AI in Social Engineering
[June 2024] AI is revolutionizing social engineering. AI's use of automation and stealthy techniques dramatically raises the stakes of cybersecurity. Threat actors can create convincing written messages, voice mimicking and phone-based attacks.
I'm joined by Bill Anker, executive director of strategic programs at the University
of Alaska system Office for information technology.
00:13
We're discussing social engineering using AI.
In recent headlines Forbes declared that AI is revolutionizing social engineering
and likened generative AI to "social engineering on steroids." AI's use of automation
and stealthy techniques dramatically raises the stakes of cyber security.
00:34
What used to amount to a peppering of emails with some clumsy grammar and misspelled
words, now is really sophisticated.
It feels like we're entering into an alternative reality where you just don't know
what's fake and what's real.
00:47
It's a real problem. We're now living in the intersection of AI and social engineering
and that's dangerous territory.
For example, threat actors can now create flawless, convincing messages in perfect
English using tools like ChatGPT that makes detecting fraudulent messages really
challenging.
01:04
There are also voice mimicking and phone-based attacks. As many of you know, AI tools
can generate lifelike spoken words that mimic specific individuals. This capability
opens the door to phone calls that can convincingly imitate anyone, such as the head
of finance, a chancellor or the university president. Threat actors generally use
a two-pronged approach. They start with credible emails and follow that by voice calls,
adding a layer of deception to social engineering attacks.
01:30
That's troubling. I know that in addition to email and voice attacks, picture and
video can also be AI generated. Are these so-called deep fakes a concern for the university?
01:41
Absolutely. You may have seen deep fakes in the news recently. For example, as recently
as this past February, a finance worker paid out more than $25 million in response
to fake video requests from someone impersonating the Chief Financial Officer of the
company.
Concern about election year deep fakes is in the news quite a bit and is leading to
the introduction of AI related legislation to combat attempts to mislead voters during
the 2024 election.
AI can be used to create deep fakes using pictures, video, and audio footage found
in the public space. And with that they can pretty easily make completely realistic
fake videos and fake virtual identities.
02:18
What are the big risks related to social engineering using AI for the University?
With AI's hyper-speed ability to analyze an employee's digital behavior, scams can
take on an unsettling personalization, increasing the likelihood of successfully tricking
our employees into providing access or sharing private information.
02:36
Beyond social engineering AI also accelerates the detection of vulnerabilities in
systems, potentially leading to rapid breaches even before staff recognize a threat.
AI tools can autonomously probe defenses, learn from mistakes, distribute malware and
extract sensitive data often bypassing traditional security alarms. Adaptive AI-powered
malware can dynamically create real-time countermeasures against the university's
defenses resulting in more prolonged and disruptive attacks.
03:03
What are some countermeasures that we can take against AI fueled attacks?
This can be broken down into three main strategies. First, training our users to detect
social engineering. Second, implementing improved authentication. And third, deploying
AI based security controls.
Employee awareness and vigilance is by far the most powerful tool in our arsenal.
The use of multi-factor authentication can reduce account compromises by up to 99%.
And finally, AI-based defenses can react and adapt to attacks in real time dramatically
speeding up our response times. UA is already implementing the first two and is currently
investigating the third.
03:38
Remember there is always time to verify the authenticity of a request. If you have
any doubts, aren't expecting this type of communication, or aren't sure if you should
proceed, reach out to the requester directly, using an alternate communication method.
For urgent matters contact your local service desk and if you need further assistance
including individualized help do not hesitate to contact OIT security operations at
ua-oit-security@alaska.edu or visit OIT's website.
04:07
Thanks Bill. I'm impressed with the work that you and the entire OIT team are doing
on behalf of the university to protect our online security.
Everyone thanks for joining this compliance chat. If you have any further questions,
please feel free to contact OIT security operations.
"Compliance Chat" videos are informal conversations where Senior Institutional Compliance Liaison Mary Gower meets with subject matter experts covering frequently asked compliance questions and issues in quick, bite-sized clips.