CyberSec.Cafe

Brewing Cybersecurity Insights

Tag: #Cybersecurity

The Digital Shadow

October 2, 2024 / / 0 Comments
Shadow and Ghost Data in cloud computing.

It is a pleasure to present an article in collaboration with Fabrizio Saviano.

Fabrizio is a dynamic cybersecurity leader with extensive experience as a Chief Information Security Officer (CISO) for top companies. He also served as an Intrusion Squad Officer at Polizia Postale, bringing a wealth of knowledge in cyber defense and security strategy. Fabrizio is the author of three influential books, including Cybercognitivismo and Come non essere spiati su internet, which explore the nuances of digital privacy and cybersecurity. His work combines practical expertise with a passion for educating others on navigating the digital world safely.

So without further ado…

Shadow Data and Ghost Data in the Era of Cloud Computing

In the era of cloud computing, data security has become a major concern for both individuals and organizations. Beyond the well-known concept of Shadow IT, two lesser-known but equally dangerous phenomena are emerging: Shadow Data and Ghost Data. These represent a new frontier in cybersecurity, bringing unique challenges and significant risks that need to be addressed with care and awareness.

Shadow IT: The Hidden Precursor

Before delving into Shadow Data and Ghost Data, it is important to understand the context in which they emerge. Shadow IT refers to the unauthorized use of cloud services such as WhatsApp, Gmail, WeTransfer, or Dropbox within an organization. These tools can be useful but create security, compliance, and cost control issues when used without IT department supervision.

Shadow Data: The Hidden Threat in the Cloud

Shadow Data is an extension of the concept of Shadow IT. It involves content that is improperly uploaded, saved, and shared on cloud storage platforms like Microsoft OneDrive, Google Drive, or Amazon Web Services. Their elusive nature makes it difficult for corporate IT security teams to monitor and protect this data. Risks associated with Shadow Data include insecure sharing, indexing of sharing URLs by search engines, and exposure of sensitive data.

One of the most evident dangers is vulnerability to online searches. Often, URLs used to share data can be discovered through hacking techniques like Google Dorks, making information potentially accessible to anyone. Additionally, incidents like those involving Amazon’s S3 storage have shown that even the most reliable cloud services can be vulnerable.

Ghost Data: The Phantom of Digital Past

Ghost Data represents an even more insidious risk. These are data that users believe they have deleted from cloud services but actually persist in providers’ storage systems. This phenomenon underscores a fundamental truth: data deletion in the cloud is not always permanent. The origins of Ghost Data can vary from incomplete file deletion to device disposal without proper data erasure, to loss or theft of inadequately protected devices.

The Extent of the Problem: Alarming Data

Recent research has revealed worrying data about the impact of Shadow Data and Ghost Data. It is estimated that 60% of security problems in cloud accounts stem from unprotected sensitive data. Furthermore, about 30% of analyzed cloud data stores contain Ghost Data, with 58% of this data including sensitive or highly sensitive information. These numbers highlight the urgency of addressing the issue of Shadow and Ghost Data seriously and proactively.To mitigate the risks associated with Shadow Data and Ghost Data, a multi-layered approach is essential.

First and foremost, user education and awareness are crucial. Users must be trained on the risks of improper data sharing and correct privacy practices in cloud services. It is also important to promote the use of strong passwords and develop a culture of cybersecurity within the organization.

Monitoring and Control are equally crucial. Companies should implement software for identifying and analyzing Shadow and Ghost Data, establish clear policies for their management, and conduct periodic reviews of data present in cloud systems and company devices.

Proactive protection includes using encryption tools for sensitive data and implementing secure backup systems. Additionally, solutions for secure and permanent data deletion are essential to ensure that deleted data cannot be recovered in the future.

Shadow Data and Ghost Data represent a growing challenge in the cybersecurity landscape. With the continuous evolution of cloud technologies and increasing reliance on these services, it is crucial that individuals and organizations remain vigilant and proactive in managing their digital data. The cybersecurity of the future will not only be a matter of advanced technology but also awareness and responsible behavior. Only through continuous and conscious commitment can we hope to navigate safely through the increasingly deep and complex waters of the digital world.

23andMe, and Us?
23andMe, and Us?

23andMe, and Us?

February 21, 2024 / / 1 Comment

It is a pleasure to present a collaboration article with Fabrizio Cilli.

As a dedicated cybersecurity enthusiast and pioneer, Fabrizio’s journey has been marked by global experiences, from Rome to the most advanced innovation hubs of North America and Asia, and through historical transformative projects in the Middle East. At Telecom Italia, he played a key role in the early days of Security Operations Centers (SOC), setting the stage for leadership positions that influenced cybersecurity advancements across sectors.

Leading as the Chief Information Security Officer (CISO) at Open Fiber, Fabrizio was pivotal in building a robust cybersecurity framework from scratch, marking achievements like the formation of XIRT (Any Incident Response Team) and striving for ISO 27001 certification. His work extended globally with renowned firms such as Datamat, Accenture, RESI/IPS, and EMC, where he focused on integrating cloud security, managing mergers and acquisitions, conducting due diligence, and safeguarding critical infrastructure.

A passionate advocate for the integration of artificial intelligence in cybersecurity, Fabrizio collaborated with the Italian Digitalization Team (Team Digitale) and co-founded the collective CISOs4AI (together with yours truly) and other great minds, underlining his commitment to harnessing AI for overcoming security challenges. His career is a testament to overcoming challenges, pushing boundaries, and fostering innovation, with a clear mission to cultivate a security-first mindset, drive technological empowerment, and ensure cybersecurity serves as a foundation of trust and resilience in our digital age.

So without further ado…

23andMe, and Us?

It all started from a response letter by 23andMe legal department, after CISO and some other directors had sold their stock options before the incident disclosure.

Facing an onslaught of lawsuits, 23andMe is denying liability for millions of users’ genetic records leaked last fall.In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for any data that may have been exposed.

It would be fantastic to have oversight and complexity requirements in place. Requiring multiple authentication factors has always been a key tool to prevent breaches from occurring. Companies like Microsoft, Google, Amazon, telecoms, banks, insurers, and healthcare providers all carefully control account access. They do this not just for prevention, but also to demonstrate maximum diligence. This is in a context where co-responsibility between companies and users is inevitable.

And if the responsibility of the external user is passed on as a “charter of rights and duties” (perhaps in terms and conditions between company and user), should we then consider that in a company, if it is discovered that a breach originated from a weak password (one of those in the annual most common lists) of an employee user, the latter falls into a scope of “bad faith” such as to stimulate an investigation for administrative liability? 

I mean, how much can responsibility be shifted to the user, given current standards for verifying the suitability of access control and administration measures (even more so for administrative accesses)?

Let’s talk about it, but if I think about Uber and SolarWinds, and then focus on 23andMe, and all the hospital ransomwares lately…I get a headache.

So if at the italian occurrence of attack to ASL1 L’Aquila, we understand that “it all started from a user with a weak password” or in the attack to MediBank Australia, a “user” propagated the attack, do we charge the 5 billion AUS Dollars to them and just move on? 👀😅

Such cases and similar situations, which we all know too well (and some scenarios we have experienced together, with some fellow CISO), where a user just leaves the doors open, what happens to these? Do we chase/investigate our own users? Could they be held responsible for the resulting damage? And on what rule and norm?

I want to clarify: full and robust user responsibility would be a breath of fresh air for most colleagues with millions users, but does this possibility even exist in current practice, that you are aware of? 👀

It is clear that the user who allows an attacker to use a “native” function is not ideal, but every low and slow attack and every APT we fight stems from the fact that we consider the user (I’m getting close to zero “user” trust theory) as potentially malicious or compromised.

So if a Sino-Russian-North Korean or Italo American criminal, with fake documents enters, and with that function manages to view data from thousands of other people, would we not notice? Is the system designed to prevent repeated abuse? Would GDPR minimization, applied to this processing, have required that it not be possible for example to “accumulate” sensitive data like this, but maybe only view genetic closeness, and then request direct contact? How did they design the registry at 23andMe?

When I say data is the lifeblood of a company I mean it seriously. If the lifeblood becomes poisoned, or too much comes out, the plant dies. 🌵🏜️

And then the dilemma: if one of “our” internal users blatantly violates a policy, procedure, and playbook, and leaves admin admin, while doing the ceremonial of an HSM, and we basically lose all our secrets?

Are we (the company) or is the user (colleague) administratively responsible? (And here the insurance systems on AdS come into play…)

It is certainly a good debate.

But in the end I believe there are various safe passes, both for users and colleagues, when it comes to access and management of technologies and privileges imposed on them.

The “good family man” remains the company, the multitude of individuals who manage the systems are its own, with its procedures and internal and external regulations. It is not a 1-to-1 relationship with the user, it is a many-to-1 or many-to-many relationship.

The Regulations we advertise, and for which we request flags, signatures etc., exist precisely to ensure they are not violated, due to boredom and lack of reading or reconciliation.

The Countermeasures we implement guarantee controls, and verify that the healthy behaviors we ask to assume are assumed, by those who use our systems and services, preventing them from circumventing them to facilitate the user experience.

Of course it is true that if we do not solve the problem of “passwords”, it is like having a low cipher forced by incompatibility, and not being able to apply a patch for life…

Perhaps this is what Sam Altman is aiming for with his WorldCoin startup: the full and unequivocal recognizability of the user… Will he make it?

And how will 23andMe end up?

There is very much at stake and an ongoing court case, that didn’t really start on the best terms.

Now, I don’t mean to make light of this situation, but the reality is that: Cybersecurity maturity needs to be embedded in a company’s very DNA. It requires integration, communication, and transparency primarily between the business itself and its clients.

Or it won’t work. In a fully digital world, you need fully digital cyber protection. Your business doesn’t sleep, crooks do not sleep, your clients are cycling around the world and guess what? They are not sleeping at the moment.

If it was enough to have “security” across the company, and “secure by design” software, today it’s about having a “secure by design company” and “software security” in place.

Word games? No, it’s the real deal.

You can get wiped out from the market.

And now the bombshell that will make you think: in such a scenario, even your competition can harm your core business by means of criminal hackers.

Resilience, and security by design with zero-trust: it’s worth it.

Exciting Collaborations on the Horizon: Gear Up for Cyber Insights!

Exciting Collaborations on the Horizon: Gear Up for Cyber Insights!

February 19, 2024 / / 2 Comments

Greetings, fellow cyber enthusiast! I’m back!

For those who missed me the reason is to be ascribed to my recent job change.

I’m thrilled to announce that in the next months I will be speaker to a couple of interesting events in Milan. The next one is the 12th of March and of course I’ll talk about AI Cybersecurity.

Back to the main news: in just a few days, I’ll be embarking on a series of captivating collaborations with some esteemed minds in the cybersecurity field in Cybersec.cafe and I’ll be guest of another blog that will be revealed in due time.

Buckle up, because we’re diving deep into valuable insights you won’t want to miss. While I can’t reveal all the surprises just yet, let me assure you that these partnerships will bring together diverse perspectives and a wealth of experience. We’ll be tackling some pressing issues in the world of cyber.

The next guest will be Fabrizio Cilli and he will discuss the 23andMe breach and its implications in terms of shared responsibility in cybersecurity – sorry I won’t disclose more as spoiler is a capital crime nowadays but trust me, you won’t want to miss this!

Stay tuned for further details future announcements.

See you soon!

P.S. Want to be the first to know when the collaborations kick off? Follow me on linkedin and keep an eye out for updates!

How to Keep You Safe Online

How to Keep You Safe Online

September 18, 2023 / / 0 Comments

Proactive Measures for Cyber Safety

Over the years, many have approached me with questions about online security, reflecting a growing concern in our digital age. The importance of safeguarding one’s personal identity online truly cannot be overstated. Not only does good cyber hygiene benefit individuals, but it also extends to the organizations where they work. When people grasp the basics of cybersecurity, they’re better equipped to apply these principles in their professional environments, fortifying the digital defenses of their companies. With cyber threats becoming more frequent and increasingly sophisticated, it’s imperative for everyone to adopt proactive measures to protect their digital identities.

Here are some guidelines to ensure your online safety:

  1. Think Before You Click: More than 90% of successful cyber-attacks start with a phishing email. If you encounter a link you don’t recognize, trust your instincts and think before you click.
  2. Use Strong Passwords and change default ones: Until we can move to passwordless avoid common passwords like “password” or “123456”. Ensure your password is long (at least 14 characters especially if MFA is not enabled), unique, and randomly generated. Consider using a password manager to generate and store unique passwords. Many devices, including modems and routers, come with default passwords. Always change these to unique, strong passwords to prevent unauthorized access. This applies also to your mobile device, use a PIN/passcode (not your date of birth or “0000” or “1234”)
  3. Use Multi-Factor Authentication (MFA): MFA provides an additional layer of security by requiring two or more verification methods. We already discussed how to choose one method, for instance here. This applies also to your mobile device, secure it with biometric feature (e.g. fingerprint or face recognition).
  4. Stay Updated: Ensure all your software, including the operating system, is up-to-date. Cybercriminals often exploit vulnerabilities in outdated software. Whenever you receive notifications for software updates, install them promptly. Even better, turn on automatic updates.  
  5. Be Cautious with Software: If you didn’t actively seek out a software, an app or browser add-on, don’t install it. Conversely, uninstall software or applications you no longer use. This approach not only declutters your system but also reduces potential entry points for cyber threats.
  6. Avoid public or untrusted WIFIs: avoid those WIFIs especially when accessing or providing sensitive information, such as bank accounts, online shopping, etc. The same applies also for and unknown or untrusted storage devices, such as USBs, that can be used to transfer malware on to your device. Avoid those as well.
  7. Consider Using a VPN: Virtual Private Networks (VPNs) encrypt data transmitted between your device and the server. This ensures that your online activities remain private and secure, especially if you really need to use public Wi-Fi networks. However, not all VPNs are created equal. It’s essential to choose a trusted provider, as VPNs are entirely based on trust. You must be aware of the data protection laws of the VPN provider’s home country and any potential extra-legal pressures they might face.
  8. Ensure your valuable data is stored in an appropriate location and backed up regularly. Cybercriminals may encrypt your data so they can extort money from you. If you do become a victim of this, it is often impossible to decrypt the data, so you will have to rely on backups. To avoid this ensure valuable data is stored on approved secure storage services (not shared widely and encrypted) and backed up in the event of loss or damage.
  9. Bookmark Important Sites: Instead of clicking on email links that seem to come from trusted organizations, use bookmarks in your web browser to access important sites. This reduces the risk of landing on a phishing site.
  10. Don’t overshare on social media: Scammers often use social media to gather information about people. They may use this information to guess your passwords, use it in a social engineering scam, or impersonate you when applying for credit cards, bank loans, or even commit crimes. Also regularly review your social media access settings to understand who can see information you share and ensure it is restricted appropriately.

What do you think? Are these all the steps we should take to ensure our online safety?

Do you follow all these best practices? Share your thoughts and experiences in the comments below!

Sources:

The secrets to Master Key Management in Cloud Encryption

July 18, 2023 / / 1 Comment

A Comprehensive Guide in Light of Recent Security Breaches

Introduction

In the world of cybersecurity, a recent event serves as a grim reminder of the crucial role that key management plays in cloud encryption. On July 11, 2023, Microsoft reported a severe breach where China-backed hackers gained unauthorized access to several email inboxes, including those of prominent federal government agencies. The attack was facilitated by Microsoft’s loss of control over its own keys, underscoring the dire consequences of inadequate key management. In light of this incident, this article aims to provide a comprehensive understanding of key management in cloud encryption, underscoring the need for robust strategies to mitigate such cybersecurity threats.

In the realm of cloud services, securing sensitive data remains a critical concern for businesses worldwide. At the heart of this security is encryption, which renders data unintelligible without the appropriate decryption key. Consequently, managing these keys appropriately is of paramount importance. In this piece, we’ll delve into the nuanced world of key management, investigate the varying options provided by cloud service providers, and examine performance considerations, particularly for transaction processing.

The Importance of Key Management in Cloud Encryption

Encryption serves as the bedrock of data security within the cloud, translating readable data into a coded form decipherable only with the correct decryption key. Thus, the proper management of these keys becomes critical in maintaining data security.

Poor key management can lead to unauthorized access to encrypted data or, on the flip side, permanent loss of access to data if keys are lost or corrupted. Therefore, key management is not just an optional add-on but an essential part of an organization’s overall data security strategy.

Key Management Options in the Cloud

When it comes to managing encryption keys in the cloud, providers typically four main strategies can be used, each with its unique benefits and considerations:

  1. Cloud Provider Managed Keys: The cloud provider generates and manages the keys, a simple approach that offers the least control over the keys. However, it’s the most cost-effective, as there are no additional charges for key management.
  2. Bring Your Own Key (BYOK)Customer-Managed Keys in Cloud Provider’s Hardware Security Module: Here, the client generate and manage their own own keys but store them in the cloud provider’s Hardware Security Module (HSM). This solution offers more control over the keys and guarantees secure storage and requires the use of the provider’s HSM services.
  3. Customer Supplied and Managed Keys (CYOK) – Customer Managed Keys not exposed in Cloud: In this scenario, the end-user generates their keys, which are never exposed to cloud providers, even if stored and used in the cloud. The end-user controls the full key lifecycle and can instantly revoke keys at any time. These keys can reside in a protected virtual node within the cloud or a hybrid environment in an on-premise data center.
  4. Hold Your Own Key (HYOK)Customer-Managed Keys in Customer’s HSM: the client generate, manage, and store the keys in their own HSM, offering the highest level of control. This option offers the highest level of control but also requires complete responsibility for the security and resilience of the HSM infrastructure. It can be the most costly due to the overhead of maintaining an HSM infrastructure.

Deep Dive into Performance Considerations

When considering HYOK , a significant factor to take into account is the potential impact on performance, particularly when handling numerous transactions. On-premise HSMs can introduce latency due to the need for encryption/decryption requests to travel to and from the HSM.

If the demand for encryption-related operations is high and frequent, the latency could introduce bottlenecks affecting the performance of transaction processing.

However, if an organization prioritizes control and security over cost and/or performance and has the resources to manage and secure the HSM infrastructure properly, this options can be the most appropriate.

Key Considerations

In selecting your key management strategy, consider the following:

  • Cost: Control level usually correlates with cost; HYOK offers maximum control but at higher costs.
  • Performance: Encryption and decryption operations can impact application performance. Depending on the option chosen, you may need to ensure adequate resources to guarantee performance.
  • Confidentiality: With cloud provider-managed keys, the provider potentially can access your keys. For utmost confidentiality, managing keys in your own HSM is advisable.
  • Jurisdiction: For regulations like GDPR, it’s crucial to know where your keys are stored and managed. Using your own HSM provides complete control and transparency over key location.
  • Operational Complexity: Managing your own keys introduces added operational complexity, requiring dedicated expertise in cryptographic key management.

Additionally some cloud providers might not be interested in helping the client keeping encrypted data in their systems

Conclusion

Choosing an appropriate key management strategy involves careful consideration of cost, performance, control, confidentiality, jurisdictional compliance, and operational complexity. Cloud Provider Managed Keys, BYOK, CYOK, and HYOK all offer different degrees of these factors.

The key is finding a balance that meets your organization’s specific needs and resources. With a clear understanding of the available options, you can make an informed decision that not only safeguards your data but also aligns with your operational capabilities and business objectives.

The Human Element in Cybersecurity

June 15, 2023 / / 0 Comments

Moving Beyond Technology

Human Element
Image by Bing Image Creator

The Human Element – Introduction:

When it comes to cybersecurity, most people tend to think it’s all about technology. But guess what? It’s time to break that misconception. In today’s world, cyber threats the weakest link in the security chain is the human element.

You see, we may have fancy technologies, but there’s no magic bullet (despite what many vendors promise). No matter how much we invest in technology, we can still fall prey to cybercriminals who know just how to exploit our human nature.

The Conti ransomware gang hit the nail on the head last year when they said, “we also need to focus on the human part of our attacks. Our targets invest millions of dollars in security technologies, but they often overlook the human element. We will continue to exploit this weakness to our advantage.”” It’s a wake-up call to understand that in the traditional triad of People, Processes, and Technology, People are (and have been in probably the last 10 years) the center stage in cybersecurity.

So, buckle up and keep reading as we dive into the role of the human factor in cyber attacks.

The Exploitation of Human Vulnerabilities:

Cybercriminals are crafty. They know that humans are easier to manipulate than sophisticated security technologies. They also look for a ROI on their investments, so they will use whatever is the cheaper approach to reach their goal. So, they use psychological tricks like phishing and social engineering to exploit our weaknesses and gain unauthorized access to sensitive information. They send convincing email scams, impersonate trusted entities, and even dig up personal details from social media to trick us into revealing confidential data or compromising system security.

Still think that cybersecurity is all about fancy technology?

You took a look at the latest latest ENISA Threat Landscape. You saw that the top threats include ransomware and malware—definitely techie stuff. But guess who unwittingly lets those threats in? Yep, it’s people.

Now let me tell you, the Ponemon Institute’s Cost of Data Breach report is an eye-opener. In their “Initial attack vectors” section, they highlight the prevalence and cost of human-related attack vectors. Stolen or compromised credentials accounted for 19% of breaches, costing an average of $4.50 million. Phishing, at 16% of breaches, topped the list as the costliest initial attack vector, with an average cost of $4.91 million. Business email compromise was another initial vector among cyber attackers.

If you look closely, you’ll notice that every issue, even seemingly technical ones like “Vulnerability in third-party software,” ultimately comes down to human error. After all, who coded the software with the vulnerability or who didn’t define or apply a patching process? That’s right, a human.

Moving Towards a People-Centric Approach:

So, what can we do about it? Well, it’s time for organizations to start adopting a people-centric approach to cybersecurity. My recipe consist in building a “Cyber Culture”! This means understand what are the Cyber behaviors we want to influence, providing comprehensive training programs to raise cybersecurity awareness among employees and promoting a culture of vigilance and responsible behavior. We gotta teach everyday users about common cyber threats, show them how to spot suspicious activities, and encourage good practices like creating strong passwords and keeping software up to date.

But it’s not just about training. Organizations need to share real-world examples of cyber attacks, so people can see the real risks out there. By making everyone feel responsible for cybersecurity, we turn our workforce into a first line of defense against cyber threats.

And here’s a secret: investing in the human factor is not only cheaper, but it’s also way more effective than splurging on fancy technology. I mean, sure, we still need the right tools, but without a strong Cyber Culture, we’re like a castle with a moat but no guards. It just doesn’t work! I will write an article on this topic in the future.

So why isn’t a a People-Centric approach that widespread?

Many people still think that cybersecurity is all about technology. They believe it’s a technical issue that only (nerdy) IT folks (with glasses and a hoodie) can handle. The problem is that cybersecurity specialists often are really technical to start with so they neglect the crucial human elements.

And here’s another kicker: reporting lines within organizations often make things worse. Cybersecurity teams end up aligned with IT departments, who are mainly focused only on technical risks!

I know I’m digressing this is another topic: the need of having an effective, diverse and multidisciplinary Cyber team.

But the truth is, investing in Cyber Culture, in our people, is the key to success. It’s not only more cost-effective, but it’s also more impactful in preventing and mitigating cyber threats. So I think it’s time to break the cycle!

Conclusion:

it’s time we realized that cybersecurity is not just about technology. People play a crucial role, and cybercriminals know it. By adopting a people-centric approach, building a strong Cyber Culture, and empowering employees to be active defenders, organizations can level up their defense against cyber threats.

So, let’s remember that we’re not alone in this fight. It’s not just about fancy tech; it’s about us, the people. Together, we can create a safer digital world. Let’s do this!

OWASP vs. Cybersec.Café's LLM Top Security Risks

OWASP vs. Cybersec.Café’s LLM Top Security Risks

May 31, 2023 / / 0 Comments

A Follow-Up Comparative Analysis

LLM Top Security Risks
Created with Bing Image Creator

Following our previous exploration of Large Language Models’ (LLMs) security risks, I am now presenting a comparative analysis of the risks highlighted by Cybersec.Café and those identified by OWASP (Open Web Application Security Project). OWASP is a renowned authority in web application security and has recently published a preliminary list of LLM security risk.

LLM Top Security Risks Comparative Analysis

1. Jailbreaking

This corresponds to several risks in OWASP’s list: LLM03:2023 – Inadequate Sandboxing, LLM04:2023 – Unauthorized Code Execution, LLM05:2023 – SSRF Vulnerabilities, LLM08:2023 – Insufficient Access Controls, and LLM09:2023 – Improper Error Handling.

In my perspective, Jailbreaking refers to the process of gaining unauthorized access to and control over an LLM’s underlying systems or processes, while OWASP risks might pertain more to the system or application underpinning the LLM rather than the LLM itself. While jailbreaking could serve as an entry point for exploiting these OWASP risks, the mitigation strategies may not be fully effective in all cases.

By articulating these risks separately, OWASP’s approach might help define individual mitigation actions.

2. (Direct) Prompt injection, 3. Second-order injections

These risks directly align with OWASP’s LLM01:2023 – Prompt Injections, although OWASP’s category encompasses all forms of prompt injections.

4. Data Poisoning

This directly aligns with OWASP’s LLM10:2023 – Training Data Poisoning.

5. Misinformation

This risk somewhat corresponds to OWASP’s LLM06:2023 – Overreliance on LLM-generated Content, especially in scenarios where overreliance results in misinformation. However, OWASP’s category includes other potential issues, such as bias, making it more comprehensive.

6. Malicious content generation

This risk intersects with OWASP’s LLM07:2023 – Inadequate AI Alignment. The link might seem tenuous, but the principle remains that an LLM’s use case should not be creating malicious content.

7. Weaponization, 8. LLM-delivered attacks

These risks overlap with OWASP’s LLM04:2023 – Unauthorized Code Execution and LLM07:2023 – Inadequate AI Alignment. These risks underscore the potential for LLMs to be exploited for malicious purposes, be it coding malware or delivering attacks.

9. Abuse of vertical LLM APIs

This risk relates to OWASP’s LLM07:2023 – Inadequate AI Alignment and LLM08:2023 – Insufficient Access Controls. Poor AI alignment could potentially lead to misuse of the LLM, and similarly, poor access control could result in unauthorized actions.

10. Privacy and Data Leakage

This risk directly corresponds to OWASP’s LLM02:2023 – Data Leakage.

Conclusion

In creating this top 10 and comparing it with OWASP’s list, I observed that the key differences lie in the granularity and standardization of terminology.

The field of LLM security is still relatively nascent, and there is a noticeable need for standardization of terms. This comparison has shed light on this fact.

I hope that OWASP’s risk list will bring the critical security considerations for LLMs into sharper focus, laying a solid foundation for further discussions and the development of security measures in this rapidly evolving technology sphere.

© 2024 CyberSec.Cafe