AI risks – can you spot the errors?, A present from Five Eyes, No More Secrets!
By John Bruggeman, virtual Chief Information Security Officer
AI risks – can you spot the errors?
I took some time over the holiday to play with Google's AI-powered image creator tool, ImageFX, and the results were in line with other tools. Compared to the description provided, ImageFX was, by my calculations, about 93% correct.
The prompt I used was, "Photograph of a sports car on Venice, CA Beach, with person leaning on the car."
Can you find the flaws in the generated image? ImageFX generated four images, and each had similar flaws.
Once you spot the flaws in the image, imagine you are a new programmer and you ask ImageFX to generate code for something you don't know how to do.
Could you, as a new programmer, figure out what's wrong with the code?
If you are a CIO or CTO looking to leverage AI, we can help you review the code it generates to make sure there are not subtle or glaring flaws.
Remember folks: LLM tools are not deterministic, by DESIGN.
These tools use math to predict what word will likely come next. They are not "smart" or "intelligent" the way we think.
Give it the same prompt twice and you will get two different answers.
Will you know which answer is correct or even close to being correct?
What can you do?
Are you planning to deploy AI in your environment? If so, what is your plan?
Do you need help with your plan?
If you have any questions about AI, reach out and we can join a call with you to answer those questions.
A Christmas present from Five Eyes
The Five Eyes group (U.S., UK, Canada, Australia, and New Zealand), along with South Korea, has released guidance on how to choose secure and verifiable technologies.
Every company, every year, must buy new software and hardware, but how do they know if the product is secure? Does a vendor use open-source software (OSS) in the product? If so, how do you know?
How can you determine if the vendor has taken appropriate measures to secure the code they use in the product you want to buy?
The graphic below gives a simple example of the five main points where OSS can be compromised. I think this graphic is helpful for people outside of cybersecurity to understand what areas need to be reviewed to ensure greater confidence when buying more secure products.
This article from the Australian Signals Directorate (which worked with the Cybersecurity and Infrastructure Security Agency, the Canadian Centre for Cyber Security, the United Kingdom National Cyber Security Centre, the New Zealand National Cyber Security Centre, and the Republic of Korea's National Intelligence Service) provides an easy-to-read guide for developing an internal process for reviewing and purchasing secure products.
From the introductory paragraph:
"With an ever-growing number of cyber threats endangering users’ privacy and data, organizations must ensure they are consistently choosing secure and verifiable technologies. Customers are responsible for evaluating the suitability, security and risks associated with acquiring and operating a digital product or service.
"However, it is important that customers increasingly demand manufacturers embrace and provide products and services that are secure-by-design and secure-by-default. In this way, consumers can increase their resilience, reduce their risks and lower the costs associated with patching and incident response."
What can you do?
How do you verify their software supply chain?
Do you need help with that process? If so, we can help!
Let us help you start the process of securing your software supply chain. You can use this link to schedule a meeting.
No More Secrets Podcast has new episodes!
In case you haven’t heard, the “No More Secrets” podcast has new episodes available for download, and the content is fun and easy to follow.
About the author
John Bruggeman is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity. He helps companies, boards, and C-level committees improve and develop their cybersecurity programs, create risk registers, and implement compliance controls using industry-standard frameworks like CIS, NIST, and ISO.