
Technology

The importance of governance and least privilege for secure AI integration in business

TechRadar News - Thu, 11/28/2024 - 03:52

Artificial intelligence has rapidly become a cornerstone of modern business, driving innovation and efficiency across industries. Yet, as companies increasingly rely on AI tools to handle sensitive tasks, they are also opening themselves up to new security vulnerabilities.

Businesses integrating AI into their operations means AI entities are becoming more autonomous and gaining access to more sensitive data and systems. As a result, CISOs are facing new cybersecurity challenges. Traditional security practices, designed for human users and conventional machines, fall short when applied to AI. So, it’s vital for companies to address emerging vulnerabilities if they are to prevent security issues from unchecked AI integration and secure their most valuable data assets.

AI: more than just machines

Every single type of identity has a different role and capability. Humans usually know how to best protect their passwords. For example, it seems quite obvious to every individual that they should avoid reusing the same password multiple times or choosing one that’s very easy to guess. Machines, including servers and computers, often hold or manage passwords, but they are vulnerable to breaches and don’t have the capability to prevent unauthorized access.

AI entities, including chatbots, are difficult to classify with regard to cybersecurity. These nonhuman identities manage critical enterprise passwords yet differ significantly from traditional machine identities like software, devices, virtual machines, APIs, and bots. So, AI is neither a human identity nor a machine identity; it sits in a unique position. It combines human-guided learning with machine autonomy and needs access to other systems to work. However, it lacks the judgment to set limits and prevent sharing confidential information.

Rising investments, lagging security

Businesses are investing heavily in AI, with 432,000 UK organizations – accounting for 16% – reporting they have embraced at least one AI technology. AI adoption is no longer a trend; it’s a necessity, so spending on emerging technologies is only expected to keep rising in the coming years. The UK AI market is currently worth over £16.8 billion, and is anticipated to grow to £801.6 billion by 2035.

However, the rapid investment in AI often outpaces identity management security measures. Companies don’t always understand the risks posed by AI. As such, following best practices for security or investing enough time in securing AI systems is not always top of the priority list, leaving these systems vulnerable to potential cyberattacks. What’s more, traditional security practices such as access controls and least privilege rules are not easily applicable to AI systems. Another issue is that, with everything they already have going on, security practitioners are struggling to find enough time to secure AI workloads.

CyberArk’s 2024 Identity Security Threat Landscape Report reveals that while 68% of UK organizations report that up to half of their machine identities access sensitive data, only 35% include these identities in their definition of privileged users and take the necessary identity security measures. This oversight is risky, as AI systems, loaded with up-to-date training data, become high-value targets for attackers. Compromises in AI could lead to the exposure of intellectual property, financial information, and other sensitive data.

The threat of cloud attacks on AI systems 

The security threats to AI systems aren’t unique, but their scope and scale could be. Constantly updated with new training data from within a company, LLMs quickly become prime targets for attackers once deployed. Since they must use real data and not test data for training, this up-to-date information can reveal valuable sensitive corporate secrets, financial data, and other confidential assets. AI systems inherently trust the data they receive, making them particularly susceptible to being deceived into divulging protected information.

In particular, cloud attacks on AI systems enable lateral movement and jailbreaking, allowing attackers to exploit a system’s vulnerabilities and trick it into disseminating misinformation to the public. Identity and account compromises in the cloud are common, with many high-profile breaches resulting from stolen credentials and causing significant damage to major brands across the tech, banking and consumer sectors.

AI can also be used to perform more complex cyberattacks. For example, it enables malicious actors to analyze every single permission that’s linked to a particular role within a company and assess whether they can use this permission to easily access and move through the organization.

So, what’s the sensible next step? Companies are still at the beginning of the integration of AI and LLMs, so establishing robust identity security practices will take time. However, CISOs can’t afford to sit back and wait; they must proactively develop strategies to protect AI identities before a cyberattack happens, or a new regulation comes into place and forces them to do so.

The key steps for strengthening AI security

While there is no silver bullet security solution for AI, businesses can put certain measures in place to mitigate the risks. More specifically, there are some key actions that CISOs can take to enhance their AI identity security posture as the industry continues to evolve.

Identifying overlaps: CISOs should make it a priority to identify areas where existing identity security measures can be applied to AI. For example, leveraging existing controls such as access management and least privilege principles where possible can help improve security.

Safeguarding the environment: It’s crucial that CISOs understand the environment where AI operates to protect it as efficiently as possible. While purchasing an AI security platform isn’t a necessity, securing the environment where the AI activity is happening is vital.

Building an AI security culture: It’s hard to encourage all employees to adopt best identity security practices without a strong AI security mindset. Involving security experts in AI projects means they can share their knowledge and expertise with all employees and ensure everyone is well aware of the risks of using AI. It’s also important to consider how data is processed and how the LLM is being trained to encourage employees to think of what using emerging technologies entails and be even more careful.

The use of AI in business presents both great opportunities and unprecedented security challenges. As we navigate this new landscape, it becomes clear that traditional security measures are insufficient for the unique risks posed by AI systems. The role of CISOs is no longer simply about managing conventional cybersecurity threats; it now involves recognising the distinct nature of AI identities and securing them accordingly. So, businesses must make sure they invest time and resources in finding the right balance between innovation and security to keep up with the latest trends while protecting their most valuable assets.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Categories: Technology

Ditch Your Screens to End the Global Friendship Recession

WIRED Top Stories - Thu, 11/28/2024 - 03:00
There’s an epidemic of loneliness, driven by all of our online-focused lives—but people are discovering that disconnecting is the key to real connection.
Categories: Technology

The threats of USB-based attacks for critical infrastructure

TechRadar News - Thu, 11/28/2024 - 01:42

At a time when the risks of AI-powered and advanced email-borne cybersecurity threats dominate the news agenda, it might be easy to overlook the dangers of some of the age-old attack vectors that continue to be exploited by cybercriminals.

For industries that rely on removable media – such as USB drives – there is a continued need for vigilance as these devices have the potential to trigger damaging and highly costly cyberattacks.

The resurgence of USB-based attacks

USB devices are commonly used in a number of core Critical National Infrastructure (CNI) sectors such as manufacturing, utilities and healthcare. These sectors rely on USB drives to transfer data in environments with limited or no internet access, such as air-gapped systems that isolate critical assets and data from external networks for security purposes.

In operational technology (OT) environments USB drives are often the only practical way to transfer data between systems that are deliberately kept offline, making them a common tool for software updates or data migration.

This widespread use makes USB drives a prime target for cyberattacks. One prominent example is the Sogu malware, deployed by the hacker group UNC53, which used infected USB drives to infiltrate multiple organizations last year. This campaign targeted industries in countries like Egypt and Zimbabwe, where USB drives are integral in day-to-day business operations.

Recent USB-based attack techniques have grown in sophistication, often bypassing advanced security layers by exploiting the inherent trust between the USB device and the host.

Longstanding techniques like “Rubber Ducky” keystroke attacks, which silently copy user activity and send information back to the attacker’s host system, are being deployed in new ways. For example, some human interface devices (HIDs) like mice and keyboards can have their firmware modified to inject keystrokes that install covert malware.

These devices are a favorite of penetration testers and social engineers alike, who look to entice unwary employees or visiting partners to pick up and insert a compromised USB device.

Why securing removable media presents a unique challenge

Managing removable media presents several challenges, particularly in OT-heavy environments.

USB-based attacks bypass traditional network security, allowing attackers to exfiltrate sensitive data or gain long-term access to systems. These attacks are especially dangerous in isolated systems, where the lack of network connectivity can delay detection and prolong attackers' dwell time.

This makes them a perfect vector for malware infections, data breaches, and unauthorized access. Infected USB drives can easily introduce malicious software into systems that aren’t regularly monitored, leading to potential data loss or operational disruptions. Without strict device and data controls, USB drives can introduce malware or allow unauthorized access to sensitive systems.

One of the key challenges that organizations have in addressing these security risks is that they often lack visibility into which people and devices connect to their systems, or how data is transferred, making policy enforcement more challenging.

It’s not only the security risks of malware that present a problem; the theft or loss of unencrypted data on removable media poses a significant risk, particularly in highly secure environments.

How to keep malicious data from USB drives out of the system

Mitigating these risks requires a multi-layered approach to security that combines both technical and policy-based solutions. Real-time monitoring of devices is essential; any USB connected to a system should be scanned for malware and suspicious activity, enabling threats to be detected before they compromise the network.

Data sanitization plays a key role in this process. By cleaning files transferred via USB, organizations can remove any hidden malware or malicious content, ensuring that only safe data enters their network.

For organizations in the CNI sector, a more robust solution might include air-gapped systems combined with a cybersecurity kiosk that scans and sanitizes all incoming and outgoing media. All files are cleaned of malicious content using Content Disarm and Reconstruction (CDR) techniques and placed in secure, isolated data vaults. Only sanitized and validated data from these vaults is allowed into the operational technology networks. These systems ensure that any device entering a secure environment is first cleared of potential threats, adding an extra layer of protection.

Controller access and policies are key

In addition to these technical controls, policy measures governing the use of removable media are a vital component of a strong defense.

Organisations should implement strict controls over which USB devices can access critical systems and regulate the types of files that can be transferred onto any removable media. By limiting access to authorised personnel and approved data, companies can minimise the risk of devices compromising their network. Policies and procedures should mandate that any USB drive be scanned and its contents sanitised before its data is allowed into the organisation. This can be achieved at scale using a dedicated scanning kiosk application.

Employee and supply chain partner education is also crucial. The root cause of USB-based attacks can often be traced back to human error - such as using unsecured or unauthorized devices - and comprehensive training can help mitigate these risks. Users should be taught about encryption, the dangers of using unknown USB devices, and best practices for safely ejecting devices to prevent data corruption or malware. In high-risk sectors, regular audits of how USB drives are being used and how security protocols are being followed can further strengthen an organization's defenses.

Keeping USB drives on the cybersecurity agenda

USB devices remain a significant security threat, especially in sectors where they are essential for data transfer. Even organizations that don’t routinely use removable media in their workflows should be aware of the threat they pose.

A comprehensive approach that combines real-time monitoring, device control, and data sanitization, along with strict access policies and user education, will cover all the bases and minimize the chances of falling victim to USB-borne threats.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Categories: Technology

Helix Dusk Luxe Mattress Review 2024: A Comfortable Pillow-Top Bed

CNET News - Thu, 11/28/2024 - 01:01
Sleep experts at CNET have pushed the Helix Dusk Luxe to its limits. Read this review to see if it’s the right fit for you.
Categories: Technology

Peacock Promo Codes: Get 75% Off Subscriptions

WIRED Top Stories - Thu, 11/28/2024 - 01:00
For a limited time, save 75% on a Peacock Premium subscription when you enter our promo code at checkout.
Categories: Technology

Best Internet Providers in Waterbury, Connecticut

CNET News - Thu, 11/28/2024 - 00:56
From fiber to cable, Waterbury residents have a robust selection of internet services. Here are our top recommendations.
Categories: Technology

Today's NYT Mini Crossword Answers for Thursday, Nov. 28

CNET News - Wed, 11/27/2024 - 22:22
Here are the answers for The New York Times Mini Crossword for Nov. 28.
Categories: Technology

Today's NYT Strands Hints, Answers and Help for Nov. 28, #270

CNET News - Wed, 11/27/2024 - 22:00
Here are some hints — and the answers — for the Nov. 28 Strands puzzle, No. 270.
Categories: Technology

Today's NYT Connections Hints, Answers and Help for Nov. 28, #536

CNET News - Wed, 11/27/2024 - 22:00
Here are some hints — and the answers — for Connections No. 536 for Thanksgiving, Nov. 28.
Categories: Technology

Today's Wordle Hints, Answer and Help for Nov. 28, #1258

CNET News - Wed, 11/27/2024 - 22:00
Here are some hints and the answer for Wordle No. 1,258 for Thanksgiving, Nov. 28.
Categories: Technology

Today's NYT Connections: Sports Edition Hints and Answers for Nov. 28, #66

CNET News - Wed, 11/27/2024 - 21:59
Here are some hints — and the answers — for Connections: Sports Edition No. 66 for Thursday, Nov. 28.
Categories: Technology

This 25,000-mAh Pocket-Size Power Bank Is 20% Off for Black Friday

CNET News - Wed, 11/27/2024 - 21:57
Save money with this Black Friday deal on the Denvix PowerX power bank, which can recharge five iPhones or a MacBook up to full, and it fits into (somewhat large) pockets.
Categories: Technology

Drink Up This 50% Black Friday Discount on LifeStraw Portable Water Filters

CNET News - Wed, 11/27/2024 - 21:35
Safely quench your thirst anywhere with this compact LifeStraw Water Filter for only $10.
Categories: Technology

Grab This 140-Watt Anker Power Bank at Its Lowest Price Yet

CNET News - Wed, 11/27/2024 - 18:45
This Black Friday deal drops Anker's 140-watt power bank to its lowest price yet.
Categories: Technology

The 5 Best Black Friday Deals on Running Gear, According to a Marathoner

CNET News - Wed, 11/27/2024 - 18:38
Running can get expensive. Here are some Cyber Week deals that will help you save some cash.
Categories: Technology

Black Friday coupon scams are on the rise: here's how to avoid dodgy discount codes this sale season

TechRadar News - Wed, 11/27/2024 - 18:29

We’re heading right into the Black Friday sales season, with major online retailer Amazon already kicking off seasonal deals, but with such a savings blitz on the horizon, be wary of malicious websites and services online that could mislead you and put your personal data in danger. We keep a vigilant eye on the current threat of scams every month, but we’re lending a spotlight to coupon scams that could promise a good deal and result in nothing of the sort.

Before we get too into the weeds, you can trust TechRadar when it comes to the best coupons on tech products. We’re always updating our articles on HP discount codes, Dyson coupons, Samsung promo codes and more, with our discount codes sourced from brands and retailers directly. We don’t deal in dodgy discounts, and if it’s listed on one of our coupon pages, it’s a tested and verified coupon (though obviously keep in mind that such codes expire and will not last forever).

However, there are plenty of sources for coupons out there that can pose a risk to you. The physical act of entering a dud code into a box at the checkout likely won’t result in any backlash, but the act of obtaining said coupon is another story.

We’re drilling our advice on staying coupon scam safe down into three easy-to-understand points. Read on to learn the best practices when it comes to fake discount code scams online.

1. Trust only legitimate websites, emails and social media posts

Call me biased, but TechRadar is a very good website, and as already mentioned, you can trust the coupon codes and deals that we mention in our articles. When it comes to lesser known websites that may offer ‘too good to be true’ deals, display a frenzy of ads or demand sign-ups or payments before displaying codes, things get murky.

A quick tell of a website’s legitimacy is its URL. If a fake coupon website were attempting to impersonate TechRadar, for example, the URL may be spelled differently or have a different address to .com (such as .xyz, .gg, or .tv). However, some scam websites won’t go down the impersonation route and will instead skip fake legitimacy entirely. This makes things difficult, so a good rule of thumb is that if you don’t know it, don’t click it.

If the website in question has received positive reviews or has been linked to by other trustworthy websites, then that’s a different story altogether and you could lend the website some trust based on these points, but it’d be a mistake to trust a website entirely, only to have your email inbox filled with spam after entering your personal information, or your money drawn out of your account for making a payment to sign up.

This tip goes for emails and social media posts too. Say for example Dell is running a Black Friday sale and you’re a regular customer; you’d probably see emails in your inbox from Dell advertising the sale, along with posts on social media to the same effect. A bad actor might impersonate Dell’s email addresses or social media accounts to advertise fake discount codes. Check the validity of these things against what Dell has on its websites and official ‘verified’ social media accounts.

2. Don’t sign up for discount codes, and especially don’t give up your credit card information

This is an easy tip to recommend because it’ll stop cybercriminals in their tracks; do not give up your credit card information, and unless the website is one that’s trusted, don’t even create an account with them.

When it comes to coupon codes, a dodgy website might have it set up so that discounts are partially visible but will only be fully revealed once you create an account and hand over credit card information. Don’t do this. There’s no reason why a coupon code aggregator would need your card information, and unless you trust the website, do not sign up for an account; otherwise you could curse your email inbox and phone number to be constant spam targets.

3. Coupon extensions are great, but know the risks

A popular shopping tool that has really started to gain traction in the past five years is discount coupon browser extensions, such as Honey and Cently. Such browser extensions can be very useful, but because of their deep embedded nature into your browser of choice, such as Google Chrome or Mozilla Firefox, they can pose a risk to your personal and financial security.

ExpressVPN, the creators of TechRadar’s recommended best VPN for beginners, has done an excellent job assessing the legitimacy of discount coupon browser extensions. Here’s a quick explainer on ExpressVPN’s assessment for a handful of browser extensions:

  • Honey: Data on purchases is collected and shared with parent company PayPal. It’s overall a safe extension to use, but you might want to skip it if you’re concerned about data harvesting.
  • Cently: Data on purchases and shopping habits is shared with partners mostly for marketing purposes. It’s still a relatively safe extension to use, but your data isn’t private.
  • Coupert: Again, personal shopping behavior is tracked across the web and shared with partners. It’s still a safe extension to use, and it encrypts the data that it shares, but be aware that the data is being shared in the first place.

These are legitimate coupon extensions that could score you some genuine savings at the checkout, but before signing up to all of them at once, keep an eye out for the less-than-legitimate ones. Extensions listed on the Chrome Web Store, for example, may say they track coupons across the internet, but in reality they just flood your browser with spam. Only install legitimate extensions with a verifiably proven track record, and if you’re unsure, check extension reviews on their listing page.

Remember in this Black Friday period: if a deal appears too good to be true, then it probably is. Stay safe online and happy bargain shopping.

Categories: Technology

Save $50 on a TP-Link Outdoor Security Camera With This Black Friday Deal

CNET News - Wed, 11/27/2024 - 18:25
Score this Black Friday deal and save 42% on a smart home security camera that will help keep your home and packages safe.
Categories: Technology

Black Friday Just Slashed ZeroWater Filters by 25% if You Grab Them Now

CNET News - Wed, 11/27/2024 - 18:17
Stock up on ZeroWater filters this Black Friday before prices jump back up or you'll end up paying way more later.
Categories: Technology

Klipsch ProMedia Heritage 2.1 Desktop Speaker System Hits Its Lowest Black Friday Price Yet

CNET News - Wed, 11/27/2024 - 18:09
This follow-up to Klipsch's highly popular ProMedia computer speakers from 2004 just took a Black Friday price dive.
Categories: Technology

NYT Connections today — hints and answers for Thursday, November 28 (game #536)

TechRadar News - Wed, 11/27/2024 - 18:02

Good morning! Let's play Connections, the NYT's clever word game that challenges you to group answers in various categories. It can be tough, so read on if you need clues.

What should you do once you've finished? Why, play some more word games of course. I've also got daily Wordle hints and answers, Strands hints and answers and Quordle hints and answers articles if you need help for those too.

SPOILER WARNING: Information about NYT Connections today is below, so don't read on if you don't want to know the answers.

NYT Connections today (game #536) - today's words

Today's NYT Connections words are…

  • QUACK
  • GOBBLE
  • THANKS
  • GIVING
  • FAT
  • TACO
  • BOLT
  • PRAISE
  • SUPER
  • CREDIT
  • CON
  • DOWN
  • CHEAT
  • SCARF
  • FAKE
  • RECOGNITION

NYT Connections today (game #536) - hint #1 - group hints

What are some clues for today's NYT Connections groups?

  • Yellow: Well done!
  • Green: Not what they seem
  • Blue: Devour
  • Purple: Black [weekday]

Need more clues?

We're firmly in spoiler territory now, but read on if you want to know what the four theme answers are for today's NYT Connections puzzles…

NYT Connections today (game #536) - hint #2 - group answers

What are the answers for today's NYT Connections groups?

  • YELLOW: APPRECIATION
  • GREEN: FRAUDSTER
  • BLUE: EAT VORACIOUSLY
  • PURPLE: ___ TUESDAY

Right, the answers are below, so DO NOT SCROLL ANY FURTHER IF YOU DON'T WANT TO SEE THEM.

NYT Connections today (game #536) - the answers

The answers to today's Connections, game #536, are…

  • YELLOW: APPRECIATION (CREDIT, PRAISE, RECOGNITION, THANKS)
  • GREEN: FRAUDSTER (CHEAT, CON, FAKE, QUACK)
  • BLUE: EAT VORACIOUSLY (BOLT, DOWN, GOBBLE, SCARF)
  • PURPLE: ___ TUESDAY (FAT, GIVING, SUPER, TACO)
  • My rating: Easy
  • My score: Perfect

Happy Thanksgiving to those of you in the US! And er, happy Black Friday Eve to everyone else. Inevitably, the NYT threw in some misdirection on the grid today, placing QUACK, GOBBLE, THANKS and GIVING as the first four words on the top row.

But of course this was a red herring. QUACK went with CHEAT, CON and FAKE for the green group (FRAUDSTER), while GOBBLE was grouped with BOLT, DOWN and SCARF for the timely EAT VORACIOUSLY (blue).

Yellow, as is usually the case, was simpler still – APPRECIATION was simply a bunch of synonyms including the aforementioned THANKS, which meant I didn't need to solve the hardest purple group. This included GIVING, which formed a group of the blank kind with FAT, SUPER and TACO. The connection was apparently ___ TUESDAY, but given that SUPER TUESDAY was the only one of the four I've heard of, there was no way I was ever going to get that.

How did you do today? Send me an email and let me know.

Yesterday's NYT Connections answers (Wednesday, 27 November, game #535)

  • YELLOW: NOT WORKING RELIABLY (BUGGY, ERRATIC, GLITCHY, SPOTTY)
  • GREEN: CAR PARTS (BUMPER, GRILLE, MIRROR, RIM)
  • BLUE: WHAT A SITTER MIGHT SIT (BABY, HOUSE, PET, PLANT)
  • PURPLE: ___ BAND (BOY, RUBBER, TRIBUTE, WEDDING)

What is NYT Connections?

NYT Connections is one of several increasingly popular word games made by the New York Times. It challenges you to find groups of four items that share something in common, and each group has a different difficulty level: green is easy, yellow a little harder, blue often quite tough and purple usually very difficult.

On the plus side, you don't technically need to solve the final one, as you'll be able to answer that one by a process of elimination. What's more, you can make up to four mistakes, which gives you a little bit of breathing room.

It's a little more involved than something like Wordle, however, and there are plenty of opportunities for the game to trip you up with tricks. For instance, watch out for homophones and other word games that could disguise the answers.

It's playable for free via the NYT Games site on desktop or mobile.

Categories: Technology
