CVSS 4.0 || ChatGPT credentials for sale
CyberInsights #99 - Improve the quality of your vulnerability scoring || The traditional vulnerability in an AI ecosystem
This post is delayed by a day. Those of you who are waiting with bated breath for the weekly CyberInsights mail (ok, maybe this is a bit of an exaggeration…) will be pleased to know that we are merely delayed, not skipped. The reason for the delay is an impromptu plan to dash off to a beach destination this week. With the sun, sand, surf and beer, a day here and there does not seem to matter too much. :)
Meanwhile, much has happened in the world of cybersecurity, as it usually does.
CVSS version 4.0 - draft for comments
A trusted scoring system is about to get better. You should contribute.
If you’ve been in Infosec long enough, you have had to get into a rather convoluted discussion with ‘asset owners’ about why the vulnerability that your red team has identified is a ‘High’ risk vulnerability.
And you’ve probably used CVSS version 3 to good effect in the discussion.
The next version of CVSS, version 4.0, is now out for public comment.
We’ve used CVSS extensively to rate the severity of a vulnerability in the context of an organisation. However, some Infosec teams have also used it as a way to compute risk, which is not the purpose of CVSS. Also, with the growth of IoT and OT systems, CVSS was a little behind the times: it considered only traditional IT systems.
CVSS 4.0 is trying to address all this.
Take Action:
Download the PDF of this presentation. It explains the changes and the reasons behind them. The next time you do a VA, take the time to score each finding with both CVSS 3.1 and CVSS 4.0. Compare the results and provide your feedback.
100,000 stolen ChatGPT credentials for sale on the dark web
The risks of using AI systems; there are new risks and then there are the traditional ones
When ChatGPT credentials are stolen, the risk is more than privacy loss. It could be company secrets.
ChatGPT, by default, stores user prompts as well as the responses it gives. What happens when stolen credentials are sold? The buyers would hope to find company secrets and intellectual property in that history.
100,000 ChatGPT credentials were being sold on the dark web. Only time will tell what kind of data gets compromised.
Take Action:
If you haven’t done it yet, define a ChatGPT usage policy for your organisation. Some organisations have banned the use of ChatGPT completely. Check with your business teams if you want to implement severe restrictions.
And run awareness campaigns on the risks of using ChatGPT or any public generative AI.