Assuming that artificial intelligence is poised to become a standard part of the cybercriminal’s toolbox, what can organizations do to protect themselves?

Experts say doubling down on the basics is the best defense. AI doesn’t change the rules of the game as much as help adversaries do what they already do faster and better.

With OpenAI LLC’s ChatGPT and similar tools already entering the enterprise through the back door, information technology organizations should state guidelines for their use.

In February, Gartner published three recommendations in this vein: Have humans review output, favor Microsoft’s branded Azure OpenAI Service ChatGPT over OpenAI’s less-secure public version, and prohibit employees from disclosing confidential enterprise data in a conversation with a chatbot.

A five-point plan put forth by Infosys Ltd. in February essentially recommends using generative AI to circulate threat reports more widely in an organization, redoubling phishing education efforts and moving to a zero-trust security model.

None of these recommendations is groundbreaking, but “we still see a lot of organizations not doing the basics,” said Bryan Patton, principal strategic systems consultant at Quest Software. “If you’re not doing that, should you really be using AI?”

Attackers gravitate toward the low-hanging fruit, which makes fundamentals such as applying patches, cleaning up directories and applying role-based permissions effective foils. “Probe your data infrastructure to understand where your greatest risk is, and close the doors and windows that are most vulnerable, so that the mundane weaknesses don’t become exploitable by bad actors,” recommended Glen Pendley, chief technology officer at Tenable Network Security Inc.

Teleport’s Kontsevoy: “it will be extremely cost-efficient to trick people into believing that they are talking to a human being.” Photo: LinkedIn

No secrets

Technology already in use or on the immediate horizon can help. People continue to be the weakest link, said Ev Kontsevoy, founder and chief executive of the secure infrastructure access company Gravitational Inc. which does business as Teleport.

Access management relies too much on secrets such as passwords and challenge questions. “The mere presence of a secret on your infrastructure is a vulnerability,” he said. “The most exciting long-term possibility is to use AI to remove humans from the access loop.”

A combination of biometric controls such as fingerprints and the Trusted Platform Module chips that are used in nearly every computing device can be used to create certificates that disappear after a single use, making it impossible for an attacker to compromise user credentials. “In the future humans won’t have to touch infrastructure,” Kontsevoy said. “AI will enable that.”

Sridhar Muppidi, chief technology officer at IBM Corp.’s security division, sees a silver lining in using AI to streamline authentication. “We focus on keeping the bad guys out, but AI can also be useful in letting the good guys in,” he said. “There’s no need to use multifactor authentication every minute of the day. We can use AI to make cybersecurity more seamless.”

The potential uses of generative AI to elevate the effectiveness of phishing attacks also means organizations need to redouble their efforts to educate employees on how to avoid falling victim to them, said Yotam Segev, chief executive of data protection firm Cyera Ltd. He also recommends developing standards for human reviews of code written by AI and using one of the growing number of scanners that look for software using predictive text algorithms.

“AI can learn the context of an environment, its data and its users and establish a baseline of operational activity, behavioral analysis and anomaly detection to spot risks that turn into threats in instances of human versus machine activity and real activity versus fraud,” he said.

Image: cliff1126/Pixabay