December 06, 2023

00:40:21

Episode 231 Deep Dive: Ashwin Ram | Overcoming Evolving Threats: Expert Advice for Executive Cyber Awareness

KBKAST

Show Notes

In this episode, we are joined by Ashwin Ram (Office of the Chief Technology Officer – Check Point) as he dives deep into the need for clear communication of cyber risks, addresses the challenges faced by security practitioners, and highlights the importance of credibility in cybersecurity strategies. From leveraging diverse threat intelligence sources to staying updated on emerging threats and attack strategies, this episode provides valuable guidance for executives and board members. Stay ahead of cyber threats, understand the evolving landscape, and ensure comprehensive cybersecurity strategies for your organization’s success. Tune in now to gain valuable, actionable insights.

Ashwin Ram is a seasoned cyber security expert and thought leader with a unique blend of CISO consulting experience and technical know-how. He is widely regarded as a trusted advisor by industry titans, startups, and industry collectives due to his ability to translate technical threats into business contexts to evaluate overall risk to organisations.

With his deep security knowledge, Ashwin can switch effortlessly between “tech talk” and “business talk,” making him a go-to person for organisations looking to bolster their cyber resilience. In his current role at Check Point Software Technologies, Ashwin helps cyber executives understand, prioritise, communicate, and address cyber risks.

Episode Transcript

[00:00:00] Speaker A: The easiest way for a security practitioner to lose faith from the board and the executive is to over promise and under deliver. It's really important for executives to understand that your credibility is the new currency. You've got to deliver what you promise on. You've got to win the hearts and the minds of your executives. They've got to believe in you. So that means you're going to communicate clearly, keep things simple, make sure you resonate with them. Make sure you understand what the board and the executives are looking for.

[00:00:36] Speaker B: This is KBKAST as a primary target for ransomware campaigns, security and testing and performance risk and compliance.

[00:00:46] Speaker A: We can actually automate that, take that.

[00:00:47] Speaker B: Data and use it. Joining me today is Ashwin Ram, Office of the CTO from Check Point. And today we're discussing cybercriminals: masters of old and new. So, Ashwin, thanks for joining and welcome.

[00:01:00] Speaker A: Thank you. Thanks for having me.

[00:01:01] Speaker B: We finally, again, got around to it. I think you mentioned before we started recording, it's been a year, so a year just seems to fly by really quickly. So I'm delighted to have you here. I've been following your journey on LinkedIn. I know you do a lot of presentations, talks, panels, et cetera. So I'm really keen to get into your mind today about your view on the security industry. So maybe let's start with your comment around masters of old and new. So talk to me a little bit more about this.

[00:01:32] Speaker A: Okay, so I think what you're referring to here is actually one of our recent media report and one of the findings, one of the comments that we made around what we're seeing in the threat landscape. And it's quite interesting, we're seeing threat actors now use some of the older techniques to deliver malware.
Now, your viewers, or sorry, your listeners might be aware that delivery of malware via USB is something that's been used by threat actors for well over a decade now. And a lot of organizations have robust security controls around it. But interestingly, we've started seeing this again: malware being delivered using USB is now something that the FBI, for example, has been warning about. We've seen this USB, those thumb drives, that's a technique that's being used by threat actors to deliver the initial payload, the initial access. And one of the attacks, or one of the malware that we've seen use this method is Raspberry Robin. It's a malware that some threat actors use to deliver their own malware. So this is usually the malware, Raspberry Robin, the malware that provides the initial access for threat actors to then deliver their payload, their malicious payload. So we've seen threat actors use this. And it's not just your cybercriminals who are financially motivated. We've actually seen nation state threat actors also use this type of delivery. It's a great way for them to try and bypass air-gapped devices. We've also seen Chinese threat actors or Chinese nation state related threat actors who focus on cyber espionage. For example, Camaro Dragon, they've reportedly utilized the delivery of malware using USB drives as well.

[00:03:09] Speaker B: So would you say that the old way, if you want to phrase it like that, is now making more of a comeback, or do you think it's equally balanced, like 50 50%?

[00:03:19] Speaker A: No, I don't think it's 50 50%. I think it's a limited number of threat actors who are using the old methodology, so it really depends. There are some threat actors who are focused on just the new stuff. There are some, probably the more mature ones, who are looking for every possible way to get inside your environment. They are looking to leverage any attack vector that's available to them. So you can't place all threat actors in one bucket here.
It just depends on the motive. It depends on the level of sophistication that they have, the tools they have in their arsenal and the skill set, of course.

[00:03:49] Speaker B: So you said that the new threat actors focused on a new way of doing things. Why do you think that's the case? Is it just the caliber of threat actors or is it just everyone's different strokes for different folks, or what would you boil that down to?

[00:04:04] Speaker A: You're absolutely right. It's strokes for different folks. So there are some threat actors who may have particular skill sets that they try to utilize. There are some threat actors, for example, the more established ones who run their campaigns and run their organization just like an enterprise does. And so they'll have threat actors who are bringing lots of different types of skill sets and they'll use those skill sets depending on the target and depending on the level of sophistication required. Some of the newer ones, we are also seeing them start to leverage new techniques, new capabilities, particularly around generative AI. We've seen a lot of threat actors, and particularly the newer ones, using artificial intelligence as part of their tool set. And what we've seen here is that by leveraging these tools, what it's done is actually reduced the entry level required for threat actors because you no longer need to have the skill set to write the malware, to write those malicious codes. You simply get these AI platforms to write that for you. And this is not something that the new threat actors are using. Everyone's trying to use this now.

[00:05:12] Speaker B: Yes, I'm aware of that. So then would you conclude your point around the barrier for entry is a lot lower? I think I've discussed this on the show previously. Back in the day, if you want to call it that, you had to be somewhat intelligent on writing malware. Now, I'm not saying that people aren't intelligent.
It's just more so the barrier for entry is a lot lower.

[00:05:31] Speaker A: Absolutely, it's a lot lower. Anybody now can become a threat actor. You no longer need to have the skill set. All you need is the will and the motive to do wrong, to be malicious. So from that point of view, yeah, absolutely. The entry level is low, and it's not just because of these AI platforms. It's also because the threat landscape itself is heavily commoditized. We now see threat actors who specialize in certain areas. For example, there are threat actors who specialize in what we call remote access as a service, where they provide the initial entry point for other threat actors. And from that point of view, as a threat actor, you no longer even need to spend time in gaining access because the remote access as a service groups are providing you with that. All you've got to do is execute your attack.

[00:06:21] Speaker B: Yes, I've heard of that as well. Full blown operation. Where does that then leave the industry? So obviously, it was hard enough before, and now it's a magnet of AI. And now you can just be anyone really off the streets that could become a threat actor, to your point. So what happens now?

[00:06:37] Speaker A: Yeah, it's interesting times. It's interesting times. I think for the industry, it's important first and foremost to understand and have awareness, understand where the threat landscape is, understand what the emerging threats are, what the current threats are, and make sure you prepare accordingly. Make sure you have the appropriate visibility of all your digital assets. For example, this is your hardware and your software. Understand what may be vulnerable, what the security posture of those devices, those assets are. Make sure that you get the basics right. And of course, that's not enough. You need to have a strategy.
And your cyber strategy, your cyber resilience strategy, needs to be underpinned by a strategy that involves comprehensive security, meaning knowing where all your assets are, knowing where you're vulnerable, having the right controls around them, having appropriate controls to be able to mitigate the latest threats, and also having a strategy around consolidation. Because the reality is you can't simply continue to throw point products. It's not going to work. It's very difficult if you're throwing point products to have the level of expertise. Already organizations are essentially struggling with having the right amount of skill sets in their teams. So make sure you have a strategy which is around consolidating your security so that your team can focus on maybe one or two or three of the security vendors who become your partners, really. And make sure that you've got security that allows you to consume threat intelligence. So it's collaborative so that in the event there is an attack or something, that's something new that's happened in one part of the world, within a number of seconds, you're able to use that intelligence and prevent the same attack in your environment. So it's really important that all of those things lined up.

[00:08:20] Speaker B: Are you familiar, Ashwin, with the arcade game Whack-a-Mole?

[00:08:23] Speaker A: Yes, I am.

[00:08:24] Speaker B: Okay, so as you're talking through all these things, that's what's coming up in my mind. So it's like you hit one mole and another one comes up. But from your point of view, it seems like there's 50 moles popping up. I see security as the person like whacking the moles. How are we going to sort of get ahead of this? Because now the velocity is there. It's easier to do things as you've clearly articulated already. Where do you see the burden sitting with? Yes, security teams. But now it's going to be even harder than it was before and I think those Whack-a-Moles are going to just keep appearing.
So what are your thoughts?

[00:09:03] Speaker A: You're absolutely right. So first thing, let's just make sure that we understand the threat landscape. And the important thing here is that not all threat actors have the same motive. They don't have the same skill set. They don't have the same motive. Not all of them are financially driven. There are threat actors who simply want to hurt you. They don't want to negotiate. They want to bring down your critical infrastructure. They want to make a point. Then there are those who are hell bent on just spying on you. So these are those nation state threat actors who may carry out cyber espionage attacks. Then there are those who are focused on cyber warfare. Then of course, you've got the cybercriminals who are financially motivated. There are those who are motivated because of pure ideology or religious beliefs. So there's lots of different threat actors and they come in all different shapes and sizes. And it's important for an organization to understand which ones are going to be targeting them. In some cases, maybe all of them. So having the right type of control, right type of strategy is very important. You're right by saying that the sophistication is going to increase, the number of attacks we're going to see is continually going to increase. So how do we address this? It's important for organizations to understand that, first of all, have a prevention mindset. You've got to try to prevent these attacks because detection alone is not going to help you. The attacks are happening far too frequently and far too sophisticated for you to just rely on detection controls. So make sure you're preventing the attacks in real time. Second thing is threat actors are using artificial intelligence and automation and they're launching attacks at scale as well. And as a defender, it's important that you're leveraging these tools as well.
At Check Point, for example, we, I think 40, maybe just over 40 of our threat prevention security controls engines are now AI driven. They use artificial intelligence. They use a machine learning capability to be able to identify never before seen threats that are brand new. And so it's important for organizations to be able to leverage these tools to prevent the attacks. Because if you don't, like I always like to say, if you're not leveraging automation, if you're not leveraging artificial intelligence in your cyber defense strategy, then you're really taking a knife to a gunfight.

[00:11:14] Speaker B: Okay, let's go back on the mindset side of things a little bit more. So you said before that depends on the threat actor. The different buckets that you said were putting them into, whether it was religious, whether it was people want to harm you, financial gain, et cetera. So if you're an executive, because this is an executive podcast, how do you know if it's everyone? If it's two of those people in those buckets, how do you know that and then how do you prevent against it if it's everyone coming at you?

[00:11:39] Speaker A: It's important to understand what's going in the threat landscape. That's why it's important for executives to listen to podcasts like yourself, the ones that you're running. It's important for them to go to cybersecurity conferences to engage with cybersecurity vendors, particularly those ones who carry out a lot of research and make sure that you subscribe to their feeds. Cybersecurity is not easy. You've got to continually update yourself on the threat landscape, what's happening, what other security vendors are doing to prevent those attacks. And it's important that you're really dialed into what's going on in the threat landscape and understand where the new and evolving attacks may be coming from and have a strategy for that.
It also means that cyber executives should be leveraging partnership with SPS and all of those third party partners who are actually providing them with advice on what's going on in the threat aspect so that they're clear on what are those risks to their organization so they can take those steps to prevent the attacks.

[00:12:38] Speaker B: Okay, so this is important because you are right. Things change minute by minute, day by day. I know because I see the stuff coming through our inboxes every day of what's happening. How does someone handle this, though? Because, okay, if you're, forget about a CISO and friends, let's focus on, I don't know, a CFO or a board member that needs to be across security. How do they stay up to date with this if they don't have the internal capability of a security person? Yes, of course you can lean on partners and friends, but at the end of the day, if you're in a board capacity, there is some responsibility with you. So you need to get across this. But how have you found with your experience and obviously being part of the Office of the CTO for Check Point, for example, how do people handle this? Because a lot of stuff that goes on and I mean, even in my point of view, like, even I feel overwhelmed at times, and I'm doing this day in, day out. So for someone that's not doing this day in, day out, for people like you and me, how do they handle it and keep across it and not feel overwhelmed?

[00:13:34] Speaker A: Yeah, it's a challenge. It's difficult. I do get to speak to board members quite regularly. I get to speak to executives. And I think it's important for them to leverage the relationships with the security vendors and get us to come in and have maybe a six monthly or a once a year update on what is going in the threat landscape. It's important that they are across it. And here's the thing, right? Most executives, most of the boards understand that cyber is a real risk and they do see cyber as a business risk.
So it's not that they're not aware of it. I think it's important for those who are reporting into the executives and into the board to make sure they're able to articulate the risks in business context. So that's really important. And I think for board members and for executives who want to stay up to date, there are a number of podcasts that they can listen to. There are a number of blogs that they could be. One of the great blogs that I follow, of course, is from Check Point, which is research.checkpoint.com, and they provide incredible information on what's going on in the threat landscape. We also have a website which is dedicated to executives, Cybertalk.org, which is from Check Point. Again, that's dedicated purely to executives, so they can understand what the risks are. It's dedicated to the board and executives so they can understand the risks associated with cyber, what's emerging, what are the current risks, where we see gaps, so that they can then ask those questions to their executive team and to the deep saheek, are we doing this? We've read about this, we've heard about this particular attack in this region, in this sector, which is the same sector as our sector. It happened to a peer industry. What are we doing about that? How are we addressing that risk?

[00:15:12] Speaker B: So that I do understand. So my next point would be, or my next question to you would be, there are 50 organizations that have got the same sort of thing going on. So how do you sort of delineate, like, who you should listen to? Look, I don't think anyone's falsifying what they're saying, but I look at a lot of different vendor research papers and some people say, oh, we're up on ransomware this year, and then the other vendor will say, we're down on ransomware this year. So it's conflicting opinions, which is absolutely fine. So it's like, how does someone then sit there and go, there's all these feeds coming into all this information. How do I know how to distill it down?
And it's not about who do I listen to, it's just more so how do you analyze and I guess boil it down to what information you should be focused on versus not because there's so much stuff going on, as you're well aware of.

[00:16:01] Speaker A: Yes. So the reason why you're getting all of this conflicting information is because not all security vendors do everything. There are some security vendors who are only focused on email, for example, or they may be only focused on cloud security, or they may only be focused on network security. So their visibility of the world is dictated by just what they provide. This is why I think it's really important for, if you are looking for credible information, look to the security vendors who provide consolidated security across all of their attack vectors. And I think that's where Check Point really comes to the fore, right? Because Check Point does provide security for networks and data centers. They provide security for cloud, they provide comprehensive security for cloud environment, they provide comprehensive security for endpoint security, as well as SASE security, they provide security for emails. There's an incident response team there as well. We provide managed detection and response. And so what that means is that we actually get visibility across the entire threat landscape, across every attack vector you can think of. And so when we're providing our reports, it's not just focused on email, we actually say, hey, okay, we're seeing attacks here, we're seeing attacks on cloud, we're seeing attacks here, and this is our visibility. So I think if you're looking to get that type of holistic understanding of what's going in threat landscape, look for the security vendors that provide security across a broad range of security threat landscape.

[00:17:29] Speaker B: So going back before on our conversation, I know we went down a rabbit hole there, which is fantastic.
I want to now maybe just turn back for a moment and going back on the old and new approach. So would you say from your point of view that security practitioners are very focused on the new stuff rather than the old? Because again, generative AI, that completely for a moment flooded my entire feed. Where does that sort of sit with you?

[00:17:57] Speaker A: That question, I think the right way to answer that question is to say, look, you cannot pigeonhole all security practitioners into one basket. There are those who are across all of the threat landscape, the more mature ones, and they understand the risks. And so they'll have security controls, they'll have a strategy to mitigate risks from all different attack vectors, from new attacks and existing and old attacks and legacy type attacks. And then there are some practitioners who may be just focused on the new stuff, and in those cases, they're the ones that will struggle when threat actors are using legacy attack vectors. So yeah, I don't think you can't pigeonhole all your security practitioners into the one basket. From what I can see, there are practitioners who are incredibly mature and have incredible capabilities, and particularly in the financial sector, and then there are those who are struggling to address all of the attack vectors and all the risks that we see today.

[00:18:51] Speaker B: But if you had to focus then on the, because you've just said there are a group or a bucket of practitioners that are focused on the new way, so why are they so focused on that rather than the old way or the blend between the both? I'm just curious to get into the mindset of how certain people operate, that's all.

[00:19:09] Speaker A: Sure. I think that it comes from having different backgrounds. Maybe some strategists will come from the trenches, and they may have seen lots of different types of attacks. Some may have never been in the trenches, and so maybe there's a lack of understanding there.
Also, remember, a lot of challenge with cyber strategy is budget. And so maybe there are budget constraints. Not having the right amount of budget or the appropriate budget, not having your executive teams believe in your cyber strategy and endorse your cybersecurity. Those are some of the challenges security practitioners face as well.

[00:19:42] Speaker B: Okay, you raised a great point there. Executive teams not believing in your cybersecurity strategy. Talk to me more about this. Have you ever been witnessed or witnessed anyone saying, I don't believe in that cybersecurity? Not necessarily to you, but maybe to a client of yours or someone that you know? What does that look like? How does someone say, I don't believe in this?

[00:20:00] Speaker A: Of course, I've heard it time and time again that you speak to, particularly CISOs, and they struggle with their cyber strategy. They struggle to get endorsements from the governance committee or from the board or the executive. They struggle to get financial budget for it. So it happens all the time.

[00:20:16] Speaker B: Yes, it does happen, but I'm just saying, what's the commentary around the executive or the board member saying, hey, I just don't believe in this at all? Does it come down to perhaps the CISO not explaining things correctly, going too technical, not focusing on the things that a CFO, for example, cares about? What does that look like?

[00:20:33] Speaker A: Yeah. Okay. So what we're really talking about here is stakeholder management. It's understanding what your key stakeholders need and what their requirements are and making sure that you take those things into consideration. The easiest way for a security practitioner to lose faith in, lose faith from the board and the executive is to over promise and under deliver. And it happens a lot, especially when new or young and up and coming CISOs and executives, they take on a new role and they promise the world.
And once they get stuck into it, they realize that maybe they can't deliver all these things. And when you say you can't deliver something and you can't deliver, then your credibility is on the line. So it's really important for executives to understand that your credibility is the new currency. You've got to deliver what you promise on. You've got to win the hearts and the minds of your executives. They've got to believe in you. So that means you're going to communicate clearly, keep things simple, make sure you resonate with them, make sure you understand what the board and the executives are looking for. So it's very important to have one or two mentors in your board or your executive team, if possible, so that you're getting that feedback, making sure when you're presenting your strategy to the board and to the executive that there are no surprises there. They understand exactly what you're going to deliver because you've already had conversations with them prior and made sure that they understand exactly what it is you're going to be asking for. So no surprises. And also, it's important for executives to understand and be able to articulate risk and tell it as part of their story, be able to explain why this is important, how the threat actors are going to or how the risk could materialize and what can be done. And also make sure you're providing your executive team and the board with multiple options, not just one.

[00:22:31] Speaker B: Okay, so you raise a great point: over promise and under deliver. Why would someone try to over promise? Is it because, to your point, maybe they're new in the role, they're trying to make a good impression, trying to wow their executives, for example. Then they get in there and they're like, oh, actually, I've got five cents to deliver something that's probably about $5 million worth, and therefore they got to backtrack a little bit more. Or where does that stem from?

[00:22:55] Speaker A: You've just hit the nail on the head.
It's all of the things that you've said. It's also potentially during the interview process, you may have suggested something and your understanding of what the appetite for the organization may be different from what is reality. So once you've taken on the role and you realize all the different challenges, it's very difficult to actually come up with a strategy in the first hundred days, for example, because you simply don't know the business. You don't know what's broken, what's not, what are the challenges that business has. Do you have the right amount of staff? Do you have the relationships with your external partners to be able to deliver those capabilities? So it's not just one thing. It's a lot of different things that you've got to take into account before you could provide your strategy and make sure that you could deliver on it.

[00:23:38] Speaker B: So you said 100 days isn't enough time, which absolutely, of course, if you're working a large enterprise, it takes time to get your head around how everything works. So hypothetically, how long do you think in your experience, someone would need to come up with a comprehensive cybersecurity strategy?

[00:23:53] Speaker A: I think it's important to have a strategy in that first 90 to 100 days, which is very high level, and be able to communicate so that you've got some strategy. It's also important that when you take on an executive role, that you demonstrate success fairly early on. It's important to be able to identify your quick wins, things that you can achieve with least amount of effort, but provides you with some credibility there. So having a strategy that can provide you, that can allow you to deliver some quick wins is important. And then when you're doing that, set an expectation that over the next six months, next year, you'll have a more robust strategy.
Once you've consulted with every key stakeholder in different parts of the business, understand where the business is, to understand what the current state is so that you can come up with a strategy for what your future state needs to look like.

[00:24:50] Speaker B: So what's an example of a quick win?

[00:24:53] Speaker A: Okay, great. Quick win, in my view, would be something simple like, let's say you've taken on a role and this organization doesn't really have a strong culture of security awareness training. So not all quick wins need to be technical. You could use something like a security awareness training to say, okay, we're going to deliver security awareness training. And these days it's very easy to be able to do that because there are so many organizations that deliver this as a service. So all you need to do is just sign up and the platform is there. And what you can do then is start to deliver this awareness training. And as you're doing that, you can demonstrate to your executives or to the board or to the C suite the number of people, for example, who are completing or at least engaging in security awareness training. And as those numbers improve, you can demonstrate we're changing the culture of the organization because more and more people, for example, are now doing this security awareness training, which, prior to me, you may be taking on the role. Maybe there wasn't any, or maybe even if there was, nobody was demonstrating any metrics around that.

[00:25:58] Speaker B: Okay, so let's turn back now to the old and new for a little bit more. So I'm curious to know, from your point of view, Ashwin, the cybercriminals that are skillfully blending the new and old techniques. And obviously we've spoken about each of them independently, but using both of them in tandem is powerful. So maybe walk through this a little bit more, like, what does this then look like? And then how do we as an industry combat that in totality?
[00:26:28] Speaker A: Okay, so let's look at some of the new techniques. Okay, let's look at some of the new ways that threat actors are creating cyber tools. The obvious word that comes to mind is artificial intelligence. We are seeing loads of threat actors now use artificial intelligence to generative AI to create phishing campaigns. In fact, at Check Point Research, we did a POC where we wanted to see if we could use ChatGPT to create a phishing campaign. And sure enough, we asked it to write a phishing email, and it did it for us. We then asked it to write a script that would be malicious, and it would allow us to execute an attack called reverse shell. And we would take this script and we would embed it inside an Excel spreadsheet and send it to our victim. It did that for us too. And so we then asked it to write some additional software that would allow us to evade and bypass security controls. And it wrote that for us too. One of the controls that we wanted to evade was a sandbox. So a sandbox, for your listeners, for those who may not be aware, is a type of security control or type of technology that allows mature organizations to be able to identify an unknown malware, unknown threat that's potentially embedded in a file. What you do is you intercept that file and you send it to your sandbox. You detonate it or you open it in this controlled environment and you study its behavior and then you make a call on whether it's malicious or benign. Some threat actors are trying to find ways to bypass this. For example, malware will look to see if it's actually being run inside a sandbox, and if it is, then it won't carry out all the malicious activities. So that's one way to try and bypass it. And so ChatGPT potentially wrote a script that would allow us to bypass these types of controls. So now we've got these sophisticated tools that we've started to create.
Now imagine being able to use those tools and create the weapon and then put that file on a USB drive and send that off to an intended victim via a postal service. And imagine that that person puts the thumb drive in the laptop, double clicks on the file, and boom, as soon as they double click on the file, machine is compromised because the machine will then make a connection to the victim, to the attacker's machine. And that's the entry point. So here's just one example of how easy it would be for a threat actor to now combine new capabilities through artificial intelligence and leverage legacy attack vectors like thumb drives and USB sticks. [00:28:54] Speaker B: Okay, so going back on your example before around writing the phishing email, was it effective and how long did that take to everything and end to end, all the things you just listed off, how long that take? Did you do all this inside of less than a minute, but then all the other things that you were doing additional to the phishing email, writing the phishing email. So you would have done all of this inside a couple of hours easily. [00:29:15] Speaker A: We wrote multiple scripts. The scripts take only like 30 seconds to generate these scripts. What we found, however, when we were writing the phishing email is that initially it wasn't very compelling, okay? But the more information we provided it, the more compelling it got. So the more we requested, the more all we needed was the social engineering skills, not the coding skills, not having to write the thing right. All we did was say, hey, okay, make it sound more compelling. Ask for this, ask for that, suggest this, and it would rewrite that it would do it within seconds. [00:29:44] Speaker B: So why wasn't it compelling? What about it, from your perspective, wasn't compelling initially? [00:29:49] Speaker A: It wasn't compelling because we just said we gave it a very simple request. 
So the phishing email itself, whilst it wrote the phishing email, it wasn't as compelling, meaning that we just didn't provide enough information to start with. It was just one sentence. So write a phishing email that appears to come from a fictional web hosting server host for you. That was the actual request. And then as we provided additional information okay, now becoming more and more compelling. And by the way, I don't want to just focus on ChatGPT here. That's just one of it. The other generative AI engines are also quite concerning. I spent a little bit of time about I had about 20 minutes up my sleeve maybe a couple of months ago, and I wanted to see how much damage I could do with Google Bard. Within 20 minutes, I was able to get it to suggest to me three of the most effective scams that I could run in Australia. I selected one of them, which is called Grandparents Scam. And then I asked it for additional information around it. I asked it to help me what are the tools that I would require to carry out this? And part of the tools that I needed was voice cloning technology. So it suggested multiple voice cloning tools that I could use to pretend to be a grandchild to scam a grandparent. Not only did it provide me with a number of free voice cloning tools, but it also recommended I look at some of the paid ones because they provide better cloning capability. Wow. It also provided me with the actual script of what I would say when I called the school to get additional information about a child that I could then use in my script as I was scamming the grandparent. This took me about 20 minutes. [00:31:30] Speaker B: Yes, that is heavily concerning, as well as deep fakes, whether it's audio or video. Where does that leave the industry? Because I spoke to people at length on this show, and very senior people, they're like, look, we don't have all the answers. We're still trying to assess it. 
Not everyone has an answer to all of this stuff, and it's just growing at a rate that's hard to keep up with. What are your thoughts? And I don't expect you to have every answer. I mean, this is why I run this show, just so there might be insight that people can take from your experience that they can start to implement or think about. Because, again, even in the last year, the way in which the needle has moved is off the charts. [00:32:06] Speaker A: It's incredible, isn't it? It's very concerning. On the topic of artificial intelligence, it's not just the weaponizing of documents and creating phishing emails and creating fake content to be able to push misinformation and disinformation. What concerns me greatly is the ability for those bad actors to actually compromise democracy. That's where we're headed because it's very easy to be able to create fake clean narratives and push that down. So that's a concern. One of the concerns I have is around how we're blindly using artificial intelligence now in so many different technologies without understanding the risk. A great example that I like to use is there was a gentleman in the US who had been arrested purely because the police in Detroit relied on a single piece of technology to identify this person as a criminal. And that technology leveraged artificial intelligence and facial recognition technology. It turned out that AI got it wrong and this person was then arrested. And it was only after they realized that made a mistake that they released him. That's just one example. The phishing email is actually an interesting one because when we carried out the POC for the phishing email, I wanted to understand better how ChatGPT would allow us to write a phishing email. And I wanted to see if we could trust this platform. So one of the questions I asked was, have you ever written a phishing email before? And I was incredibly surprised when it denied it. It denied writing any phishing email. 
And when I quizzed it further because I wanted to understand, the decision making process clearly stopped lying to me. Someone has programmed this platform and so I want to understand what were the platform owners, what were the factors that it had taken into account to answer this question. And it gave me about four or five different factors. None of them had anything to do with historical reasoning behind it. So that's quite concerning. How do we trust these platforms? And the other thing that really concerns me is around privacy. These AI platforms require massive amounts of data. And the concern is that we don't even know when big tech are using our personal data to train these engines. Earlier this year, the World Economic Forum in their risk report actually warned us. They warned us that the proliferation of data collecting devices and data dependent AI technologies could actually open pathways to new forms of control over individual autonomy. They even warned us that individuals are now increasingly exposed to the misuse of personal data by public and private sector. And the risks here, the concern here is that the risk could range from discrimination of vulnerable population and to social control of footage and to bioweaponry. [00:35:00] Speaker B: Wow. Yeah, look, you're not wrong. It is concerning. And like I said, even though last twelve months the velocity of things is increasing. So where do you see moving forward? So if I bring you back on the show in a year, what are we going to be dealing with? And I know you don't have all the answers. I don't expect you to have a crystal ball to know exactly what's going to happen I don't know. It's just curious to sort of get a little bit of insight from you. [00:35:22] Speaker A: So first of all, at the moment, from what I can see, I've done a little bit of research around this AI thing. Policymakers are struggling to come up with policies to safeguard populations around the world. 
And what concerns me here is that until there's real significant harm done, we may not get our act together and come up with robust policy to actually provide guardrails for AI platform owners so that we can hold them accountable in the event harm is done. So that's one of the concerns. But if we were to have a conversation in a year from now, I think cybersecurity threats will persist as bad actors will continually leverage AI to develop new tools for cyberattacks. This trend will also I think, as I mentioned to you earlier, this is already lowering the barrier for threat actors. You don't need to have the skills anymore. You just need to have the will to do so. We're going to see more threat actors in this space. The other thing we're going to see is a lot more hacktivist activity. We're going to see a lot of threat actors who will also we're already seeing that, by the way, allied to government narratives and government agendas. And I see that trend also continuing. If you remember, just March this year, there was sustained campaign against Australian organizations because somebody in our government said something about a particular religion that certain group of people didn't like. Based on that, we had a month long Operation Australia or Op Australia, where threat actors like Anonymous Sudan, for example, and Killnet and the likes were targeting not just government agencies, but just enterprises here in Australia 100%. [00:36:56] Speaker B: Okay, I just want to go back on one couple of things. Let's talk about the privacy for a moment. Now that the floodgates are open, how do we claw that back to stop the bleeding? I think that's going to be very hard now because it's very difficult to get that back. [00:37:10] Speaker A: Yes. Here's an interesting story from a privacy standpoint. 
Earlier this year, it was reported that there was an executive who uploaded their 2023 cyberstrategy to ChatGPT so that it could help rewrite and rephrase the actual strategies in a way so that he could then use that in his presentation to the board and to the executives. And at this point in time, that strategy for this organization, it was a business strategy, was not meant to be publicized. It was not meant to be shared outside of the organization. So what this executive did was actually violate their data sharing policy here. And so the question I then have for organizations and the recommendation I have is, are you doing enough to ensure that your employees are not sharing sensitive data with AI platforms? No. Do you actually have a policy that spells out sharing of sensitive information with AI platforms as well as external parties. So whether they're people or systems and when was the last time that was reviewed? Do users still remember what that policy is? If not, this is the time to revisit that. So it's important that organizations revisit their data usage policy, their sharing of sensitive data policies, and make sure that their users understand. Everyone in the organization understands it's not okay to share sensitive information with people or with systems outside the organization. Again, this really just comes back to that zero trust mindset, right? [00:38:43] Speaker B: Ashwin, is there anything specific you'd like to leave our audience with today in terms of any final thoughts or closing comments? [00:38:48] Speaker A: Yeah, to the executives, I would say make sure you invest the time to understand not just the current threats and risks, but those that are emerging, and then make sure you have a strategy around that. From what I've seen, if you're going to continue to throw point products, then you're going to struggle in the event of if there's a successful attack. So have a strategy that will allow you to consolidate your cybersecurity. 
Make sure you have comprehensive security so you understand where you're exposed and deal with it. Make sure you're leveraging threat intelligence from a wide range of sources. Make sure you understand where you're exposed, as I say, and deal with it. And finally reach out to myself if you need to have a conversation, and I'll help you with that. I'll help you understand where those risks are and how we can address that. [00:39:38] Speaker B: This is KBKast, the voice of cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI media to get access today. This episode is brought to you by Mercksec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.
