
Good morning Calgary, good morning everyone. I'm all the way from Vancouver. I'm here to give a presentation on social engineering in the era of artificial intelligence, but one of the real humans who gave me an opportunity to work in cyber security in Canada is sitting somewhere in this room. So we can start with the presentation, starting with the agenda. Slide number two, please. Thank you.

So, social engineering. On Black Friday and some of the other events in Canada we often see lots of text messages, and one of the surprising text messages we see in Canada is that the CRA is giving us $55: please click on this message and you will be the lucky customer. And somehow, if I have $3 in my bank account, I would be surprised that at least someone is thinking about me, that someone is thinking about me more than our family members, right, sending us the money all the way from maybe an AI.

Next we'll talk about the family; it's a family tree, so everything is connected with each other: how we are assuming the information, how we perceive the information. Everything is integrated, all the way from the hotel you stay in over here, the house you live in, the internet you are connected to, all the networking devices we are listening to; they all are listening to what we do. Intersection of AI and social engineering: when we talk about AI, everyone, including myself, talks about ChatGPT. I don't think life can run without it; it's not a Tesla EV, it's a fuel for life, fuel for AI, so we need ChatGPT somehow to construct our ideas and build a theory. Then after that, some interesting case studies we will look into: the data we have collected from different parts of the world, how social engineering and AI are linked with each other, and how human hacking takes place. Then social engineering, AI and ethics. We often talk about best practices and how best practices are important in the industry. One of the best practices: please remove your shoes before entering the house. So there are best practices to use your phone as well, to use your laptop, to use some of the websites as well. Black Friday is coming, November 24th I believe, so lots of people are going to do shopping. They don't worry about whether it's secure hypertext transfer protocol or hypertext transfer protocol; they will just jump in wherever they can find a better deal and they will purchase it. This is the time when human hackers are active. They know that an extra 5% discount will bring a smile to your face; vice versa, it can bring a smile to a hacker's face as well, to get something out of your pocket. Then after that, the future of social engineering and AI: how can we get more out of ChatGPT, Google Bard, Bing AI and build some new tools, and will ChatGPT or other AI tools slowly eat our jobs or our careers? So let's dig deep into it.

Starting with slide number three, social engineering and human hacking. We often say that based on your profile on Instagram, Facebook, LinkedIn, there are five more people existing on this planet with the same information, same profile, same agenda. There are 8 billion, we have an 8 billion population; out of 8 billion let's say 1 billion users are on the internet. Canada's population is 40 million; let's say 10% of the population uses LinkedIn, and someone can use your personal information. On Black Friday we receive a beautiful gift and immediately we take a picture and post it on WhatsApp, on LinkedIn: thank you so much. I have my newborn baby girl, so if I'm going to give her a gift and post the same gift on Facebook and LinkedIn, that would be devastating as well, because cyber criminals don't have any culture; the only culture they follow is to make sure they get some money out of you. The other way around, when we look into our mobile phone as well and we are connected with the internet, Starbucks is one of the great examples over here. At Starbucks people don't go to drink a cup of coffee; they go to use the free Wi-Fi. It's a free parking space which you can use anytime, anywhere, wherever you have a Starbucks. So over there, when you are connected with the Starbucks Wi-Fi, you're sitting next to your friend and you ask your friend, "My internet is not working well, are you connected with the same Wi-Fi?" "No, I have Starbucks Wi-Fi just for you," and I'm connected with that Wi-Fi, and that is basically a rogue access point established by some of the cyber criminals. If I'm not from a cyber security background or not from an IT background, it's very hard for me to determine what is real, or what is based on AI, or what is created by a human just to take our information. So every time: VPN. I think it's an untold and old story. If you use a VPN you thought, "I'm anonymously accessing the internet and everything is fine." That's not correct. You have to be aware; that's where cyber security awareness plays an important role. That's what social engineering is about: to make people aware, to make sure they are aware of the different types of social engineering that exist. That's what we are going to talk about in the next slide.

So I have categorized on the basis of four different categories: we have digital, we have human, physical and AI. The physical category is one of the most challenging ones and the crucial one for any company. Maybe you have million-dollar software in your company, but in return you don't have a smart doorbell, you don't have biometrics, you don't have anything in the physical protection from the company's point of view, so people can follow you while you are going inside the company. For example, we are here; at the registration point they check our ID, they ask us a few questions, and you can also prioritize the security level at Bow Valley College for the cyber security conference. That could be a social engineering attack as well: did anyone check my ID? Did anyone verify that I bought a ticket? So these questions we should ask ourselves. Then online impersonation, which is in the digital-based category; category number three, man-in-the-middle attack, DNS spoofing, email and fake profiles. So never ever share secret conversations from your company over the internet, because you're basically allowing the cyber criminals to create the same profile and add that particular information. As a social engineering practitioner I would recommend everyone to make sure that you do not share any information which includes your date of birth, your email, your phone number publicly over the internet. Sometimes we are too excited in our life; we just want to share the information with our friends and family members. Let's take an example: I'm your best friend, best of the best friends on this planet. Last year I visited your home, I connected with the internet, you shared your Wi-Fi password with me. Now I turn into a cyber criminal; you have no idea. I again visit your house, you offer me some of the cakes, I eat, but at the same time I use your internet connection to do a cyber crime. So security first: you have to make sure that the only person you can trust in the cyber world is you. It's not about charity, it's not about something for nonprofit, it's about you and your personal information.

Then we have the AI-based category. The cyber criminals are pretty sure of the trigger points we, as general humans, are following: it could be Boxing Day, it could be Christmas, it could be Black Friday. So they know that this user behavior plays an important role, and the websites they are browsing over the internet. Often we buy a $2,000, $3,000, $4,000 laptop but we hardly focus on a $30 antivirus, because we don't feel like this is important for my laptop, and we often feel like antivirus companies are made for money. Everything is a business; we are here, it's a part of business; we are outside, we are delivering; at the end of this there has to be a report. Anyways, I can go ahead. So now, manipulating visuals. Now we have ChatGPT, and over ChatGPT we can easily find any information, and that information we can use to manipulate the other user profiles as well. One example I would like to give over here, which could be an AI-based attack as well: on our phone we have 250, 300 contacts in our contacts list, and if you take a look at the calls which you have made last month, not more than six contacts. So the other 244 left this country, they have already turned down their phone, and someone else is using that particular number to manipulate that particular identity to get some information from you. Christmas came, we just built "Merry Christmas", we sent that message to almost 200 contacts on WhatsApp. Do we know if those contacts really exist, or is someone else using that number in Canada? If that's the case, and your friend told you, "Can you please transfer $50 so I can buy some good t-shirts for myself this Christmas?" and you said, "Okay, I really want to help, here is the $50," because empathy and compassion are somewhere in our heart, but these cyber criminals want to take a benefit.

Next slide, slide number five: intersection of AI and social engineering. Now, in social engineering we have different types of phishing attacks: we have email phishing, we have spear phishing, we have whaling, we have all the way to vishing and smishing. So smishing, as I have mentioned before: the Canada Revenue Agency sending you $55. We are excited that we want to get that money as soon as possible, but now they use ChatGPT or some other AI applications to make sure the message looks genuine so you can take an action. It's all about action; it's not about the messages we are receiving. So once we receive that particular message we have to verify. I think less than 10% of the time we read the sender email address. As a receiver we need to start reading that: who is the person sending us the email? Are we expecting that email? Did we know that email was coming on that particular day? If that email surprisingly arrived in your inbox, you have to make sure that this email is okay. You can verify that email; do your research over the internet before clicking on any link in that particular email.

Next, after that, we have a case study. First case study: we have an interrelation between autism and phishing attacks. So autism, I would not say it's a disability, I would say it's a gift, and people who have autism, I have my best friend, he is in some areas 10 times smarter than what I think. So over here, a study of phishing, a prominent social engineering attack, against people suffering from autism spectrum disorder, a unique developmental disorder characterized by hampered social skills and communication. So for that particular study they designed the study starting with 15 participants, one group diagnosed with autism and the other without autism, so they just want to know, if a person with autism receives a fake email or a spam email, how they react: are they thinking in the same way, the people with autism or not? So some of the findings in that study: the participants with autism noticed the missing security certificates, logos and obstructive URLs in the fake websites presented to them. So people with autism were smarter; they looked into the data and they found out that there are some gray areas which they can point out. And often when we say that it's a part of a bug bounty, there is a security group as well, I don't have the URL as of now, that security group is just for the cyber security professionals who have autism; they can come forward, they can show their expertise as well. Then: targeted spear phishing attacks against internet users with autism may not be more successful compared to the generalized attacks. So attacks are basically the same, as I have mentioned, that hackers don't have a particular culture; they are not discriminating based on who you are, where you are, and in general it's a good thing, but at the same time they are targeting people from every part of the world, every single city where they can find some information.

The next case study, case study number two over here: Unveiling the Dark Side of ChatGPT: Exploring Cyber Attacks and Enhancing User Awareness. Now the level one job, or security analyst job, ChatGPT can do it; 80% of documentation ChatGPT can build it. Now the question is, are we going to build documentation just from scratch and spend 7 days to prepare for something which ChatGPT can do? ChatGPT can do technical writing for sure. Now the data verification, as a cyber security professional, you can make modifications. Now this paper examines the tactics that adversaries use to leverage ChatGPT in a variety of cyber attacks; it also presents illustrative examples of cyber attacks that are possible with ChatGPT. So for this research design, the authors collected a survey of 253 participants, and their responses were measured on a three-point Likert scale. Now one of the findings over here: over 80% of the participants agreed that cyber criminals use ChatGPT for malicious purposes. So for example, creating an email campaign, sending it on Black Friday, that looks similar to Old Navy, Best Buy, Real Canadian Superstore, Walmart. So you click on that particular email campaign, it says extra 50% discount; the moment you click it, if on the same browser you have your banking open, you have your healthcare account open, all the credentials will go to that particular AI or a fictional person behind the screen, and that person will try to retrieve all the information which you have on your browser.

Then after that we have some ethical considerations and their solutions. So unauthorized access to sensitive information: in cyber security we often call it the principle of least privilege, but implementation is a little bit critical as well. You have to categorize the people based on their designation, based on their defense in depth, how many layers of security you have put in. People often say that if we have multi-factor authentication we are more secure; if in the multi-factor authentication you have the password admin@123, you are not secure, even though you have multi-factor authentication. So I have built some solutions over here. One of the ethical solutions: employee training. We often call it cyber security awareness training. So what is awareness? Awareness is endless and limitless. You need to be aware of the system you are working on in the company, whether it is bring your own device, choose your own device, corporate-owned personally enabled device, or the device which is for business purposes only. You have to make sure that you know the legal consequences as well of using that device and employing software which is prohibited by the company. So employee awareness training, starting with emerging threats, phishing, so they get to know that. So basically the cyber security awareness training for non-IT employees, they benefit more than anyone else. One of the platforms I have seen most of the Canadian companies use is KnowBe4, so they use that particular platform to leverage their customers on cyber security awareness training, or you can build your own platform as well and provide some of the instructional videos to them where they can get the knowledge.

The second solution over here, data security. Now we have three types of data: the first data we have saved on our device; the second data we have on physical storage outside, external drives, maybe a solid state drive or a hard disk drive; the third data we have in cloud storage. Now cloud storage is one of the toughest platforms to secure, the thing which I don't own and someone is asking me to secure that particular platform. So I'm using those services from AWS, I'm using those services from Microsoft and Google. Now if Amazon Web Services goes down, what will happen? My services go down. Even though they have edge locations, they can transfer my data from one location to another location as well, but I'm dependent on the third party. So cloud computing is just renting the same machine, same deployment infrastructure from third-party companies, so basically you're not using your computer; you're using somebody else's computer to do the same thing.

Then after that we have legal compliance. In Canada we have the Consumer Privacy Protection Act; we have some international regulations as well: GDPR, Sarbanes-Oxley Act, FedRAMP, and all these different legal compliances and the frameworks we use to enforce some of the security measures in the company; this is very critical. A company might use a risk assessment report, use NIST as well, the Cybersecurity Framework; they can use kit as well or some other frameworks. But make sure that the report which you are generating as a newbie cyber security engineer has to be technical, and it has to be easy to understand by the people who are not technical as well, because you cannot ask your manager, "Do you have a cyber security degree, or do you have experience in cyber security?" So I have seen many profiles where people are working as a Chief Information Security Officer but they have leadership degrees; they don't have a degree in cyber security. So the degree is not making you a cyber security professional; the experience makes the cyber security professional over here.

Then after that, the future of social engineering and AI. So we have AI-driven technologies as well. So for some of the phishing campaigns as well, we can use GoPhish as well; that's, I think, one of the basic email campaign tools which, as a company, you should use, and design a campaign and send it to all of your staff members without their prior consent. So you need to check how many employees, after you give them cyber security awareness training... now this is the time to test out what they learned. If I got a new cyber security job and I got an orientation, and in that orientation they said, "Okay, please complete cyber security awareness training," I will ask my roommate or someone else, "Please do it," because maybe I don't have time, and many people do that. So in that particular case you need to test out where your employees stand; then you can better provide the cyber security awareness training to them. Then use of AI to analyze and exploit human behavior: so there are some AI tools where you can generate hundreds of fake Facebook profiles with the same data, with the same information. Remember one thing: if you know how to do programming, you can build anything, that's it. C language, C++, Python, Go; programming is the same for everyone, whether you are a human or AI, so they will use the same way to build up a technology. Then after that, if there are any questions for me, please let me know; I would try my best to answer. Thank you so much, everyone. Oh, by the way, I have added Calgary as well. Yes, please.
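The habit the talk recommends for every surprising message (read the sender address, ask whether the message was expected, and inspect each link before clicking) can be written down as a small triage routine. The following is an added example for readers, not code from the talk or the speaker; the brand allow-list, the two sample messages and every domain and address in them are constructed placeholders, and the heuristics are deliberately simple so a non-specialist can see what each check looks at.

```python
"""Phishing triage heuristics for one inbound email (added example, not from the talk).

Checks, in order: display name vs. sender domain, Reply-To redirection,
link hosts (raw IPs and domains that differ from the sender), and lure
language (money offered plus pressure to act). Sample data is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list (placeholder values): brand names a display name may
# claim, mapped to the domains that brand is expected to send from.
KNOWN_BRANDS = {
    "cra": {"canada.ca"},
    "best buy": {"bestbuy.ca"},
}

# Lure phrases: a dollar amount, a call to act, and a time/luck pressure cue.
LURE_PATTERNS = [
    r"\$\d+",
    r"\b(click|claim|verify)\b",
    r"\b(immediately|within 24 hours|lucky)\b",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable(host: str) -> str:
    """Crude 'last two labels' domain; adequate for a triage heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _body_text(msg) -> str:
    """Concatenate the decoded text/* parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def triage(raw: str) -> list[str]:
    """Return human-readable warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []

    # 1. Display name claims a known brand, but the address is not that brand's domain.
    for brand, domains in KNOWN_BRANDS.items():
        claimed = re.search(rf"\b{re.escape(brand)}\b", display.lower())
        if claimed and registrable(sender_domain) not in domains:
            warnings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. A Reply-To that points at a different domain redirects the conversation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        warnings.append(f"Reply-To domain differs from sender: {reply_to}")

    # 3. Every link: raw IP hosts, and hosts that do not match the sender's domain.
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if IP_HOST_RE.match(host):
            warnings.append(f"link uses a raw IP address: {url}")
        elif registrable(host) != registrable(sender_domain):
            warnings.append(f"link host {host} does not match sender domain {sender_domain}")

    # 4. Lure language: two or more of the patterns together is the 'act now' shape.
    hits = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if len(hits) >= 2:
        warnings.append("message combines a money lure with pressure to act")

    return warnings


# Constructed samples: a smishing-style "refund" email and an ordinary internal one.
SMISHING_STYLE = """\
From: "CRA Refund Desk" <refunds@cra-deposit-notice.com>
Reply-To: collect@mail-deposit-center.net
To: you@example.com
Subject: You are the lucky customer: $55 refund

Click https://203.0.113.10/claim within 24 hours to verify your account.
"""

LEGIT_STYLE = """\
From: "Colleague" <alice@example.com>
To: you@example.com
Subject: Slides from today

Deck is at https://docs.example.com/deck as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("smishing-style", SMISHING_STYLE), ("ordinary", LEGIT_STYLE)):
        print(label, "->", triage(sample) or ["no warnings"])
```

The "registrable domain" helper is intentionally crude (it does not consult the public suffix list), and the brand list is whatever an organisation chooses to maintain; the point of the example is that each of the speaker's questions about a message maps to one concrete, checkable property, which is what awareness training asks people to do by hand.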
[Question, partly inaudible: ...how accessible...]

So that's a great question. We have WormGPT as well; we have many different variations. So it depends whom you are targeting, who is your target user: is your target user a novice, a beginner level, intermediate level or advanced level? What sort of infrastructure do they have? So if you are targeting a user, first of all you will do your research: where the user is, what's the infrastructure. There is a possibility the user doesn't even have encryption enabled for the network; anyone can come and join the network. So that's the case: who's your target user? That is very important. Yes, please.

I think I don't know the exact answer, what type of autism they mentioned, but I think if the BSides Calgary team shares this presentation, I have mentioned the reference as well in the slide. Thank you. Anyone else? Please. Yes, please.

So ethical solutions: you can put them under your policies as well, and that should be a part of the onboarding process when a user joins the company, right? User awareness will come into the picture once the person is a part of your company. So for ethical solutions you should have ethical policies designed for your company as well: how to store the data, for how long you can store the data, best practices to use Slack, best practices to use Microsoft 365, Google Workspace and all. And this you have to design and make sure, for anyone who has already designed or is planning to design, that they can get legal consent as well from your employees that, okay, they agree with that particular statement.

[Question]

So first of all, it's very hard to put ethical controls on a generalized audience... hacker... technical, okay. So technical controls: the first technical control I would say is antivirus, that's one of the technical controls as well. The second control is patch management as well, so make sure that you can make your employees aware as well that they can put the patch management on real time as well. And the third technical control over here, next-generation firewall; they can put it as well to filter the data, to filter the traffic. No problem.

[Question, partly inaudible: ...one respect all...]

That's a yes. So that's a great question. So I can go from scratch to answer this question. So every company does have a business plan, right? A business plan has two components: financial plan and marketing plan. So under the financial plan we have an Information Technology budget; under the Information Technology budget we have a cyber security budget. So under the cyber security budget we can prepare some budget for the ethical considerations and the tools as well. So in technical controls, as I have mentioned before as well, antivirus and next generation... you are right, in the signature-based... we can go ahead with single sign-on as well, we can go ahead with the others, like, let's say a password manager as well, to make sure that users are aware. One more thing: every single software, every single solution you are implementing in the company, you have to train your users. You cannot say tomorrow morning that, you know, we have a new technology that comes into place; many people don't like change management, and change management will take some time. It will take maybe a year, maybe 6 months. For example, if I joined a company yesterday, I haven't even completed my probation period, and the company is saying after 1 month that we have changed our systems, now you have to learn new things. So we can also follow ISO 27001 as well; so over there we have technical, physical and managerial controls, and once we are designing all these three controls, in the managerial control, where I have mentioned the policies, procedures, guidelines as well and the protocols, we have to be very careful that our user is mature enough. I cannot go to the local restaurant and tell them that I can implement these controls over there, so they said, "We have to make money rather than implement these controls." So small businesses in Canada do not take cyber security seriously because of budget issues and the priority issue as well. So even the mid-size company as well, if you send an email to your manager or a hiring person for cyber security, it may take 2 to 3 months for them just to reply with an initial response; then it comes to the budget as well; after the budgetary approval they will see, okay, if we have an opportunity. Yes, please.

Sadly, I was checking canada.ca yesterday and I was looking at some of the AI ethics and the AI laws. There is one; in the case of law, it's judicial law, that we have the AI laws as well, but for the general audience we don't have a law that I have read so far. So I was trying to find and include that part in my presentation, but I did not find it. And moreover, now the Consumer Privacy Protection Act almost takes over PIPEDA in Canada, so we have a privacy act. And one more thing: Canada has 10 provinces and three territories; for every province and territory we have a law. So for example, I'm from British Columbia, I'm from Vancouver, so we don't have a local healthcare law, so we rely on federal law. Although it's interrelated, we don't have that law for our province. Nova Scotia does have it, Ontario does have it, but BC doesn't have it. And Alberta and British Columbia, for the general audience, share their privacy law with each other; it's the common one. Any other questions? Please. Oh yes, please.

[Question, partly inaudible: ...what can we ... defensive ... how...]

That's a great question. So first of all, if I'm receiving a cyber attack, I need to first find the root cause. I mean, for me as a human, I'm not sure if it's an AI attack or not. So again I can go back: in any company people are the weakest link, not the password. So I again emphasize the same, cyber security awareness, to make sure that you make your audience aware as well. So now most of the cyber security companies in Canada depend on vendors; so the cyber security manager, cyber security analyst, junior security analyst, they all are on the phone with the vendor all day, and their job is to make sure the documentation is clear for the management. So now, AI-specific attacks and how to be defensive on that side, that's from the vendor perspective, the vendor you are choosing. And, like, I'm not sure of his name, but he asked me a question, like, if there is any AI law in Canada; this question, I think it's a great question to ask Amazon: from the artificial intelligence point of view, do you have any strict policies or laws that my customers and my internal users or external users are protected? So this is very important, the vendor we are going to select. Anyone else? Yes, please.

I think honeypots are a great way, so we deploy that, and as I have mentioned before this is a great way. So many companies hire red team experts sitting outside the company; they tell them to deploy some of the attacks. In that case they are not following any ethics, so they have the option not to make their internal employees aware as well about the attacks coming. I think, this is my personal perspective, this is great advice for the companies: to deploy the internal attacks as well before informing your employees, to see what will happen. I'm an accountant, I joined the company yesterday in the payroll department; now I got an email that I'm the CEO of this company, I'm at Starbucks, I don't have a credit card, would you please send me $10 so I can pay? Or I'm a manager, so this is my first day at work, I have to do my best, I have to make sure everyone is happy in the company, but I'm not sure that I'm going to make a Guinness world record to be hired and fired on the same day if I do that. So that's... I think your question is valid, so we can deploy that internally as well. Yes, please.

So I think the new bill will definitely strengthen the AI side of the policies as well, but as a general audience I don't know what is in that bill, right, and I don't have any resource where I can read it, or the government sends it to my home, right. How many people, like our neighbors, know there's a new bill that came out? Because we are in a country where 60 to 70% of people are immigrants, including myself. If I'm pretty new in this country, do I know Canadian policies? Did anyone teach me? Did anyone tell me that I have to clear the Canadian policies exam before migrating to this country? There's nowhere that information is. And I think it will strengthen the AI side but not for the general audience, because the general audience is so far from the fact that they don't know the policies. Thank you much. No problem, thank you so much, take care everyone, thank you.