How Hackers Use A.I. to Make Fools of Us (& Foil Security Awareness Training)

In a bit of cybercrime jujitsu, A.I.-enabled hackers are using our past security awareness training to make us look silly. Remember the good old days when you could easily spot a phishing scam by its laughable grammar, questionable spelling and odd word choice? 

“Kind Sir, we a peel to your better nurture for uhsistance in accepting $1M dollhairs.” 

Or how about fear-based emails with an utter lack of context from a Gmail account linking to suspicious “at-first-glance-it-looks-real” URLs: 

“Your recent paycheck was rejected by your bank! Please click on definitely-not-a-scam.com [disguised as your employer] and give us the entirety of your sensitive financial information”  

Well, those tools no longer work.

Here’s the deal: Hackers use A.I., or more specifically Gen A.I. (Generative Artificial Intelligence), to turn outdated phishing detection advice on its head, using it to tailor perfectly crafted, error-free, emotionally convincing emails that appear to come from a trusted source and reference actual events in your life. Giving A.I. to cybercriminals is like handing your five-year-old a smartphone – they’re better at it than you will ever be. 

A.I.-augmented phishing emails are designed to trigger your trust hormone (oxytocin, not to be confused with Oxycontin) by systematically eliminating all of the red flags you learned during your organization’s cybersecurity awareness training. So, when an employee receives a well-crafted, error-free email from a friend that references recent personal events, past cybersecurity awareness training actually encourages them to click on it.

To make matters worse, if the hacker happens to have access to breached databases about you, like emails compromised during a Microsoft 365 attack, they become the Frank Abagnale of phishing (the world’s most famous impersonator, if you don’t know who he is). Criminals can easily dump breached data into a Large Language Model (LLM) and then ask A.I. to compose a phishing campaign based on your past five emails.

A.I. software allows even novice cybercriminals to scrape your relationships, life events and location from social media, combine it with personally identifying information purchased on the dark web, and serve it up to your email or text as if it originated from someone you trust. It’s like having your own personal stalker, but it’s a cyborg that understands your love of blueberry cruffins and ornamental garden gnomes. (Ok, maybe those are my loves, not yours.)  

The reality is that hackers are no longer crafting the emails one by one; it’s artificially intelligent software doing millions of times per day what nation-state hackers used to spend months doing to prepare spear-phishing campaigns. And it means that phishing and business email compromise campaigns will eventually appear in your inbox as often as spam. And that threatens your bottom line. 

Let’s get serious for a hot minute. For those of you who have attended one of my cybersecurity keynotes, here is a comprehensive and organized approach to the steps your organization should begin taking as outlined by the Blockbuster Cyber Framework:

  1. HEROES (Your people): Immediately retrain your people to properly identify, verify and distinguish harmful phishing and social engineering schemes from legitimate communication. This requires new thinking applied to old reflexes. 
  2. STAKES (What you have to lose): Identify which data is the most sensitive, profitable, and targeted by ENEMIES, and prioritize its defense. You can’t protect everything, so protect the right things first. 
  3. SETTING (Your technology): (a) Implement defensive software tools like A.I.-enhanced spam filtration that helps detect phishing emails. Generative A.I. is brilliant at detecting patterns, and that will make identifying even the most well-crafted phishing campaigns somewhat easier. (b) Properly segment and segregate your network so that access to one area of your data doesn’t expose others.
  4. GUIDES (Experts in the field): Hire an external security assessment team (not your I.T. provider) to evaluate your technological and human defenses and known vulnerabilities. Internal teams have less incentive to discover their own mistakes. 
  5. PLAN (Pre-attack and post-attack next steps): Develop a prevention roadmap before the ATTACK and an Incident Response Plan that lets you know exactly who to call and how to respond when a successful phishing attack occurs (because it will). Preparation is the greatest form of mitigation. 
  6. VICTORY (When you don’t end up on the front page): When nothing bad happens, reward your people. Throw a party for your team, because nothing says “thank you for not clicking on that profit-destroying scam” like a rowdy office shindig. Incentivizing good behavior is just as critical to your culture of security as retraining after someone mistakenly clicks on a phishing email. 

Cybercrime is constantly changing and now A.I. enables every attack type to scale. Make sure your cyber defenses and people don’t end up being the fool. 

John Sileo is a cybersecurity author, expert and keynote speaker fascinated by how A.I. accelerates everything, including crime. His clients range from the Pentagon to Amazon, small businesses to large associations. John has been featured on 60 Minutes, Fox & Friends and even cooking meatballs with Rachel Ray. His latest keynote speech is Savvy Cybersecurity in a World of Weaponized A.I. Contact Us or call for details: 303.777.3221.

Are Hackers Targeting Your Association? Here’s How to Stop Them.

Are hackers targeting your association?

The recent revelation that Chinese hackers penetrated the internal computer network of the National Association of Manufacturers (NAM) last summer should be a clarion call to all associations: They are coming for you. 

The suspected Chinese hackers ramped up their efforts to steal information in the days surrounding a meeting between NAM President Jay Timmons and President Trump this past summer. While we don’t know what data was stolen, the incident took place during intense trade negotiations, as US and Chinese government officials began to hash out details of a potential deal.

The primary motivating factor behind the hacking of trade associations is simple: INFLUENCE. The fact that NAM is an influential group that’s helped shape Trump’s trade policy made them an attractive target for the Chinese, who undoubtedly leveraged inside information to gain an upper hand in the talks. 

While the NAM hack is notable for its ties to the executive branch and high-stakes negotiations, the fact is that associations of all sizes and political influence are potential targets of hackers such as nation-states, foreign businesses or individual cybercriminals. In other words, you don’t need to have political or lobbying connections to be an attractive hacking target. Your member list, industry-specific intellectual property, employee data, digital connections to influencers, and banking and financial information are all just as attractive to cybercriminals and cyberextortionists as your political relationships. 

Over the past decade, numerous associations have been hacked: In May, the National Association of Realtors reported on a number of hacks of state associations and advised their members to beef up cybersecurity. Earlier hacks include (ironically) the Intelligence and National Security Alliance, the Fraternal Order of Police and the US Chamber of Commerce.

It’s not a matter of if your association will be hacked, but when

The World Economic Forum’s 2019 Global Risks Report ranked cyberattacks as the number one risk in North America. And with good reason. Data breaches alone are predicted to cost $5 trillion globally by 2024; in just the first nine months of this year, 7.9 billion records were exposed in North America. Associations haven’t traditionally been a large part of those statistics, which is exactly what makes them ripe for future picking. Lack of direct threats tends to breed complacency and lack of proactive protections.

Protecting your association from hackers and cybercriminals

As an industry association, in addition to advocating for your members, you have two vital responsibilities:

  1. Protecting your member data, financial details and intellectual property from cybercrime 
  2. Educating your members about protecting their organizations against those same evil forces

Here are the first steps you can take to fulfill both responsibilities:

  • Commission an External Cyber Penetration Test to expose your specific and known vulnerabilities
  • Educate your internal employees to detect and deter social engineering tactics like phishing, ransomware and deepfake videos
  • Prepare a data breach response plan in case you are successfully attacked. This should include a list of executive responsibilities, a public relations strategy, legal response and methods of communicating with the breach response team (remember, your email and texts and mobile devices can be compromised in a breach)
  • Educate your association members about cybersecurity best practices at your next annual event

Your reputation as an association depends on many factors. One of the most overlooked of those is the reputational damage done by a cyber breach incident, especially if member data is compromised. Take steps to manage your risk and defend your data — before it’s too late. 


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance. John specializes in making security engaging for association and corporate audiences. Contact him directly on 303.777.3221. 

Information Offense – How Google Plays

Google recently offered $20,000 to the first person who could hack their web browser, Chrome. Without question, a hacker will crack it and prove that their browser isn’t as mighty as they might think.

So why waste the money?

In that question, ‘why waste the money?’ lies one of the root causes of all data theft inside of organizations. Google’s $20,000 investment is far from a waste of money. Consider:

  1. The average breach inside of an organization costs $6.75 million in recovery costs (Ponemon Study). $20,000 up front to define weak points is a minuscule investment.
  2. Chrome is at the center of Google’s strategic initiatives in search, cloud computing, Google Docs, Gmail, displacing Microsoft IE and mobile OS platforms – in other words, it is a very valuable asset, so Google is putting their money where their money is (protecting their profits).
  3. By offering up $20,000 to have it hacked IN ADVANCE of successful malicious attacks (which are certain to come), Google is spending very little to have the entire hacker community beta test the security of their product.

I would bet that there will be tens or hundreds of successful hacks into their browser, all of which will be fixed by the next time they commission a hack.

Anticipating the inevitable attacks and investing in advance to minimize the chances and resulting costs of a breach is a perfect example of Information Offense. Instead of waiting for your data to be compromised (defense), you take far less costly steps up front to deflate the risk. Only the most enlightened leaders I work with inside of corporations understand the value of spending a little bit on security now to reap huge benefits (in the form of avoided losses) down the road.

Too many leaders are so focused on the revenue side of the model (most of them are from a sales background) that they lack the depth of seeing the entire picture – the long-term health and profitability of the company. You know the saying… an ounce of prevention being worth a pound of cure. Just think of the ounce being loose change and the pound being solid gold.

Marshall Goldsmith, the executive coach, nails the behavior behind this phenomenon in his book, What Got You Here Won’t Get You There:

“Avoiding mistakes is one of those unseen, unheralded achievements that are not allowed to take up our time and thought. And yet… many times, avoiding a bad deal can affect the bottom line more significantly than scoring a big sale… That’s the funny thing about stopping some behavior. It gets no attention, but it can be as crucial as everything else we do combined.”

Listen to Google and Mr. Goldsmith, and avoid the mistakes before you make them by asking yourself this simple question: How can I refocus my efforts and resources on playing offense rather than defense?

John Sileo’s motivational keynote speeches train organizations to play aggressive information offense before the attack, whether that is identity theft, data breach, cyber crime, social networking exposure or human fraud. Learn more at www.ThinkLikeASpy.com or call him directly on 800.258.8076.