Last week, I spoke with bug bounty triager and Ubuntu fan Sophia Sanles-Luksetich. This week, I had the honor of speaking with social engineering specialist Jenny Radcliffe. Contrary to what a lot of Nigerian Princes would tell you, in my opinion social engineering is one of the most misunderstood areas of cybersecurity. Kim Crawley: Please tell me a bit about yourself and what you do. Jenny Radcliffe: I’m a social engineer, which I’ve been doing for over 35 years! I started young and have always focused on people, psychology and being where I probably shouldn’t be. KC: Wow, I'm 35 years old. Go figure. Did you get into psychology before computing? JR: I’m not in computing. I am retro, old school and genuinely a social engineer. Psychology was never my major, but I’ve studied it for years. Very specific areas, though. KC: I think it's a common misconception for laypeople to think that cybersecurity is all computer technological. I find social engineering is a factor in most cyber attacks. What are some other misconceptions about what you do? JR: That it’s simple and easy. That it’s about phishing, that it’s about tailgating. That it needs to be complicated, that women are better at it than men (uniformly), that it’s OK to stand on a stage and waffle about it when you never so much as stolen a candy bar. I hate the way it’s been reduced to the minimum sum of its parts as an industry. Done well, it’s an art and a science, and it requires nuance and subtlety of approach. KC: Do you still find that the phishing techniques that worked 10 years ago are just as effective now? JR: People are people. If we use what people have in common, that is emotional drivers as well as physiological and psychological needs, then people will always be vulnerable. In that sense, nothing has changed. Technology has given us different delivery channels, but the methods are broadly the same and often exactly the same as they always were. KC: I see kits for making phishing websites and emails sold in dark web markets now. Has that had a noticeable impact? JR: Honestly, you don’t have to go dark web. Look at the SE Toolkit and follow the topic on social. Everything anyone needs to do to try it is available. I was self-taught for a lot of the stuff I use and just refined it over the years, and when I started, nothing was available. However, the availability of both techniques and OSINT (open source intelligence) tools has made it easier to try, and so I’d say it’s making an impact in that there are more people learning it and trying things. Clients are telling me that social engineering is at epidemic proportions, and if we match that with a poor understanding of the gravity of the risk, as well as a dilution of the term and the tools to try and prevent it, it paints a pretty grim picture. KC: How often do you find cybersecurity people susceptible to social engineering? JR: All the time! You just need the right script, and you can catch almost anyone out. It’s a question of approach; everyone has something they wish to protect, love or want to keep private. We all have ambitions, objectives and weaknesses. We are all vulnerable, and if you think you know what an attack looks like, then you have already failed. The other thing about tech people is a tribe mentality which comes from the best of our community. Inclusivity is always a way in, and we have a strong sense of community in the industry. It’s one of the best things about us, but it’s also a weakness that I’ve seen exploited. Also if you are in security, you are reluctant to admit if you are conned, even to yourself. We are humans first; everything else is secondary. A good social engineer will operate on that level. KC: Excellent. Yeah, I always remind myself that I can be fooled, and I think not being overconfident might be a hardening measure! Have you been following the tax agency scam phone calls, emails and text messages in the United States and Canada? JR: Not in the States! We have plenty of tax scams to worry about over here! KC: I mean the calls or texts that say, "You owe the IRS lots of money. Call us back to arrange Bitcoin payment or you'll be arrested." I got such calls and text messages from parties spoofing the Canada Revenue Agency last year. I think the CRA, the IRS and cryptocurrency wallet apps like Jaxx have all made public service announcements saying "real tax agencies don't take Bitcoin and that's not what we do if you owe us money." JR: Yes, same type of thing over here. Use of fear and self-doubt to raise emotional temperature and lower decision-making capacity. In that moment of emotional confusion, the attacker offers a route out of the emotional state. Pay this, click this, do that. In hindsight, it may seem an obvious scam, but in that emotional moment, people like to follow a lead. KC: Yeah, I've heard of people who sent $20,000 worth of Bitcoin in one of those scams! Has sexism ever been a factor in your career? JR: I never really dealt with overt sexism on the job. Plenty of creepy bosses, over-familiar clients and people underestimating me, but I never thought it was gender-based. I’ve had good and bad experiences with both men and women in work, but if it was because I’m female, it was lost on me. I do get a lot of requests for a “female” social engineer, but when you question why it is very rarely an unshakeable reason, and I’ve only had one or two assignments when it had to be female and nothing else would work. KC: Are you doing what you thought you would be doing professionally when you were a teenager? JR: I was working doing this as a teenager, but I always thought it would be a sideline, I never thought it would become acceptable as a full-time profession. I knew I’d always do it but speaking about it in public and training others to do the same? No. KC: Are the ways into your profession different now? JR: I still don’t really see one to be honest. I am yet to see a degree, qualification or job description that teaches or describes it fully and accurately. However, at least there are jobs that get close these days and ways into security more generally, at least that can put a person in the right industry. That’s progress! KC: Excellent! Do you have any advice for people who are considering specializing in social engineering? JR: You can either be great or mediocre. You need three things to get great: patience, integrity and a ferocious work ethic. Everything else is decoration. Good luck! Previous Interview
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
