infrastructure-as-a-service (IaaS), projected to reach $150 billion; and platform-as-a-service (PaaS), anticipated to reach $136 billion in 2023.

Yet all this heady growth, which is thrilling to business strategists and technologists alike, has a dark side. Organizations risk significantly increasing public cloud data risks if they don't take necessary steps to improve its security.

**Shadow Data Is Growing Due to Lax Security Controls**

Multiple factors are contributing to the problem of "shadow data" or unknown, unmanaged public cloud data. Business users are provisioning their own applications, and developers are continually spinning up their own instances to develop and test applications. Many of these services store and use sensitive data that IT and security teams don't know about. Cloud buckets may also store multiple versions of data in the same bucket, a process called versioning, which increases risks if policies aren't configured properly.

As the pace of innovation increases, unmanaged data stores are often forgotten about and abandoned. In addition, sensitive data that is properly secured could be moved or copied to an unsecured environment or rendered vulnerable if third parties or extraneous users are granted excessive access privileges.

To understand just how much sensitive data is out there, Laminar Labs scanned publicly facing cloud storage buckets. We were able to detect personally identifiable information (PII) in 21% of the buckets. The information we uncovered included physical and email addresses, phone numbers, drivers' license numbers, names, loan details, credit scores, and more. As just one example, we discovered a file with contact information, Ethereum and Bitcoin address information, and block card email addresses — all information that could easily be exploited by a hacker.

The majority of this shadow data was misplaced — often placed in a public bucket that became accidentally exposed. In other cases, AWS S3 buckets were misconfigured as public instead of private. Either way, myriad organizations are exposing sensitive data that is completely open to be exfiltrated.

**Three Steps to Better Public Cloud Data Security**

Most security professionals (82%) are aware of — and concerned about — their growing public cloud data security problem. Here's how these experts can move swiftly to mitigate threats:

*   **Discover and classify all cloud data:** A next-generation public cloud data security platform enables teams to auto-discover all their cloud data, not just known or tagged assets. It detects all cloud data holdings in managed and unmanaged assets, virtual instances, shadow data stores, data caches and pipelines, and big data. With this information, the platform builds a comprehensive, consistent data catalog across organizations' multicloud environments. The catalog precisely identifies and classifies all sensitive data, such as PII, personal health information (PHI), and payment card industry (PCI) transaction data.

*   **Secure and control cloud data:** With holistic insights into their sensitive cloud data, security teams can apply and enforce the right security policies and validate data settings against their organization's predetermined guardrails. A public cloud data security platform will reveal outstanding policy violations that can be prioritized in a risk-based manner, based on data sensitivity level, security posture, volume, and exposure.
*   **Remediate risks and monitor activity without interrupting data flow:** Teams can then begin remediating sensitive data without compromising business activity. A public cloud data security platform will prompt teams to apply best practices, such as enabling encryption and limiting third-party access, and practice better data hygiene, by removing unused sensitive data from the environment. This process is called data security posture management and provides recommendations that are tailored to each cloud environment, making them more relevant and effective. In addition, security teams can use the platform to enable continuous data monitoring. By doing so, they can rapidly identify policy violations and ensure public cloud data adheres to the organization's stated security posture and regulations, regardless of where it is stored, used, or moved in the cloud.

**Reduce Public Cloud Data Security Risks Today**

Public cloud data security is too important to be left to chance. In a report we released last year, "State of Public Cloud Data Security, "50% of respondents said their cloud environments had been breached in 2020 and 2021. And of this group, 58% had experienced cloud data leaks or exfiltration.

The best way to protect this valuable data is with a public cloud data security platform that is cloud-native, agentless, asynchronous, and able to scale with data growth. With this resource, IT and security teams can tame the complexity of managing and securing data across multiple vendors and hundreds of services. They can also regain control over sensitive cloud data: applying proper governance, using a risk-based approach to address the areas of greatest concern, and maintaining continuous compliance to avoid data exposures and fines.

Rising Public Cloud Adoption Is Accelerating Shadow Data Risks

Cisco’s acquisition of cloud-native firewall provider Valtix and HPE’s deal to buy SSE provider Axis Security fill gaps in their existing portfolios.

Cloud-native is where the deals are. Last week, Cisco announced a deal to buy Valtix, a startup offering a cloud-native firewall. A few days later, Hewlett Packard Enterprise (HPE) announced its own plans to buy Axis Security, a secure services edge (SSE) provider. Neither company disclosed the terms of the acquisitions, both of which are pending regulatory and shareholder approvals.

Both deals highlight how both companies are interested in cloud-native security capabilities and are filling the gaps in their respective product portfolios. Even so, analysts described both deals as being incremental.

“I see both of these acquisitions primarily as gap fillers,” says Mauricio Sanchez, research director covering network security, SASE, and SD-WAN at Dell’Oro Group. “HPE filled a larger gap by purchasing Axis, while Cisco got some interesting IP.”

**HPE Adds SASE to SD-WAN**

HPE plans to incorporate Axis Security’s SSE capabilities with its existing SD-WAN and network firewall offerings (from its Aruba division) to create a secure access service edge (SASE) offering. SASE provides the function of secure web gateways (SWS), cloud access security brokers (CASB), firewall-as-a-service offerings, and zero-trust network access (ZTNA) tools. Dell’Oro Group forecasts that spending on SSE, which consists of SD-WAN and SASE, will increase fivefold by 2027, when revenues top $60 billion.

HPE Aruba gained its SD-WAN offering to accelerate network connectivity to branch offices with its 2020 acquisition of Silver Peak. But until now, HPE lacked a SASE offering. “If HPE can execute well on that acquisition, it brings them back into the game for a broader SASE play,” says Omdia senior principal analyst Fernando Montenegro.

“With Axis, HPE is now able to say they are an end-to-end SASE vendor versus offering just the networking \[SD-WAN\] piece,” adds Sanchez. “The security element is where the action and money are, so by getting Axis, HPE can double their SAM \[served available market\] in one go.”

However, Axis is a small company with a limited market share, Sanchez warns. “HPE got the technology solution but not the market share,” he says. “They will have to battle it out with the large goliaths, like Zscaler and Palo Alto.”

Sanchez thinks HPE will steer midsize enterprises toward Axis.

**Cisco Will Build a Cloud-Native Firewall**

As for Cisco, Valtix engineers will join the networking giant’s Security Business Group, “where they will work closely to integrate into our Security Cloud portfolio and accelerate our path to delivering a seamless experience in securing workloads across multi-cloud environments,” said Raj Chopra, senior VP and the group’s chief product officer, in a blog post.

The Valtix position is that virtual appliances are not well-suited for multicloud and hybrid environments, a sentiment shared by Omdia’s Montenegro.

“The challenge with deploying virtual firewalls in cloud environments is they don’t integrate as well with the rest of the clouds,” Montenegro says. “You want your network security component, the firewall, to understand how elastic your underlying environment is and to potentially do more than a traditional firewall, which is what Valtix is bringing to Cisco.”

Valtix’s advantage over virtual appliances is that it offers automated orchestration and provides visibility by supporting the integration of cloud provider APIs, the company says. It centralizes and consolidates network security by provisioning distributed enforcement points across Microsoft Azure, Amazon Web Services, Google Cloud Platform and Oracle Cloud Infrastructure. Valtix also offers a web application firewall (WAF), which Valtix says can protect cloud workloads, and it provides low-latency TLS decryption at scale.

Dell’Oro Group’s Sanchez views the Valtix deal as more of an acquisition of intellectual property rather than a “fully baked, market-competitive solution.” Sanchez says that Cisco is behind some of its competitors, such as Palo Alto Networks and Zscaler, in providing a cloud-native security offering.

“Palo Alto, as Cisco’s archnemesis in network security, has successfully monetized both virtual cloud firewalls as well as injecting themselves into the CNAPP market with Prisma Cloud,” he says. “Cisco has been largely on the sidelines. Cisco has a lot of catch up to do, and Valtix does help it incrementally. However, they need to do more, whether it be stitching the various products, like AppDynamics, Tetration, Kenna, together with Valtix to have a go at the CNAPP market, or leverage Valtix to invigorate Firepower \[Cisco’s next generation firewall — NGFW — line) to finally give Palo a run for its money in the cloud.”

Tech Giants Go Cloud-Native Shopping

**CAMBRIDGE, Mass.****,** **March 7, 2023** **/PRNewswire/ --** Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today introduced the Akamai Hunt security service. The service enables customers to capitalize on the infrastructure of Akamai Guardicore Segmentation, Akamai's global attack visibility, and expert security researchers to Hunt and remediate the most evasive threats and risks in their environments. Akamai also released Agentless Segmentation, helping Akamai Guardicore Segmentation customers extend the benefits of Zero Trust to connected IoT and OT devices that aren't capable of running host-based security software.

As organizations embrace digital transformation and workforces continue to evolve, ransomware and other advanced attacks are still a threat to business continuity and overall brand trust, costing more than $20 billion in 2021 alone. To combat these threats, IT administrators must take new approaches to safeguard their networks, intellectual property and employees through the Zero Trust frameworks and microsegmentation to stop lateral movement within the network.

"Microsegmentation is proven to defend against ransomware and other attacks by greatly reducing attack surfaces in complex and dynamic environments," said Pavel Gurvich, Senior Vice President and General Manager, Enterprise Security at Akamai. "These new offerings for Akamai Guardicore Segmentation customers will extend protection to devices that have historically been difficult to secure and will provide the extra visibility and analysis necessary to fend off the most evasive threats."

**Akamai Hunt** 

Akamai Hunt combines the infrastructure, telemetry and control of Akamai Guardicore Segmentation with the data that Akamai has by delivering much of the world's internet traffic.

Now customers can eliminate threats in their environment, virtually patch vulnerabilities, and improve their IT hygiene. Other benefits include:

*   **Unique Dataset:** Rich telemetry from the customer's environment correlated with priority global threat data enables Hunt to find evasive threats and risks.
*   **Big Data Analysis:** Massive data is correlated and queried for suspicious and anomalous activity that other tools miss.
*   **Expert Investigation:** Dedicated security experts investigate detections to ensure teams are not bogged down by false positives.
*   **Alerts and Monthly Reports:** Detailed alerts provide the information required for mitigation, while monthly reports provide an executive overview.
*   **Guided Mitigation:** Hunt experts assist in the remediation of threats, patching of vulnerabilities, and hardening of IT infrastructures.

For more information about Akamai Hunt join the Akamai webinar on March 23 at 12:00 p.m. ET or click here.

**Akamai Agentless Segmentation**

Securing IoT and OT devices has traditionally been a challenge for most organizations. With Akamai Agentless Segmentation organizations are now able to reduce their attack surface, and enforce Zero Trust policies on devices that can't run host-based security software. Other features include:

*   **Continuous Device Discovery:** Automatically discover new network-connected devices and execute predefined device onboarding workflows.
*   **Integrated Device Fingerprinting:** Identify, assess, and categorize all connected devices to ensure that appropriate security policies are applied.
*   **Visualization of Enterprise Assets:** View IoT and OT devices, traffic, and interactions with endpoints, servers, and cloud assets throughout the enterprise.
*   **Agentless Zero Trust Segmentation:** Enforce agentless least-privilege segmentation policies and quarantine suspicious devices through direct integration with network control points.
*   **Roaming Device Awareness:** Maintain device visibility, context, and control as devices move between different areas of your wired and wireless network infrastructure.

Akamai Agentless Segmentation will be available for Akamai Guardicore Segmentation customers in Q2 2023.

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world's most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

Akamai Technologies Releases New Service and Tools to Stop Advanced Threats and Drive Zero Trust Adoption

Two novel malware binaries, including "HiatusRAT," offer unique capabilities that point to the need for better security for companies' router infrastructure.

A cyber-espionage campaign featuring novel malware has been uncovered, targeting DrayTek routers at medium-sized businesses worldwide.

Unlike most spyware efforts, this campaign, dubbed "Hiatus" by Lumen Black Lotus Labs, has dual goals: to steal data in targeted attacks and to co-opt routers to become part of a covert command-and-control (C2) infrastructure for mounting hard-to-trace proxy campaigns.

The threat actors use known vulnerabilities to target DrayTek Vigor models 2960 and 3900 running an i368 architecture, according to an analysis this week on Hiatus from Black Lotus. Once the attackers achieve compromise, they can plant two unique, malicious binaries on the routers. 

The first is an espionage utility called tcpdump, which monitors router traffic on ports associated with email and file-transfer communications on the victim's adjacent LAN. It has the ability to passively collect this cleartext email content as it transits the router.

"More established, medium-size businesses run their own mail servers, and sometimes have dedicated internet lines," according to the report. "These networks utilize DrayTek routers as the gateway to their corporate network, which routes traffic from email servers on the LAN to the public internet."

The second binary is a remote access Trojan (RAT) called HiatusRAT, which allows cyberattackers to remotely interact with the routers, download files, or run arbitrary commands. It also has a set of prebuilt functions, including two proxy functions that the threat actors can use to control other malware infection clusters via an infected Hiatus victim's machine.

**HiatusRAT's Proxy Functions**

The two proxy commands are "purpose-built to enable obfuscated communications from other machines (like those infected with another RAT) through the Hiatus victims," according to the Black Lotus report.

They are:

*   **socks5:** Sets up a SOCKS version 5 proxy on the compromised router.
*   **tcp\_forward:** For proxy control, this takes a specified listening port, forwarding IP, and forwarding port and transmits any TCP data that was sent to the listening port on the compromised host to the forwarding location. It establishes two threads to allow for bidirectional communications between the sender and the specified forwarding IP.

The ability to turn the router into a SOCKS5 proxy device "allows the threat actor to interact with malicious, passive backdoors such as Web shells via infected routers as a midpoint," explains Danny Adamitis, principal threat researcher for Lumen Black Lotus. "Using a compromised router as the communications for backdoors and Web shells enables the threat actors to bypass geo-fencing-based defense measures and avoid being flagged on network-based detection tools."

The TCP function, meanwhile, has likely been designed to forward beacons or interact with other RATs on other infected machines, which would "allow the router to be a C2 IP address for malware on a separate device," according to the report.

All of this means that organizations shouldn't underestimate their worth as a target, the report noted: "Anyone with a router who uses the internet can potentially be a target for Hiatus — they can be used as proxy for another campaign — even if the entity that owns the router does not view themselves as an intelligence target."

**Varied Types of Hiatus Victims**

The campaign is unusually small, having infected only around 100 victims, mainly in Europe and Latin America.

"This is approximately 2% of the total number of DrayTek 2960 and 3900 routers that are currently exposed to the Internet," according to Adamitis. "This suggests the threat actor is intentionally maintaining a minimal footprint to limit their exposure and maintain critical points of presence."

In terms of espionage, some of the victims are "targets of enablement," says the researcher, and include IT service and consulting firms.

"We believe the threat actors target these organizations to gain access to sensitive information about their customers’ environments," using the scraped email communications to mount downstream attacks, Adamitis says.

He adds that a second grouping of victims can be considered targets of direct interest for data theft, "which included municipal government entities and some organizations involved in the energy sector."

While the number of primary victims is small, the scope of the data theft suggests an advanced persistent threat as the culprit behind Hiatus.

"Based upon the amount of data that would be collected from these accesses, it leads us to believe that the actor is well resourced and is capable of processing large volumes of data, suggesting a state-backed actor," Adamitis notes.

**What to Learn From Hiatus**

The key takeaway for businesses is that the conventional idea of perimeter security needs to be adapted to include routers.

"The benefits of using routers for data collection are that they are unmonitored, and all traffic passes through them," Adamitis explains. "This stands in contrast to Windows machines and mail servers, which usually have endpoint detection and response (EDR) and firewall protections deployed in enterprise networks. This lack of monitoring allows the threat actor to collect the same information that would be achieved without directly interacting with any assets that might have EDR products pre-installed on them."

To protect themselves, businesses need to make sure that routers are "routinely checked, monitored, and patched like any other perimeter device," he says.

Organizations should take action: The Hiatus binaries were first seen last July, with new infections continuing up to at least mid-February. The attacks use version 1.5 of the malware, indicating that there could have been activity using version 1.0 prior to July. Black Lotus said that it fully expects the activity to continue.

Hiatus Campaign Infects DrayTek Routers for Cyber Espionage, Proxy Control

An Acer statement confirms that a document server for repair techs was compromised, but says customer data doesn't appear to be part of the leak.

Acer has confirmed its systems were breached after a threat actor offered 160GB of data they say was stolen from the electronics company.

Acer sells a variety of consumer electronics products, including Chromebooks, monitors, laptops, and desktop PCs.

The post in the cybercrime forum claims to have a slew of secret information for sale, including Acer slides, employee manuals, and product information. Acer said in a statement reacting to the claims that the compromised data doesn't appear to include customer information.

"We have recently detected an incident of unauthorized access to one of our document servers for repair technicians," Acer said in a statement about the cybersecurity incident. "While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server."

Acer has suffered several compromises over the past few years, including a $50 million ransomware attack in March 2021.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Acer Confirms Data Offered Up for Sale Was Stolen

Flaw in Toyota's C360 customer relationship management tool exposed personal data of unknown number of customers in Mexico, a disclosure says.

A production API in Toyota's C360 customer relationship management (CRM) tool loaded with the personal information of an unknown number of the carmaker's customers in Mexico was found to expose reams of sensitive data.

A disclosure from threat hunter Eaton Zveare outlines how it was possible to access Toyota customers' names, addresses, phone numbers, emails, and tax identification numbers, as well as vehicle ownership and service history stored in the C360 CRM.

After reporting the issue to Toyota, Zveare said the sites were taken offline, and the APIs were secured so that they now require an authentication token.

"I would like to stress that I do not know how many customers are in this CRM," Zveare wrote. "There wasn't a user list — it was only possible to search for customers by name, ID, phone number, or email address."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hacker Cracks Toyota Customer Search Tool

**LONDON, United Kingdom— March 7, 2023 —** ManageEngine, the enterprise IT management division of Zoho Corporation, today announced that it has added a security and risk posture management dashboard to Log360, its unified security information and event management (SIEM) solution with integrated DLP and CASB capabilities. Enterprises can leverage this new feature to implement proactive security strategies and prevent cyberattacks before they occur.

Establishing a proactive security strategy relies largely on assessing the risks of network platforms continuously. Risk assessment and management, if done right, strengthens enterprise security and thereby prevents hackers from intruding in the network. Compliance regulations across regions require enterprises of all industries and sizes to follow security best practices to harden their network infrastructures. AD is often a primary target for adversaries. Continuously assessing AD risks and enhancing its security posture are essential to preventing cyberattacks from happening.

**Pre-empt Intrusions with Log360's Security and Risk Posture Management**

Stolen or compromised credentials are a common attack vector. Once an account within an organisation is compromised, attackers can get hold of other user accounts, move laterally through the network, and access sensitive data. This is where AD security hardening can help an organisation ward off security threats related to sensitive data. 

"With the introduction of more regional compliance mandates, aligning security and compliance is more crucial than ever and has become an important conversation in board meetings. Security and risk posture management—a proactive security strategy—is an integral part of many compliance requirements," said Manikandan Thangaraj, vice president of ManageEngine.

"ManageEngine has augmented its unified SIEM solution with security and risk posture management that allows enterprises to gain visibility into the current risk posture of their network resources. This helps identify critical loopholes and vulnerabilities that, if exploited, can cause significant damage. Furthermore, the feature helps curb account compromise and misconfigurations, two of the most commonly used techniques for launching an attack," Thangaraj said.

**Highlights of ManageEngine** **Log360's Security and Risk Posture Management**

*   Visibility into AD infrastructure compliance with Microsoft security baselines
*   Accurate detection of weak and risky AD infrastructure configurations and comprehensive security and risk posture calculations
*   Continuous assessments along with AD security posture recommendations to fix loopholes and reduce the risk of being attacked
*   A continuous risk assessment and management dashboard that helps you meet stringent compliance requirements with ease

Log360 also has extensive machine learning-based user and entity behaviour analytics that actively monitor user behaviour and identity compromise. By combining all these features, Log360 offers comprehensive protection against account compromise and identity theft and facilitates quick action against potential breaches.

**About Log360**

Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects, prioritizes, investigates, and responds to security threats. It combines threat intelligence, machine learning-based anomaly detection, and rule-based attack detection techniques to detect sophisticated attacks and offers an incident management console for effectively remediating detected threats. Log360 provides holistic security visibility across on-premises, cloud, and hybrid networks with its intuitive and advanced security analytics and monitoring capabilities. For more information about Log360, visit manageengine.com/log-management/.

**About ManageEngine**

ManageEngine is the enterprise IT management division of Zoho Corporation. Established and emerging enterprises—including 9 of every 10 Fortune 100 organisations—rely on ManageEngine's real-time IT management tools to ensure optimal performance of their IT infrastructure, including networks, servers, applications, endpoints and more. ManageEngine has offices worldwide, including the United States, the United Arab Emirates, the Netherlands, India, Colombia, Mexico, Brazil, Singapore, Japan, China and Australia, as well as 200+ global partners to help organisations tightly align their business and IT. For more information, please visit manageengine.com, follow the company blog and get connected on LinkedIn, Facebook and Twitter.

ManageEngine Launches Security and Risk Posture Management in its SIEM Solution

More than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information.

Employees are submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT, raising concerns that artificial intelligence (AI) services could be incorporating the data into their models, and that information could be retrieved at a later date if proper data security isn't in place for the service.

In a recent report, data security service Cyberhaven detected and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million workers at its client companies because of the risk of leaking confidential information, client data, source code, or regulated information to the LLM. 

In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company.

And as more employees use ChatGPT and other AI-based services as productivity tools, the risk will grow, says Howard Ting, CEO of Cyberhaven.

"There was this big migration of data from on-prem to cloud, and the next big shift is going to be the migration of data into these generative apps," he says. "And how that plays out \[remains to be seen\] — I think, we're in pregame; we're not even in the first inning."

With the surging popularity of OpenAI's ChatGPT and its foundational AI model — the Generative Pre-trained Transformer or GPT-3 — as well as other LLMs, companies and security professionals have begun to worry that sensitive data ingested as training data into the models could resurface when prompted by the right queries. Some are taking action: JPMorgan restricted workers' use of ChatGPT, for example, and Amazon, Microsoft, and Wal-Mart have all issued warnings to employees to take care in using generative AI services.

    

More users are submitting sensitive data to ChatGPT. Source: Cyberhaven

And as more software firms connect their applications to ChatGPT, the LLM may be collecting far more information than users — or their companies — are aware of, putting them at legal risk, Karla Grossenbacher, a partner at law firm Seyfarth Shaw, warned in a Bloomberg Law column.

"Prudent employers will include — in employee confidentiality agreements and policies — prohibitions on employees referring to or entering confidential, proprietary, or trade secret information into AI chatbots or language models, such as ChatGPT," she wrote. "On the flip side, since ChatGPT was trained on wide swaths of online information, employees might receive and use information from the tool that is trademarked, copyrighted, or the intellectual property of another person or entity, creating legal risk for employers."

The risk is not theoretical. In a June 2021 paper, a dozen researchers from a Who's Who list of companies and universities — including Apple, Google, Harvard University, and Stanford University — found that so-called "training data extraction attacks" could successfully recover verbatim text sequences, personally identifiable information (PII), and other information in training documents from the LLM known as GPT-2. In fact, only a single document was necessary for an LLM to memorize verbatim data, the researchers stated in the paper.

**Picking the Brain of GPT**

Indeed, these training data extraction attacks are one of the key adversarial concerns among machine learning researchers. Also known as "exfiltration via machine learning inference," the attacks could gather sensitive information or steal intellectual property, according to MITRE's Adversarial Threat Landscape for Artificial-Intelligence Systems (Atlas) knowledge base.

It works like this: By querying a generative AI system in a way that it recalls specific items, an adversary could trigger the model to recall a specific piece of information, rather than generate synthetic data. A number of real-world examples exists for GPT-3, the successor to GPT-2, including an instance where GitHub's Copilot recalled a specific developer's username and coding priorities.

Beyond GPT-based offerings, other AI-based services have raised questions as to whether they pose a risk. Automated transcription service Otter.ai, for instance, transcribes audio files into text, automatically identifying speakers and allowing important words to be tagged and phrases to be highlighted. The company's housing of that information in its cloud has caused concern for journalists.

The company says it has committed to keeping user data private and put in place strong compliance controls, according to Julie Wu, senior compliance manager at Otter.ai.

"Otter has completed its SOC2 Type 2 audit and reports, and we employ technical and organizational measures to safeguard personal data," she tells Dark Reading. "Speaker identification is account bound. Adding a speaker’s name will train Otter to recognize the speaker for future conversations you record or import in your account," but not allow speakers to be identified across accounts.  

**APIs Allow Fast GPT Adoption**

The popularity of ChatGPT has caught many companies by surprise. More than 300 developers, according to the last published numbers from a year ago, are using GPT-3 to power their applications. For example, social media firm Snap and shopping platforms Instacart and Shopify are all using ChatGPT through the API to add chat functionality to their mobile applications.

Based on conversations with his company's clients, Cyberhaven's Ting expects the move to generative AI apps will only accelerate, to be used for everything from generating memos and presentations to triaging security incidents and interacting with patients.

As he says his clients have told him: "Look, right now, as a stopgap measure, I'm just blocking this app, but my board has already told me we cannot do that. Because these tools will help our users be more productive — there is a competitive advantage — and if my competitors are using these generative AI apps, and I'm not allowing my users to use it, that puts us at a disadvantage."

The good news is education could have a big impact on whether data leaks from a specific company because a small number of employees are responsible for most of the risky requests. Less than 1% of workers are responsible for 80% of the incidents of sending sensitive data to ChatGPT, says Cyberhaven's Ting.

"You know, there are two forms of education: There's the classroom education, like when you are onboarding an employee, and then there's the in-context education, when someone is actually trying to paste data," he says. "I think both are important, but I think the latter is way more effective from what we've seen."

In addition, OpenAI and other companies are working to limit the LLM's access to personal information and sensitive data: Asking for personal details or sensitive corporate information currently leads to canned statements from ChatGPT demurring from complying.

For example, when asked, "What is Apple's strategy for 2023?" ChatGPT responded: "As an AI language model, I do not have access to Apple's confidential information or future plans. Apple is a highly secretive company, and they typically do not disclose their strategies or future plans to the public until they are ready to release them."

Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears

By working together as an industry, we can develop the technologies needed to account for human error.

With more than 20 years of experience in security, I'm more attuned to the nuances of sophisticated phishing schemes than most people. But as cybercriminals adopt more advanced tactics to steal people's data, even the most seasoned security experts can fall victim. 

In 2021, there were more than 4,145 publicly disclosed breaches that exposed information across 22 billion records. And as phishing increased in 2022, 82% of breaches involved a "human element," meaning that individuals played a role in exposing their own or their companies' secrets. 

Fortunately, technology came to my rescue one recent morning (pre-coffee, I might add), after I was almost lured in. When I clicked the link in an email purporting to be from my credit card company, my password didn't automatically autofill — a telltale sign that the URL didn't match a website for which I'd input login information. I took a closer look: Sure enough, the URL was slightly off. 

I'm not the only one on my team who's been targeted. Here are a few examples of scams that security pros almost fell for, the aspects of human psychology that the threat actors leveraged, and strategies to ensure that you (and we) don't fall victim in the future.

**Exploiting "Confirmation Bias"**

On the morning in question, I was expecting an email from American Express. So when I appeared to receive one, confirmation bias kicked in. The email looked right: The grammar and spelling were perfect, the credit card depicted looked like my own card, and I immediately recognized the four digits of the card number that were included.

I clicked. Once I realized it was a scam (thank you, technology, for not auto-filling my password), I quickly noticed other discrepancies. The digits of my credit card number were the _first_ four digits, not the closely guarded last four. And while the color and design of my credit card were accurately depicted, thousands of customers no doubt have the same card.

Confirmation bias — defined as "the tendency to process information by looking for, or interpreting, information that is consistent with one's existing beliefs" — can help us process information efficiently. But it also has drawbacks, like hindering our ability to process critical information contradicting our assumptions. 

Being aware of our tendency toward confirmation bias is key. If you receive an email, call, or text that you're not 100% sure is legitimate, take a moment to pause and verify. 

**Preying on Our Deference to Authority**

Several members of our security team recently received a text purporting to come from 1Password's CEO, Jeff Shiner. In the text, "Shiner" explained that he was heading into a meeting and unreachable by phone, but needed this person to "run a quick task now for progress."

"Boss alerts" like this are increasingly common. They're a form of "pretexting" — a type of social engineering attack in which criminals create a story (or pretext) manipulating their target into sharing private information.

If you receive an email or text (known as "smishing" attacks, as they use SMS) from your boss or another executive, take a deep breath and ask yourself a few questions before responding. Can you confirm the phone number? What is it requesting (or demanding) of you? To verify the request, consider responding via another channel, like Slack or an email address you've used before. 

**Fabricating Urgency **

Another way scammers can throw us off guard is by creating a false sense of urgency. When we're overwhelmed, we may be tempted to put out a fire quickly so we can return to our regular workload.

Victims may be alerted that if they don't pay a bill immediately, their account will be shut down or they'll incur a late fee. They may be told that if they don't click a link to confirm, a package won't be delivered.

A colleague of mine almost responded to a legitimate-looking PayPal invoice saying they owed a large sum of money for their Norton Antivirus subscription. If this was a mistake, they were told, they should respond before being charged. While the request was sent via PayPal, my colleague noticed that the email address they were instructed to respond to was a Gmail account. 

Their suspicions were confirmed when they Googled "PayPal Norton invoice" and saw multiple references to this scam. To spare other victims, they alerted PayPal. 

**Technology Can Save the Day **

While phishing training and tests can raise awareness, they can't solve the root cause of the problem. And while security experts understand the value of practices like turning on two-factor or multifactor authentication (2FA/MFA) and of updating software regularly, many consumers don't. 

At the end of the day, we are and will remain human — even those who monitor security threats for a living. Technology is an essential backstop to human error, which is why it's ultimately the answer when it comes to cybersecurity. 

We need technologies that reduce risks from phishing — whether by erecting barriers to scammers, limiting the number of phishing attempts that reach consumers, or clearly marking scams as suspicious. Passkeys, which are both extremely secure and extremely easy to use, are one of the most promising solutions. Several leading tech and security companies are now collaborating on an effort to make it easier to use passkeys across multiple systems and devices. We need to work together as an industry to develop technologies like these that account for human error. It's incumbent on us to build systems that remain secure when an insider is compromised — wittingly or unwittingly, by phishing, smishing, or whatever strategy tomorrow brings.

Scams Security Pros Almost Fell For

**LONDON, UK / March 7, 2023** - Egress, a cybersecurity company that provides intelligent email security, today released its **Email Security Risk Report 2023**. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.  

“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”

**Email Security Risks Report 2023: Key findings**

The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security. Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.

**Organizations continue to fall victim to phishing attacks**

Customer and employee churn were top of the list of negative impacts following an inbound email security incident.

*   86% of surveyed organizations were negatively impacted by phishing emails.
*   54% of organizations suffered financial losses from customer churn following a successful phishing attack.
*   40% of incidents resulted in employees exiting the organization.
*   85% of cybersecurity leaders say a successful account takeover (ATO) attack started with a phishing email. 
*   The top three types of phishing attacks that organizations fell victim to:

*   Phishing involving malicious URL or malware attachment.
*   Social engineering.
*   Supply chain compromise.

**Risky behavior and mistakes lead to costly data loss**

People making mistakes or taking risks in the name of getting the job done are far more common than malicious insiders, the survey found:

*   91% of the cybersecurity leaders surveyed said data has been leaked externally by email, with the three top causes for these incidents:

*   Reckless or risky employee behavior, such as transferring data to personal accounts for remote work.
*   Human error, including employees emailing confidential information to incorrect recipients.
*   Malicious or self-serving data exfiltration, such as taking data to a new job.

*   49% suffered financial losses from customer churn following a data loss incident.
*   48% of incidents resulted in employees exiting the organization.

**Cybersecurity leaders confess a dissatisfaction with SEG technologies**

The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:

*   58% - It isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment.
*   53% - Too many phishing emails end up in employees’ inboxes.
*   50% - It takes a lot of administrative time to manage.

**Is traditional security awareness and training (SA&T) effective at changing behavior?**

While 98% of the surveyed organizations carry out some kind of security awareness and training (SA&T), 96% aired a concern or limitation with their SA&T programs:

*   59% say it’s necessary for compliance with regulations or cyber insurance.
*   46% say employees skip through it as fast as possible.
*   37% admit they are not confident people remember what they’re taught.
*   29% say employees find training annoying.

**How to defend against inbound and outbound email security threats**

The report highlights that people need real-time teachable moments thatalertthem to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.

Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration. Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach. New integrated cloud email security solutions (ICES) use intelligent technology to deliver behavior-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behavior that lead to data loss and data exfiltration within Microsoft 365.

To read **Egress Email Security Risk Report 2023:** _Inbound and outbound email security threats in Microsoft 365,_ including all its analysis and findings please visit https://egress.co/ufxkz.

**About Egress**

Egress makes digital communication safer for everyone. As advanced and persistent cybersecurity threats continue to evolve, we recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss, resulting in the reduction of human activated risk. 

Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York, and Boston.

Source

DARKReading