ChatGPT 1/3: Revolution in AI technology? - Asking a chat AI questions about cybersecurity

Episode I: Our series on AI and the language model ChatGPT

Artificial Intelligence (AI) is a fascinating and much discussed topic in today’s technology and information society. Whether in science, industry, or everyday life, the possibilities of AI are limitless, at least in theory. Over the past few years, there have been many articles and interviews with experts and insiders on the topic of AI, presenting different perspectives and gathering the opinions of experts.

In this three-part series, we want to take a look at AI from our perspective and throw our own security angle into the ring. To kick things off, we interviewed one of the most popular AI chat platforms out there to find out what it can do and what benefits we can expect from it in the future.

Currently, there is a lot of testing and research going on with ChatGPT, a language model developed by OpenAI (major backers of the organization are entrepreneur Elon Musk and Microsoft). ChatGPT is characterized by its ability to have human-like conversations or chats and answer questions on many different topics. The language model clearly represents a strong development in artificial intelligence. There are already several articles that explore the potential of ChatGPT and exhaust the possibilities that the tool has to offer. These include studies on its performance compared to other language models, or on its application in different industries and domains.

 

We hope our readers will find this series interesting and informative, and that it will help deepen their understanding of AI. So let’s get started.

Our security interview with ChatGPT

Q: Hello, we are Teal Technology Consulting GmbH and today we would like to conduct an interview with you on the topic of IT security!  

A: Hello Teal Technology Consulting GmbH! I look forward to assisting you with your IT Security interview. Please ask me your questions and I will do my best to provide you with helpful and insightful answers.

Q: The topic of ransomware is on everyone’s lips right now. How can I protect myself as a company against ransomware?  

A: One way to protect against ransomware is to take steps to prevent malware from entering your network. This may include:

      1. Using firewalls and anti-virus software: these tools can identify and block suspicious activity, reducing the risk of ransomware attacks.
      2. Educating employees: make your employees aware of the dangers of ransomware and teach them how to protect themselves, such as avoiding suspicious links or attachments in emails.
      3. Back up data regularly: ensure that backups of important data are made regularly so that in the event of a ransomware attack, the data can be restored without having to make payments.
      4. Updating software: Ensure that all software programs in use are up to date, as attackers often exploit vulnerabilities in outdated software.
      5. Use of Virtual Private Networks (VPNs): VPNs can help encrypt traffic to increase security.

There are many more steps companies can take to protect themselves from ransomware. It is advisable to consult an IT security expert to develop and implement a comprehensive security strategy.

Q: We believe that Active Directory Security and Hardening are important building blocks and are missing from this list. Where do you stand on this?  

A: You are absolutely right that Active Directory Security and Hardening are important aspects of IT security. Active Directory is a directory service from Microsoft that is used in many organizations to manage users, devices and resources on the network. Configuring Active Directory securely can help minimize the risk of security threats. Hardening refers to the process of configuring and securing a system so that it is protected against potential attacks. This can be accomplished by disabling unnecessary services and features, setting strong passwords, and updating security patches.

I recommend that you ensure that Active Directory is securely configured and regularly patched, and that the system is protected through hardening measures. An IT security professional can help you develop and implement a comprehensive security strategy based on your specific needs.

Q: What security benchmarks would you base hardening on?  

A: There are many different security benchmarks that can be considered when hardening. Some examples are:

      1. CIS Security Benchmarks: The Center for Internet Security (CIS) provides a set of security guidelines and recommendations for various operating systems and applications. These can be helpful in configuring and securing systems.
      2. NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) has developed the Cybersecurity Framework to help organizations develop and implement their cybersecurity strategy.
      3. PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for businesses that accept credit cards. It specifies how credit card data must be protected.
      4. ISO 27001: ISO 27001 is an international standard for information security that establishes policies and procedures for securing information.

It is recommended to consider several of these benchmarks and ensure that the system is configured accordingly. It is also important to perform regular checks to ensure that the system remains secure. An IT security expert can help you select and implement the security benchmarks that are right for your business.

Q: And the BSI? 

A: The Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security) is Germany’s national cybersecurity authority. It provides support and advice to companies and organizations on improving their cybersecurity measures.

The BSI has also published various security standards and guidelines that can help companies improve their IT security. These include, for example:

    • BSI Standard 100-2 “IT-Grundschutz.”
    • BSI Standard 200-1 “IT Security Act”
    • BSI Standard 200-2 “IT Security Catalog”

I recommend that you familiarize yourself with the BSI security standards and guidelines and incorporate them into your security strategy. An IT security expert can help you select and implement the standards and guidelines that are right for your company.

Q: We think that Active Directory is the core identity management solution. What do you suggest in terms of securing it?  

A: Secure Active Directory configuration is important to minimize the risk of security threats. Here are some recommendations on how to secure Active Directory:

      1. Use strong passwords: Ensure that all users use strong passwords that are changed regularly.
      2. Using MFA: Enable multi-factor authentication (MFA) to increase the security of user accounts.
      3. Use of user roles: Use user roles to ensure that users have access only to the resources they need to do their jobs.
      4. Disabling unnecessary services: Disable unnecessary services to prevent attacks on those services.
      5. Use security groups: Use security groups to assign specific permissions to users and restrict access to resources.
      6. Updating security patches: Ensure that all Active Directory security patches are installed to address vulnerabilities.

There are many more steps that can be taken to secure Active Directory. It is recommended to consult an IT security expert to develop and implement a comprehensive security strategy.

Excursus: Here you will find links to blog articles in which we go into more detail on topics addressed in this interview:

    • Use of user roles: LINK
    • Secure passwords: LINK
    • Use of security groups: LINK
    • Updating security patches: LINK


Q: You keep recommending that people consult an IT security expert. What distinguishes a good IT security expert compared to you? 

A: An IT security expert is a person who specializes in IT security and has extensive knowledge in this field. A good IT security expert is characterized by the following qualities:

      1. Broad knowledge: A good IT security expert has extensive knowledge in various areas of IT security, e.g., network, operating system, and application security.
      2. Ability to analyze: A good IT security expert is able to analyze complex security problems and develop solutions.
      3. Ability to communicate: A good IT security expert is able to explain complex issues in an understandable way and to identify and address the security needs of an organization.
      4. Hands-on experience: A good IT security expert has practical experience in using various security tools and technologies.

I am a computer program and have no hands-on experience in IT security. However, I am able to provide you with basic information on various security topics and help you answer questions. An IT security expert, on the other hand, can help you develop and implement comprehensive security strategies for your company and solve specific problems related to IT security.

Q: As a consulting company, we have a constant need for IT security experts. Do you have any suggestions on how to recruit qualified experts?  

A: There are a few ways you can attract qualified IT security professionals:

      1. Job advertisements: Post job ads in trade journals or on job portals and specify candidate requirements.
      2. Contact professional associations: Contact professional associations such as the Gesellschaft für Informatik (GI) or the Verband der Informationssicherheit (VDI) and ask if they can help you find qualified candidates.
      3. Headhunting: Engage a headhunting agency that specializes in finding qualified candidates.
      4. Employee retention: Encourage continuing education and career development for your employees and offer them attractive incentives to retain them.

It is also advisable to build and maintain the company’s image as an attractive employer. In this way, you can attract qualified candidates and increase your employee retention.

Q: What do you think makes an attractive employer?  

A: An attractive employer is characterized by a variety of factors that can be important to employees. Here are some examples:

      1. Good pay and benefits: An attractive employer offers its employees good pay and additional benefits such as health insurance or company pension plans.
      2. Training opportunities: An attractive employer encourages further training and career development for its employees and offers them the opportunity to expand their skills and knowledge.
      3. Good working conditions: An attractive employer provides pleasant working conditions, for example through ergonomic equipment of the workplaces…

Q: please go on… 😄

A: Sorry, I interrupted myself. Here are other factors that can distinguish an attractive employer:

      1. Good working atmosphere: An attractive employer cultivates a good working atmosphere and promotes cooperation and exchange between employees.
      2. Flexible working hours: An attractive employer offers its employees flexible working hours and allows them to work on the move, for example.
      3. Work-life balance: An attractive employer pays attention to the work-life balance of its employees and promotes a balanced distribution of work and free time.
      4. Corporate culture: An attractive employer has a positive corporate culture that gives employees a sense of belonging and appreciation.

It is important that a company takes into account the needs and expectations of its employees and offers them an attractive working environment. In this way, it can help employees feel good and remain loyal to the company in the longer term.

Q: Can you go into more detail on the “corporate culture” point?

A: Corporate culture refers to the values, norms and behaviors that prevail in a company. It shapes the way employees interact with each other in the company and how decisions are made. A positive corporate culture can help employees feel comfortable and stay with the company for the longer term.

An attractive employer has a corporate culture that gives employees a sense of belonging and appreciation. This includes, for example:

      1. Open communication: An attractive employer promotes open communication and allows employees to voice their ideas and concerns.
      2. Appreciation: An attractive employer shows its employees appreciation and recognition for their achievements.
      3. Work-life balance: An attractive employer pays attention to the work-life balance of its employees and promotes a balanced distribution of work and free time.
      4. Employee involvement: An attractive employer involves employees in decision-making processes and makes them feel that their opinions matter.
      5. Diversity and inclusion: An attractive employer promotes diversity and inclusion and creates an inclusive work environment in which all employees feel welcome and accepted.

Q: Exactly these points mentioned above are very important to us as a company, which is why we have anchored them in our company values. In addition, we are guided by the Holacracy model of Brian Robertson or Frederic Laloux. What do you think of this?  

A: The Holacracy model is a management model that focuses on decentralizing power and responsibility in an organization. It assumes that employees are better motivated and more productive when they have more responsibility and autonomy. The Holacracy model involves dividing the company into so-called “Circles” that are responsible for specific areas of responsibility. Each Circle has its own structures and processes and makes decisions independently.

Some companies have successfully applied the Holacracy model and report improved employee motivation and productivity. However, the Holacracy model is also controversial and there is criticism that it can take too much time and resources to implement and operate.

It is important that the management model a company chooses fits its size, structure and goals.

Before choosing a particular model, you should carefully consider whether it is suitable for your company and whether it matches your company values. It is also advisable to test the model on a smaller scale first and observe the results before you roll it out across the entire company.

It is important that the management model a company chooses fits its size, structure and goals. If the Holacracy model is right for your company and fits your company values, it can be a good choice.

Q: We think that we agree on many points. Thank you for your assessment and your answers. 

A: I am glad that I was able to help you. I hope that my answers were helpful to you. If you have any further questions, please do not hesitate to contact me. I am at your disposal with pleasure.

Conclusion and personal opinion

Overall, ChatGPT is proving to be high-performing, with extremely fast response times. It is clear that it can be an important game changer in the world of artificial intelligence. The numerous tests and investigations (example) currently being conducted with this language model are helping to better understand the potential of ChatGPT and expand its possible applications.

So what do our security consultants have to say about the answers to our questions?

From our subjective point of view, the tool can also provide a first orientation for security questions. ChatGPT is basically able to show you the first steps and where to start your research. However, it certainly does not replace us as consultants and our consulting experts who have been trained for years.

We find that repetition is rampant and the answers are very general…along the lines of “Captain Obvious”: “Patch systems and install firewalls!” In our opinion, these are basic principles, but they do not prevent sophisticated attacks on enterprise systems. The deeper methodologies and strategies are missing and are not possible in a chat format to the extent we offer.

However, we can also see that the AI itself is well able to assess where its knowledge and support ends, for example in terms of analysis and prior knowledge. This is where the bridge to us as external security experts is built, and where the practical experience and background information that the AI lacks is pointed out.

Nevertheless, the AI serves well as a basis for content for which the user has thought in advance about the direction he wants to go and the answers he expects or hopes for. The wording is also very well chosen in most cases, and it provides a good basis for exploring one’s own topic further and in greater depth – always assuming that one knows what one wants to convey and is familiar with the chosen topic.

How the series continues

These advances in artificial intelligence present both opportunities and risks. On the one hand, they offer the potential to automate processes and tasks, which can save time and resources. On the other hand, there are concerns about security and privacy, especially when it comes to using artificial intelligence in sensitive areas such as medicine or finance. In our next article in March, we will take a closer look at this topic, explain the opportunities and risks of OpenAI & ChatGPT in more detail, and add our own opinion. Stay tuned and feel free to give us feedback 😎.

 
