AI tools can deliver quick and easy results and offer huge business benefits — but they also bring hidden risks.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

Advances in artificial intelligence (AI) and machine learning (ML) technologies continue to receive significant news coverage for the potential benefits and troubling dangers they could unleash. Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. Other experts warn that AI usage could have several negative consequences, including generating inaccurate results, data leaks, and theft. So, how can companies employ these powerful AI/ML tools without compromising their security? Below, we'll touch on the risks AI tools can present and offer eight tips that will help your company leverage these tools as securely as possible.

**The Risks of AI Tools**

In general, AI/ML is simply statistics at scale. All AI models rely on data to statistically generate results for their focus area. Therefore, most risks revolve around said data, especially confidential or sensitive data. Companies using external AI/ML tools risk that the product vendor might use your data to train their algorithms and accidentally leak or steal your intellectual property. Additionally, an AI tool that uses bad data will generate inaccurate results. Fortunately, many AI tools are quite powerful and can be used securely, with a few precautions.

**Tip 1: Remember, if it's free, you are the product.**

If you use a free AI tool or service, you should suspect it may leverage the data you provide. Many early AI services and tools, including ChatGPT, employ a usage model that's similar to social media services like Facebook and TikTok. While you don't pay money to use those sites, you are sharing your private data, which those companies use to target ads and monetize. Similarly, a free AI service can gather data from your devices and keep your prompts, which it uses to train its model. While not seemingly malicious, you never know how an AI service will monetize your data. If that company gets breached, threat actors may obtain access to your data.

**Tip 2: Have legal review agreements.**

To learn how an AI tool or service will handle your data, read the vendor's end-user license agreement, master service agreement, terms and conditions, and privacy policies. These lengthy, complex documents often use tricky language to obscure how the vendor might use your data, so company lawyers should review them. Your legal department knows the regulatory requirements for safeguarding your sensitive data, including personally identifiable information. They can interpret these documents capably and alert you if any terms put your data at risk. A data privacy officer who specializes in the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or any other privacy compliance can also help review these agreements.

**Tip 3: Guard internal data.**

A simple risk of using external AI tools is that an employee — intentionally or not — could share sensitive or confidential data with the tool, exposing the data to misuse. To mitigate this threat, companies must ensure they apply least privilege principles to who can access confidential or sensitive data. Unfortunately, some organizations don't adequately block employees from accessing corporate data that their role doesn't require. If you limit employees to access only the precise data they need, you minimize the amount of data they might divulge to an external AI tool.

**Tip 4: Review settings and consider paying for privacy.**

Whether AI tools or services are free or paid, they often have settings for added privacy. Some tools can be set to not store your prompt data. Review your AI tool's privacy settings and configure them to your preferences. Also, while free tools likely reserve the right to use your data, you can pay licensing fees to get enterprise versions of AI tools that offer more protection. These tools often include features of not using your data and keeping it segmented. 

**Tip 5: Validate the security of AI tool vendors.**

Vendor and supply chain security validation should be a default practice for any new external tool or service partner you adopt. Digital supply chain breaches prove that vendors can become the weakest link in maintaining security. Therefore, third-party risk management (TPRM) products and processes are crucial to information security. A formal TPRM process is vital when using AI tools and service partners.

**Tip 6: Leverage local open source AI frameworks and tools.**

The accessibility of online, external AI tools that are free and user-friendly brings risk. To assure data privacy, consider avoiding external tools. Alternatively, there are free AI frameworks and tools you can deploy and create yourself. These frameworks require more work as well as AI and data science expertise, so they bring their own cost to use.

**Tip 7: Track your company's AI usage.**

It’s difficult to track every asset, software-as-a-service (SaaS) tool, or data store that your employees use, as the cloud and Web services have empowered everyone to use Web-based tools. The same goes for AI-based SaaS offerings. To monitor which external AI tools your employees utilize, how, and with what data, audit and document AI usage as part of the buying process. In identifying all the internal and external AI tools used, you better understand the risks you face. 

**Tip 8: Create an AI policy and raise risk awareness.**

In security, everything starts with policy. The risks your company faces depend on your specific organization's missions and needs, and the data you use. Companies that traffic in public data may face a low data-sharing risk and allow a permissive AI policy, while those that deal in confidential matters will have stringent rules around data use in external AI tools. Ultimately, you must craft an AI policy that's tailored to your company's needs. Once you have that policy, communicate it and the risks associated with AI tools with your employees regularly.

AI tools can deliver quick and easy results and offer huge business benefits while also bringing hidden risks. Fortunately, you can leverage AI tools securely by adopting a few precautions and be on your way to realizing the benefits these tools promise.

**About the Author(s)**

Chief Security Officer, WatchGuard Technologies

Corey Nachreiner is the chief security officer (CSO) of WatchGuard Technologies. Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology and security vision and direction. He has operated at the frontline of cybersecurity for 25 years, evaluating and making accurate predictions about information security trends. As an authority on network security and an internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec, and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, Forbes, Help Net Security, and more. Find him on www.secplicity.org.

8 Tips on Leveraging AI Tools Without Compromising Security

These office giving-friendly fidgets, stress balls, brain teasers, and more are perfect to calm the most harried cybersecurity professionals.

Whether it's a CISO feeling the anxiety of potentially being an organizational scapegoat or a SOC analyst drowning in alerts, cybersecurity pros are constantly feeling the wear and tear of daily, existential work pressure. As security teams figure out what to get their Secret Santa recipients or contribute to the White Elephant gift exchange over the holidays this year, maybe stress relief should be the name of the game. The following are some great suggestions for givers seeking a peaceful option to gift stressed-out cyber practitioners.

**About the Author(s)**

Contributing Writer, Dark Reading

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

You May Also Like

10 Holiday Gifts for Stressed-Out Security Pros

The collaboration focuses on helping security teams detect and address cloud threats more effectively.

Source: BluePlanetStudio via Adobe Stock Photo

For many enterprises, the ability to address security threats and manage assets consistently across both cloud and on-premises environments is an ongoing challenge. A new partnership between Securonix and Wiz offers a unified approach to protect digital assets, identify risks, and proactively address security threats across multiple environments.

The collaboration brings together Wiz's cloud native application protection platform (CNAPP) with the advanced security analytics and threat detection capabilities in Securonix Unified Defense SIEM. Securonix relies on threat chains to correlate and connect seemingly unrelated security events. Integrated with Wiz's cloud-specific insights provides security teams with context to understand the threat or attack's blast radius and how it is impacting the organization's infrastructure.

The goal is to give enterprise security teams a single prioritized view of risk based on a deep cloud analysis across misconfigurations, network exposure, vulnerabilities, and malware. Mutual customers will be able to detect threats more effectively and improve their understanding of the impact of a threat on their cloud security posture, the companies said.

"Wiz analyzes the complete cloud context, while Securonix analyzes behavior analytics," said Oron Noah, director of product management at Wiz, in a statement.

**About the Author(s)**

Wiz-Securonix Partnership Promises Unified Threat Detection

Amazon Web Services announced enhancements to several of its security tools, including GuardDuty, Inspector, Detective, IAM Access Analyzer, and Secrets Manager, to name a few during its re:Invent event.

Source: Techa Tungateja via Alamy Stock Photo

Amazon Web Services has been unveiling a steady stream of announcements during its AWS re:Invent 2023 event in Las Vegas this week. As expected, the focus over the four days has been on artificial intelligence (AI) as AWS strives to show that its offerings can match – or surpass – those from Google Cloud and Microsoft Azure. But even beyond generative AI, AWS is highlighting enhancements to its threat detection, vulnerability assessment, and security policy tools.

First up: AWS has expanded Amazon GuardDuty with Amazon GuardDuty EC2 Runtime Monitoring and Amazon GuardDuty ECS Runtime Monitoring. GuardDuty EC2 Runtime Monitoring, now in preview, introduces runtime threat detection for Amazon Elastic Compute Cloud workloads to give security teams visibility into on-host, operating system-level activities. It also provides container-level context into threats. Amazon GuardDuty ECS Runtime Monitoring uses a lightweight security agent to extend threat detection for workloads running on EC2 and AWS Fargate.

AWS Secrets Manager now supports a single API call to identify and retrieve a group of secrets associated with the application. The BatchGetSecretValue API simplifies developer workflows. And administrators can now enter their own customer-specific security controls in AWS Security Hub to customize security posture monitoring.

**Generative AI to Security**

AWS is adding generative AI to its security tools Amazon Inspector and Amazon Detective. Amazon Inspector, a code-scanning tool for AWS Lambda functions, offers assisted code remediation using generative AI and automated reasoning and can provide in-context code patches for multiple vulnerability classes. Amazon Detective helps security investigations by using generative AI to analyze multiple activities related to potential security events and find group summaries.

Additionally, Amazon Inspector has agentless vulnerability scanning for Amazon Elastic Cloud Compute instances in preview. Amazon Detective now supports log retrieval from Amazon Security Lake and investigating AWS identity and access management entities for indicators of compromise.

**Identity and Access Announcements**

The AWS Identity and Access Manager (IAM) Access Analyzer continuously analyzes user accounts to identify unused access privileges and permissions to help administrators implement the principle of least privilege. Security teams can review the findings to prioritize which accounts need action. The tool also provides custom policy checks to validate that IAM policies adhere to the organization's security standards before systems are deployed.

Amazon EKS Pod Identity allows administrators to define required IAM permissions for applications in Amazon Elastic Kubernetes Service clusters. This allows the applications to connect with AWS services outside of the cluster.

Finally, AWS announced support for mutually authenticating clients presenting X509 certificates to Application Load Balancer. This helps administrators offload client authentication to the load balancer to ensure only trusted clients are able to access the organization's cloud applications.

**About the Author(s)**

Rundown of Security News From AWS re:Invent 2023

Melissa Hathaway, a former White House cybersecurity adviser, says Biden is pushing through more regulatory reforms than previous administrations.

Lack of transparency with third-party suppliers is companies' biggest cyberthreat, says CIGI's Melissa Hathaway.Source: Harvard Kennedy School Belfer Center

Melissa Hathaway hasn't shied away from advising corporate boards and government leaders on cybersecurity policy since leaving the White House a decade ago. Hathaway, a former National Security Council Cybersecurity Chief, served in two administrations, leading the Comprehensive National Cybersecurity Initiative for President George W. Bush, and launching President Barack Obama's Cyberspace Policy Review.

Currently a member of the Centre for International Governance Innovation's board of directors, Hathaway recently spoke about current digital risks at a CIGI conference last month. Hathaway also provides consulting services as president of Hathaway Global Strategies, and most recently, was tapped by data protection vendor Commvault to chair its newly formed Cyber Resilience Council. During a meeting in New York City, Hathaway shared her views on the latest global cybersecurity threats from China and Russia, and the impact of the war in Israel.

Dark Reading: How would you compare today's threat landscape to when you were working for the White House over a decade ago?

Hathaway: Ransomware is on the rise, and it has become very sophisticated. Now you can encrypt 50 terabytes of data in less than five minutes, and all an intruder needs is one path in. A lot of really destructive, malicious software is being developed, and proof pointed over in Ukraine, such as the wiper virus attacks that we saw against Viasat. You're also starting to see the infections of low-level botnets capable of high-volume distributed denial service attacks. I'd say, though, the biggest problem is that companies don't have enough transparency into the dependencies of their third-party suppliers. The path into most of the companies right now, if it's not an unpatched system, is through their third-party suppliers.

DR: Such as software supply chain vulnerabilities?

Hathaway: Yes, but it doesn't have to be just that. It could be the trusted supplier who didn't patch their own infrastructure and they're the pathway in not just the product that was bad, like what we're dealing right now with Cisco IOS.

DR: What's your take on President Biden's approach to cybersecurity?

Hathaway: The new White House strategy is focused a lot on making companies more responsible for not only their product and introducing secure development lifecycle, but also making them more responsible for their governance and enterprise risk management. And that's been needed for more than a decade. I think that this administration is really focused on making corporates responsible.

DR: Would you say this White House is doing more than previous administrations?

Hathaway: They're just taking a different approach. The Biden administration is focused on a regulatory approach which previous administrations never took.

DR: And do you think that's a good thing?

Hathaway: In 2010 I wrote that there was an important moment for the SEC, FCC, and FTC to own their authorities to get to resilience. But I think that there's a challenge when you have all the regulators going in different directions. It puts an undue cost on industry. And so there has to be some harmonization of the regulatory frameworks that the administration is pushing. But that's difficult to do. One, it requires strong leadership and understanding of how the government works. Two, it requires getting those regulators to potentially cooperate and coordinate, and they don't necessarily have it within their remit to do that. And then third, you have to decide which problem you want to solve first, second, and third.

DR: With the current policies that are being laid out and proposed, to what effect do you think the outcome of the next presidential election could change those policies if there is a change in administrations?

Hathaway: You have the new SEC Rule and it took almost 13 years to get that rule in place. If another administration were to come in, regardless of party, and wanted to change direction, it would be very difficult to change the regulations and the laws in this country. A new president could come up with another executive order or policy, but those are very difficult. I mean, it's easy to write, but then it's all about the execution. And there's really no penalties associated with those, even within the government.

DR: What are your concerns about China as a threat?

Hathaway: They are a leading cyber power and probably have more manpower of meeting their overall national objectives than we do in the US or anywhere. Part of that is a percentage of the population, but they have made it a strategic priority as part of their five-year plan, and as part of their overall strategies.

Among their strategies, they are using one industrial espionage \[element\] that was featured on 60 Minutes just two weeks ago, with the Five Eyes. Industrial espionage has been going on for more than a decade, and they're continuing to move that path forward.

Through the Belt and Road Initiative, they are positioning their national champions for the delivery of telecom, data services, and other things. And they are one of the leading providers in the Global South. And that's all part of their economic strategy and changing some of the global, I would say world order of things.

They're also leading in central bank digital currencies. They saw Bitcoin as an opportunity, and they started their policy development and experimentation with it more than about a decade ago. And now they've since rolled out a CBDC \[central bank digital currency\], and they have more than 300 million people using it. If you start to think about that \[as\] a transition in the financial services systems around the world, they've got an interbank digital currency exchange that's outside of the US dollar through the CBDCs. And so, they have a longer-term strategy.

DR: What can policymakers do about that?

Hathaway: We have to look at Russia, China, Iran, \[and\] North Korea in different lenses. They are worthy opponents. And it's not like they're second rate, they're actually all first rate in different categories. And that requires us to think about things differently. Some of the initiatives of the Biden administration are important, like secure development lifecycle, which means your code better be good. We've got too many bad products in the market that are easily exploitable. We need to really be thinking about the next generation standards — we lost on 5G, are we going to lose on 6G too? And that requires us to really think about international standards differently.

I think we also need to be thinking about what are some of the cases that we're going to have to be thinking about — when you move to 5G and you're moving to the cloud, and you've got autonomous everything, you're going to have edge compute — that's going to have a whole very different set of policies on that data movement, from my driverless car to your driverless car, and what's processing them at the edge, so neither of us will have a problem. We're not really addressing that security, the data security, data privacy, the data movement, and this edge processing that's going to go forward. That requires us to really think about a different architecture about resilience, safety, privacy, and security. And that conversation I don't really think has started in our country, and we need to start it now.

DR: Has the war in Israel already changed the equation of the threat landscape?

Hathaway: Absolutely. I think things are unstable. It adds three things: First, you're starting to see new malicious software being developed and I would say swift synthetic media, deep fakes, and other things. It's causing a lot of confusion, but there's a lot of experimentation happening from a lot of groups, not just Hamas or Hezbollah — there's a lot of experimentation happening with, I would say, the malicious activities' disinformation as well as malicious software.

I think second, we're going to see a supply chain disruption of the Israeli IT and cyber industry that I don't think we've thought through what's going to happen. As you mobilize 300,000 reservists, some of which are in that industry, some of these industry providers are going to have a slowdown or a disruption. So, we have to think through that.

Israel is a leading innovator in some of these things; I think that there's going to be a supply chain disruption coming because they are a leader in IT.

Third, I just worry about the overall stability of the region; we've got a lot of geopolitical instability \[and\] too much around the world right now.

DR: Obviously, there are a lot of Israeli cybersecurity companies or even companies like Microsoft, Check Point, Google, and many others.

Hathaway: Well, you have the tech innovation center at Beersheba, but then you have a very large IT tech cyber industry in Israel that serves and works and partners with all Silicon Valley, and Seattle, Boston, and such. So, I think that there's going to be a disruption that we need to anticipate because this war is not going to be done anytime soon.

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Ex-Cybersecurity Adviser to Bush, Obama Weighs in On Current Admin

PRESS RELEASE

TEL AVIV, Israel, Nov. 29, 2023 (GLOBE NEWSWIRE) -- Piiano, the leading data protection company, today announced Piiano Flows, the industry’s first privacy-centric static code analyzer. The company will offer free scans until the end of 2023.

High-profile data leaks, including Duolingo’s PII leak in late August, underscore the critical importance of data protection for businesses on a global scale. Flows automatically and continuously analyzes source code throughout development processes and tracks when, where and how sensitive data are being used and stored. This enables security teams to shift data security left with a more proactive approach. Piiano’s tool finds potential data leaks inside source code and ensures that sensitive information, such as Personally Identifiable Information (PII), credentials and financial information, are protected before faulty code reaches production.

“Security leaders want to focus more on data security during development, but don’t have the right tools to do so at scale and see what’s happening with data in their code. Data vulnerabilities are even harder to hunt down after faulty code reaches production, which is why our tool nips the problem at the source,” says Gil Dabah, co-founder and CEO of Piiano.

Image shows sensitive data statistics gathered by analyzing a code repository.

Developers are expected to work at a rapid pace and under a great deal of stress. Compounded by a lack of security expertise and orientation, they are prone to making errors through little fault of their own that can expose data at the code level–such as forgetting to remove debugging logs or inadvertently exposing sensitive data through public or third-party APIs.

According to Justinian Fortenberry, CISO at Etsy and a board advisor to Piiano, “Piiano Flows is a very powerful and straightforward solution that, for the first time, enables enterprises to save time identifying potential data leaks during and after the application development process.”

Dabah likens Flows to a “SAST-type tool for proactive DPSM.” The company’s proprietary NLP ML model and taint analysis algorithms – a more accurate approach than more commonly used Large Language Models (LLMs) – maps and highlights any code that touches sensitive data, including incoming, outgoing and stored data, to help find data privacy and security issues and blind spots that can happen in runtime.

Flows, available for free, is designed for quick and easy use with an intuitive interface for security teams. To eliminate third-party risk, it only requires access to code itself without ever accessing production environments or production data stores containing sensitive customer data.

About Piiano

Piiano provides a data protection platform for app-sec and engineering teams to secure sensitive customer data and ensure their privacy – even in the event of a breach. Enterprises can scan their source code to find data leaks and similar data exposure issues and remediate them by securing the sensitive data by using its data protection APIs. With Piiano’s building blocks, engineers and security leaders can save significant time, effort and resources while achieving true security without slowing down.

Code Scanner by Piiano Helps Enterprises Prevent Data Leaks Proactively

PRESS RELEASE

HERZLIYA, Israel, Nov. 29, 2023 /PRNewswire/ -- XM Cyber, the leader in hybrid cloud exposure management, today announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments. Kubernetes Exposure Management helps security teams protect critical assets running in Kubernetes clusters across public cloud, private cloud, and on-premises infrastructure.

The new solution delivers continuous visibility into vulnerabilities, risky permissions, and misconfigurations that could allow attackers to breach Kubernetes environments and access valuable data and applications. By extending XM Cyber's industry-leading XM Attack Graph Analysis™ to Kubernetes, organizations can now see integrated risks across hybrid environments and intelligently prioritize remediation based on potential impact to critical assets.

"We are early adopters of XM Cyber's new Kubernetes features in order to achieve full transparency into our customer environments", said Moritz Tuerk, Chief Product Owner Security for SAP Product Engineering. "With the comprehensive attack path view, we can enhance the security of the SAP cloud even further than what is currently possible."

Key benefits of XM Cyber's Kubernetes Exposure Management include:

*   360-Degree Visibility: Gain a comprehensive view of risks and excessive permissions across all Kubernetes assets.
    
*   Protection for Sensitive Resources: Ensure the security of vital Kubernetes resources like ConfigMaps and Secrets.
    
*   Cross-Environment Analysis that reduces remediation efforts: Perform multi-step attack modeling, risk assessment, and prioritization that considers the needs of multiple domains.
    
*   Rapid Time-to-Value: Initial deployment can be completed in hours to unlock actionable exposure insights from day one.
    

Security issues have caused 67% of companies to delay or slow down Kubernetes deployment. XM Cyber's Kubernetes Exposure Management capabilities are aimed at helping security teams tackle this emerging risk vector head-on.

"Kubernetes adoption is accelerating, but securing these highly complex environments remains a huge challenge," said Boaz Gorodissky, CTO at XM Cyber. "Our new Kubernetes Exposure Management equips security teams with the comprehensive visibility and automated control they urgently need to reduce attack surfaces and proactively protect critical container workloads."

To learn more about XM Cyber, please visit: https://xmcyber.com/solution-briefs/kubernetes-continuous-exposure-management/.

About XM Cyber

XM Cyber is a leading hybrid cloud exposure management company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, Asia Pacific and Israel.

You May Also Like

XM Cyber Launches Kubernetes Exposure Management to Intelligently Protect Critical Container Environments

PRESS RELEASE

EAST BRUNSWICK, N.J., Nov. 29, 2023 -- 1Kosmos, the company that unifies identity proofing and passwordless authentication, today announced the 1Kosmos BlockID platform now enables organizations to seamlessly extend web-based identity proofing sessions to a user's mobile device for scanning government issued documents. 

This new capability does not require a mobile application, and creates a frictionless web user journey by eliminating the need for a separate application to capture identity documents and meet identity assurance level (IAL) requirements. Unique to 1Kosmos is the use of a privacy by design architecture where personal information is accessible only upon user consent.

To enable fast and easy identity proofing from the web, without downloading a mobile application, 1Kosmos BlockID connects a browser to a session accessing the camera on a user's mobile device for document verification. It also validates the authenticity of government identity documents with issuing authorities and triangulates personal data from driver’s licenses, passports, national IDs, and more. In addition, 1Kosmos BlockID challenges the user to take a live selfie to ensure they are a real person and matches their selfie with the images scanned from the documents. 

“Traditional identity verification journeys performed on the web require users to install a mobile app for scanning government issued documents,” said Huzefa Olia, Co-Founder and COO for 1Kosmos. “For organizations that prefer an app-less experience, 1Kosmos BlockID eliminates the need for a dedicated app, while providing the flexibility to embed and customize document-based identity proofing across different platforms and end user journeys to suit their identity assurance and security requirements.” 

Cross Platform Identity Proofing

Like the 1Kosmos mobile app, the new app-less web based identity verification capabilities enable users to capture high quality images of government issued documents through mobile devices. 1Kosmos BlockID provides the following capabilities and benefits for implementing identity verification journeys across platforms:

*   Creates separate “verification sessions” for identity proofing with any type of document including driver’s license, passport, National ID and more
    
*   Provides a standalone web client that can extract identity data and validate the authenticity of the document template 
    
*   Offers an interface to define risk thresholds for decisioning on liveness, selfie match, etc. 
    
*   Supports integration with third party providers to validate authenticity of documents and data 
    
*   Enables administrators to review the result from the extraction of documents and data along with a recommendation from 1Kosmos on the status of verification (i.e., Pass or Fail) 
    
*   Enables organizations to build custom user verification journeys via the 1Kosmos control plane
    
*   Provides pre-deployment testing via proofing URLs
    
*   Includes built-in support for internationalization 
    
*   Meets W3C Web Content Accessibility Guidelines
    

Availability

The unified web and mobile identity verification capabilities are available immediately in the 1Kosmos BlockID platform.  

About 1Kosmos BlockID

The 1Kosmos BlockID platform verifies user identity for straight-through onboarding of customers, workers and citizens. It creates a reusable digital wallet for high assurance authentication into digital services and instant validation of end-user qualifications, competencies, authority, and more. A unique privacy-by-design architecture centered around a private and permissioned blockchain eliminates centralized honeypots of end user personal identifiable information (PII), simplifying compliance to privacy mandates such as GDPR and providing organizations tamper evident verification to always know the identity behind devices accessing applications, data and services. BlockID has attained certification to NIST 800-63-3 and UKDAIF via Kantara, FIDO2 and iBeta’s PAD Level 2 guidelines. It is delivered as a stand alone or embedded cloud service or via a managed service as a Credential Service Provider for residents.

About 1Kosmos

1Kosmos enables remote identity verification and passwordless multi-factor authentication for workers, customers and residents to securely transact with digital services. By unifying identity proofing, credential verification and strong authentication, the BlockID platform prevents identity impersonation, account takeover and fraud while delivering frictionless user experiences and preserving the privacy of users’ personal information. BlockID performs millions of authentications daily for government agencies and some of the largest banks, telecommunications, higher education and healthcare organizations in the world. The company is funded by Forgepoint Capital and Gula Tech Adventures with headquarters in East Brunswick, New Jersey. For more information, visit www.1kosmos.com and follow us  on X and LinkedIn.

1Kosmos Unifies Identity Verification User Journeys Across Web and Mobile Platforms

Black Hat speaker and 13-year-old ethical hacker Marco Liberale talks about his interest in cybersecurity, and what opportunities he has in Saudi Arabia.

Marco Liberale on stage at Black Hat Middle East and Africa.Source: Luke Hallewell from Informa at Black Hat Middle East and Africa

Younger speakers and researchers often garner plenty of interest at cybersecurity conferences, and these teenage stars often gain a following after it is over. Marco Liberale, a 13-year-old from Saudi Arabia who recently presented at the Black Hat Middle East and Africa on the subject of navigating ransomware, is likely no exception having taught himself lockpicking at 3; Python coding at 5; and malware writing shortly after that.

Liberale received praise for his presentation, in particular by researcher and Boom Supersonic CISO Chris Roberts, who said Liberale showed "how to write it, build it, design it, deploy it, and remediate systems against being taken over by it" — it being ransomware.

Dark Reading met with Liberale and his mother, Caterina Carna, to understand more about how this industry snagged his interest, and what's in store for the phenom going forward.

Marco Liberale on stage at Black Hat Middle East and Africa

How did you get interested in cybersecurity?

Marco: When I was three I was already interested in physical security, like locks and lock picking, then I learned Python when I was five and I kind of moved from there to cybersecurity. I made my first malware at the time; it was not very good though.

Was he lock picking from his crib?

Caterina: He was obsessed with chains and locks. He didn't want toys, he just wanted to go to hardware stores and buy locks and chains. My house was totally inaccessible to me because he was locking every room and I needed to ask him for permission to open it, but he was obsessed with this. But I always let him do it because I understood that there was something big inside him.

I just felt that I needed to support him as much as I could, and I let him know whatever he wanted to do to express himself in any possible way, but he was always attracted to security somehow.

How did you learn about cybersecurity, did you see it on TV and think that's something you want to do?

Marco: I mostly saw it on the news and stuff. I've always been interested in the security field and how people get in and how to stop people from getting in.

What about certifications, what are you doing now?

Marco: I study at Kings Interhigh online school, but I am way too young for most of the certifications. I'm still going to get Comptia Security+, I'm studying for that.

Are you finding a lot of opportunity to learn skills at events here?

Marco: I do have a lot of opportunities to do so. I've met a lot of people even like at KAUST \[the King Abdullah University for Science and Technology\]. There's a big IT field there as it is mostly focused on science and IT.

Do you have friends who are also doing this?

Marco: No, most kids my age are just playing soccer. That's what I've seen personally.

Do you have ambitions of where you want to do next, like study abroad, or work at certain companies?

Marco: I'm probably going to make a startup. I'm mostly self-taught in general, but I work with Chris \[Roberts\] a lot.

Caterina: We were here last year at the Black Hat conference and we met Chris, they got connected on LinkedIn and started to talk and during this conference this year, they did a talk together on the main stage. They had a lot of fun here and Chris is one of the most generous people I've ever met.

Do you look at people in the industry who inspire you?

Marco: Not that much. I don't have many inspirations, I mostly just work on my stuff. I don't really like getting inspired by other people.

How did you get to be involved in this conference?

Caterina: Marco met with Ed Sleiman, who is the head of cybersecurity at KAUST, and Ed recognized his talent. So Ed brought him to the Black Hat conference last year, connected us with the organizers and they were pretty excited about having a young speaker like that. He did a talk on OSINT, and this year they invited him to present again.

Do you have any plans for the future?

Marco: Now, I don't have any plans, I want to see what I can learn.

**About the Author(s)**

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

How a Teenage Saudi Hacker Went From Lockpicking to Ransomware

PRESS RELEASE

SANTA CLARA, Calif., Nov. 27, 2023 — Fortanix® Inc., a leader in data security and pioneer of Confidential Computing, today announced Key Insight, a new industry-first capability in the Fortanix Data Security Manager TM (DSM) platform designed to help enterprises discover, assess, and remediate risk and compliance gaps across hybrid multicloud environments. At AWS re:Invent 2023, Fortanix will showcase the capabilities of Key Insight at booth #118.  
Data breaches lead to massive monetary losses, hefty penalties and severe brand damage. While traditional firewall and cloud security defenses shield the perimeter, the data itself remains vulnerable. Encryption is the final line of defense, but enterprises lack robust control over encryption keys, leading to significant risk. Enterprises need to fortify security beyond just its perimeter layers and are driving the paradigm shift towards a rigorous, data-centric security model with complete visibility and control over its encryption assets.  
According to a Gartner® report, “It is critical to understand if access to data and encryption keys by the CSP, by internal staff, or if the data residency locations across CSP platforms will create business impacts due to security or compliance risks.”  
Fortanix Key Insight is the first and only solution to provide consolidated insights and control of all cryptographic keys to protect critical data services. Security, cloud and developer teams can collaborate to assess risk posture and remediate compliance gaps consistent with policies, regulatory mandates, or industry standards (e.g., NIST, GDPR, PCI, etc.). Key Insight expands the power of Fortanix DSM, a unified data security platform for enterprise key management, data tokenization, secrets management, and more.   
“Key Insight provides a unique combination of discovery, assessment and remediation of encryption keys and cloud data services in one Enterprise Key Posture Management (EKPM) solution, helping enterprises prevent data breaches and failed regulatory audits,” said Anand Kashyap, co-founder and CEO at Fortanix. “Key Insight is aligned with our value statement – ‘Look. Know. Further.,’ by allowing companies to look across siloed encryption environments, know their data security risk posture, and go further with complete control of their data, including remediation.”   
Fortanix Key Insight offers several innovations to enhance data security:

*   Discover all encryption assets and provide a detailed mapping between encryption keys and data services in an intuitive and easy-to-understand dashboard  
    
*   Assess data security risk posture through visual heatmaps that quickly pinpoint risks, gaps and priorities against established policies, regulations and industry standards
    
*   Remediate gaps in policy and compliance to eliminate risk to achieve crypto agility at scale, with robust reporting to demonstrate continuous improvements over time  
    

“As the global leader in AI-based advanced imaging for healthcare applications, Rapid AI is fully committed to security, compliance, processes and technologies to protect its platform and sensitive patient data, especially in the cloud,” said Amit Phadnis, CTO of Rapid AI. “In this endeavor, awareness and proper management and remediation, where necessary, of encryption keys is of prime importance. Any tool that helps ease our encryption keys posture management would be desirable for our security and compliance teams.”    
“Organizations can ill afford data breaches and non compliance of globally proliferating privacy regulations," said Craig Gledhill, CEO of ACA Pacific. "Data encryption is crucial for protecting data, but equally crucial is the ability to pinpoint blind spots and remediate risks and compliance gaps. It is in this regard that the introduction of Fortanix Key Insight can be of great help to our customers in their quest for multicloud data security and compliance."  
This latest addition to Fortanix DSM adds another industry first to the platform’s robust list of capabilities, which include enterprise key management, data masking/tokenization, secrets management, code signing, and confidential AI and confidential data search.

Source

DARKReading