Category Archives: News

Taxonomy of Generative AI Misuse

Read Time:47 Second

Interesting paper: “Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data“:

Generative, multimodal artificial intelligence (GenAI) offers transformative potential across industries, but its misuse poses significant risks. Prior research has shed light on the potential of advanced AI systems to be exploited for malicious purposes. However, we still lack a concrete understanding of how GenAI models are specifically exploited or abused in practice, including the tactics employed to inflict harm. In this paper, we present a taxonomy of GenAI misuse tactics, informed by existing academic literature and a qualitative analysis of approximately 200 observed incidents of misuse reported between January 2023 and March 2024. Through this analysis, we illuminate key and novel patterns in misuse during this time period, including potential motivations, strategies, and how attackers leverage and abuse system capabilities across modalities (e.g. image, text, audio, video) in the wild.

Blog post. Note the graphic mapping goals with strategies.

Read More

Why DCAP is Essential for Modern Data Security (A Closer Look)

Read Time:7 Minute, 5 Second

The content of this post is solely the responsibility of the author.  LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Almost every company has a system for organizing file storage, which employees use regularly. Streamlining data storage in a corporate environment is not just about improving business processes; it is also about ensuring security. It is challenging to protect data if you do not know where it is stored, what it contains, its value, who owns it, who has access to it, and what its most significant threats are. This is where Data-Centric Audit and Protection (DCAP) systems come into play.

The Role of DCAP in Data Security

Data-Centric Audit and Protection (DCAP) is a security approach that focuses on protecting data as its primary objective. Often, the goal of DCAP is to safeguard data that is at rest and not actively processed. This method uses content-based access control, prioritizing the content itself rather than the file system objects.

Frequent news about data breaches often stems from violations of sensitive data storage laws. This is a very common occurrence. Data is constantly in motion and being reorganized, which is a typical part of business operations. For example, a company might add new drives, copy data, forget to delete or export it, and so on. DCAP helps identify such cases, control the storage of sensitive data, and manage it effectively within the organization. Moreover, every organization now must conduct a thorough audit of its handling of personal data, which is impossible without a DCAP. By implementing DCAP, organizations can showcase their strong security posture, which can help them when applying for cyber insurance or meeting compliance requirements.

The Five Stages of Data-Centric Audit and Protection

It makes sense to divide the work of a DCAP system into several interconnected stages, during which the system identifies violations of corporate policies and helps to eliminate them.

1. Data Collection

DCAP system can monitor data on file servers, local hosts, and shared folders. It integrates with information from Active Directory and other sources. While DCAP can gather information over the network and parse logs from other systems, its primary method of data collection is through agents installed on workstations, servers, and network storage. The completeness and quality of this original data are crucial for effective auditing and secure storage of information.

2. Data Classification and Sorting

After scanning the sources, DCAP classifies the information to identify data that may be valuable to the company. It uses over a dozen content analysis technologies, such as dictionaries, morphology, digital fingerprints, the Bayesian method, and others, to accurately classify the information.

3. Analysis

Classification is just the foundation for collecting information security events and identifying threats. During the information collection stage, DCAP records access rights for each object in its database. This allows it to identify common risks, such as documents with shared access or unusual sets of permissions. DCAP can determine the real owners of files, highlight frequent users of specific data, and identify areas with redundant access.

Dynamic analysis offers even more capabilities: it monitors changes, movements, and openings of documents containing critical data, as well as modifications to access rights for documents or folders and the creation or alteration of permissions. These events, along with many others, are not only recorded by the system but also evaluated for information security risks.

4. Response

DCAP offers several response options. At a basic level, it can send notifications through various channels. Additionally, the DCAP system can execute scripts and transmit data to external systems.

In addition to the standard response functions, DCAP systems can offer expanded capabilities, such as shadow copying of data. This means that the security officer not only receives a record of the incident but also a complete copy of the data related to the event. This allows for a quick assessment of the incident’s severity and enables immediate action if necessary.

DCAP can block a user’s account if there is reason to believe it has been compromised. A similar approach is applied to identified threats. DCAP owners do not need external tools, as DCAP includes its own incident response module, where information about the incident can be sent for analysis. Incident response can be automated based on pre-defined rules or triggered by anomaly detection. Here, DCAP could potentially integrate AI capabilities to enable even faster and more sophisticated incident response capabilities.

5. Reporting

A good DCAP system includes a well-developed reporting feature, complete with a convenient dashboard featuring tables and graphic widgets. Users typically have access to several dozen preset reports covering all necessary aspects of the collected database. Each template can be customized to meet individual needs. If further customization is required, users can create their own reports from scratch using the report designer.

Technical Aspects of DCAP Implementation

Experience shows that even large IT companies often avoid writing their own software for specific tasks. Instead, they typically turn to highly specialized organizations for ready-made solutions. They receive an out-of-the-box tool that includes custom scripts tailored to their specific needs. The pilot project helps better evaluate these needs and plan the exact implementation configuration.

Modern DCAP systems support both hardware and software storage, primarily focusing on local storage. The choice of the physical form of storage is not as important; what matters is that all data is comprehensively covered and protected.

DCAP systems collect metadata, including standard metadata contained within files and specific metadata for formats like DOC, XLS, and JPG. DCAP owners often request vendor support for file marks, such as watermarks, which DCAP systems must be able to detect.

A sound DCAP system stores metadata in the most efficient and compressed way, and it supports the option to upload data. The archive of events for a year occupies a fixed amount of space. It is important to note that the files themselves are not stored; only metadata, links, and tags are kept. The disk space consumed by a DCAP database can be easily scaled.

DCAP can also track access rights to other systems and sites, as well as audit data usage, such as who opened which files, from where, and in what context the user interacts with the data. This creates a comprehensive view of user actions displayed in an easy-to-use interface. Additionally, DCAP is an effective countermeasure against ransomware, as it reduces the attack surface by strictly limiting data access.

DCAP integrates with various systems, depending on the customer’s needs. Basic information is collected from the infrastructure, such as files, accounts, and events. The rest depends on the specific tasks and cases. This data can be sent to a SIEM or access control system or retrieved from them. Integration with DLP and other systems is also supported by most vendors.

Experts highlight the importance of this integration as well as the acquisition of external data to enrich the information already collected by DCAP. The more data sources DCAP supports, the more complete and clear the picture becomes.

DCAP is very flexible, capable of sending and receiving data from various systems and processing it based on specific cases. At the same time, the system consistently works accurately without disrupting business processes.

Trends and Future Directions in DCAP Development

Today, many customers purchase DCAP but only use about half of its capabilities because they lack the resources to quickly prepare the entire infrastructure, resulting in a gradual implementation process. Increased automation and higher customer maturity are anticipated, as DCAP systems are a crucial part of a company’s cyber defense.

The market is evolving towards automation, aiming for a “one button” solution that, when pressed, ensures everything is correctly configured. Over time, DCAP will likely incorporate all DLP features and transition entirely to cloud services. Eventually, DCAP functions may be integrated into the operating system, much like firewalls and antivirus software have been.

Conclusion

DCAP systems implement “zero trust” policies, rights minimization, and auditing of access and information flows. They enable professional, competent classification of any type of data. By collecting data from various sources, DCAP identifies and highlights problems and anomalies that are not visible in other systems. This ensures order in the company’s infrastructure and a transparent organization of employees’ interaction with valuable data. DCAP reveals the actual state of the infrastructure and the ideal order. If all recommendations are followed and risks are mitigated, the attack surface is significantly reduced.

Read More

Friday Squid Blogging: SQUID Is a New Computational Tool for Analyzing Genomic AI

Read Time:19 Second

Yet another SQUID acronym:

SQUID, short for Surrogate Quantitative Interpretability for Deepnets, is a computational tool created by Cold Spring Harbor Laboratory (CSHL) scientists. It’s designed to help interpret how AI models analyze the genome. Compared with other analysis tools, SQUID is more consistent, reduces background noise, and can lead to more accurate predictions about the effects of genetic mutations.

Blog moderation policy.

Read More

People-Search Site Removal Services Largely Ineffective

Read Time:40 Second

Consumer Reports has a new study of people-search site removal services, concluding that they don’t really work:

As a whole, people-search removal services are largely ineffective. Private information about each participant on the people-search sites decreased after using the people-search removal services. And, not surprisingly, the removal services did save time compared with manually opting out. But, without exception, information about each participant still appeared on some of the 13 people-search sites at the one-week, one-month, and four-month intervals. We initially found 332 instances of information about the 28 participants who would later be signed up for removal services (that does not include the four participants who were opted out manually). Of those 332 instances, only 117, or 35%, were removed within
four months.

Read More