BONUS: AI and Cybersecurity - An Introduction to The Hidden Threats in Our Connected World with Dr. Eric Cole

In this BONUS episode, we explore the evolving landscape of cybersecurity in the age of artificial intelligence. Dr. Eric Cole, a renowned...
Global Agile Summit Announcer
Have you ever wondered what it really takes to make Agile work well? At the Global Agile Summit, we're bringing you real-life, first-person stories of Agile succeeding out there in the real world that will inspire you to take action. Whether you're a leader, a product innovator or a developer, you'll hear practical insights from those who've done it. They'll be telling their own stories from the stage. I'll tell you more about this at the end of this episode, so stay back and listen to the full, detailed description of what we have in store for you at the Global Agile Summit. But if you can't wait, you can go right now to globalagilesummit.com and check out our full schedule. For now, on to the episode. I'll see you at the end of this episode with more details on the Global Agile Summit. Talk to you soon.
Host
Hello everybody. Welcome to a very special bonus episode. We have with us, for a special episode on AI and cyber threats (more on that in a second), Dr. Eric Cole.
Host
Hey Eric, welcome to the show.
Dr. Eric Cole
Pleasure to be here, my friend.
Host
So, Dr. Eric Cole is the author of Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World. He's a renowned cybersecurity expert with over 20 years' experience in helping organizations identify vulnerabilities and build robust defense solutions against advanced threats. And there are many of those out there, I can tell you that. I've worked in the industry since 1998. He's trained over 65,000 professionals worldwide through his best-selling cybersecurity courses and is dedicated to making cyberspace a safe place for all. And it is important that we recognize that we all are in cyberspace these days; for example, we're recording this in cyberspace right now, aren't we?
Dr. Eric Cole
Yes, you're exactly right. We tend to forget we live most of our lives online, other than sleeping. We actually spend more time on digital devices and computers than we do talking to actual humans.
Host
Absolutely. And today we're going to explore the impact of AI, what impact it's already having, and what impact it will have on our personal and also our business security. So that's why I'm really happy to have Dr. Cole on the show. And to kick things off, Dr. Cole, let's look at how you see the rise of AI specifically impacting the cybersecurity landscape, both from a defensive as well as an offensive perspective.
Dr. Eric Cole
Everyone, when they look at AI, looks at all the benefits of being able to sort of have somebody who thinks or acts like you. But what we have to do, when we really look at the dangers and issues, is remember that what we're doing with AI is creating digital twins. We're actually giving it all of our data, we're giving it all of our information so it can think, behave and act like us. And while on some hands we think that's great (we can get into brainstorming sessions with ourselves, we can give that to our clients to answer basic questions, and we can get basic information from other people without having to bother them), what we fail to realize is we're giving away our intellectual property, we're giving away our data, and we're giving away our privacy. So I had a friend of mine who calls me up the other day, he's like, Eric, you gotta check out this AI digital twin that I created. And I went in and I'm playing around with it. And he's like, so what do you think? And I'm like, I have two comments. One, it really thinks and acts like you. I really felt like I was conversing with you. Just with its style, its mannerisms, the advice it gave, it felt like I was in the room with you; it felt very comfortable. And he started smiling. And I said, then the bad news. Yeah, exactly. The bad news is I don't need you anymore. And his smile went to a frown very quickly. Because here's the reality. If you create AI engines that think and act like you, why do we need you? Right? So it almost gets to the point where, if we're not careful and we over-train AI, because AI is not about GPUs, it's not about the cycles to train it. We hear all these different numbers where OpenAI was $100 million to train its model and DeepSeek was able to do it for 5 mil. But the reality is it's the data sets.
The data set or the information, which is your knowledge or your information, and if you give it a complete data set, if you give it your complete knowledge so it can think and act like you, then in essence it's making you obsolete or it's making you live forever. It's just how you look at it.
Host
But that's only one aspect, and I really would like to hear your perspective on this. Another aspect is that we're giving it information that we potentially don't want to become public, right? But it will become public if we give some sort of, you know, public AI system all of our information. Right? I mean, another thing would be to completely host it on our own, you know, laptops or servers or whatever, without giving access to anyone else. But if it's given to an AI, it can later be used to train it. And we're not just giving it away, we're potentially giving away private information that can be used later on, for example, in a social engineering attack.
Dr. Eric Cole
Exactly. And I just want to change one word, because you said it will give away our private information. But what I want to change is: it is giving away our private information. Because the reality is, any AI tool you're using right now, whether it's OpenAI or DeepSeek or any of the others that are out there, your data is housed on their servers. And if you look at the laws, the contracts, however it works, you're giving your data to them. They have permission to use your data and information. Now, yes, they can go in and claim that they're going to follow all these ethics and rules and everything else, but the reality is they're taking your data and they now own it. So you are creating a digital twin and you're giving it to somebody else to own, control and manage on your behalf.
Host
Yeah. And that requires a lot of trust, which of course brings a different question, which is what do we already know about the possible attacks that come from the use of AI?
Dr. Eric Cole
So the attacks that come from AI are actually very scary, because here's the reality. Attacks today are mainly in the form of social engineering. Social engineering is manipulating or tricking somebody into doing something they normally wouldn't do. So if you really want to look at most of the attacks today, most of the attacks are coming from one of two sources: either unpatched software or outdated software, which is the one we're quickly fixing, right, because we are able to patch and update and lock down our systems. So that is going away very quickly. The second vector is exploiting a human. We've all seen them. We all get emails that look like they came from our boss, or look like they came from a shipping company, or look like they came from e-commerce.
Host
Especially shipping companies.
Dr. Eric Cole
Wow.
Host
Lots of them every day.
Dr. Eric Cole
Exactly. And the thing is, we're always getting packages. So to get an email from a shipping company that says, hey, there's been a problem with your shipping, just click on this link or open this attachment to handle it, we don't think anything of it. Yet the reality is that's so easy for an adversary to target you with. Now, for social engineering to be successful, it has to mimic a human. The more it can think and act like you, the more effective it is. We probably remember social engineering attacks from 10 or 15 years ago. They had spelling errors, right? They had a bogus domain. So instead of Google, G O O G L E, it was gooogle, G O O O O G L E. They would add a letter or they would add a little nomenclature. So we trained our users: look for anything unusual, look for anything strange. Today, they look very similar. They look very similar to a real email. But now imagine if I could go in and take hundreds or thousands of legitimate emails from a shipping company and train my AI model to create one just like that, but it's malicious. Or what if I could find or...
Host
Even just messages, right? Like we could farm messages out there and just take those and create an AI that can generate very realistic-sounding SMSs or WhatsApp texts or whatever, right?
Dr. Eric Cole
AI is all about predictability. The more data it has, the more it can predict, act and behave like you. So now with AI on the scene, it's now getting to the point where we have to recognize that we can't communicate the way we've communicated. The idea that we're going to send embedded links or we're going to send attachments or things like that, we can no longer do that because it can't be trusted. So we basically have to retrain everyone that you can't trust anything. Email has to be static email, there can't be links, there can't be attachments. And we have to be very careful of anything we say, do, listen or hear because we don't know whether it's real or it's not.
Host
And one of the things that is, I guess, perhaps a little bit in the shadows at the moment is that many of our devices are actually listening to us all the time. And those devices, of course, you know, if we use an Apple or a legit Android phone, we're probably safe when it comes to how that data is processed, barring some security vulnerability, of course. But if we just use any random off-the-shelf smartphone, we have no idea how that voice data is being handled. And it is likely to be recording all the time.
Dr. Eric Cole
And the thing we have to be real careful of is it's not the device that's the problem. As you said, if you take an Android or you take an iPhone out of the box, they're very secure, they're very locked down and they're very hard to get into. But here's the problem. What do we then do? We do one of the most dangerous things you could ever do. And that is download free, free, free, free, free apps. Because here's the reality. Free is not free. When was the last time you went in your phone and you went under settings and you looked under location tracking and you looked at what apps are tracking your location? When was the last time you went in your phone and you looked under camera and you said, what apps are accessing your camera, what apps are accessing your microphone? I will almost guarantee that if you do that, you're going to be shocked. Every time I've done this with somebody, they go in and they realize there are apps that have no business tracking their location, accessing their mic or accessing their camera. But that's the cost of free. Free is not free. Do you realize if you go to those apps and you turn off location sharing, you turn off access to the mic or you turn off access to the camera, the app doesn't work? So my recommendation is I don't use free apps. I only have about 10 apps and I use only paid apps, because with a paid app, I'm paying for the functionality. So my challenge to you is, why do you have so many free apps on your phone? Do you really need 50 free apps to run your life? I challenge you. What if you ran your life on 10 apps and all 10 of those apps were actually commercial or paid for?
Host
And of course, that's assuming that all of those free apps are even being used. Because of course we know that most of them are not being used, but they're still a threat because they're already on the device. Now we've introduced the threat. And I think it's very important for all of us who work with IT to be aware of all of these angles. But we also need to talk about how we protect ourselves. So, Dr. Cole, how can businesses, governments and tech providers, especially those of us who work with technology every single day, really be aware and work together to fight off these different threats, the privacy threats, but also these AI-driven social engineering threats?
Dr. Eric Cole
The first thing to do is recognize that security is not a barrier. Security is not a roadblock, it's not an obstacle. Most people, when they hear cybersecurity, especially developers, and I work with a lot of developers, when I walk in the room for the first time, if they don't know me, they cringe because they think, okay, here's the guy who's going to tell me what I can't do. He's going to scold me for doing this and yell at me for doing that and tell me I can't do the other. And to me, that's the wrong approach. Cybersecurity is not an obstacle if it's done correctly. It's a business enabler. So what I always teach people first and foremost is cybersecurity is not a technical problem. It's a business decision. And it's real simple. I am never going to tell you you can't do something. If you ask me whether you should do something in the name of security, I'm going to ask you a few questions. What is the value and benefit? What is the risk and exposure? And then it's simple. Is the benefit worth the risk? That's what we do in everyday life. And as developers, if we went in and just asked that simple question, is this risk worth it? Is this value or benefit worth this risk or exposure? And if we really understood it, we probably wouldn't be using a lot of the things we're using. We probably wouldn't be sharing the information we're sharing. So first, it's a business decision that we all have to get on the same page about. Next, we have to simplify. I know we all love our gadgets, we all love our apps, we all have our favorite pieces of software. But the more pieces of software, the more apps you have, the bigger the risk and exposure. We need to consolidate. We need to run our company and run our business on a handful of apps. Any libraries or source code or modules we use need to be verified, valid and trusted.
And I always hear back, Eric, you know how quick and easy it is to just go on the web and find some software module and download it to my system. It's so quick and so easy. And I'm like, you know what? It's also so quick and so easy for me to put backdoors in that. You know what's so quick and so easy? For me to put malicious code in it. And then I go, but, Eric, it's so annoying if I actually have to use verified apps, it's going to slow me down, it's going to take me longer, it's going to impact deadlines. And I look at them and say, you know what else is really annoying? Having your entire company held to ransom, having your entire company's data stolen, having your identity stolen, having your child cyberbullied or abducted online. That's going to not only ruin your day, ruin your month, it could ruin your year. So it's one of those things where we have to recognize there's going to be discomfort. We either have a little discomfort by embracing security, not using free and following the policies, or we have a lot of discomfort by breaking the rules and then we get hacked, exploited or compromised.
Host
So one of the things, having worked in this industry for a few years, that I remember us discussing all the time was exactly that trade-off that you mentioned, right? The trade-off between how convenient something is versus how secure something is. Thanks to legislation like the GDPR in Europe, companies have started to pay a lot more attention to these aspects of privacy and data security. And unfortunately many companies are still not there. Like I remember... well, actually it's still happening. There's a huge wave of ransomware, software that comes in, encrypts all the computers, all the servers, and then whoever sent the software in will ask for a ransom to give you back all the data. Now the data has already been exfiltrated, taken out to other servers. We never know what will happen to that data. And we were talking a moment ago about how AI enhances these social engineering problems, right? So when you're talking to your clients and when you're advising companies, what are some of the tips that you're sharing regarding this aspect of, you know, being very careful about what data we collect, how we store it, and also how to prepare for these AI-driven social engineering threats?
Dr. Eric Cole
The biggest piece of advice I always give is awareness is key. And what I mean by awareness is key is this. What is your critical data? Where is it located and how are you protecting it? And I know those questions sound simple, but most companies and most people have no idea where their data is. They have no idea where it's stored. Now I go into a client and they'll go, Eric, this is our critical data and it's located on that server. And they're right, it's on that server. What they fail to realize is it's also located on all their clients' laptops. It's also located on their personal devices, their home computers and everywhere else. So to me, I'm a big fan of centralized data storage and protection. If all your data's in one spot, yes, the attacker knows where to attack. But you can protect it and secure it. Just think of it: everyone uses this logic of, oh Eric, the more diversified my data is, the more my data is located in all these different spots, the more protected it's going to be. Well, that's as crazy as saying a bank is going to put your money all over town. No. Banks keep all the money in a safe. They protect it, they secure it, they lock it down, because they know that that's much safer than diversifying it. So we have to stop this concept of distributed data, distributed data systems, where our data is anywhere, any place, anytime. Because guess what? If your data is any place, anywhere, anytime for you, it's any place, anytime, anywhere for the attacker. So this whole distributed model got out of hand. And what we need to do is start getting back to more of a centralized control model where our data is stored and controlled and we're protecting it. And then I'm a huge fan of thin clients. Client devices should not store data. Laptops should not store data. iPhones, Androids should not store data. They should only have the app.
And all the data should be located on a server, because if all our data is located on a server, we can secure and protect it. If all of our data is located on thousands of client devices, there's no chance we can actually secure and protect it.
Host
So when we think about client devices, the most used one these days is, of course, our smartphone or mobile phone. And that's also a huge attack vector. And I think it's important to have a conversation on this topic for all our listeners, who, of course, carry this kind of device and are probably listening to us right now on a mobile phone, come to think of it. So when you advise people, and I know you've done this, I read your book, and you talk about some of the work that you've done in this regard, what kind of threat model do you want people to understand when it comes to securing their lives when using a mobile phone?
Dr. Eric Cole
So we've all talked about tracking chips and embedding chips into humans. We talk about that with our kids, and it freaks everybody out. Everyone's like, you're not putting a chip inside of me. You're not putting a chip inside of my kid. You're not going to be able to track or monitor us. But the reality is, we do. You don't go anywhere without your cell phone. Your cell phone is never more than a foot from you. It's with you wherever you go, any meetings you go into, when you're sleeping, it's on your nightstand. It's always there, always connected, always available. Which means if somebody wants to track and monitor you, they can. We have allowed ourselves to be tracked. We've allowed ourselves to be monitored. And we live in an age where everything is recorded. Everything we do is being recorded. Do you realize if you give me your cell phone, I can trace your location. I can trace everywhere you've been for the last six months. I can track everything you've said, everything you've done, every phone call you've made, every text message you've sent, every email you've received. We are tracking and monitoring. We are allowing these devices to basically spy on us, invade our privacy, and have access to all of our critical data. And then what do we do? We back it up to the cloud so we don't lose it. So now not only do we have all of our data in one spot, that's tracking, controlling, and monitoring us, we have a major privacy issue. But now we're letting all that data go up to the cloud, and we're letting third parties now have access to that data and that information for our benefit.
Host
At least that's what we're told.
Dr. Eric Cole
Our benefit. Right. What exactly does that mean? Right. Not to get into too much politics here, but I don't know if you're following what's happening in the United States now with Elon Musk and this new Department of Efficiency, but basically, he's claiming, in the name of efficiency and in the name of helping citizens, we need access to all the data the government has. And the reality is Elon has an AI engine, Grok 3, that he released a week or two ago. And what do AI engines need but data? So now you just have to think, is Elon going in and trying to access all of the government data for efficiency purposes, or is he trying to access it to make Grok smarter and better and a more efficient AI engine?
Host
That's a tough question. I don't know the answer to that.
Dr. Eric Cole
It's one of those. I always tell people, I think we know the answer, but I don't think any of us want to admit it.
Host
Absolutely. Now, when we think about these different threats, and specifically now we're talking about the mobile threats, of course, this also means that there must be a lot of companies out there thinking about, okay, but how can we help protect these people? I know, for example, data privacy is a huge thing in Europe, Germany being a great example of that, where they're really very, very careful about what data is collected or even allowed to be collected. If you have to guess, what are some business opportunities that exist right now for companies that want to invest in software solutions against these threats?
Dr. Eric Cole
I would say the biggest area of investment I'm looking at, and I recommend our viewers look at, is data correlation, or making the data useful. Because right now we are capturing so much information that we are in data overload. There is so much information, there is so much data, we can't possibly use it. So everyone's focusing now on AI, which is all about generating huge data sets. And then what does AI do? Generates even more data. But here's the problem. Where's the intelligence? Where's the correlation? Where's the analysis? So to me, the companies that are going to make it and be able to print money over the next five to seven years are companies that can figure out how we can take all of this data, all of this output from AI, all of this new information we're generating, and actually correlate it, analyze it, and create intelligent information that's in a digestible form. Because the reality is we can't digest the information that's coming at us. I sat down the other day with OpenAI, and I do brainstorming sessions with myself where I just start asking it questions and it starts generating. I'm like, hey, create this, do this, try this. And the next thing I know, after a five-minute brainstorming session, I've generated about 40 pages of data that I am probably never going to actually look at. But then here's the scary part. What does AI do with those 40 pages? It feeds them back into the model to make it even smarter and better. So it's basically taking what I generate and using it to either help me or hurt me, depending on which side. So what we really need to figure out is, companies need to start up and figure out how we deal with the intelligent information, how we deal with the correlation, how we deal with managing and limiting information, as opposed to creating so much data we have no idea what to do with it.
Host
Security is not only, I mean, the lack of security rather, is not only a problem, it's of course also a business opportunity. I mean, I've worked in this industry for more than two decades now, so I know there are a lot of opportunities there to help people be safe and of course to create a profitable and useful business out of it. When you think about security specifically, and the security or cybersecurity industry, what specific training or certifications would you recommend to our software people listening to us right now, developers or people who want to do product design, to build a strong foundation in cybersecurity, especially with an AI-focused lens?
Dr. Eric Cole
So there'd be two main areas that I'd really focus on. One is penetration testing. Now, that might sound weird because penetration testing is offensive. It's where you're trying to break in and exploit systems, you're trying to exploit software. Well, here's the reality. If you're developing, designing, building or overseeing software, you need to know how it's exploited. You need to know how the adversary thinks and how the adversary behaves. If you don't understand concepts like buffer overflow or SQL injection or things like that, and you don't understand how they work and how they operate in terms of the error correction and the design, you're not going to be able to build systems that can defend against them. So the first thing I recommend is, even though you're not going to be doing pen testing for a living, you need to understand how it works and the mindset of the adversary. And then second, secure coding courses. There are actually ways to build code that's functional, performs very well, and is also secure. You hear people say this all the time: functionality, efficiency, security, pick one. My answer is, why not pick all three? I believe if you understand the attacks and how they work, if you understand the way systems are exploited, you can actually build software that's fast, efficient and actually secure.
Host
Those are great recommendations. Definitely the secure coding, for those of us who are more coding-oriented, is going to be important. But pen testing, don't forget, it's not only about understanding the code, but it's also understanding how to prepare for that, like what kind of, let's say, vulnerabilities there are, how to exploit them and so on. And that's a very important understanding for all of us who then want to work with security and protecting people. Now your book Cyber Crisis is of course in the show notes for people to go and check it out right after this. Definitely a gripping read with some very interesting inside stories of how security was brought, or at least attempted to be brought, to some high levels in the US. But what would be another resource, perhaps a book, a course, a video, where our audience could go and learn more about this intersection of AI, pardon me, and cybersecurity?
Dr. Eric Cole
A lot of it is just really staying up on the different news groups. Because AI and cybersecurity is so new, there's not really a lot of authoritative sources out there. I speak a lot about AI and cyber. So you can either follow me online at Dr. Eric Cole (D R E R I C C O L E), or my recommendation is understanding artificial intelligence. So go in and look at some basic books on what is artificial intelligence, what are neural networks, what are rule-based systems, what is machine learning. Because the reality is the more we can really understand artificial intelligence and know what it's really trying to achieve, how it works with data sets and predictability, the better and smarter we can get. So to me, instead of trying to look at the correlation of AI and cyber together, I would recommend: study AI, study cyber, and then together we can work to create new, creative solutions for securing and protecting the digital frontier.
Host
Yeah, absolutely. And one of the things that is clear, of course, is that it is the responsibility of all of us who work with technology, because security is everywhere. Anything that people use, whether it's a website or a mobile app or whatever it is, security needs to be there. Dr. Eric Cole, thank you very much for being with us. You already mentioned that people can follow you online. Where would they go?
Dr. Eric Cole
So on social media it's Dr. Eric Cole, D R E R I C C O L E. My company website is secure-anchor.com and my personal website is DrEricCole.org.
Host
Absolutely. We'll put the links to all of those resources in the show notes so that people can easily find them. And thank you very much, Dr. Cole, for being with us and sharing your generosity and your time with us.
Dr. Eric Cole
My pleasure. Thank you.
Global Agile Summit Announcer
Hey friend, thank you for staying here. Here is all you need to know about the Global Agile Summit. If you've ever suffered, or know people who are suffering, from agile fatigue, this event is for you. Agile fatigue is that feeling that settles in when we can't really see a light at the end of the tunnel. We get discouraged, especially when conversations revolve around the same old frameworks, the same old buzzwords and theories. We don't feel that energy anymore.
Global Agile Summit Announcer
Well, the Global Agile Summit is a different kind of event. We're bringing you real-life, first-person stories of Agile succeeding out there in the real world that will inspire you to take action and transform the way you work. The Global Agile Summit will happen in Tallinn, Estonia, on May 18th, that's the workshop day, and then the 19th and 20th, the conference days. And Tallinn, Estonia is one of the most innovative tech hubs in Europe. The Global Agile Summit is hosted together with Latitude 59, which is kind of a citywide celebration of software startups and groundbreaking ideas. And we'll have a shared ticket for you to attend those events as well. So who will be speaking? Well, we've got an incredible lineup of thought leaders in software and agile. For example, Clinton Keith, the person who literally wrote the book on game development with Scrum and is busy bringing Agile to the world of game development. You must check his session. The very famous and well-known Jurgen Appelo, author of Management 3.0, will be talking about and exploring AI's impact on leadership. We also have Gojko Adzic, who's taking an unconventional look at product growth with his Lizard Optimization keynote. Other speakers include, for example, Sven Dietz, who's challenging everything we know about software development by ditching, literally ditching, contracts and estimates. Can you imagine? His teams deliver software before their competitors are even done with the contract negotiation.
Host
How agile is that?
Global Agile Summit Announcer
But there's more. We'll cover engineering practices in our developer track, with talks on, for example, AI-assisted test-driven development, developing products in minutes with a different approach to how we develop, configure and deploy platforms, and much more. We also have a product track where we cover cutting-edge ideas around product discovery and delighting customers with product delight frameworks. We'll have a talk about that. And we also have an Agile Business track where we will talk about, for example, Open Strategy, a very agile approach to managing organizations and delivering software to clients faster than you can even write a contract. Literally. I mean, I already told you about Sven Dietz; his story is amazing. It definitely is a must-see.
Host
I'm sure you'll be inspired and get.
Global Agile Summit Announcer
A lot of ideas for your own software projects and software delivery. Now, whether you're a business leader, a product innovator or a developer, you'll definitely find value in our three focused tracks.
Host
That's Agile Business for those working with.
Global Agile Summit Announcer
Businesses and organizations, Agile Product for product managers, product owners and innovators, and Agile Developer for the builders making agile work in practice. The coders, the testers, the designers, the producers, the Scrum masters, you name it. If you join, you will meet over 200 agile professionals from all over the world. People who, just like you, want to grow, want to share and want to learn by challenging the ideas that don't work anymore. At the Global Agile Summit, you'll get new connections, fresh ideas and the energy to take your own Agile to the next level. And who knows, maybe even find your next career opportunity. So don't miss out. Check out the full program and grab your ticket now at globalagilesummit.com. I'm really looking forward to seeing you all in Tallinn, Estonia in May.
Host
I'll see you there.
Summary of "AI and Cybersecurity - An Introduction to The Hidden Threats in Our Connected World | Dr. Eric Cole"
Scrum Master Toolbox Podcast: Agile Storytelling from the Trenches
Host: Vasco Duarte
Guest: Dr. Eric Cole, Cybersecurity Expert
Release Date: March 29, 2025
In this enlightening episode, Vasco Duarte welcomes Dr. Eric Cole, a renowned cybersecurity expert with over two decades of experience. Dr. Cole is the author of "Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World" and has trained over 65,000 professionals worldwide through his bestselling cybersecurity courses. The discussion centers on the increasingly critical intersection of Artificial Intelligence (AI) and cybersecurity, exploring both the opportunities and threats that arise in our hyper-connected world.
Host: Vasco Duarte initiates the conversation by asking Dr. Cole how the surge of AI technology is reshaping the cybersecurity landscape from both defensive and offensive perspectives.
Dr. Eric Cole:
[02:51] "Everyone, when they look at AI, they look at all the benefits of being able to sort of have somebody who thinks or acts like you, but what we have to do when we really look at the dangers and issues, is remember that what we're doing with AI is creating digital twins."
Dr. Cole emphasizes that while AI offers significant advantages by mimicking human behavior and enhancing efficiency, it simultaneously poses substantial risks. By creating digital twins (essentially AI models trained on vast amounts of personal and organizational data), users face both a looming threat of obsolescence and a loss of privacy. He illustrates this with an anecdote about a digital twin that could potentially replace a human role, highlighting the delicate balance between innovation and security.
The conversation shifts to the critical issue of data privacy and the inherent trust users place in AI systems.
Host:
[05:15] "But it's also one aspect, and I really like to hear your perspective on this. Another aspect is that we're giving it information that we potentially don't want to become public, right?"
Dr. Eric Cole:
[06:04] "Any AI tool you're using right now, whether it's OpenAI or DeepSeek or any of the others out there, your data is housed on their servers. And if you look at the laws, the contracts, however it works, you're giving your data to them."
Dr. Cole underscores that using AI tools inherently involves sharing data with third-party servers, which raises concerns about data ownership and privacy. He warns that while companies claim to adhere to ethical standards, the reality is that users relinquish control over their data, making it vulnerable to misuse and exploitation.
A significant portion of the discussion delves into how AI is transforming social engineering attacks, making them more sophisticated and harder to detect.
Dr. Eric Cole:
[07:16] "The more it can think and act like you, the more effective it is. We probably remember social engineering attacks from 10 or 15 years ago. They had spelling errors, they had a bogus domain. So we trained our users, look for anything unusual, look for anything strange."
Dr. Cole explains that AI enables attackers to craft highly convincing phishing emails and messages that are nearly indistinguishable from legitimate communications. This advancement makes traditional methods of detecting such threats, like spotting spelling errors or unusual domains, less effective. He highlights the potential for AI to generate personalized malicious content, significantly increasing the success rate of social engineering attacks.
Host:
[09:31] "Even just messages, right? Like we could farm messages out there and just take those and create an AI that can generate very realistic sounding like SMSs or WhatsApp texts or whatever, right?"
Dr. Eric Cole:
[09:49] "AI is all about predictability. The more data it has, the more it can predict, act, and behave like you."
Dr. Cole emphasizes the necessity of rethinking communication protocols in the face of AI-driven threats. He suggests that traditional methods involving embedded links or attachments are no longer trustworthy, advocating for a more cautious approach to digital communication.
The conversation shifts to the omnipresence of devices like smartphones and the associated security risks.
Host:
[10:36] "And one of the things that is, I guess, perhaps, a little bit in the shadows at the moment is that many of our devices are actually listening to us all the time."
Dr. Eric Cole:
[11:16] "Free is not free. Do you realize if you go to those apps and you turn off location sharing, you turn off access to the mic or you turn off access to the camera, the app doesn't work."
Dr. Cole highlights the hidden costs of free applications, which often exploit user data by granting extensive access to device features like location tracking, microphones, and cameras. He advocates for minimizing the use of free apps, recommending the use of trusted, paid applications to reduce vulnerabilities and protect privacy.
Addressing the strategies to counteract the emerging AI-driven threats, Dr. Cole offers practical advice for businesses, governments, and technology providers.
Dr. Eric Cole:
[13:59] "Security is not a barrier. Security is not a roadblock, it's not an obstacle. Most people... cringe because they think... the guy who's going to tell me what I can't do. He's going to scold me for doing this."
Dr. Cole stresses that cybersecurity should be viewed as a business enabler rather than a hindrance. He encourages organizations to adopt a risk-based approach, weighing the benefits against potential risks. Simplifying and consolidating applications is recommended to reduce exposure, alongside rigorous verification of third-party software libraries so that backdoored dependencies cannot be exploited.
Dr. Eric Cole:
[17:08] "We have to stop this concept of distributed data systems, where our data is anywhere, any place, anytime."
He advocates for centralized data storage, arguing that it allows for better protection and control compared to dispersed data across numerous devices. Implementing thin client architectures, where data resides on secure servers rather than individual devices, is presented as a robust defense mechanism.
The discussion then explores the burgeoning business opportunities within the cybersecurity landscape, particularly those intersecting with AI.
Dr. Eric Cole:
[25:16] "The biggest area of investment I'm looking at, and I recommend our viewers look at, is data correlation, or making the data useful."
Dr. Cole identifies data correlation and intelligent information analysis as key areas for investment. With the exponential growth of data generated by AI, the ability to effectively analyze and utilize this data becomes crucial. He envisions companies that can transform vast datasets into actionable intelligence as the frontrunners in the cybersecurity market over the next several years.
For listeners interested in bolstering their cybersecurity skills, especially with an AI focus, Dr. Cole offers valuable recommendations.
Dr. Eric Cole:
[28:12] "There'd be two main areas that I'd really focus on. One is penetration testing... secure coding courses."
He recommends penetration testing to understand the adversary's mindset and secure coding to build resilient software. Understanding common vulnerabilities like buffer overflows and SQL injections equips developers to create secure, efficient, and functional code. Dr. Cole emphasizes that integrating security into the development process is essential for safeguarding against potential attacks.
Dr. Cole directs listeners to additional resources for expanding their knowledge on AI and cybersecurity.
Dr. Eric Cole:
[30:51] "My recommendation is understanding artificial intelligence. So go in and look at some basic books on what is artificial intelligence, what are neural networks, what are rule-based systems, what is machine learning."
He advises a foundational understanding of AI concepts to better grasp how these technologies can both aid and threaten cybersecurity efforts. Dr. Cole also promotes his own platforms for staying updated on the latest developments in AI and cybersecurity.
Vasco Duarte wraps up the episode by reiterating the shared resources and encouraging listeners to enhance their cybersecurity practices in an AI-driven world. Dr. Eric Cole's insights provide a comprehensive overview of the challenges and opportunities at the nexus of AI and cybersecurity, emphasizing proactive measures, informed strategies, and continuous education as critical components for safeguarding against emerging threats.
Notable Quotes:
Dr. Eric Cole [02:51]: "We're creating digital twins... giving away our intellectual property, we're giving away our data, and we're giving away our privacy."
Dr. Eric Cole [06:04]: "You are creating a digital twin and you're giving it to somebody else to own, control and manage on your behalf."
Dr. Eric Cole [07:16]: "Social engineering... the more it can think and act like you, the more effective it is."
Dr. Eric Cole [17:08]: "Centralized data storage allows us to protect and secure it effectively."
Book Mentioned: Cyber Crisis
This episode serves as a crucial guide for professionals navigating the complex interplay between AI advancements and cybersecurity imperatives. Dr. Eric Cole's expert analysis offers actionable strategies to mitigate risks and harness the potential of AI in strengthening digital defenses.