August 24, 2023
For years, consumers and businesses alike have been given the same cybersecurity advice: use strong passwords, back up your data on a regular basis and use multi-factor authentication where you can.
These three pillars are the foundation of what is referred to as cyber hygiene, and they help people keep their personal information secure. But now, we’re entering a new cybersecurity paradigm, one in which generative AI can be used to exploit human and technical vulnerabilities.
This raises the question: are these fundamental cyber hygiene practices enough to safeguard against new emerging AI-related cyber threats?
IEEE Senior Member Kayne McGladrey says that there are three threats commonly associated with the rise of generative AI – business email compromise, deepfakes and the generation of attack code.
“These threats are not merely theoretical, although at the moment, they are still relatively limited in their application,” McGladrey said. “It is reasonable to expect that threat actors will continue to find innovative new uses of generative AI, extending beyond business email compromise, deepfakes and the generation of attack code.”
So, let’s explore what these cyber attacks are:
Business Email Compromise (BEC): BEC attacks involve threat actors compromising executive email accounts to manipulate individuals into performing unauthorized transactions. Traditionally, these attacks relied heavily on mimicking the writing styles of executives. However, generative AI can now emulate not just an executive’s writing style but also their tone, amplifying the scalability and effectiveness of BEC attacks. Multi-factor authentication is seen as the best defense against email compromise.
Deepfakes: Deepfakes use AI technology to produce convincing and deceptive audio and video content. Threat actors can use deepfakes to target and impersonate individuals, potentially leading to misinformation, reputational damage and even market manipulation.
“Consumers should exercise caution and skepticism when encountering suspicious or outrageous media content. Basic cyber hygiene alone cannot adequately defend against the consumption of deepfakes,” McGladrey said.
AI-Generated Attack Code: Most malicious actors don’t have the technical skills to create new exploits or write code. Rather, they rely on previously identified playbooks for their attacks, pulling code from the dark web. Generative AI enables threat actors to create malicious code specifically designed to exploit vulnerabilities in other systems.
Moving Beyond Basic Cyber Hygiene
Experts note that even small improvements in cyber hygiene can yield results because malicious actors tend to follow the path of least resistance.
So how can individuals and organizations supplement their basic cyber hygiene practices and enhance their security? While strong passwords, regular backups and multi-factor authentication remain essential, here are some additional recommended steps:
Use a security key: Security keys are small physical devices that usually connect to hardware via USB. They essentially act as a second form of authentication, denying access to services even when someone knows the password to an account. They cannot easily be spoofed and are not prone to phishing scams the way that other forms of multi-factor authentication are. They’re becoming increasingly common in corporate settings, and are also used by high net worth individuals and celebrities to protect access to accounts.
Regular Software Updates: Keeping operating systems and software applications up to date is crucial. This helps to patch vulnerabilities that could be exploited by malicious actors.
Benchmark Against Well-Regarded Frameworks: Organizations should follow a reputable, trustworthy source to stay up to date, such as the NIST Cybersecurity Framework (CSF) or the Center for Internet Security’s Critical Security Controls (CIS-CSC), and periodically benchmark their progress against the framework.
Educating and Training: Promote cybersecurity awareness among employees, customers and individuals. This includes training on how to recognize phishing emails, the importance of not sharing passwords, and understanding the risks of public Wi-Fi.
Using a VPN: Using a Virtual Private Network (VPN), especially when connected to public Wi-Fi, can help encrypt internet traffic and protect data from being intercepted.
Access Controls and Principle of Least Privilege: Organizations should limit access rights to those who need them and regularly review those rights. Implement the “principle of least privilege”, where users have the minimum levels of access to critical network operations required to perform their roles.
“In a nutshell, while the fundamentals are crucial, comprehensive cyber hygiene requires a multi-layered approach to security,” said IEEE Member Sukanya Mandal. “This involves not only technical measures but also education, policies, and practices that together build a culture of security.”
Learn more: In this issue of IEEE Privacy and Security Magazine from the IEEE Computer Society, a researcher explores the use of a generative AI tool in phishing scams, and comes to the conclusion that threat actors will use these tools for a wide range of malicious activities.