New Zealand | Cyber Security Month: Unmasking the Threat: AI-Powered Social Engineering in Cybersecurity

Ben Shorehill - 09.10.2023

Cyber Security Month: Unmasking the Threat: AI-Powered Social Engineering in Cybersecurity


Welcome to Episode 2 of our Cybersecurity Awareness Month 2023 series. Today, Ben Shorehill will tackle the pressing issue of AI-powered social engineering. Stay tuned for insights to safeguard your digital world. 

TRANSCRIPT

Hey everybody, welcome to video two in my Cybersecurity Awareness Month 2023 video series. It wouldn’t be 2023 Cybersecurity Awareness Month video series if we didn’t talk a little bit about ChatGPT and generative AI.

Now, Cloud Security Alliance have published a paper entitled Security Implications of ChatGPT which covers the full gamut of security implications that they found. I’m just going to talk about the thing that’s concerning me the most, which is artificial intelligence and social engineering. Little bit about how social engineering works. Basically, the more targeted your social engineering attack, the more effective.

Now the problem that the attackers have always had, to perform a targeted attack it takes time and resources. You need to gather intelligence about your target and then you need to perform the attack. With AI it can do this really quickly. So, it can take information, open-source information about a target from social media and so forth and it can do it really quickly and at scale.

So, the implication of that for security professionals is that there are soon to be lots of credible looking phishing attacks in inboxes that are going to be difficult for filters to pick up. So that’s quite a concern for me.

The good news is that whether the phishing attempt is generated by AI or generated by a human, there are telltale signs, and as a user what you can do when you open your inbox, you open your messages, is ask yourself four pertinent questions to try and work out if it is legit or if you need to ask further questions.

Those four questions are:

  1. Is it unexpected?
  2. Is this a new thing? Is this a new request, something that you would not expect from this person or organisation?
  3. Is the request urgent, or does it have some sort of penalty associated with an action? 
  4. Can performing their request harm your interests?  

If you answered yes to all of the above or most of the above, the suggestion is to confirm the action out of band. So, you can do that either via phone or in person with that person. Either way you confirm it out of that message, you don’t just click on the links in that message.

It’s important that when you’re in your inbox or messages that you stay on alert. The way that we do that at Insentra as an organisation is we run security awareness and we run phishing training, and we do that through an organisation called KnowBe4. We believe they are the best in the business and so did Gartner and Forrester. We couldn’t recommend KnowBe4 more highly. There are also free resources out there for your personal use. So, one example, I’ll put some links below as well. There is a resource called Be Connected which is by the Australian government’s eSafety Commissioner and they have training resources to help you detect scams.
