Cybersecurity and AI: New Risks and Hidden Dangers

In today’s high-tech world, cybersecurity affects organizations of all sizes. From AI-powered attacks to social engineering to supply chain vulnerabilities, challenges continue to emerge. And people are increasingly vulnerable to scams and manipulation. To deal with cybersecurity and AI dangers, people need training, critical thinking, and comprehensive defense strategies. Saying informed and proactive is essential to stay ahead of evolving threats. See Hidden Dangers of AI in Cybersecurity with Aviad Hasnis for a complete transcript of the Easy Prey podcast episode. Aviad Hasnis has been the Chief Technology Officer at Cynet Security for the past five years. Before that, he spent ten years in the Israeli cyber national unit. While he can’t share what he did there, he managed extensive cybersecurity research that helps him now work with companies to provide the best security possible. He has always been fascinated with computers and technology. When the Stuxnet worm disabled Iranian centrifuges in 2010 and it was in the news, he became fascinated with cybersecurity specifically. He realized that’s what he wanted to do with the rest of his life. As part of his work with Cynet, Aviad helps provide incident response and has been exposed to many stories. But on a personal level, his closest friend’s mother was a victim. It was impactful in the sense that this kind of thing can happen to anyone. Anyone can be a victim. It’s important to make sure that everyone is well-educated, because everyone can be a victim. His friend’s mother got a call. The caller claimed to be a police officer who wanted her help with an investigation. Throughout the call, they got her to install programs on her laptop that turned out to be malware . At one point, they asked her to do a financial transaction. She was entirely convinced she was helping the police and happily transferred the scammer $5,000. She didn’t realize she had been scammed until she called her son to tell him how proud she was of helping the police. Luckily, she was able to get the money back. But there’s a lesson there – and that is that it can happen to anyone. In the threat landscape, there are a ton of ways to get that initial access to a company or system. One of the most common ones is social engineering . Especially if you’re talking about a less-powerful nation-state, that’s one of the best ways to get in. Email is the most common, but threat actors also use Microsoft Teams, Zoom , and phone calls. Getting access to a cybersecurity company, managed services provider (MSP), or IT company that provides services to another company is a great way in. Getting into multiple companies by compromising just one is the holy grail for threat actors. They can monetize that easily. If they compromise a security company, they assume it’s easier to gain more access to companies after that. So cybersecurity companies are targeted for that reason. Many older developers are more skeptical of AI . Younger people tend to embrace the technology more enthusiastically. Aviad thinks everyone should harness and use the power of generative AI . He jokes that he consults ChatGPT or another tool before event texting his wife. But using AI without thinking through the cybersecurity implications can be disastrous. It’s important to consider guardrails in how you use AI. Junior developers can easily enter a prompt, get code, and get a program running. Looking forward, this will only increase. We’re going to start seeing even more programs that inject code directly into whatever you’re working on. But most people don’t realize that AI right now can’t understand context. It’s easy to copy code that has a vulnerability that then makes your program vulnerable. If you’re just copying and pasting code without considering context, you could potentially create security issues. The problem that I think most people don’t understand is that, at least at the moment, AI is not really aware when it’s making decisions. The first step to reduce this issue is education. People need to be aware of the risk. They need to understand that adding code without understanding the context is dangerous. On top of that, you need to have automations, vulnerability scans, and different solutions in a continuous validation process to check for problems. You could even implement a manual code review by senior developers. There has to be different levels of security testing, whether manual or automatic. There conversations happening in boardrooms about implementing AI – and some about using AI to reduce workforces. People are talking more and more about professions that will be replaced by AI. But AI can’t come at the expense of having someone more knowledgeable harnessing it. It’s not about replacing people, it’s about harnessing it to expand what people can do. You can’t just copy and paste from AI without some level of critical thinking. AI has cybersecurity impact, so you need to understand what the code does, the context, and its downsides. This applies even if you’re not talking about developers, too. Even if you’re using AI to send better email responses to customers or prepare paperwork, it’s still important to understand the context, check the AI’s work, and give feedback. Aviad has no doubt that AI is going to change the world. There’s a lot of good coming out of it, but there’s also going to be a lot of evil. It’s important that whatever it’s used for, it has to be people with critical thinking working with AI, not AI replacing people. We’re never going to be able to replace trained, intelligent people with someone who just knows how to write ChatGPT prompts. AI is definitely helping cybersecurity in some ways. The primary way is that if you run an organization, it does not have to be a security organization. You can consult AI to understand your gaps, what you need to be aware of, and what should be your biggest concern. It can also help you prioritize alerts and issues. There’s a lot of good coming from AI in terms of security. But there are also risks. If you’re a developer trying to insert a simple bit of code, you can easily introduce a vulnerability if you copy and paste without understanding the context. And AI isn’t just for the good guys. Threat actors can easily use it to create more sophisticated phishing attacks and generate malicious code. It can be used for both good and evil. AI is not saved only for the good guys. It can also be used or abused by evil guys. We are seeing the rise of AI phishing these days. Phishing emails even in different languages look legitimate and correct. It helps threat actors evade detection, too. We often don’t realize it was phishing after the fact because AI phishing is just much better quality. And it’s not just the text of the email itself, either – the metadata and targeting is much better, too. AI upgrades the quality of the scam. This AI power is better at getting through spam filters, too. It looks legitimate even to very good providers like Microsoft and Google. Sometimes the only way to detect it is by also using AI. It’s not perfect, but we’re getting there. It will always be a cat and mouse game with cybersecurity and AI. Cybersecurity for companies consists of two parts. The first is the internal environment, like offices and other on-premise assets. Much of that has to do with VPNs and credentials. The other part has to do with software as a service (SaaS) and the cloud . Both of these are tightly linked with exposed credentials. Aviad has seen many instances where someone is using a home computer connected to a company’s VPN, their kids download a computer game that included Trojan malware, and that malware exfiltrates their credentials. Astonishingly, many companies haven’t implemented multi-factor authentication with their VPNs. Another common vector is phishing emails. One thing Aviad has seen with AI and cybersecurity is malicious forwarding rules. An AI-generated phishing email compromises someone’s email account, and the threat actor sets up a forwarding rule so they get a copy of every email the victim gets. They can get a lot of messages in a sneaky way. In many cases, access can evolve into ransomware . We’ve also seen a shift in ransomware. Just a few years ago, it took a more active role. It was human-operated, going through a network and getting as much access as possible before encrypting data and files and demanding money to unlock them. Now we’re seeing encryption being secondary. They exfiltrate the files and then blackmail the company, saying that they’ll sell or publish the data if they don’t pay. Big organizations can afford to buy the best solutions for every threat vector. They also have the personnel to manage and integrate them. But smaller orgs don’t have those resources. Their best option is to find a company that does an all-in-one solution to protect email, endpoints, mobile devices, network, cloud apps, and whatever else they have. On the tech side, technology keeps evolving. There will always be more stuff we need to protect. The other aspect is having the right personnel. A company that does this as a service can also have a 24/7 team to take proactive action. Even now, these companies still require some resources from the organization. Hackers love to attack on Saturday nights, holidays, and long weekends. There may be as little as five minutes between detection and game over. If you still need your employees to take action, it may be too late. You might have five or ten minutes once you’ve seen something suspicious until it’s game over. You need to be really fast. A lot of these service companies are moving towards being more proactive. Organizations can define what needs to happen in case of an emergency and the service company will handle that. It will be an awful Monday, but you can still enjoy your weekend with the confidence that someone is watching and you’re still protected. AI is just going to become a bigger thing in cybersecurity. Threat actors will use it more and more and we’ve barely scratched the surface. It’s very lucrative for threat actors to compromise MSPs, security companies, and IT providers. If they get in, they get a lot of access to other companies. There’s some evidence that we’re going to see an increase in those types of attempts. With the CrowdStrike issue, we immediately started seeing other security vendors saying that they can replace the CrowdStrike agents that were having issues and protect you better. New companies have come to market with that claim, too. It’s unclear whether we’re going to see companies claiming that they can protect you from other security companies that got hacked. But there is a lot more media coverage and awareness of supply chain attacks because of their impact. It’s also profitable for threat actors, so we’re going to need to protect against them in the future. Learn more about Cynet on their website, cynet.com . There, you can see a demo, connect with people, and more. You can also reach out to Aviad Hasnis directly on LinkedIn .