Social engineering is a major factor in most cyberattacks. Users are bombarded over time by Trojans, phishing emails, spear phishing, and other sorts of digital scams, particularly users who work at companies and organizations which have a high value to an attacker, such as banking and financial institutions. Social engineering experts play a valuable role in the cybersecurity industry, as they address the human element in security which can often bypass the best corporate firewalls and antivirus software.
Jenny Radcliffe is a social engineering specialist, and the host of the Human Factor Security podcast, which I had the honour of appearing on last year. I had the opportunity to interview Jenny recently, and I really learned a lot.
KIM: Your specialty is social engineering. How did you get into that?
JENNY: I learned a lot growing up in a tough place. I always saw things in a different way than most people. I studied people a lot and was lucky to have employers who gave me work that challenged me and brought out other skills. I studied, practised and made a lot of mistakes. In the end, the cyber industry recognized the contribution that social engineering and physical infiltration make to security, and gave me opportunities to use my weird skillset.
I never thought that anyone would think that what I could do would be accepted as a contribution to keeping people safe. I’m grateful every day that the community welcomed me and legitimized the role. I’m still excited and love my job.
KIM: If someone wanted to learn more about social engineering as it pertains to cyber attacks, how would you advise them?
JENNY: I get asked a lot, “where should I start?” I always say it’s about really understanding people. As groups, as part of a company, and as individuals. I really think that to be a good social engineer you should be fascinated by human behaviour and learn to observe patterns, interactions and habits whenever you can. Analyze language, how people spend their time, look at the gaps in intelligence collected, and find the hidden story.
Try not to insert yourself into the narrative. Ego is the curse of social engineering - it really is all about ‘them,’ not you. The second someone loses sight of why they are doing the job, protecting people, they lose their edge. Don’t aspire to be a social engineer if you don’t fundamentally love people and want to protect them. Everything else is decoration.
KIM: Obviously social engineering knowledge can be acquired without school, but are there credentials that employers may insist on?
JENNY: Social engineering is likely the final frontier when it comes to standards and credentials. It’s hard to measure capability or even prove ability and experience. I feel that standardizing something so intangible and nuanced is counterproductive, but I am concerned that the term is often diluted so much that clients and employers don’t know what to look for.
Perhaps then it’s apt that for a nuanced role, there is no standard measure.
I advise people to give scenarios or case studies to see how someone thinks, rather than rely on qualifications. I am working on addressing this and perhaps having some accreditation mechanism in the future, but it’s a challenging problem for the industry.
KIM: Are there credentials in other areas of cybersecurity that may help someone in their social engineering career?
JENNY: I would say that certs and experience away from the purely technical, but focussed on security, would be useful. For example, a lot of law enforcement and military people I work with understand the human factors very well and understand risk in this context quicker than if they only saw the tech side. So, things that give a holistic picture of business continuity and risk are good.
KIM: Have you spent a lot of time researching Trojan malware? For example, the social engineering aspect of it?
JENNY: Yes. I analyze the (programming) language for persuasion and influence levers and have been asked to profile the attackers from the mechanisms and tactics used.
KIM: Have Trojans gotten more deceptive over the years, in your opinion?
JENNY: I’d say that attackers learn quickly what works well and will build on that. Whilst some are lazy, I find myself almost admiring those that are more sophisticated and elegant in their approach, although the goal is still criminal and harmful.
KIM: Has phishing become more sophisticated too?
JENNY: Yes and no. Whilst there are more attacks reported, the majority of them are just blanket emails playing the percentages and hoping someone will fall for a usually pretty lame pretext. However, I notice tweaks to certain emails that seem to indicate that the criminals are taking and acting on ‘feedback.’
For example, I see a changing tone in sextortion phishes based on gender which indicates a worrying amount of adaptation and learning. Spear phishing with real tailored, researched content is rare, but generally works well as trust is built quicker.
KIM: Have you seen the phishing sites and email kits that are being sold on the Dark Web?
JENNY: Yes. It was bound to happen, and I’d imagine such an approach is often fairly effective. Again, at the risk of sounding like I’m marking a paper, I frown on a lack of effort and creativity, but if it works someone will buy it.
KIM: A really thorough pen test would include a company's employees and contractors to be tested for susceptibility to social engineering. How should that be done?
JENNY: It should be related to the business as much as possible. When my company does this, we are usually looking at worst-case scenarios where bribery or blackmail or worse may be used, so we do look at personal information as well as company related things.
In most cases, a sample cross section of anonymized staff information should be sufficient to show the personal vulnerability and how it might link to the company. Again, it’s very hard to give an estimate, as each target is very different. I’d say be thorough, ethical and able to back up any evidence presented with solid reasoning as to how it might be used.
KIM: I often say that most cyber attacks in general involve social engineering at some point or another. Is that true?
JENNY: I’d say most attacks have some level of social engineering involved. There has to be a ‘patient zero’ as most attacks need human intervention at some point, as attackers use it as a direct and quick route around tech defences.
KIM: Do you think our industry underestimates the importance of social engineering?
JENNY: I think the industry as a whole absolutely accepts how dangerous social engineering can be these days. It’s only occasionally I hear the odd comment about tailgating, or an obvious phishing email as not being a sophisticated attack. This does bring out the devil in me because the best mark is the one who thinks they can’t be taken, and I see a lot of opportunity in arrogance.
Mostly though people are savvy to the risks in the industry and acknowledge that social engineering needs attention, especially if I’m likely to hear what they say!
KIM: Do you think those of us in the cybersecurity industry overestimate our ability to resist social engineering techniques?
JENNY: Tailgating and phishing isn’t sophisticated, but assuming that’s the limit of social engineering is naive. I think the cybersecurity industry is a lot more switched on to potential social engineering than the general public, for sure. However, the right script at the right time can catch anyone and everyone out. No one is immune, especially if they think they will spot everything.
KIM: Is tailgating more common than I assumed? I don't hear about it very often.
JENNY: It’s still a standard attack vector in physical infiltration and is part of the lexicon when social engineering is being discussed. Not used so much on higher security targets!
KIM CRAWLEY: What have you been up to lately, professionally?
JENNY RADCLIFFE: I think it’s fair to say my job has changed a lot in the last year. I do fewer physical infiltrations, although the facilities I am engaged to work on are at a higher level of security. I’ve also contributed to research and standards in defining social engineering and how to assess practitioner capability around the world, which is an honour to be part of.
KIM: What do you think makes a good podcast, and what inspired you to start yours?
JENNY: Be original! Really do your research and don’t do it for followers or recognition. Also, try and study interview technique a little. I think a lot of shows are out there but are done in a lazy way. People think it’s easy to just ‘have a chat,’ but the best podcasters really work hard at what they do and focus on quality and non-standard questions.
If you look at say ‘Smashing Security’ with Graham Cluley and Carole Theriault, they make it seem effortless, but I know how much work goes into their show and that’s why they are successful and rightly so.
It’s a bit like anything else - you can have a go at anything and have a bit of success, but to do something well takes effort. That said, if you want to start a podcast get going, work hard and persist. The security community will show up and support you!
I really enjoyed my conversation with Jenny, and I hope you check out her podcast, “The Human Factor”.
About Jenny Radcliffe
Jenny Radcliffe (@jenny_radcliffe) speaks, consults and trains people in the skills of “people hacking” and explains how social engineering using psychological methods can be a huge threat to organisations of all sizes. She reveals how that same knowledge is a valuable tool for security professionals of all types in the prevention of these attacks, scams and cons of all kinds.
Using a mixture of scams, psychological tactics, advanced profiling and non-verbal communication skills, Jenny highlights how criminals, special interest groups and others with mal-intent, can talk or trick their way into gaining access to personnel, buildings and confidential information.
A regular keynote speaker at major security events (Infosec, Rant, DISA, Nordic IT Security, ICS2, Trend Micro, Cisco, NTT, Bright talk, Cyber Security Week) and a multiple TEDx contributor, Jenny has been a guest expert on security, scams and social engineering for various television and radio shows.
Jenny is also the host of the podcast “The Human Factor” interviewing industry leaders, bloggers, experts and fellow social engineers, about the human factor of security.