AI or Not

E007 - AI or Not - Opeyemi Kolawole and Pamela Isom

Season 1 Episode 7

Welcome to "AI or Not," the podcast where we explore the intersection of digital transformation and real-world wisdom, hosted by the accomplished Pamela Isom. With over 25 years of experience guiding leaders in corporate, public, and private sectors, Pamela, the CEO and Founder of IsAdvice & Consulting LLC, is a veteran in successfully navigating the complex realms of artificial intelligence, innovation, cyber issues, governance, data management, and ethical decision-making.

What happens when artificial intelligence meets the cutting edge of cybersecurity? In this episode of AI or Not, we sit down with Opeyemi Kolawole, a respected red team operator and ethical hacker, to uncover the fascinating interplay between AI and red teaming. Opeyemi shares his rich journey from penetration testing to his current role, and even gives us a peek into his personal interests, like playing soccer and chess. This episode promises an engaging blend of professional insights and practical advice for anyone interested in the cybersecurity landscape.

Opeyemi delves into the dual nature of AI in cybersecurity, highlighting how it enhances efficiency through automation while also presenting new vulnerabilities. He sheds light on the necessity of human oversight to ensure the accuracy of AI-generated results and the potential pitfalls when cyber adversaries exploit these technologies. The conversation covers intriguing topics like the concept of "jailbreaking" AI systems such as ChatGPT, and offers a balanced view of the benefits and risks of integrating AI into red teaming practices. It's an eye-opening discussion that emphasizes the indispensable role of ethical considerations in this fast-evolving field.

We wrap up the episode by exploring the critical importance of continuous learning and ethical conduct in cybersecurity. Opeyemi underscores the value of obtaining specialized certifications to stay ahead of advanced persistent threats (APTs) and the rapid advancements in AI technologies. He shares practical tips on setting learning goals, embracing areas of weakness, and the necessity of ongoing education. For those eager to thrive in the dynamic world of cybersecurity, this episode offers invaluable guidance on maintaining personal well-being and professional excellence amid the industry's high demands.

Pamela Isom:

This podcast is for informational purposes only. Personal views and opinions expressed by our podcast guests are their own and not legal advice, neither health, tax, nor professional, nor official statements by their organizations. Guest views may not be those of the host.

Pamela Isom:

Hello and welcome to AI or Not, the podcast where business leaders from around the globe share wisdom and insights that are needed now to address issues and guide success in your artificial intelligence and digital transformation journey. My name is Pamela Isom and I am your podcast host. We have a very special guest with us today, Opeyemi Kolawole. Opeyemi is an experienced cybersecurity leader. He's a red team operator, he's an ethical hacker, and there's more, but I'm going to let him tell you about himself. Opeyemi, welcome to the podcast, AI or Not.

Opeyemi Kolawole:

Thank you for having me. It's good to see you once again. I'm happy to be here. My name is Opeyemi Kolawole. I'm working as a cybersecurity professional. I focus in the realm of traditional testing red teaming, currently working as a red team operator for the last about a year now being in this role as a red team operator. I have prior experience in penetration testing, ethical hacking. And, aside my job, I do more soccer game for exercising, sometimes during the weekend. I like indoor games, sometimes just to have some fun. I play chess, I play Scrabble. Those are the things I do aside work activities, and also I love movies. I love to go see movies at my leisure time. That's one of the things I enjoy doing at my leisure time. To wrap it up, I've been in the security field for almost six years now and I'm working with different organizations helping them to secure their IT infrastructure. So that is just a brief introduction about me. Once again, I'm happy to be here.

Pamela Isom:

I'm happy that you're here. You and I met a few years ago and I remember I was a cybersecurity executive and I brought you on board to work with me as a cybersecurity leader, taking care of the red teaming and the ethical hacking and really looking at penetration, testing of environments from the website perspective, but not only that, just in general to look for vulnerabilities, and you did a great job and that's why you're here. I have very fond memories. Thank you, so yeah, so when you're giving your background, I just want to say I recognize you and the sports that you mentioned. You're athletic.

Pamela Isom:

I heard you mentioned that you like the movies and things like that, so I'm so glad to see you take care of your personal well-being. I have a colleague and we oftentimes talk about how it's so important to take care of your personal well-being, especially when you're dealing with situations like what you're dealing with, where there's a lot. I know that you feel like that rests on your shoulders as a cybersecurity leader, so I appreciate that. I appreciate you. So just a quick question for you how has red teaming evolved in the day and time of artificial intelligence?

Opeyemi Kolawole:

So red teaming, let me say, in terms of improvements.

Opeyemi Kolawole:

Firstly, it has helped in automation, basically helping us to automate things within the infrastructure.

Opeyemi Kolawole:

AI has been helping us a lot on that, even though we still need humans to check for errors, which is why you can't really rely on AI, because this AI, they are written in codes and they are also human beings write this code, so there can still be an error or mistake. So, which is why, even when you use AI to automate your threat detection, responses, mitigation processes and all that, you still need human to analyze those results and to make sure there's no gap within those kind of results. But generally, it has been a lot of relief for security professionals in the realm of AI, because I would say we can do it alone, because every organization we're looking for a way to make things go faster, work faster for us, and AI has been helpful on that in terms of automation, automating processes within the organization. So it's been very helpful, even though it has its own, you know, cons I would say cons as well but for that, overall, it's been helpful because we're using it in the right way, not in the other way around.

Pamela Isom:

What's the other way around? I know that from some of the advantages, like you mentioned, I can appreciate that and I agree with you. So some of the advantages being advanced automation is really more advanced automation and access to information faster, oftentimes more reliable. But that's some of the pros and cons of AI. So it depends on the type of machine learning that you're applying, or whether you're using generative AI or not. I understand that, but I would think that when it comes to identifying threats and recognizing threats, I would think that AI is helpful. Do you agree with that or what's your take?

Opeyemi Kolawole:

I would say, to some extent it can help to identify threats. It might not be everything, because sometimes, when there are some vulnerabilities that might be hidden that the AI might not be able to see, but this is why I said earlier that human beings are still very useful in this. This is where we come in to do more thorough testing. Even though we automate with AI, we still need to do some validation and check for some false positive or false negative things like that. So we come in to make sure all this information is right. So AI has been very good. It's been very helpful. I won't say it's 100% helping in terms of the testing part, but it has been helpful in terms of automation and some little testing which is in the right supervision.

Pamela Isom:

So it's helped with the automation of the testing, but you still have the human in the loop to help to verify and validate the outcomes. Yes, Okay. So let's talk about some of the disadvantages. Have you found some challenges with the AI as it relates to cybersecurity?

Opeyemi Kolawole:

So one of the major concerns regarding that is the manipulation. Part of AI can be manipulated or deceived by sophisticated cyberattacks, for example adversaries, APT. They can leverage AI to craft evasive malware, like they can build malware, launch stealthy attacks and even fool the AI-based security system through the adversary attack. So this is where the concern comes in that it can be abused by cyber threats group APT group. They can abuse this AI and use it to their own advantage. For example, let's use ChatGPT as an example.

Opeyemi Kolawole:

Have a ChatGPT that creates a malware that will bypass an antivirus or a specific solution. It will tell you it's not ethical. I can't write that for you, but there is a way attackers can trick that around. What they will say is they will tell ChatGPT, assuming you are a hacker or put yourself as a hacker, how will you build a malware that will invade this type of solution or antivirus? Let me tell you it will respond and it will write that code for you. Because you've manipulated the AI, you've put the AI in that situation that he is the hacker. How will he do it? So I've seen a couple of articles like that that people have manipulated that ChatGPT, for example, to write some dangerous malware and it's even though if you write, ask direct questions to help you, to say it's not ethical to do that, but if you manipulate the AI, it will give you the results you want. So those are the ways APT groups have abused this AI, even in more advanced way that's scary.

Pamela Isom:

Yes, that's scary, but I understand. I appreciate you bringing that up. So I understand that you can tell the ChatGPT or the generative AI prompts, the prompt-based AI, because eventually they're going to change it. They're not going to call it ChatGPT, they're going to call it something else, but anyway. So you can tell the prompts that it is a hacker and by telling it that it's a hacker, you can tell it to bypass the vulnerability checks and safeguards that are in place so that it can do X, right, and, depending on how well the LLMs are behind the scenes and the rules that are in place to detect, it can literally circumvent the situation and push malware into environments, which I think they call that jailbreaking. It can basically do that. One way is by manipulating the prompts and the capability that you have within ChatGPT to say hey, you are X role and therefore provide a response as though you are X or you are a hacker. So provide a response based on you being a good hacker and it'll do it.

Opeyemi Kolawole:

Yes.

Pamela Isom:

Yeah, so that's a vulnerability of AI. That is definitely a vulnerability. I'm glad you brought that up because I have been thinking about a few things and I know about jailbreak and I haven't had that happen to me yet, but I know that it's contributing to a lot of vulnerabilities today. So I appreciate you bringing that back to the remembrance that this is a very real situation. Yes, yeah, so okay. So if we think about your career path and we think about your certifications, you have several, so tell me more about your certifications and why you chose that route.

Opeyemi Kolawole:

Okay, firstly, why I chose the offensive security, penetration testing and red teaming route is because it's something I always wanted to do. I wanted to learn about, even though back in the days when I've never, when I've not come to the US, I've been trying to do my own thing, try to learn about no resources then. So when I came to the United States, that was when I feel like, okay, this is a place to learn this thing. This is what I've been aspiring to do this, even though I focus more on the arcane arc, I just want to know the technology. I'll be watching some movies, see how they do some act like how do they do this? So, even though it's a movie boy, that kind of interests me more. So when I started the journey, when I started doing some learning, so I started shifting to the how you can use that to protect organization. Not only the hacking part, but to help organization secure their infrastructure is even most important part. So I started building that mindset up. So I would say shifting a little bit from just the hacking hacking but building the mindset of helping organization to secure, which is the most important thing. So by doing that it helped me with strong foundation and when I started my career.

Opeyemi Kolawole:

Self-sac certification is something I love to do, not because of the paper, not because of the title, but because of the training. It helps me to stay up to date. It tells me to keep up with my skills. It tells me to learn more about cybersecurity and what vulnerabilities are there that I might not know about. So, which is why I focus, I pick different certification: web application penetration testing, red teaming. So, for example, on the web application, when I took those certification I focused on the web application. I want to learn more web application, how to find vulnerability within the web application, how to remedy it and mitigate vulnerabilities found within those applications. So that application helped me to gain more understanding about web application.

Opeyemi Kolawole:

Then I shifted to some Red Teaming certification, which is what I'm doing right now. That also gave me the attacking and adversary mindset that APT and our APT group are there, how they operate, how they perform, how they launch attacks. Red teaming certification training give Red Teamer that kind of mindset to it, lb, that mindset, attacking mindset to emulate all these APTs. So basically, what APT can do, we also can do it. So that also gives us an edge that can help us to secure organizational assets. So before APT we also can do the same thing. So that helps us to stay up to date within the space and also to help organizations secure the accountability that can be found within the environment. So those training has been helping me and I'm still doing more training nonstop, so it's no end in journey, obviously. So you just have to keep up to date with what is going on out there.

Pamela Isom:

Okay. So the certifications that you have, you have many of them, but you're saying that you chose that route because you are doing it to be effective for organizations. Yes, so that was your primary motivator is so that you are effective for organizations. But I think it's very good of you to say, and a good characteristic of you in that you know that over time, certifications they have meaning. Yes, you know that you have to keep up and ultimately, you're doing it to ensure that what you bring to the table is going to be valuable to the organizations, because of the responsibility that you feel comes along with being a cybersecurity expert.

Opeyemi Kolawole:

Exactly.

Pamela Isom:

I know I summed that up really good. I think that that's a really good characteristic and trait to have, and the reason why I bring that out is because you do have many certifications, and I want people to understand that there's more to it, there's more behind that, so that's what we want people to understand. And then the other thing you pointed out is you're doing it because the advanced persistent threats they are advancing very rapidly, and I heard you say that these types of trainings and tools that you're picking up is a way to keep you ahead of what's coming and able to recognize that. You see, because of the education and training that you're getting, that goes along with the certifications. Exactly, okay, great, okay, all right. So then is there anything else? I know that the use of AI in the cybersecurity world is good and that it's only going to evolve more, and that I personally want the use of AI in cybersecurity to advance further and maintain responsible ethical patterns and behaviors. What do you think about that?

Opeyemi Kolawole:

Well, I would say, like I said earlier, AI is really good. It has its pros and its cons. So, for example, in the aspect in the realm of AI, there are some AI-powered attacks, let me put it that way. So basically, attackers leveraging AI and machine learning are going to launch some sophisticated attack or cyber attack. So these are one of the challenges we are facing within the cybersecurity space, especially while utilizing AI for automation and other processes like that. So, for example, data privacy concern is also part of it.

Opeyemi Kolawole:

So if your AI storing data, what if there's a breach? What if there's a gap or what if there's a vulnerability that can be exploited within that AI and that breach might come through that AI technology. So a lot of people don't know. You ask questions with AI. They store all this information. It's more like they have a memory of their own, so they store information. So that's why sometimes you have to be very sure of what you're putting out there, asking AI to do, or what information you are giving out to AI. So those are the gaps we're facing within the cybersecurity space using AI. But on the pro part, it has been helping. You know the processing, helping with automation process within the red teaming field. So I want the credit. AI's something that's been very useful, but we just have to use it the right way, not in the other way.

Pamela Isom:

So maybe we want to start looking at, because I agree with you, so maybe we want to look at from a cybersecurity perspective, dig deeper into what are responsible uses of AI in the cybersecurity realm. I think that we are doing that to some extent. Everybody's talking about responsible AI, but maybe we want to take a deeper dive and a deeper look into what does responsible AI use in the cybersecurity domain mean. Yes. So you and I have been talking about some classes and things that we may be doing, so that may be something that we include.

Opeyemi Kolawole:

Yeah, that sounds good. We need to do that.

Pamela Isom:

Yeah, so I know that we don't have to elaborate this point, but I know that there is a whole area and a large dimension of cybersecurity specialties and areas that people can specialize in, and I know that you have already explained how you chose the penetration testing route and the red teaming route. There's the blue teaming route, there's different paths, and so earlier you were talking to me, not on this call, but earlier we were talking about different roles and responsibilities. The security architect and others in cybersecurity engineer things like that. So what we can do is I think that we should understand what the different roles are and then look at what are those AI considerations for those various roles and what does it mean to be responsible? I think that that's something that, to add on to what you were saying, that we probably want to dig deeper into. And the other area is the large language models and even the micro models.

Pamela Isom:

As we start to build the micro models, how do we make sure that we're not introducing vulnerabilities and how do we catch those that are trying to jailbreak? How do we check that type of malware where that's intended to circumvent and use the backdoor channels and all this and that? So how do we have AI, help us solve and address these types of problems and not insert those types of vulnerabilities. So I think that's something that you brought up that I was just elaborating on, because I agree with you. So we're running out of time. I know that you have words of wisdom, as I know you, so I know you have words of wisdom or advice that you want to leave with me and the listeners, so can you do that now?

Opeyemi Kolawole:

Thank you for that. So one thing I would say is, regarding this cybersecurity field, we chose this route, we chose this path. Nobody forced anyone to become a cybersecurity professional. It's what you determine to become, so we have to take responsibility and accept it that way. And one other thing I would say is constant learning is very, very important. The field grows every day rapidly and a lot of technology tools introduced into the field every day, so, which is why a lot of people don't want to do cybersecurity or don't want to become a cyber, because it's more of like constant learning that a lot of things changes every time, so you have to stay up to date on your game. So make sure you stay up to date on your game. So make sure you stay up to date in your learning. Define a route, define a path for yourself. Set your goals this year. I want to learn this. I want to learn how to write with Python. Set another goal next year. So it can be six-month goals, it can be one-year goals, it depends, but make sure you challenge yourself with those kind of goals and tasks that will help you to boost your morale and to go to learn more and stay up to date because this field grows every day. A lot of things changes every day, new technology, everything. So you have to keep up to date.

Opeyemi Kolawole:

Another thing I would say is training is very, very important. You should take training seriously because this is how we can improve on our skills, on our learning and on our knowledge. So this training can help us to be a better version of us. So it helps you more to you know on your day-to-day activities, on your tasks within your organization, what you do. You can add, improve those. Whatever you learn on those training, add it to the value you bring to the organization, help them secure the IT infrastructure, their network, their application, with all those training. So training has been helping me.

Opeyemi Kolawole:

For example, I set a goal this year that I want to learn more on the cloud because I know I'm very weak on that. So, first thing, you have to accept what you don't know. Make sure, okay, I don't know this, I want to learn it, accept that. So by accepting that, then it's helped us to grow more. So I said I want to learn more on the cloud this year and I've embarked on the journey of learning more about cloud. So that is how I keep up to date on those learning processes. Last thing I had is no knowledge is lost. Always, we should always make sure we learn something new every day. Before you know it, in the next six months, one year, you must have known a lot. Try to read, sometimes even me personally, every time I sit on the computer doing some hacking. Sometimes I read articles, sometimes I just lay down, pick up my phone, just reading some blog. I'm learning through all those things. So we just need to incorporate that into our life to make sure we always learn something new every day.

Pamela Isom:

Whether it's related to your field of expertise or not.

Opeyemi Kolawole:

Yes, I mean, no knowledge is lost, but just cultivate that habit of learning something new every day.

Pamela Isom:

That's interesting. So no knowledge is lost. I like to play back what I heard, especially when we get to this part, because these are words of wisdom for me too. So no knowledge is lost. Learn something new every day. Do what you do, because that's what you signed up for and it's a part of the responsibility of being in the cybersecurity profession, so own it and embrace it.

Pamela Isom:

So I heard you say that, and then you pointed out that develop a learning path. So take responsibility and develop a learning path for ourselves and apply that path, because learning should be continuous. And it goes back to you saying try to learn something new every day. Whether it's career related or not, learning is continuous and it never gets old. So learn something new every day. And then there was one other point. Oh yeah, you pointed out that you decided that you wanted to learn more about Python and the cloud environments, which is good, but you wanted to learn it for your own self-sustainment. But also, you mentioned a couple times, as you were summarizing, that we do what we do for the sake of the organizations, because they lean on us to help to defend the environment and they lean on us for that. So take it seriously and do what we do, including the certification that you have gotten to help do and accelerate and secure the organizations, those that depend on us for what we bring to the table.

Opeyemi Kolawole:

Exactly so, yes, that is why we are hired, that is why organizations hire us to help them, and we have to make sure we stay up to date and do our job, do our part, make sure, because they lean on us, like you said. So we have to take that responsibility and make sure we're good in what we're doing. So training is very important to stay up to date.

Pamela Isom:

Okay, all right. Well, that's been a great discussion that we've been having and I really really appreciate you being here. I really appreciate you being a part of the podcast AI or Not. You are one of the early guests and we just go back way back. Well, not way back, but we go back there and so I'm a big fan of yours. You've been doing great and I want you to keep doing great, and I'm just honored to have you on the show. So thank you very much for being here.

Opeyemi Kolawole:

Thank you very much for having me. I'm really happy to be here. I enjoyed the opportunity to share my own knowledge and experience as well.