• Secure AI
  • Posts
  • Secure AI #4: AI + GRC = Reduced Pain of Compliance

Secure AI #4: AI + GRC = Reduced Pain of Compliance

Author

Charles Gillman
September 06, 2023

Welcome to Secure AI, where we discuss the intersection of Cybersecurity, Privacy and IT Governance, Risk & Compliance.

A bit of a break between newsletters, but we’re back with some interesting content. This week’s article touches on some use cases for AI for GRC.

Also, check out Google Workspaces, which gains an AI security boost, and ChatGPT Enterprise was released with security in mind - SOC2 certification and SSO plus no usage caps and higher performance. What’s not to like?

Also, check out the (rather lengthy) but great article on “Demystifying LLMs and Threats”, which has a great LLM primer before it dives into prompt injection.

In this newsletter…

  • This Weeks Article - AI + GRC = Reduced Pain of Compliance

  • AI Security News - Latest news & news you may have missed

  • AI Risk & Governance News - Latest GRC-related AI news

  • Vendor AI Security News - AI news from the vendor world

  • AI Security Tool of the Week - Security tools for AI

  • Recommended Reading - Deeper dives into AI & Security

This Weeks Article

AI + GRC = Reduced Pain of Compliance

One of the killer uses of AI for me is using AI for GRC tasks. LLMs are great at writing and also reviewing boring security policies. An LLM can output a decent security policy with the right prompts. Conversely, by feeding in existing policies (via a private LLM or de-identified), again with the right prompts, the LLM can give feedback on policy gaps and areas for improvement.

Where LLMs also excel is in performing cross-walks of security controls. For example, asking the LLM, “Is clause 5.1 in ISO27001 the same as control CC1.3 in SOC2?”. There are a couple of companies in Australia already working on AI-augmented GRC tools for compliance and risk management, myrisk.io* and 6-Clicks*.

There are now lots of tools that allow you to “converse” with PDF and other files. This means you can load up a PDF of your security framework like ISO27001 into one of these tools and start asking questions like “Give me a list of 3 types of evidence that I can present to an ISO27001 auditor to meet Annex A.5.8”. This can give you a good starting point when first implementing a given security framework.

One of the least favourite tasks for any security professional has to be filling in a vendor security questionnaire. So my favourite use-case for GenAI for GRC has to be the Converyor tool, which takes your security information as input and uses that to fill out security questionnaires. It is a huge timesaver and avoids dreary copy and pasting of responses.

* Note: I have no commercial affiliations with these companies

AI Security News

ChatGPT used to find Mac malware on the Dark Web

A cybersecurity firm says it asked ChatGPT to find new Mac security threats, and after some delving, it found one sold on a Russian server.

appleinsider.com/articles/23/08/02/chatgpt-uncovers-mac-malware-on-the-dark-web

AI bots are making CAPTCHA tech useless

Bots have gotten so good at imitating how the human brain and vision work that they score higher than actual people

qz.com/ai-bots-recaptcha-turing-test-websites-authenticity-1850734350

Demystifying LLMs and Threats

Based off of my presentation for CSA

medium.com/csima/demystifing-llms-and-threats-4832ab9515f9

ATHI — An AI Threat Modeling Framework for Policymakers

A framework for thinking about harms and impacts that can come from AI systems

danielmiessler.com/p/athi-an-ai-threat-modeling-framework-for-policymakers

Google Workspace to gain AI-enabled security, digital sovereignty controls

The enhancements are designed to better protect sensitive data, harden admin access controls, and provide more flexibility on where data is stored and processed.

www.csoonline.com/article/650163/google-workpace-to-gain-ai-enabled-security-digital-sovereignty-controls.html

Generative AI fueling significant rise in cyberattacks

Organizations increasingly willing to pay ransoms to recover from attacks while rising stress levels are forcing security workers to consider quitting.

www.csoonline.com/article/649944/generative-ai-fueling-significant-rise-in-cyberattacks.html

Microsoft Vulnerability Severity Classification for AI Systems

The Microsoft severity classification for common vulnerability types for systems involving Artificial Intelligence or Machine Learning (AI/ML).

www.microsoft.com/en-us/msrc/aibugbar

OpenAI to use GPT-4 LLM for content moderation, warns against bias

The company expects to eliminate undesired biases introduced during training with the involvement of humans in the loop.

www.computerworld.com/article/3704618/openai-to-use-gpt-4-llm-for-content-moderation-warns-against-bias.html

In case you missed it…

Introducing ChatGPT Enterprise

Get enterprise-grade security & privacy and the most powerful version of ChatGPT yet.

openai.com/blog/introducing-chatgpt-enterprise

AI Risk & Governance News

A pro-innovation approach to AI regulation – Law Society response

We’ve responded to the government’s white paper on regulating the use of artificial intelligence technology.

www.lawsociety.org.uk/campaigns/consultation-responses/a-pro-innovation-approach-to-ai-regulation

Why and how to create corporate genAI policies

Adoption of generative AI is happening at a breakneck pace, but potential threats posed by the technology will require organizations to set up guardrails to protect sensitive data and customer privacy — and to avoid running afoul of regulators.

www.computerworld.com/article/3705028/why-and-how-to-create-corporate-generative-ai-policies.html

Vendor AI News

eSentire introduces LLM Gateway to help businesses secure generative AI

The open-source framework aims to help security teams improve their governance and monitoring of generative AI and large language models.

www.csoonline.com/article/649989/esentire-introduces-llm-gateway-to-help-businesses-secure-generative-ai.html

Tool of the Week

GitHub - estebanpdl/osintgpt: An open-source intelligence (OSINT) analysis tool leveraging GPT

An open-source intelligence (OSINT) analysis tool leveraging GPT-powered embeddings and vector search engines for efficient data processing

github.com/estebanpdl/osintgpt

Recommended Reading

Are You Copying My Model? Protecting the Copyright of Large Language Models for EaaS via Backdoor Watermark

To protect the copy stealer’s EaaS right of LLMs for EaaS, we propose an Embedding Watermark method called EmbMarker that implants backdoors on embeddings.

arxiv.org/pdf/2305.10036.pdf

Poisoning Web-Scale Training Datasets is Practical

In this paper, we introduce two new dataset poisoning attacks that intentionally introduce malicious examples to a model’s performance.

arxiv.org/pdf/2302.10149.pdf

Remember, AI won’t take your job,
but someone who knows how to leverage AI probably will