Phin Security

How Will AI Affect Cybersecurity | EP 35

The episode discusses how AI, often overhyped as a marketing buzzword, currently aids cybersecurity mainly by automating tasks like support ticket triage and recommendations, but its impact on social engineering is nuanced—while AI may not greatly enhance highly targeted attacks due to attackers' existing research skills, it could influence scattershot phishing campaigns by streamlining message generation.

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.

How Will Artificial Intelligence Play Into Cybersecurity?

Artificial intelligence (AI) is a large topic with many facets. While I am not an expert in AI, I've had many conversations with friends, security experts, practitioners, and developers who work on AI and related systems. My opinions are influenced by those discussions.

AI as a Marketing Buzzword

Currently, AI is often used as a marketing buzzword by many companies. The term appears in numerous tools, sometimes without clear justification. While there are useful applications, such as triaging support tickets and providing recommendations based on context, much of the current use of AI is more about marketing than substance.

AI's Impact on Social Engineering

There are two main types of social engineering:

  1. 1.

    Targeted Social Engineering:

    • Malicious actors select a company based on public information (e.g., LinkedIn), create organizational charts, and gather contact information to target specific employees.
    • There is a vast amount of information about most companies available online, often for free or at low cost.
  2. 2.

    Scattershot Social Engineering:

    • Attackers send generic phishing messages to hundreds of thousands of email addresses, hoping to catch a few victims.

Will AI Affect Targeted Attacks?

I'm not convinced that AI will significantly impact highly targeted attacks. Humans are already adept at researching and crafting personalized attacks. AI's main value is in overcoming the "blank page" problem, but by the time an attacker is targeting a specific company, they've already moved past that stage.

Will AI Affect Scattershot Attacks?

AI may have a small impact here. Many phishing emails are easy to spot due to poor spelling and grammar. AI tools like ChatGPT can help attackers write more convincing messages in better English (or other languages), reducing obvious errors and making scattershot phishing attempts more believable.

Data Privacy Concerns with AI Tools

A significant concern with tools like ChatGPT is data privacy. Early on, anything you input into these tools was not owned by you and could be accessed by the company. This is especially problematic if sensitive or client information is used. Always be cautious about what data you share with AI tools.

The Risk of Fabricated Information

There have been cases where AI tools generated completely fake but plausible-sounding information. For example, a lawyer used ChatGPT to generate case law, which turned out to be fabricated. Even intelligent professionals can be fooled by AI-generated content, raising concerns about the spread of misinformation.

Adapting to AI in Education and Work

Some educators believe that since AI tools are here to stay, we should teach people how to use them productively and ethically, rather than banning them outright. The focus should be on responsible use, not avoidance.

Acronym Bloat and Marketing Hype

There's a trend of adding "AI" to product names and acronyms where it doesn't belong, creating confusion rather than clarity. Marketing should focus on the actual outcomes and value provided, not just buzzwords. If a tool claims to use AI, it should be able to demonstrate how that actually benefits the user or improves security.

Final Thoughts

Be wary of marketing buzzwords and always ask whether the use of AI in a tool or service actually provides meaningful value or improved outcomes. Focus on substance over hype.

If you have questions or want to discuss these topics further, feel free to reach out on LinkedIn or connect with Phin Security.