Sorry, Terminator fans, ChatGPT is not going to become Skynet
0:00 - ChatGPT AI
2:50 - How Jack Nichelson got into cybersecurity
4:45 - Types of IT cybersecurity roles
6:57 - AI versus human value
10:46 - Life as a CISO
15:12 - The ChatGPT story
19:37 - Where is AI at right now?
24:20 - Actual applications of AI in the future
30:04 - Areas of study to enter cybersecurity and AI
34:27 - Where AI tools may lead cybersecurity
37:00 - Training for future AI malware
40:20 - Software to spot AI malware
44:50 - What is Inversion6?
46:55 - Learn more about Jack Nichelson
47:12 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
Is Cinderella a social engineer? That terrifying monster trying to break into the office, or did he just forget his badge again? Find out with Work Bytes, a new security awareness training series from InfoSec. The series features a colorful array of fantastical characters, including vampires, pirates, aliens, and zombies as they interact in the workplace and encounter today's most common cybersecurity threats.
InfoSec created Work Bytes to help organizations empower employees by delivering short, entertaining, and impactful training to teach them how to recognize and keep the company secure from cyber threats. Compelling stories and likable characters mean that the lessons will stick. Go to infosecinstitute.com/free to learn more about the series and explore a number of other free cybersecurity training resources we assembled for Cyber Work listeners just like you. Again, go to infosecinstitute.com/free and grab all of your free cybersecurity training and resources today.
Today on Cyber Work, my guest, Jack Nichelson wants you to know something. AI is coming, but it's not Skynet and it's not the rise of the machines. Whatever unnerving story you've read in the past few weeks about ChatGPT and what it will or won't do to humanity, I'd really like you to join us here and get a much fuller picture of AI as a tool and our role in shaping and building it. This is a great episode. You're not going to want to miss it. That's all today on Cyber Work.
Welcome to this week's episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about the latest cybersecurity trends, the way those trends affect the work of infosec professionals, while offering tips for breaking in, or moving up the ladder in the cybersecurity industry. Today's guest, Jack Nichelson, is a Chief Information Security Officer for Inversion6, and a Technology Executive with 25 years of experience in the government, financial and manufacturing sectors.
His roles have included leading transformation and management of information security and IT infrastructure, data management and more for organizations in numerous industries. Jack earned recognition as one of the people who made a difference in security by the SANS Institute and received the CSO50 award for connecting security initiatives to business value. Jack holds an executive MBA from Baldwin Wallace University, where he is an advisor for its collegiate cyber defense competition, or CCDC. He is certified in the following: CISSP, GCIH, GSLC, CRISC, CCNP, CCDA, CCNA and VCP. That is a lot of alphabet soup right there. Jack, thanks very much for joining me today. Welcome to Cyber Work.
Thank you so much for having me on today.
My pleasure. We've got a lot to talk about today. But first, I want to get a little background on you and talk about your origin story. How did you first get interested in computers and tech and security? What was the initial draw?
I'm so fortunate that I was able to turn a hobby into a career and it really all started with games. I had an old computer. In order to be able to play the games, I needed to be able to edit the autoexec.bat and config.sys files to be able to run the games. I wanted to be able to cheat at the game, so I had to learn how to use hex editing. Then I found bulletin board systems. The bulletin boards really just opened up the whole world for me, and that's really when I started to get more engaged in the whole cyberpunk thing and phreaking. It just opened everything up for me. It all really started with games. I'm so fortunate that I was able to turn a hobby into a career.
What was your preferred game? I want to see if we’re roughly the same age here.
Well, I mean, I started out with the original King's Quest games. Baldur's Gate. All the original kind. I really like a lot of the adventure games.
Me too. Yeah, point and clickers. Yeah, good stuff. Yeah, that's great. I love that you – I think the reason why I'm here in the host who doesn't know things chair and you're in the guest who knows things chair is that you were the one who learned to hack, so that you could cheat the game. Whereas, I just got angrier and angrier as I tried to get Jumpman to get through level 35, or whatever.
I went and looked at the saved files and I was like, “Huh. This saved file, I could edit this.”
Okay. Yeah, see. Lessons learned 35 years too late here. Another thing I like to do to get to know our guests and break this a little bit is I looked at your LinkedIn profile a little bit, because it helps me understand the type of work you've taken on over the years. For our listeners who are trying to get their first foothold in the industry, I like to tell them about the types of roles you've climbed through to get to where you are now. Your employment and promotion timeline has a pretty strong root at the center of it. It seems to be largely based around IT security. That's clearly a passion of yours. Can you tell me what has kept you in this area of good old essential IT security in guiding your career journey?
Honestly, I'm so fortunate in the mentors that I've had. Early on in my career, a gentleman who was the chief security officer for a large bank, I asked him how he got to where he was. He started switching tapes on the night shift and now runs IT for the whole bank. He really imparted on me the idea of, don't strive to try to be a success. Instead, be of value. That's really at the heart of what I try to do and what has kept my career there and why I'm so focused on the fundamentals and the basics.
Might not be as sexy as running around and doing threat hunting, but getting good at the fundamentals, providing real value that's measurable and providing those results is what really matters. In my career, I've had some amazing opportunities. I worked for a large bank. I was there for seven years. In that time, I had five different roles. I got to work under some amazing people that really helped me grow my career and encouraged me to take on new opportunities that took me out of my comfort zone. That's also another thing that's really helped guide my career: sometimes it's okay to move into an area that you're not 100% comfortable with, because that's the best way to grow.
Oh, yeah. Yeah, yeah. You absolutely have to make yourself uncomfortable. Then at the end of it, say, “Oh, that was awesome.” Now, I want to poke into an aspect of that a little bit. You talked about one of your former bosses who started, as you say, switching tapes overnight on the – I'm assuming on the backup systems and so forth. You're talking about starting at a very mechanical and rudimentary level in terms of providing your value to the company.
Now, I want to see if I can square that with what we hear a lot now with AI. We're going to be talking about AI today. I just spoiled that, but a lot of the selling points of AI is that a lot of the menial grunt stuff doesn't have to be done by people anymore. It can be automated and so forth. Is there still a path, the way that you and your former mentor had, wherein you can do these really brute force, low-level things and make yourself valuable as you gather your toolbox?
I'm not going to pretend that I know where the future is going to go. I do think that those opportunities are absolutely still there. They may have changed, right? That particular boss, he started changing reel to reel tapes, and worked on punch card systems. I started on the help desk, right?
Kind of the same type of job, but a little bit different. We weren't batch processing anymore. We were processing in real time, but there were still entry-level jobs that the organization was able to give those opportunities to, and through the good mentoring, you're able to then grow up the chain.
Now, with the advent of technology, some of those entry level jobs may change of what they physically are doing, but I still think there's always going to be a need for entry level. Every organization always needs those jobs to be able to grow, to have their succession planning, and to be able to have a feeder pool to be able to grow from. What the role is may change, but I think there will always be entry level jobs in all industries.
I really don't see AI replacing all jobs. When computers first came about, oh, we won't need accountants anymore. Everything will be automated by computers. I would argue, computers created more jobs than they replaced. I'm hopeful that AI will do the same thing. How it unfolds? We don't know. The job I'm in today, it didn't exist 30 years ago. Even when I first started in computers, there wasn't a dedicated security department, right? Security was just something the system admin did as part of their job. Now, it's its own career. We don't always know the path things will take, but I'm very hopeful that it will open up more opportunities for folks.
Yeah. I absolutely agree with you. I hear that fear now and again, and I like to address it head on. Just as a quick tangent, there's a great movie from the 1950s called Desk Set. It's all about a set of three research librarians for a TV station, who are constantly getting information for all the different programs. They're about to be replaced by a supercomputer with punch cards, with reel-to-reel tapes. It's amazing how relevant it is now, because you can plug all that information into the computer and it doesn't know how to actually do the processing of it, other than in just the most linear way possible. I've seen it several times and I love it. It's also a Christmas movie. It's got a great Christmas party scene in it.
It is very interesting that people have been worried about this thing since at least as long as there were computers, that they were going to take our jobs and so forth. That's literally the last lines of the movie is with this new computer here, we're going to have to hire even more people, because we're going to be working with the West Division. Sorry, a little tangent, but I love that movie. I never waste an opportunity to tell people about it.
I want to talk about your current job, which obviously is a lot more complicated than your first job on the help desk. Can you talk about your average workday, or work week as the CISO of Inversion6? What are some of your primary responsibilities and some tasks you can count on to take over your day and stuff like that?
First, I was a longtime customer of Inversion6. I was a customer. Then some of my best friends started working there. Now, I had an opportunity to join the company. Now I get to work with my friends every day. That's so rewarding. In IT and especially in cybersecurity, the bad guys have first move, or advantage, which really keeps us on our toes, right? It also continues learning. We're always learning something new; adapting to what we're coming – what’s coming at us, which really makes our day pretty adventurous.
I had to learn early in my career, in order to be successful and to be able to show that value, I needed to make sure I wasn't chasing stuff, right? That comes back to where I was finding the most effective people. When I would go and talk to my CEO, or CFO, they weren't running around with their hair on fire. They were very calm and collected. Here I am in a much lower position and I'm running around with my hair on fire. I had to look at like, “Well, what's different?” It’s just be the job.
I started to realize that to be effective, I needed to stay out of quadrant one and quadrant three, right? Which is the Stephen Covey Seven Habits of Highly Effective People. I needed to stay focused on quadrant two. The things that aren't urgent, but are important. Those are the things that sets you up for future success, that really makes sure that you're prepared, so that way your day doesn't run you and you're running your day.
I give a talk. I've been giving this talk for a couple of years now at different conferences on creating a results-oriented culture, by really measuring what matters, being a real metric-driven leader. It really all starts with measuring yourself first, right? Holding yourself accountable, right? Setting your own goals, turning off your email and your phone, having dedicated work time. It's okay to say no. It's okay to send other people to meetings and stay focused on the longer-term things. That way, they don't become the next problem. If you're just running from problem to problem, your day does run away from you very easily as a CISO, because this is a very challenging field. I found that the more prepared you are, the better it is. From the Jocko Willink quote, discipline equals freedom. If you stay disciplined day-to-day, it will free you up. When things are out of control, you are not.
Yeah. No, that's amazing advice. I mean, I know there's no day is similar to the next day, but on an ideal day, how much of your day, if you've got everything spinning properly, no immediate fires in the barn or whatever, are you spending thinking about long-term issues, long-term solutions? Is that occupying half your day, all of your day?
There's a great book, Death by Meetings. Really what it is, is I do a lot of long-term planning. I block out parts of my calendar. I make sure that those things that are blocked out are focused, right? What is the intention during that time? Some of those blocks are for short-term things. Some are for midterm things. Some are for long-term things. Some are for connecting with other people. Some are for doing research. I'm trying to stay focused on those times, so that way throughout the day, when I bring up my calendar that day, if it's a good day, I'm just running on those blocks that have been pre-programmed for me, so that way I'm staying on the rails.
Wow. That's a mind-blower. I'm literally going to work with that right after I end this recording, I think. Yeah. 2023, man. It's all about getting the schedule under control here. Yeah, today's topic for discussion, initially I thought it would be the recent breathless news stories about AI, and specifically about ChatGPT, which we've all heard about, maybe we played with. Reportedly creating a strain of polymorphic malware following text-based interactions with cybersecurity researchers at CyberArk. Because I'm personally not that completely immersed in the complexities of this technology, I read something like that and think, "Uh-oh. That's bad." Probably is.
However, I get a lot more nuance from reading your recent posts on the subject and comments from like-minded writers. I mean, it sounds like a missing factor in these breathless reports is the human element, both in guiding AI, utilizing AI as a tool, and then responding to it when it's used in threatening ways. Let's start with the story. For our listeners who haven't read about this ChatGPT story, can you just give us the overview of what actually happened and contrast that with how it's commonly being reported right now?
Great question. Where it started was a couple of researchers that have very deep background in developing malware, they went on a ChatGPT and they asked it to create some malware. It gave them a very generic answer of like, “I don't do this.” They hit the protection wall. They found though that by rephrasing their question and putting it in different context, they were able to bypass the safety wall. That was the first aha moment that you can trick the AI and answer you a question it's not supposed to answer.
Then they started to put the breadcrumbs out there. Okay, how would you inject a DLL? Okay. How would you inject a DLL into explorer.exe? It started to give very functional Python code, which is important. What's interesting though, is on the screenshots and the way the researchers did this, it's like, "Oh, I browse up. This is, oh, my God. It's outputting all the code on how to inject a DLL into explorer.exe." Then you take a step back and you start to look at it and this is where I think there's been some really good comments, like you said, by other researchers, who did the same thing. They're like, "Yup, absolutely. All of those points are true. This did show a problem. Now, let's look at it." The people who were asking the questions, they were very much asking the right questions. They were very intelligent. They were very smart about how they were – they knew what to ask.
They knew the ins and outs of the technology as well, I imagine. They know how to –
A novice wouldn't know what to ask, right? Now, could it help them get there? Absolutely. These were experts that were guiding it along. Also, what's important is it was outputting in Python. If you were to take the same questions, but put them into the form of Google searches, and Google was searching, let's say, Stack Overflow, where most of that code came from, which is Python samples that were from different hacking tools, that's where that code came out of.
Now, could it now convert it to execute in a Windows environment? Also, when you look at the code, it's missing certain things, like elevating permissions. There was a lot of things in there where on the surface, it looks really bad. If you'd actually just paste that code in, it wouldn't have executed. Or it was missing some key functionality.
It was at the heart of that article, where they did show that they can bypass some of the protections. They can ask it the questions to get the answers. I would also say that a lot of the answers they got could have also just been found on Stack Overflow, because they're all code snippets. It's a script kiddie idea. Google enabled those people to be able to take other people's code, manipulate it a little bit to have a functional piece of malware, but that they really fully understand it. What we found was most of that malware blew up and didn't really work. People were going to find the same thing here as well. It still takes an underlying knowledge to be able to create a functional program with ChatGPT.
Okay. Now, before I go to my next question here, that triggers a follow up for me, if you talk to – I don't know what to call them, AI utopianists, or whatever, but people who are really convinced this is going to change. It's either going to be Skynet, or it's going to be the new golden age, or whatever. The standard concealed answer from them is, well, the technology is not there yet, but it'll be there soon. Can you speak to the idea that, okay, well, it was hard for them to do it with the AI we have now, and it's operating at a very rudimentary level and it's all these other things. I mean, is this always going to be the work around? Is this lack of ability to see when it's being given the okey-doke by its programmers?
I think we're in an arms race. This stuff is going to continually evolve. It's going to continually get better. When I first got on the Internet, there were no search engines. You had to know where to go. I mean, you had to know IP addresses.
The good news is there were probably a hundred websites.
Exactly. You could do some things on the Internet. You could telnet around to some different free nets and things like that. Then the Netscape browser came out and that changed a lot. That was like, "Wow, that opened that up. That was a generational change." Then the Altavista browser came out. It was like, "Oh, my goodness. I could type in the word weather and I could go to a weather site and I was blown away." Then Google came out, right? Google was a seismic change in the search capability. I could find so much more stuff much faster and I was more effective on what I could do. I see this as the next seismic jump.
A lot of the output that ChatGPT is doing, it's not that ChatGPT knows this stuff. It’s just referencing what it found on the Internet and digesting it and bringing it back to me. It's the same as a Google search result. Instead of me going to three different pages and extrapolating that information, ChatGPT went to three pages and extrapolated the information and gave me an output. At first glance, you're blown away by it. When you start to look at it, you start to see some of the flaws, you start to see maybe where it pulled its reference material from, you start to see how it strung those things together. It is going to get better. It is going to evolve, right? Where it will go? I'm not sure. But I see it as just the next generational evolution of what we're doing.
I mean, Microsoft's CEO has done an amazing job of evangelizing the technology. He keeps coining the phrase 'co-pilot,' where it is assisting you in your search. It's assisting you in digesting large documents. It's assisting you in mathematics. It's assisting you in security. It's assisting you in developing code. One example I'd like to give is all the articles keep talking about how ChatGPT is helping people write malware. We're not talking about, on the same hand, it could also help somebody write PowerShell scripts to harden their server, right? And disable SMBv1, and disable NetBIOS.
The tool is there in either person's hands. For the good, or the bad in that use case of what they do for. In my opinion, it's going to be an amplifier. Just like the Internet became an amplifier, or let's say, even the computer became an amplifier, then the Internet is the next step. Google has been the leader for the last 10 years, and has amplified how everyone works. You can clearly see, two employees and one is very effective at finding their own answers, extrapolating information on Google to do their job. They usually go up faster than the person who doesn't Google and doesn't use their search tools. You can't digest information quickly. I see this as just, again, as an amplifier of people's natural abilities.
Yes. Yeah. I think we've already covered my next question, but I want to rephrase it and see if there's anything more to be found in there, because you put it perfectly in that AI is a tool whose primary limitations at the moment is that it's not intrinsically intelligent without human intervention. All futures are possible theoretically, since they haven't happened yet, but can you talk about what you think the actual applications of AI will be? I mean, you mentioned that if it can create malware, it can also create anti-malware and some of the major pitfalls that we need to avoid to prevent a lazy abdication of responsibility for governance of this type of technology, be it in a code writing capacity, an encryption juggernaut, or any other forthcoming applications.
Wow. I'm not sure, honestly. I am very excited to see where the technology is going to go. I'm very excited to see what happens with it, right? It's going to be one of those things where I don't think we really fully envisioned how much the Internet would have become part of our daily lives, how much putting the Internet in a smartphone in your pocket with applications have changed our lives.
Folks of our age, I think there was still a time I remember when it seemed like not everyone was ever going to get on the Internet. That just seems unimaginable.
I agree. I think that's where this comes from. I do think that it is important to think about the governance. I think everyone would agree, we were probably a little late on governing some of the controls around the Internet. I think AI has another opportunity for us to do that. I think there's an opportunity here for both governments, businesses and individuals to understand how to best utilize it, make sure that it's equitable, right? That it's not just for the haves, it's for everyone. I think it's very important that we start to teach on it, right? How to utilize it. Where there's a lot of fear about, “Oh, people are going to cheat on essays.” We were terrified about the calculator. “Oh, we'll never have math again.”
I have a calculator. My first TI-82, I was amazed at what I could do. Then I realized its limitations were me, right? I was only so good at math. I didn't know all the –
You got to know what to put in to get the output.
- to even know what to put in. I think, we need to start to think about how we train the new workforce, how we train governments, and also litigation, how to think about this technology, businesses. Some businesses have taken a hard stance. “Oh, we're going to ban it.” Other businesses are like, “Oh, we're going to be able to cut our development team in half, and they're going to use this.” I'd be a little worried about too much of a reaction either way. I think, we still need to see how it unfolds. It still needs to be developed and incorporated. I'm very excited and hopeful for what Microsoft is doing. They want to incorporate it into the Edge browser. There's hope that it's going to be incorporated into more Microsoft applications.
Myself, I'm not a strong writer. It's difficult for me. Spell checker is the best thing ever. Computers have really allowed me to be more effective at writing than if I had to do it the old-fashioned way. I can't wait for ChatGPT to be incorporated into Microsoft Word and email. Not to do my job for me. Not to have thoughts and ideas for me, but to maybe help me better convey my thoughts and ideas to others, being more efficient on how I do that. Almost like a super awesome spell checker.
Now, there are some social ramifications, right? What are those outputs, right? What are the governance around it? These are some of the things that they've talked about on how do we control the technology? Then also, generationally, if we've generated this much material in 200 years, how much more material could we generate when we have a generator? Then the first iterations of these AIs have learned everything that humans wrote. What happens when they start learning and digesting things that themselves have wrote?
They're starting to now garbage in, garbage out. If I go on to ChatGPT and I generate 400 blog posts on something that is wrong, and it digests that, but it's now the largest volume of source material, could that become manipulative? We've seen that same – I mean, this has played out before with Wikipedia, right? What we've seen, though, there is self-governing. People would go on and they change things, it get changed back, or people would realize it. I think that also comes into that training again of how to use it, be scrutinizing of it.
We had to learn the same thing with Google, right? You type in a Google search, you get a result. Anyone who trusts the first page who comes up is going to be misled, right? We all know, look, I'm going to read three pages, and if they all have the same theme, okay, that's probably where we go. We're going to need to be able to have a way to validate the output we get from ChatGPT. That all still ultimately may be operator, right?
Yeah, absolutely. Well, so let's flip these abstract considerations into a more practical job focus for people who are getting started in the industry. You've already talked very well about this, about the fact that AI doesn't intrinsically take away entry-level jobs. It might change them. It might refine them, or whatever, but there's still the work to be done in a cognition way. I'm wondering, Jack, in a concrete way, if you can talk about some tips, whether areas of study, or hands-on experience that students and aspirants entering the cybersecurity force now should be staying on top to – on top of from an AI standpoint. How do you interface with this while you're still a student in a way that's going to be useful to you in a couple of years' time?
Excellent question. I think really for me, all right, I've been playing with this tool now for about a month. I have really found prompt engineering is at the heart of this. This goes back to Google, right? When we first got Google, we realized, oh, if you put quotes, if you put plus signs, if you do – how do you generate your search query? What phrases you use? How you generate the phrasing inside that Google search made you much more effective. You could get to the answer faster than someone else.
I have not seen any difference with AI. It is more intuitive, right? There's a little bit more nuance to it. I very much found that when I'm playing with ChatGPT, asking it, providing it the right parameters, giving it the right prompting, it really changes the output dramatically. Then also the output itself, reading it critically, questioning it, back checking it, validating it. Then also, you still need to edit it and you still, also, what I found was, you still need to add your own creativity. You need to add your own points of view. At the end of the day, it's still, in my opinion, it's still a search output, right? I wouldn't cut and paste exactly something I got from Google. I wouldn't cut and paste exactly something you get from ChatGPT.
Yep. Oh, that's fantastic. Yeah. I mean, do you have any tips for people who are already in the industry, who aren't using it to more rotate better into using it? It's easy to get stuck in ruts and doing your processes, your certain way, especially if you're nearing the end of your career and you're like, “Oh, not another new thing I got to learn.” What are some of the ins with ChatGPT and things like this for people who have been doing this work for a long time?
What I would say is, if you find yourself at a search engine prompt, and you're doing some research to pull together something, try ChatGPT, or another A – because this is not going to be the only one. Google is going to have theirs out soon. There's going to be a lot of different competition here. I see this as a hot arms race. I think what's important is you need to be thinking, "Do I have all the tools in my tool bag? Am I keeping them sharp? Should I always keep reaching for the same one?" The other day, I needed to put together a comparison between two products. Normally, I'd go to Google, I'd do a couple of things, write something up. I started it with ChatGPT.
It did a pretty good job. It missed a couple of key points. If you give it two large articles and ask it to extrapolate them and create summaries, it does an amazing job. It's something you could do yourself. It's not hard work. But boy, I saved myself a lot of time. That's where I would say for somebody more experienced is really, when you start to see yourself doing that research work, or you start to try to put together those summaries, perhaps try this new tool. Start playing with the prompts, right? The first result you get probably isn't going to be satisfactory. Start massaging that prompt. Start learning how to use that tool a little bit better.
Yeah, that's awesome. Awesome advice. I appreciate that. We bounced off of this and I want to get back to it. We pushed against the idea of AI automating jobs out of existence. You said, and I went out of tangent, but you said, if anything, this might cause more employment opportunities. Can you speculate on some of the areas of the security market that might require more human minds and skilled workers based on the upcoming intake, uptake of AI tools?
I'm not sure on that. I'll be honest. I don't know quite how that's going to change. What I find though, is don't chase the technology. In my career, I have seen the tech change quite a bit. In our industry, things change very fast. I think, if you stay focused on the epicenter, the things that don't change, that's still going to be consistent. Also, from an attack surface standpoint, yes, AI might speed up the attack iterations. It may speed up what we're seeing. In my history, I have seen that the targets really have been changed. People are still the main target.
I remember a few years ago, I was at a conference and Jack Daniels got up on stage, and he read a document from the Department of Navy about their security and their biggest risk. Then he asked the audience, what year was it written? It was written in the 60s. The attack, I mean, the way he – I mean, it was like, to us, we're all thinking SQL injection. We're thinking all of these things. It was written 30 years ago before SQL was even a thing. But the attack vector, the way it was going after the data was the same, right? We see that with attacks as well.
Some of the jobs that could be created out of this, I won't even venture to think about. I'm very positive that there will still be a need for a human element that this is going to be a new iteration that might change some of the ways that things are attacked, but it's going to be the same style of attacks, right? We're going to see the same weaknesses being exploited, but just exploited in new ways. I think the people who stay focused on that epicenter and stay focused on the fundamentals, they'll always have a job.
Great. Very good to hear. We need all hands on deck and we need them all to get to learning here. Going back to your press statement that I read before we started the interview, you said, “It is also important to note that ChatGPT is not the only AI language model with potential to be used for malicious purposes. Other models like GPT3 also have the same potential. Therefore, it is important for organizations to stay informed about the latest advancements in AI and potential risks.”
As we start to wrap up for the day, can you talk about some of these other malicious AI uses in the way that cybersecurity professionals entering the industry now can hone their skills and qualifications to take an active role in either researching, or actively fighting back against future malicious uses of AI technology?
This one's going to be tough, because we're seeing now the primary focus of this interview has been around ChatGPT, which is generative, which creates text. There's also art, right? We can create images. Now we're starting to see creating videos. We've also seen recently, there was a big concert where the DJ came out and played a sound clip from Eminem. He made money on using Eminem's voice at a concert, right? Now they're emulating voices. Then there's deepfakes. We've seen deepfake videos for the last few years. Now, it's really consumer grade. Almost anyone can make a deepfake video. All of these are parts of AI. All of them are generated, could be used for deception, or could be used for good.
As a cybersecurity professional, when I go back to that focus on the epicenter, people, right? Most organizations, it's not their firewall that's under attack. It's their employees. When you can impersonate the boss, you can impersonate their voice, their image, their likeness, you can maybe automate, answer response, email, chains, right? Maybe the person is actually talking to a generative AI and answering back and it's answering in that person's format. Think about how many more gift cards might go out and get bought. It's the same scam. It's just now, it's been accelerated, or amplified by using these artificial intelligence tools.
I go back to awareness, right? We look at a lot of different technology solutions to try to solve these problems, but I find the most effective are just good old-fashioned awareness, right? Training your users, have good process in place, have a good way of reporting these things, have ways to be able to spot them and to be able to identify them. Humans are still the best way to identify a fraud versus being perpetrated by a human, or being automated through a machine.
Yeah. No. I was just going to ask you that question, but you teed me off perfectly here. On a more consumer-grade level, I know not everyone's going to be watching this episode. Someday everyone in the entire world will watch Cyber Work. Until then, for things like deepfakes and for things like voice impersonation and so forth like that, do you have any tips for helping to impart some degree of, I want to say media literacy, because this is going to cover stuff way beyond media. When you say being able to check for these things, and fact check these, do you have any particular resources that you use on a regular basis where you're like, “That smells fishy”? I mean, Snopes has obviously been around for a bajillion years and stuff like that. Is this also, do you think, maybe part of the way forward is people who can create these kinds of –
There is going to be an industry of software and solutions to be able to spot this. We have already seen several solutions in just the last two weeks be published to be able to spot fraudulent essays. How much of the essay was generated by ChatGPT? The creators, OpenAI, have already started talking about how they're fingerprinting the outputs. That way, they're more easily identified: was this generated by a machine? How much of it was generated by a machine? They've also, in that prompt engineering I was mentioning, there's a way you can actually say, reference all sources, right?
As a way to link back to everything it said, where did it really come from, so that way we can fact check it. I think automating those and there's going to be a lot more tools and solutions that are going to help us spot these fakes. I also think that a lot of the companies that are creating these solutions are looking at ways to create these digital watermarks, or fingerprints that can be identified, was this real or not? I think there's a litigation aspect, too, of what is created in these spaces? Is it copyrightable? Who has ownership of it?
Ultimately, these machines are also consuming a lot of creative material. Then they're using it now for their profit, versus the creator. This opens up a lot of interesting questions. I think that there's going to be a whole industry around spotting this stuff. Until that develops, I strongly encourage everyone to just use good common sense and to watch out for the scams. It's going to be the same stuff that we're used to seeing. It's just going to come at you faster.
Faster and slightly more realistic.
Slightly more realistic. If it’s too good to be true, it probably is.
Yeah. We have our own security awareness training. Ultimately, it always comes down to take a deep breath and think, don't get lost in the exciting tumble of like, “Oh, I got to check that out.”
Actually, on that point, I'd like to share a little story. I was doing a security awareness training presentation for an organization. We were talking about business email compromise. How many people fall victim to that and how it's actually more costly than ransomware.
We're going through this presentation and the CFO gets into the conversation. He just says to all the employees, “We've been in business for over 100 years. We have a great reputation. We pay our bills on time. If you need to take a few days before we make a payment, don't worry about it. It won't hurt our reputation.” That simple statement, you could just see the change in the room. He gave everyone permission to take a minute and not be flustered. Don't worry about that email. It's telling you, you got to pay right now, or you got to transfer this money right now.
By giving everyone that permission to slow down, I really feel that that was the best thing that any organization can do to prevent a lot of that business email compromise from happening.
Oh, I love that. What a great story to go out on. Thank you very much for that. We're just about at time here. Before we go, can you tell me more about Inversion6, the company you work for and some of the services and products that you offer your clients, as well as maybe you have any upcoming projects that you're excited about?
Absolutely. Thank you. We offer a full virtual chief security officer. We also offer a lot of virtual chief information officer. We help with security strategy, information, IT strategies. We've got a full 24 by 7 security operations center that offers managed services. I'm very excited about where that's going with more of the MDR managed protection response and XDR capabilities. It's not just, hey, we're grabbing all your logs, but we're actually able to take action, take a machine offline, automatically upload the samples to VirusTotal, clean the machine. The automation and what's been happening in that whole SOAR and in SOC world is so much more exciting than where we used to be with just SIEMs.
We offer a whole suite of security solutions. Some of the things that I'm really excited about is really pursuing more on cloud security. A lot of organizations have woken up and realized that the tipping point was behind them and more of their organization is in the cloud than on-prem now through SaaS services, or hosting services. Getting your cloud security under control is really important. Then also more requirements around regulatory. Getting a SOC 2 certification, CMMC for defense contractors, and then the cyber insurance carriers. They've really upped their game on putting more requirements on customers. They're very good requirements. They directly correlate back to what caused a breach. A lot of organizations are struggling to meet all of those. We're here, happy to help them get that job done.
That's awesome. What a good service that is. One last question for all the marbles, if listeners want to learn more about Jack Nichelson, N-I-C-H-E-L-S-O-N, or Inversion6, where should they go online?
LinkedIn. Just go to LinkedIn. You can find me there. Send me a friend request. I'll connect with you and if there’s anything I can do to help, just reach out.
I know from past guests that our listeners are very proactive, so watch your inbox.
Awesome. Thank you. I appreciate you having me on the show today.
Absolutely, Jack. Thanks for joining me today. I really enjoyed this talk. It was a lot of fun.
Thank you to all of you who have been listening to and watching the Cyber Work Podcast on a massive scale. We're so glad to have you along for the ride. Before you go, I would like to invite you to visit infosecinstitute.com/free to get a whole bunch of free stuff for Cyber Work listeners. As of yesterday, our new cyber security awareness training series Work Bytes features a host of fantastical employees, including a zombie, a vampire, a princess and a pirate making security mistakes and hopefully, learning from them. You can check that out there.
Also, visit infosecinstitute.com/free for your free cyber security talent development e-book. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. There's lots to see. There's lots to do. Once you get to infosecinstitute.com/free and yes, the link is in the description below, too. Work Bytes, cyber security talent e-book, it's all there, infosecinstitute.com/free.
Thank you once again to Jack Nichelson and Inversion6. Thank you all so much for watching and listening. Until next week, we'll see you around. Take care. Bye now.