Digital Identity is Under Attack: FIDO Paris Seminar.pptx
AI and the Impact on Cybersecurity
1. CYBER ARMS RACE
ARTIFICIAL INTELLIGENCE WORKS BOTH WAYS
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
2. RUNNING ORDER
AI Defined The world of AI Nefarious adaptations
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
3. AI DEFINED?
1 : a branch of computer science dealing with the simulation of intelligent behaviour in computers
2 : the capability of a machine to imitate intelligent human behaviour
Merriam-Webster
Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially
computer systems. These processes include learning (the acquisition of information and rules for using
the information), reasoning (using rules to reach approximate or definite conclusions) and self-correction.
The theory and development of computer systems able to perform tasks normally requiring human
intelligence, such as visual perception, speech recognition, decision-making, and translation between
languages.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
4. ACTUALLY, IT’S JUST 1’S AND 0’S
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
5. BUT REALLY, WHAT IS AI?
It’s just a computer program or an
algorithm;
Once an AI program chooses its solution,
it should then be able to evaluate the
results of that action, and refer back to
that information the next time it has to
make a similar decision. In this way, an AI
system “learns” and “problem-solves”
within the bounds of its programming.
It’s not new, in fact it’s as old as me -
the phrase artificial Intelligence was
coined in1955!
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
6. BUT MORE THAN THAT
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
AI can engage in interactions from humans or other machines,
interpreting meaning and formulating an appropriate response.
AI can interpret supplied information and take appropriate action to
achieve its mandated goals.
AI can internalise new information and adjust its behaviours accordingly
to maximise it's effectiveness.
AI can conduct most of its decision-making process without the need
for human input.
7. AI AND ML AND DL
As we have discussed , deep learning (DL) is a subset of machine learning, and machine learning is a
subset of AI, which is an umbrella term for any computer program that does something smart. Think
Russian dolls.
Deep Learning - Neural Networks and Deep Neural Networks, which are modelled on the human brain.
ML has been around a long time, since the ’90’s at least.
AI doesn’t need training or pre-programming
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
8. WHAT’S DRIVING AI?
Over the last two years alone 90 percent of the data in the world was generated, this resulted in a huge
amount of data, which was previously not available.
Computers are faster
Storage is cheap and plentiful
Technological advances
The consumers thirst for tech
Drive to replace humans undertaking certain tasks
Need for speed
Warfare
….and I could go on.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
9. WHY IS AI IMPORTANT?
W/wide spending on cybersecurity was $114 billion last year
The business value of artificial intelligence worldwide will rise 70 per cent this year to $1.2 trillion,
and end 2022 at $3.9 trillion, says Gartner.
Whilst looking further out; PwC predicts that by 2030 AI will add up to $15.7 trillion to the world
economy
Computers are getting faster, data volumes are increasing
It is more accurate than humans, it doesn’t tire and can work at speeds that are simply outside of
human capability.
It enables analysis of vast lakes of unstructured data to create actionable information
It’s unhampered by repetitive actions.
SAS alone are to invest $1 billion over the next three years in AI
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
10. AI TOUCHES ALL OUR LIVES
Consumer Medical
Dangerous jobs Military/Security
Education Automobiles
Aerospace Industrial
Entertainment Telepresence
Exoskeletons Underwater
Humanoids
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
11. PREDICTIONS AROUND AI?
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
12. AI ISN’T AN ISLAND
Biometrics
Networks
Blockchains
IoT/IIoT/ICS
Cloud Computing
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
13. AI & CLOUD COMPUTING
The development of cloud computing has enabled the very rapid evolution of a huge diversity of new business
capabilities:
The Contemporary Internet
Social Media
Artificial Intelligence/Machine Learning
The Internet of Things (IoT)
Robots/Robotic Process Automation
Big Data / Big Analytics
DevOps Automation/Low Code
Blockchain
Cybersecurity
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
14. BLOCKCHAIN AND AI – A SECURE COMBINATION
As a centralised system running on a single processor, hackers or malware can infiltrate an AI system and alter
its instructions.
Combine it with blockchain technology, thus before any information is accepted and processed on the
blockchain platform, it must go through several nodes or phases of the network on the system. It therefore
becomes more difficult to hack any blockchain-based technology but not impossible.
Eventually, AI could take over many of the functions associated with blockchain, mining for example.
Because blockchain uses consensus algorithm to verify transactions, it is impossible for a single unit to pose a
threat to the data network. A node (or unit) that begins to act abnormally can easily be identified and
expunged from the network.
Because the network is so distributed, it makes it almost impossible for a single party to generate enough
computational power to alter the validation criteria and allow unwanted data in the system. To alter the
blockchain rules, a majority of nodes must be pooled together to create a consensus. This will not be possible
for a single bad actor to achieve.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
15. WHY AI IS IMPORTANT TO FINANCIAL INSTITUTIONS
Blockchain + AI makes for real-time cross border transactions. Several banks and fintech innovators are
now exploring blockchain because it affords fast—actually, real-time—settlement of huge sums
irrespective of geographic barriers. Link this with smart contracts and AI and you have a fast, efficient
full-proof solution, requiring little human intervention.
With blockchain and AI, banks and other organisations can observe changes in data in real time making
it possible to make quick decisions—whether it is to block a suspicious transaction or track abnormal
activities.
Personal information of banking customers – anonymity of people.
Democratisation of finance – AI + Blockchain are making banks less important.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
16. “NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
AI DRIVING SOCIAL & COLLABORATIVE FINANCE
• Property
• Landbay
• LendInvest
• Personal
Lending
• Kiva
• SocietyOne
• Equity
• CreditEase
• FundingCircl
e
• CrowdFundin
g
• Seedrs
• Investor
• Social
Trading
• eToro
• Zulutrade
17. WHO’S WORKING ON AI?
It’s easier to ask “who isn’t”? There are lots of organisations,
academia, governments, etc. working on AI
Graphcore – a UK based start-up have developed a IPU
(intelligence Processing Unit) designed for machine intelligence
workloads. It’s designed to manipulate graphs.
Alan Turing Institute – safe and ethical AI.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
18. EXAMPLES OF AI
Video camera – identifying unusual events - https://icetana.com/icetana-product-overview/
The Security Gets Smart with AI survey indicated that, among 261 corporate and government security
professionals surveyed, the most intended uses of AI are toward cyber defence (75.2%), malware
prevention (70.5%), and advanced threat detection/prevention (68.6%).
PCDLS Net – helps to identify the pancreas to enable cancer treatment to be more targeted.
Vectra Cognito - is a fully automated threat detection platform which uses Artificial Intelligence and
Machine Learning to find attacker behaviours that have already gotten onto your network. It then triages
that data to give a clearer picture to your SOC of what is of most importance for them to focus on.
User Behaviour Analytics or UBA, Identity and Access Management or IAM, Security Information and
Event Management or SIEM, Intrusion Detection System or IDS
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
19. AI IN FINANCIAL SERVICES
It’s disrupting the entire sector and it’s just the beginning
Challenger banks like Monzo and Revolut are built around AI.
Analysis of the customer experience
Deliverables
Customer interface
FinTech is lowering the barriers to entry, enabling poorer people to
invest their money previously stored in property.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
20. HOW CAN AI HELP FINANCIAL SERVICES?
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
AI could improve the customer experience
Help in entering new markets
Gain revenue more quickly
Reduce operational and business expenses, and
Enhance compliance efforts.
21. WORRYING TRENDS IN AI
Over reliance on machines to think for us.
China is expected to over take the US in AI this year – good or bad?
The use of AI to trick people – phishing on steroids.
Sharing info with virtual assistants – privacy issues.
Assistant provides attachments that could include malware.
Listening to conversations via cameras and microphones – board room secrets
could be exposed
Facial recognition can track people through hacking into public CCTV feeds –
recently banned by San Francisco.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
22. AT RISK FROM AI BASED ATTACKS
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
23. WHAT IS REALITY?
Deepfake (a portmanteau of "deep learning" and "fake"[1]) is a technique for human image synthesis
based on artificial intelligence. It is used to combine and superimpose existing images and videos onto
source images or videos using a machine learning technique called a "generative adversarial network"
(GAN).[2] The combination of the existing and source videos results in a video that can depict a person
or persons saying things or performing actions that never occurred in reality. Such fake videos can be
created to, for example, show a person performing sexual acts they never took part in, or can be used to
alter the words or gestures a politician uses to make it look like that person said something they never
did.
Because of these capabilities, Deepfakes have been used to create fake celebrity pornographic videos or
revenge porn.[3] Deepfakes can also be used to create fake news and malicious hoaxes
In January 2018, a desktop application called FakeApp was launched. The app allows users to easily
create and share videos with faces swapped
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
24. “NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
CYBER ATTACKS 2018
25. “NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
CYBER TARGETS 2019
29. AI AND MACHINE LEARNING WEAPONISATION
Profiling potential targets, prior to a phishing attack for example.
Back in 2017 hackers attempted to acquire data from a North American casino by using an Internet-
connected fish tank, according to a report released Thursday by cybersecurity firm Darktrace. The fish
tank had sensors connected to a PC that regulated the temperature, food and cleanliness of the tank.
AI is being used in malware and botnets
AI botnets have been used to make DDoS attacks more effective and avoid being caught.
Password guessing using PassGAN (arxiv.org/abs/1709.00440). When used with other tools it
can guess 50 – 70% of passwords!
Phishing attacks
Cybeready
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
30. NOTABLE AI ASSISTED CYBER ATTACKS
TaskRabbit – Website attack exposing millions of consumers data, including social security
numbers and bank details
Nokia – according to their Threat Intel Report: (IoT) botnet activity is responsible for 78% of
malware detection in networks.
WordPress – an estimated 20,000 sites have been infected by the Botnet attack.
Marriott scam – affected 500 million customers over four years, including their passport,
credit card data. Believe to be instigated by China.
Instagram – were subjected to two attacks in August and November 2018, exposing user
account information.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
31. INDUSTRIAL CONTROL SYSTEMS ATTACKS
ICS Insider – A disgruntled insider with access to ICS equipment uses social engineering to steal
passwords able to trigger a partial plant shutdown.
IT Insider – A disgruntled insider with access to an IT network uses social engineering to steal
passwords able to give them remote control of a copy of the HMI system on an engineering
workstation.
Common Ransomware – Accidentally downloaded to an engineering workstation and spreads to rest
of ICS.
Targeted Ransomware – Spear-phishing seeds a Remote Access Trojan (RAT) on an IT network, which
is used to deliberately spread ransomware through an ICS
Zero-Day Ransomware – Ransomware incorporating a zero-day Windows exploit spreads through
IT/OT firewalls.
Ukraine Attack – The now well-known first generation Ukraine attack using spear phishing and
remote access.
Sophisticated Ukraine Attack – A variation of the well-known Ukraine attack – the variation targets
protective relays and causes physical damage to electric substations and rotating equipment.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
HMI
32. INDUSTRIAL CONTROL SYSTEMS ATTACKS - CONT
Market Manipulation – An organized-crime syndicate uses known vulnerabilities in Internet-facing systems to
seed RATs that are ultimately used to simulate random equipment failures, triggering commodities markets
fluctuations.
Sophisticated Market Manipulation – A similar attack targeting an ICS site’s services suppliers as a means of
seeding peer-to-peer RAT malware into an ICS and simulating random failures.
Cell-phone WIFI – A combination of spear-phishing and a Trojan cell phone app provides attackers with access
to ICS WIFI networks.
Hijacked Two-Factor – Sophisticated malware allows attackers to hijack remote desktop / VPN sessions after a
remote user logs in with two-factor authentication.
IIoT Pivot – Hacktivists pivot into an ICS via a poorly-defended cloud vendor.
Malicious Outsourcing – A disgruntled employee of a remote services vendor configures a simple time bomb
on important ICS servers on the employee’s last day on the job.
Compromised Vendor Website – Hacktivists use a compromised vendor’s website to insert malware into a
software update, malware that targets specific industrial sites.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
33. INDUSTRIAL CONTROL SYSTEMS ATTACKS - CONT
Compromised Remote Site – A physical breach of remote substation or pumping station hides a laptop at the
remote site with a WIFI connection that is later used to attack the central SCADA site.
Vendor Back Door – Hacktivist-class attackers discover a vendor’s back door that provides the poorly defended
vendor’s website with remote control of ICS components in the name of “remote support.”
Stuxnet – A Stuxnet-class attack targets a heavily defended site by compromising a services vendor for the site
and crafting autonomous, zero-day-exploiting malware.
Hardware Supply Chain – An intelligence-agency grade attack intercepts new computers destined for an ICS site
and inserts wireless, remote-control equipment into the computers.
Nation-State Crypto Compromise – A nation-state grade attack compromises the Public Key Infrastructure by
stealing a certificate authority’s private key, or by breaking a cryptographic algorithm, such as SHA-256, allowing
them to falsify security updates.
Sophisticated, Credentialed ICS Insider – An ICS insider is aligned with the interests of a sophisticated cyber
attack organization, deliberately cooperating with the organization to create sophisticated malware and seed it in
the ICS.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
34. MALWARE ON STEROIDS
RATS are usually driven by humans. They blend into their environment to look like business as usual.
What if an AI RAT could do the same without the need for human intervention?
Or if AI could be used to deskill the attack process.
Or if AI could be used to better scale the process.
Or if AI could make the attacks more stealthy.
AI-driven malware will be able to choose whatever method appears most successful for the target
environment and use this to move laterally.
AI can be used to determine, based on context, which payload would yield the highest profit.
Trickbot – information stealing malware, targeted toward stealing banking information. Authors are
continuing to develop it’s capabilities to add locking and better human control capabilities like Empire
Powershell.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
35. AI AND THE LAW
• What if doctors or boards ignore AI generated advice?
• Compliance
• Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated
decision-making that has legal or similarly significant effects on them.
• You can only carry out this type of decision-making where the decision is:
• necessary for the entry into or performance of a contract; or
• authorised by Union or Member state law applicable to the controller; or
• based on the individual’s explicit consent.
• You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
• give individuals information about the processing;
• introduce simple ways for them to request human intervention or challenge a decision;
• carry out regular checks to make sure that your systems are working as intended.
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
36. TRUST
Can we moderate AI?
Who should moderate AI?
Can we trust AI?
Is it important that we can?
“Trust Leap” paper statements to online
Context i.e. age
What are the checks and balances?
Standardisation
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019
38. SUMMING UP
AI is all pervasive and disruptive
It’s revolutionising the World
It has the capacity for good and evil
“NO COPYRIGHT INFRINGEMENT IS INTENDED” COPYRIGHT GRAHAM MANN ALL RIGHTS RESERVED 2019