Security Masterminds

Sneaking your way into hacking the Humans, with special guest Jenny Radcliffe

July 23, 2022 Jenny Radcliffe Season 1 Episode 8

Episode Summary

Jenny Radcliffe, a social engineer known as the People Hacker, was recently inducted into the Infosecurity Europe Hall of Fame. Jenny is also an award-winning podcast host and a conference speaker who provides knowledge, expertise and insights on security, education and awareness to people around the world. In this episode of the Security Masterminds podcast, Jenny discusses her experience in the industry and how social engineering has changed over time. She also shares some tips on how to put together a team for a social engineering job, as well as some of her biggest social engineering failures and what she learned from them.

In this episode, you will learn the following:
1. The art and science of social engineering, and the importance of continuous learning.
2. The evolution of social engineering over time, and the need for diversification.
3. The importance of self-discipline in social engineering, and the need for details.

Jenny Radcliffe, The People Hacker

Jenny Radcliffe is a world-renowned Social Engineer hired to bypass security systems through a mixture of psychology, con-artistry, cunning, and guile. A "burglar" for hire and entertaining educator, she has spent a lifetime talking her way into secure locations, protecting clients from scammers, and leading simulated criminal attacks on organizations of all sizes to help secure money, data, and information from malicious attacks.

Jenny was recognized as one of the top 25 Women in Cyber in 2020 by IT Security Guru and as a Top 50 Women of Influence in Cyber in 2019. She was nominated for the prestigious "Godmother of Security" award in 2020 and won the "Most Educational Security Blog 2020." Most recently, she was named a Woman of Influence and a Top 30 Cybersecurity Leader.

Jenny is also the host of the award-winning podcast "The Human Factor," interviewing industry leaders, bloggers, experts, fellow social engineers, and con-artists about all elements of security and preventing people from becoming victims of malicious social engineering.

Jenny Radcliffe:

Social engineering is the oldest form of infiltration and of hacking. And in that sense, it'll carry on and continue into the future and adapt to whatever the human race does, whatever humanity does. My name is Jenny, my handle online is the People Hacker, and when old ladies on trains ask me what I do and I say I'm in security, I have to elaborate a lot and say it's about being a burglar and a con-artist and all those things.

Announcer:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.

Jelle Wieringa:

The world of social engineering is an art and science involving a variety of human interaction skills that require consistency, deception, and continual learning. We hear from one of the best in the industry about their expertise on successfully hacking people and ways to protect yourself from these styles of attack.

Erich Kron:

Jenny Radcliffe, a social engineer known as the People Hacker, was recently inducted into the Infosecurity Europe Hall of Fame. Jenny is also an award-winning podcast host and a conference speaker who provides knowledge, expertise, and insights on security, education, and awareness to people around the world.

Announcer:

This is episode eight, sneaking your way into hacking the humans with our special guest Jenny Radcliffe.

Erich Kron:

Hey, it's great to be back.

Jelle Wieringa:

So today we've got Jenny Radcliffe. We interviewed her and it was a lovely conversation. I was really impressed by what she told us, and she's an industry veteran.

Erich Kron:

Yeah. And Jenny's amazing. So we're seeing a little bit of behind the scenes of what it takes to do some of this social engineering, this penetration testing that she's so good at. And frankly, I learned a lot of very interesting things from this.

Jelle Wieringa:

Yeah. One of the things we wanted to know: how did she end up in cybersecurity? How did she end up hacking humans?

Jenny Radcliffe:

I had family who were loosely connected to the security industry, and when I was very young I hung out with a lot of my cousins, who were older boys, and they did a lot of urban exploration. So a lot of empty buildings in and around my hometown, and they sort of taught me to get in and kind of look around all these abandoned buildings. When you do that, you learn very quickly a few skills. You learn how to run very fast. You learn trespass law. And I learned to bypass alarms and things back then, but I mostly learned that it was about people. And that actually, it was easier to talk my way in than to break in. I looked so innocent that people let me do it. And I still don't look dangerous today. And I'm still doing it today, although a bit less than I used to because I'm older and not as fit.

Erich Kron:

Easier to talk your way in than to break in. And I'm betting once you've talked your way in the odds of the police becoming involved are probably a

Jelle Wieringa:

probably Well, you don't raise too many alarms by talking your way in if you do it right. But that's the power of social engineering. It's basically being able to go anywhere at any time, talk to anyone, actually get in or get your way. And that's something that she's become really good at over the years.

Erich Kron:

Yeah, absolutely. And we got just a high level of

Jelle Wieringa:

So

Erich Kron:

she got into this. If y'all want a deeper dive into things, she did do an episode of Darknet Diaries where she really focused on this. It'll be in the show notes if you want to check that out.

Jelle Wieringa:

So cyber engineering actually changed a lot over time. We want to know from Jenny what she thinks about that. How has the space evolved? And what's the next step?

Jenny Radcliffe:

I mean, when I started, I wouldn't have called what I did social engineering, and even now it's just, it's a good umbrella term for it. A heap of skills and tasks. These days. I mean, when I first stood on stages and spoke about it, there weren't many people who would call themselves social engineers. I had to really explain the term even within the industry. I think now there's a lot more conversations about it. There's a lot more people and businesses focusing on it and promoting awareness around social engineering. But I think it's diluted and we have to kind of explain what type of social engineer you are, what type of pentester you are. And I don't know whether that's a useful thing, some of the time. And so I see that I think people are becoming more and more aware of it. A lot of us are putting a lot of effort into getting the words out there beyond the industry. So I do see that. Social engineering is the oldest, I would argue the oldest form of infiltration and of hacking. And in that sense, it'll carry on and continue into the future and adapt to whatever the human race does, whatever humanity does. So I see more and more people say that they are social engineers. I see a lot more skills coming in. People bring in different skills and perspectives. Different, you know, degrees and qualifications and experience. And I also see a lot more people saying that they're social engineers who aren't, but they think they can talk about psychology and behavior, and that makes them a social engineer. While it's valid, it doesn't make you a social engineer. So I think there's a dilution, that's not necessarily a good thing. And there's diversification, which probably is a very good thing.

Jelle Wieringa:

We work in the field, we know a lot about it. We have experience, but that doesn't make us a social engineer per se. It's like when you're building software, you might understand how to code a bit, but that doesn't mean that you can build a full blown software product. It's the same thing with social engineering. Also I agree with her that there's a lot of dilution in this market today, in the sense that a lot of companies now understand that you need to train your users against social engineering. We need to be able to better protect those users against phishing attacks, against everything that's at the human, and the more new insights we get, the better it is because we can apply those.

Erich Kron:

What I do think is interesting, Jelle, is that it went from something that was kind of a hobby into a mature part of the industry where people actually hire folks. It can now be a full-time career, not just kind of playing around to see what you can get away with. I really think that's kind of cool.

Jelle Wieringa:

So there's a lot of sides to social engineering. We've got things like the physical, the cyber, and we've got emotional and psychology sides. So we wanted to know from Jenny: do you work more in the physical or in the cyber side of social engineering?

Jenny Radcliffe:

I'm not a technical social engineer, though I know a little bit, and I know more and more every year because people who are much better at that than me teach me, and I run my crew very often. So little things, man-in-the-middle attacks and things like that. I've learned to do those and I love those. Now I specialize in the physical side of it and I specialize in the psychological side of it. I think because I am pretty specialist on physical infiltrations and I have a particular contact base that I can pull in for different jobs. And also just because of word of mouth, we still get a lot of physical infiltrations that are very specific. And that's really where the bulk of my assignments do involve some sort of infiltration on site. I say to people who ask me, who are not in the industry, we work adjacent to cyber. So, you know, the cyber is huge and is probably the biggest part of hacking and security. But it's easy for them if I can insert a key logger, it's easier for them if I can steal the laptop, it's easy for them if I can let them in. So sometimes I will be known for the physical side of it, I guess. The psychological side is equally important. And again, just knowing some psychology is not enough. I think I know a lot of academics who are superb with the psychological sides, but they don't have a criminal mindset. And that attacker perspective I spoke about years and years ago is really very key to the job. And so that's what we were hired for as well. So whether that's phishing emails, some spear phishing and OSINT work or whatever it is, there's a huge element of that as well. So it's about 50/50.

Erich Kron:

So the attacker mindset is critical to the job. I love that part because

Jelle Wieringa:

part

Erich Kron:

not just true in

Jelle Wieringa:

it's not just really socially, but it was so many parts

Erich Kron:

to look at your system and

Jelle Wieringa:

at your system and go, okay, where are the can

Erich Kron:

was a

Jelle Wieringa:

I present bad

Erich Kron:

I try to get into this system?

Jelle Wieringa:

You need it. Even when you build a security awareness campaign, you need to look at employees, look at the group that you want to train. Figure out how can you manipulate them? How can you actually, if you were a bad actor, attack them? Because then you know which sides you need to protect, which sides you need to educate them on. You don't really want to go too far and scare people or make people mad, because you are dealing with people that have intentions, that want to learn. So you wanna keep them motivated. And it's that balance that I really like. So the perspective that Jenny has of being that bad guy and having that view on how can I get in, especially with physical infiltrations. Then in our case, you need to balance that with being okay. So maybe we don't wanna go too far in this.

Erich Kron:

there's a lot of ways that

Jelle Wieringa:

a lot of ways that you can do

Erich Kron:

too far. And it really doesn't help with the outcome

Jelle Wieringa:

Now

Erich Kron:

you gotta be aware of what's going on in the room as well. If there's layoffs, you don't play around with salary stuff. However, if done right, done kindly and messaged well, people understand that is really a way to just practice the skills that you learn in training. That's what it's all about.

Jelle Wieringa:

We've seen some failures within what we do when we built security awareness campaigns. We've seen some failures within social campaigns, and we wanted to know from Jenny what her biggest social engineering failure was and, more importantly, what did she learn from the experience?

Jenny Radcliffe:

So, what I would say is I'm not going to give you any specifics. I never really, whatever people think I do, but I never really give specifics about clients or anything like that. And I never would, but I mean, I wouldn't say that we have a job that failed that sticks in my mind, really. I don't, but what we did, but what I would say is there's lots of times where we've had pretexts that failed badly, you know, I'm thinking, I just think of some of them and you know, the problem is, is you can get too elaborate. And back in the day, you've got to elaborate on some of these pretexts and particularly with the bigger crew, you've got to keep it simple, and the more props and the more elaborate the backstory, the more difficult it is to maintain. So for example, just this week, I was doing a job where the pretext was security, like rent-a-cop security. And, you know, it was like there was a budget to buy sort of outfits and jackets, flak jackets. And I turn up and I can see three people and they're wearing the jackets and the earpiece, the black trousers and the hard cap boots and everything, but their caps, and the caps say security on them. And it's too much, you know. So what will fail is too elaborate or someone who enjoys it too much, or I've failed by breaking my own rules. In my crew you're not allowed to eat on a job ever. You don't eat anything you find, however delicious it looks and however hungry you may be from hiding in cupboards for hours. But I've eaten cake and things on a job. And as soon as you eat the cake you curse the job. But like there's no single point of failure that I go, that's a job that failed. There's been lots of mistakes, but in terms of being sent an assignment by a client, even if we abort quickly, I'll always go back because it's professional pride not to fail.

Erich Kron:

I got to say I failed pretty hard at some things in my career, in my life, but I find that you learn so much from those failures, honestly, a

Jelle Wieringa:

honestly.

Erich Kron:

from successes. At least that's my opinion.

Jelle Wieringa:

I agree. You've gotta make sure that if you fail, at least you come out positive and learn something, and best fail quickly. So the one thing that I noticed in her answer was discipline. Think about it: in a cupboard for hours on end, and then you're not allowed to eat any of that cake. That takes self-discipline. That is a lot to do with the deception work that Jenny does. And we wanted to dive into that a bit more.

Jenny Radcliffe:

The first thing is, is that detail is everything. When we assess credibility. So someone telling the truth will tell you all these details, a lot of which are completely irrelevant. So if you, if you interview a criminal and they lie to you, they won't remember things that are not relevant to the story they've rehearsed. Right. So, but someone telling the truth will say, they'll say stupid things that have got nothing to do with it. Right. So you'll say, so tell me, you know, tell me what happened that morning. And they'll say things like, well, I was walking, I was walking down the road and I had my jacket on. It was quite hot, so it's, so I took it off and then it, actually, the clouds came out and I put it on again. You're like, let's get it. Let's get to the robbery. Say so on the one hand details important. But on the other hand the liar will not have those extraneous irrelevant details. They won't. But on the other hand, you're quite right, is that too smooth is rehearsed. And so we catch people out of deception by getting them to tell that story every which way, um, because it's amazing what people remember in conversational hypnosis, and in interrogation, if they're telling the truth, but if they're lying, you remember the lie. You know, cause they're not there. So how did that, you know, how did that room smell? And you can see them trying to think. Well, trying to imagine it, where somebody who was there, they'll go "it stank" or it didn't smell of anything. What a stupid question. Do you see what I mean? So a lot of that is about interrogation technique, and that translates into a social engineering event, an infiltration event, because it's the little things that give you credibility, but too many of them is too much, it's too much cognitive load, essentially. One thing too much, kind of like Coco Chanel, Coco Chanel says,
when a woman goes out, look behind in the mirror and take one thing away. You're going to go on a security job and you're in pretext. Look in the mirror, and one of those props is one too many. You know,

Erich Kron:

That's some fantastic information there, one too many. I mean, the look in the mirror and take one thing away. That's an interesting thought. Hadn't really thought

Jelle Wieringa:

it

Erich Kron:

it like that, but I can see where a lot of times when I've seen people that tell stories, you know, call in sick and they have all of the details about every little thing, you kind of go, yeah. You know, that doesn't sound quite right. But I loved the way she put that with the room. How'd the room smell? Oh, it stunk, as opposed to trying to get too detailed. That's just fantastic information. I love that.

Jelle Wieringa:

It shows you that it's really hard to do a good social engineering job. It's not easy to do. You can hire actors and that will add to the reality, but creating authenticity, that's a whole other thing. Because it's a combination between authenticity, building that trust with your target, your mark, and then remembering all of the details that you need to remember without overcomplicating it, without the overkill. Now Jenny works with a lot of talented people, and we wanted to know from her: how do you actually put together a team for one of those jobs?

Jenny Radcliffe:

Oh, so that's, that's a really good question. And people don't ask me that very often. So I have a, I have a small circle of people who help me, and then I have a wide circle of people who would help me if I need them or I can go see for advice. Um, and I, and one of the things that people don't realize is that social engineering, the con should focus on the mark, right? So every con is about the target. It's not about you and what resources you have or what pretext you usually use. It's about what fits the mark. And so we've always got to think of who were they? What are we trying to achieve and what might be needed? So, for example, I've got, I mean way by hurting, but don't use them anymore for lots of reasons. But, um, high work, roof work. I go up to the roof. What, I mean, I'm not a ninja. I'm not gonna like walk around the edge of a roof, although I have to do it, but I know people who do parkour, so if it's going to be a high job, a high-level job, I've always got people who were lunatics really. And say there might be some high work, right. We might have to go in high and climb down fire escapes and ladders and things. So you pull people in with the right skill set, but more than that, the right profile. So big old financial company in London, just to pick something out of thin air, I'd need people who sort of fitted the general vibe. So I have a friend of mine who's a CEO of a company, nothing to do with our industry, is completely rich, has far too much time on his hands and just wants to play with being a burglar, and is very good, because I bring him on jobs and, you know, I don't have to pay him, number one. So that's great. And number two, he's very good at creating distractions and things, because I say, go in and be horrible, go in and cause trouble. You know, the room's not good enough. This isn't good enough, why isn't it. And someone has to make me, where's the car.
And he loves doing that because really he's a lovely person and he'd never really do it, but he fits it, you know, beautiful tailored designer suits and has a PA with him. And yeah. So like you fit the people and their skills and profile to the client, not the other way round.

Erich Kron:

How cool would that be to be like

Jelle Wieringa:

love doing that Hasn't with him. Yeah. I just that to be like, see hits to

Erich Kron:

and

Jelle Wieringa:

go around and play burden,

Erich Kron:

I can understand

Jelle Wieringa:

understand the

Erich Kron:

I'll

Jelle Wieringa:

to that, but I'll tell you,

Erich Kron:

lost me when she talked about

Jelle Wieringa:

She talked about,

Erich Kron:

I, I think I'll

Jelle Wieringa:

I think I'll just

Erich Kron:

and

Jelle Wieringa:

hang out and listen to the psychology piece, Cause

Erich Kron:

me up

Jelle Wieringa:

you're not, I'll do it. It's cool. Right? I'd love heights, but that's good. Cuz then we would make the perfect team. You do everything down on the ground. I'll do everything up high and, hey, there we go. I love the perspective that she has of building that team and having specialists there, and especially if those specialists enjoy their work. That makes it convincing. That makes it cool. And his PA, it adds to the allure. It all adds to the realism of the scene. I love that way of thinking that they have, and building their, essentially their product, to be as good as they can be to get the job done from the perspective of the client, from this perspective of the user, cuz that's what we do in social engineering, interact with humans. So building a team like that and getting everybody together and deciding on what you're going to do must take time. So we asked Jenny what a timeframe to prepare for a job, for physical infiltration, looks like.

Jenny Radcliffe:

It depends on the job. It's quicker now. I mean, back in the day, when I used to do it, obviously we'd have a couple of weeks, even if just hanging around in surveillance, physical surveillance, but like waiting outside buildings and waiting in cars, sitting in all the bars that are near the building and sitting in cafes, listening to people talking. I was always listening to who people were bitching about on a Friday night, and there was always someone they hated. And we've always been listening for that. Cause it can work with the dynamic, you know, there'll be some guy usually in quality, no offense to our quality people. There's usually something quality you've got in the way, and that makes me laugh. Cause security say that we're the department of no and slow, but every year every other department thinks it's them as well. So procurement people think it's them, quality, it is them, you know, cause they have to stop things. So, so that used to take a long time. I still, I still try and do an element of physical surveillance. So weekends, weekdays, nights, different times of the day, but generally now we can do a lot of research and OSINT online. And I would typically say certainly not less than three days in terms of billing. Now, so like it's longer, but like we would always say we allow definitely three days and potentially a couple of weeks, depending on how big the job is, how many sites and how big the site is. But buildings can be huge. I mean, it's bigger than you think. If you imagine, I mean, there was a job, it isn't again in London not long ago, and just to find what we were supposed to look for and get hold of it and do a few things, I think there was 28 floors, huge square footage. And really what we were looking for was things that were hidden away, you know, stuff in the basement, there's stuff at the ends of corridors. Or I always say, this is the one thing that people should look for, for social engineers
onsite, is a person walking confidently towards a dead end, 'cause that's what we're doing. And they're like, yes, I know exactly where I'm going. Oh, I'm just gonna tie my shoelace that wasn't undone anyway, and walk the other way. People should have realized we were there, but it takes a long time, physical infiltrations. I think a lot of people in the industry have spoken about simple jobs that take, you know, it is a tailgate or it's a couple of things, but it takes a long time. And I like to be in and out very quickly, because if you're in a building more than about 90 minutes, you'll get made, and someone will notice, and these buildings are huge. And if you've no previous information, you find yourself wandering around canteens and atriums and bloody empty space, just large empty spaces.

Erich Kron:

Walking confidently towards a dead end. That's kind of funny. But walking confidently towards a dead end, I mean, I'm just imagining seeing this and how out of place that must look for people. So while OSINT can be done through digital means these days a whole lot easier, once you get in that building, you're just kind of on your own. That's gotta be really tricky for them to be able to pull that off.

Jelle Wieringa:

Yeah. And just think about it. It's 28 floors. That's an awful lot of square footage that you have to cover. It's tiring. You have to be constantly attentive to what you do cuz you can't blow your cover. And then you can do a lot with OSINT, right? So all of the information that you get from public sources and open sources that produces actual intelligence, but then how much is actually known about the target in public sources? Not everything will be known. You can find a lot on Facebook or LinkedIn. You maybe can pull some building plans or whatever, but you can't figure out everything. So there's a lot of improv going on. Like tying your shoelace at the end of a dead end. All that, that's improv. It's impressive. That's why they are the social engineers. And we, even though we're in the field and do a lot, we're not. It's that mentality that you can pull a job like this off. So now it's really cool if you've got that 28 story building full of people and you can actually walk in and interact, but we had COVID. The pandemic made it that we all had to work from home. For a company that does physical testing, physical infiltrations, that must have been hard. So we asked how did COVID impact people when it comes to being scammed or tricked by social engineering?

Jenny Radcliffe:

First of all, obviously everyone's in shock. Let's, let's take you through being in a physical penetration test with a full crew during lockdown. First of all, everyone shuts down and nothing's happening. Well, after a while I started getting these calls saying, can you do some social engineering online for us? Oh yes, we can still do that. We can still do training and things. And then I knew it would happen. And of course it did. And I get this call, it was like, can you do a physical penetration test on our premises, even though we're in lockdown? Right. And it was like, it wasn't the initial one, but it was a little bit further on. And of course there's security, a lot of the regulations didn't apply because security's a different category in the UK, and I'm like, right. Guy says, and I'm saying the guy, but it's a combination, this is a composite character, it'll be really easy for you because nobody's here. Well, I know, but on the other hand, if nobody's here and there's one person wandering around the office, even the most sleepy security guard is going to see me on the CCTV at least and go, who's that? So it's kinda like, not sure then. We got a few physical jobs, which were actually quite small. I mean, I did a few actually entirely on my own and then added a few with just a couple of people. And it was the easiest thing in the world because all I had to do was put one of those keep-your-distance signs outside the room. And just say one word, it's just COVID. And I did one in this, oh, it was supposed to be such a secure building, and it was, except the roof never is. And it wasn't a particularly high roof and it was just, I knew it'd be open because what you do in COVID, you open all the windows for good ventilation. It was just like, oh, this is too easy. Go in and did the thing. And it wasn't one, when I was wandering around, I had two rooms to cover, they were next to each other, but you know, sure enough,
I see the light go on in the corridor and I think, oh God, I'm getting it. And I've got the mask on and I've got, you know, like, um, covered practically, right. And the hair's in a ponytail and everything's so hazmat type of thing. Wasn't quite, but it was almost hazmat, as in the middle of the pandemic. And a guy, because of that I went COVID COVID COVID COVID and he went, okay, and just walked away, and you sort of go, and that felt bad, but at the same time, people think it's fun, but you know, at the end of the physical, your feet ache and your heart aches, because I insist on speaking to the people that I've face-to-face conned and just say to them, look, you know, it's not, you're not stupid. You're not going to be fired. It's really important now that you understand that I just made you an ambassador for social engineering, right. That if you can fall for it, anyone can fall for it. And so just so, cause you want that person not to feel like an idiot. You want them to say, look, this is, this is a professional con artist. So sometimes it's very funny and there's a lot of humor when I look back on some of the jobs, you know, and I've, I've been writing my book and everything, and it is funny, but it's exhausting, and the adrenaline that kicks in, and then afterwards the dip from that adrenaline, and it's probably unhealthy. And it is a roller coaster, you've got to, it's a very demanding job. And I think sometimes the impression given by the industry is that it isn't that, but I'd add I'm very old-fashioned, so I do it the very old-fashioned way and I'm very strict with the crew, and I think that other people who do the job probably do it a bit differently.

Erich Kron:

And here's another reason I couldn't be a social engineer in times like this. I would be chasing people around the office buildings in a hazmat suit yelling COVID. I mean, I can just imagine how much fun that would be, but you know, it does have to be tiring. It's gotta be stressful. Can you imagine the stress that's on you when you're in there to pull something like this off and not get caught? You know, mentioning the adrenaline rush and the come down from the adrenaline and then not being healthy.

Jelle Wieringa:

I have such respect for her because she comes in and talks to the people that she met during the job. She actually explains to them, look, this can happen to anyone, you're just a victim, and we can actually train you to become better. It's not your fault. That's such a positive attitude.

Erich Kron:

Yeah. You know, that whole mentality of coming back and saying, hey look, you know, we're not trying to shame you. We're not trying to make you feel bad. You're dealing with a professional thing here. Now you understand, now you may take it a little bit more seriously, and if we're lucky we end up with somebody that's an ambassador out of the thing. I think that's an important kind of thing that runs on both sides there.

Jelle Wieringa:

So humans are not machines. It's not like you push a button and something happens. Humans are complex in nature. They've got their own free will. We wanted to know from Jenny: how long does it actually take you to hack a human?

Jenny Radcliffe:

And the answer is, how long is a piece of string? It depends on your human, depends on everything, right? Some people I've thought would take, I was like, oh God, this is such a challenge. I'll never get to him. How am I going to get to him? And they just roll over like a puppy. Other people, like there was a lady, she should have been the easiest mark. She was so nice. She was an older lady. She was a receptionist, that kind of gatekeeper, the gray hair. She'd been with the company a million years, sweetheart, like brought cookies in for people, she was, she was just adorable. She had a little dog under the desk with her. Flipping nightmare, just no, no, that's not right, no. Can't do that, no. And she reminded me of a school, you know, if you've got kids in school, people with kids will understand what I'm talking about. There's usually a receptionist in a school and she'll be the person who's telling you if the kids forget the kit or the lunch, or you forgot to pay for some sort of trip. They're so, so tough. She was the toughest cookie ever and it, and it was so hard. It was so hard to get her. Some people are hard to them with us to hack. And even within that individual, there'll be days and times when they're easier to hack than others. That's why sort of broad-brush phishing works. Silly phish that people think they can spot. And everyone says, well, why would someone ever click on that email? It's ridiculous. Well, because sometimes we're all just preoccupied and, you know, tired and ill. And we just, sometimes the stupidest thing works on the smartest person. So how to hack a human depends on the human and how ingenious? Sometimes we think of something pretty ingenious and that'll work, but I mean, mostly it's, it just depends on them.

Erich Kron:

I love that story about the lady who was very hard to, to crack there. And in my experience, I've

Jelle Wieringa:

that know

Erich Kron:

kind a mentality comes from being confident about something, you know, that your leaders have

Jelle Wieringa:

peers have your back. where you say no

Erich Kron:

Your policies

Jelle Wieringa:

all of

Erich Kron:

all of that comes into

Jelle Wieringa:

comes to and

Erich Kron:

is a

Jelle Wieringa:

that is a symptom of a strong security

Erich Kron:

Which is something that

Jelle Wieringa:

Which is something that we wanna see a lot more

Erich Kron:

to see

Jelle Wieringa:

We want to see people that are able to say,

Erich Kron:

No,

Jelle Wieringa:

know what? No,

Erich Kron:

just

Jelle Wieringa:

no, that's just not okay. Without letting somebody see, it's a really, I

Erich Kron:

that's a really important trait.

Jelle Wieringa:

Security culture is such an important thing nowadays in organizations and well, if you have somebody, a receptionist or PA or a secretary, that acts as a gatekeeper, empowering that person to not only do their job, do their job to the best of their ability, and enabling that person to do her job and supporting her to be that gatekeeper, allowing them to make decisions on the spot about who's allowed to enter and who's not allowed to enter. That's powerful. And that's all part of the security culture, because you trust your employees, you trust the people in your company to make the right security decisions because, well, you've trained them well. And that's why, when you look at security culture, training is such an important aspect of it as well. Now we all know that emotion is a big player when it comes to social engineering. How does emotion impact the mark or the infiltration when Jenny's on a job?

Jenny Radcliffe:

Yeah. I mean, emotional training will tell you, it's like putting, if you imagine a big pair of sunglasses, you're putting the sunglasses on. So if you're, if you're angry, it's the red sunglasses, you know, if it's a romance scam, it's the big sunglasses. If you're jealous, it's the green sunglasses, but everything is colored. And I say all the time, it's like, I should have it on a t-shirt, but when emotions are high, decision-making is down. And people's emotions are different. So we, you know, there's an onset. And it's different for different people, and then there's an offset, but while you're in that emotional fog, you won't make good decisions. And, and so that's it, that the key thing is, does this make you happy, sad, frightened, jealous, shamed? Step back. And, and, and in terms of the other one, my four red flags, that's emotion, urgency, call to action, and money. And I say to people, the minute someone rushes you, take your time. So the more urgent it is, the more time you take, because just when you start to come down off it, you kind of realize what's going on.

Erich Kron:

I feel so special because she just reaffirmed the same thing that I've been telling people for a long time now, which is you get a message that

Jelle Wieringa:

And is a small emotion.

Erich Kron:

it's time to be very, very careful. So it just kind of

Jelle Wieringa:

So just kinda facts up

Erich Kron:

for a while now.

Jelle Wieringa:

It's all about the think before you click, right? Those are all red flags. Those are all things that you need to be careful of. And the minute you see a red flag is the minute that you step back. Relax. Think about it before you actually take action. So I think she's actually spot on with her advice. Now we always like to give our listeners something that they can actually use, something actionable that they can use straight away. We wanted to know: how do you shape behavior to protect against social engineering attacks?

Jenny Radcliffe:

You can't change human beings. I mean, you can't, you can't stop someone having an emotional reaction to something. I mean, if I studied emotions, and for years, and one of the people that you study is a guy called, and I'll say his name wrong, but Matthieu Ricard. I mean, he worked with the Dalai Lama. And I think his handle online is like the happy monk, but he was like the guy, as I understand it, am I just got the shank, but I was always talking. He was the guy that told the Dalai Lama how to meditate, right? The most chill guy on air, to the point where you could sit in a room, they could fire, make big noises, nappy hards, and his heart rate never lifted, you know. We're not him. And so, you know, you will respond to things. And the only thing you can do is, can I, I mean, I really think, is continually put the message in front of people, um, continually, in as many ways as you can, without boring people to death with our patronize and anybody, just keep warning people about what it is and what can happen. And then operationally and technically, prevent things getting in front of them in the first place. People have enough to deal with. And so the tech really does a lot of the heavy lifting. It really does. We've got to minimize the amount of approaches people get and then keep on reminding them how difficult this can be. It's always going to be a thing. We will say to a client, we will succeed sooner or later, we will get you. And I'm confident to do that, or all your money back.

Erich Kron:

Yeah, or your money back. I do like this because we're talking now about the prevention, and there are just billions of phishing emails that go out every week. It's insane numbers of how much of this goes. So these technologies keep it to where

Jelle Wieringa:

Fair

Erich Kron:

we're able to do work instead of just

Jelle Wieringa:

instead of just be

Erich Kron:

emails.

Jelle Wieringa:

So cyber security is all about people, process and technology, and you wanna combine those in a holistic way where they each actually add value. That's why you need the tech and you need the training. It's not one or the other. The tech keeps phishing emails away, but it's always that 1% that slips through. And that's why you need the training. Secondly, you can't really change people. You can teach them the right behavior, and once you've taught them the right behavior, they'll start using it in the beginning, but it will fade away. It's like riding a bike. Once you know how to ride a bike and keep on doing it, there's not an issue. You'll know how to ride that bike, but if you haven't done it for a couple of years, once you get on it again, well, it takes some practice. It takes some getting used to, and it's the same with security awareness. You need to make sure that you keep on top of your game. You keep on training, cuz everything is changing around you. All of the attacks are changing. They're becoming more complex. So it's that combination of people, process and technology. If you get that right, that's when you're most secure. We loved listening to Jenny and we can imagine that you did too. So we asked her, how can people follow you? How can they keep up with what you do?

Jenny Radcliffe:

So, my handle on Twitter would be Jenny underscore Radcliffe or people hacker. If you put in people hacker or Jenny security, you'll find me, and I just say to people, you know, the website is human factor security.co.uk, but LinkedIn, Instagram, people hacker, real people hacker. I mean, I mean, easy to F, paradoxically, I'm very easy to find online. I do the Human Factor Security podcast, currently Europe's number one security podcast. I also do a few others as well, so there's plenty out there.

Erich Kron:

I had a great time with this interview and talking to Jenny. I gotta tell you, I, she is such a nice person. I just can't imagine her being a real social engineer.

Jelle Wieringa:

When we went into this podcast, I actually was a bit scared on the one hand and really interested on the other, cuz she's miles ahead of what I do within social engineering. I really look up to her, but then I think, well, that person has all the skills in the world to make my life really difficult, so we can learn a lot from her. So if you haven't yet, please check out her podcast as well. It really is brilliant. Well, that's it from us, folks. Thank you for listening this time to another episode of Security Masterminds. We hope you enjoyed the show. You can follow both Erich and myself through LinkedIn. The links are in the show notes, and you can follow this podcast through all of the major podcast platforms. We hope you join us again. See you next time. Say goodbye, Erich.

Erich Kron:

Goodbye, Erich.

Announcer:

You've been listening to the Security Masterminds podcast, sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik, with music by Brian Sanyshn. We invite you to share this podcast with your friends and colleagues. And of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.

Introductions
How did you end up in cybersecurity, hacking humans?
How has Social Engineering Evolved?
With Social Engineering do you focus on the Cyber or Physical?
What are some lessons learned from SE failures?
What goes into making the Deception Work?
What is involved in putting together a team?
What is the Timeframe to prep for a job?
What was the impact of COVID on your Social Engineering Jobs?
How long does it take to hack the human?
How does emotion impact the mark?
How do you shape behaviors to protect against Social Engineering?
How can people find you?