A general idea
IT Brew // Morning Brew // Update
Concepts of an LLM.

Tuesday, Tuesday! They say retail media might be recession proof—and that’s why we’re launching a line of IT Brew-branded bucket hats! (Just kidding.)

In today’s edition:

Count to ten

Hundred-hand hack

Homeland help

—Billy Hurley, Eoin Higgins, Brianna Monsanto, Patrick Lucas Austin

CYBERSECURITY

A photo of Scott Clinton, co-chair of the OWASP GenAI Security Project

Scott Clinton

A humble “Top 10” list enumerating the biggest GenAI security risks has now turned into a major project.

What began in May 2023 as the “OWASP Top 10 for LLM and Generative AI List”—a countdown of AI-related threats, like data poisoning and sensitive information leakage—has become a collection of strategy recommendations, supported by an org of over 600 contributing experts from more than 18 countries.

The newly named “OWASP GenAI Security Project” supplies guidance and checklists for IT pros deploying GenAI and the large language models that power the technology.

Recent announcements included tips on exploits, red-teaming, and deploying agents.

A Deloitte study of 2,773 global respondents in the C-suite or at director level between July and September 2024 found a declining but steady curiosity in generative tools among business leaders. Forty-six percent of board members and 59% of C-suite pros reported high or very high interest in GenAI in Q4, down from 62% and 74% in Q1.

“We began to expand very rapidly, to go beyond just the Top 10 list, and to start to create working groups and initiatives that addressed a broad set of issues around AI security,” Scott Clinton, co-chair of the project, told IT Brew.

Clinton spoke with us about top threats and how quickly the group must react to address them.

Read the rest here. BH


CYBERSECURITY

The Capitol and House office buildings.

Halbergman/Getty Images

When it comes to security, you can take it to the bank—just don’t talk about it too much via email.

That’s a lesson that federal regulators from the Office of the Comptroller of the Currency (OCC) learned the hard way. A little over 100 bank regulators had their email accounts hacked and accessed for a year, the OCC told Congress on Apr. 8.

The attack lasted a year, during which hackers had access to over 150,000 emails. In a letter viewed by Bloomberg, OCC Chief Information Officer Kristen Baldwin wrote that it involved “unauthorized access to a limited number of its executives’ and employees’ emails that contain highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

Once you’re in. Erich Kron, security awareness advocate at KnowBe4, told IT Brew that while it wasn’t clear how threat actors got into the system, once they infiltrated the accounts they were potentially able to go through a number of records.

“I don’t know exactly what they did in this case to take over those accounts, but I will say, it’s quite scary that they were there for the length of time,” Kron said.

Read more here. EH

CYBERSECURITY

The US Capitol building with lines of code superimposed over it.

Douglas Rissing/Getty Images

A bill that intends to decrease cyber threats against the country’s critical infrastructure is getting a second chance.

On April 8, House Homeland Security Committee Republicans announced that Rep. Andy Ogles and chair Mark E. Green reintroduced the Strengthening Cyber Resilience Against State-Sponsored Threats Act. If passed, the bill will establish a joint task force, led by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, which will provide Congress with briefings each year for five years. The briefings will include analysis of current tactics used by state-sponsored threat actors and resources that can potentially combat these threats.

The bill, originally introduced by Congresswoman Laurel Lee and co-sponsored by Green and Select Committee on the Chinese Communist Party chair John Moolenaar in September 2024, was unanimously passed by the House of Representatives in December 2024, shortly before the new Congress convened in January. Lee and Moolenaar have joined Ogles and Green as co-sponsors on the reintroduced bill.

Typhoon wave. The bill comes after a year of big headlines involving state-sponsored hacking groups from China. In September 2024, Salt Typhoon executed what has been described as the “worst telecom hack” in the country’s history. The threat group was able to infiltrate nine telecommunications providers, including Verizon and AT&T, and allegedly targeted the data of phones used by President Trump and Vice President JD Vance.

Keep reading here. BM


PATCH NOTES

Picture of data with "Clean Me" written on it + bottle of cleaner in front of it, Patch Notes

Francis Scialabba

Today’s top IT reads.

Stat: 55%. That’s how GPT 4.1 scored using coding benchmark SWE-Bench, higher than other OpenAI models. (Wired)

Quote: “The reason we are here is that Meta broke the deal.”—FTC lead litigator Daniel Matheson, in a hearing Monday where the agency claimed the company has created a monopoly (the New York Times)

Read: Nvidia is working with Foxconn to establish a supercomputer factory in Houston, Texas. (the Wall Street Journal)


Copyright © 2025 Morning Brew Inc. All rights reserved.