Homegrown Hacker: The Good Kind
In the workplace, every piece of information and every image you post on social media has the possibility of being used for large-scale security breaches. Personal information shared online may be gleaned by social engineers who use psychological techniques to manipulate employees into divulging information that could lead to a cyber attack.
The social engineers are searching for financial data; details about your computer hardware and software, where you travel and shop, your favorite airline or hotel chain and the names of your friends and work colleagues. They can then use this information to build your trust.
Security expert Rachel Faber Tobac, Mt. Lebanon Class of 2007, is CEO of the San Francisco-based consulting firm SocialProof Security, which she co-founded in 2017 with her husband, Evan. Their firm has helped companies ranging from small mom and pop shops to some of the largest technology companies in Silicon Valley, such as Facebook, to protect themselves and their data from malicious attackers.
As Tobac emphasized at a recent Tech Talk in San Francisco, “Every picture you post from work, every status, every photo is a potential back door to your employer’s data.” Translation: that selfie you take at your desk in front of your computer with the anniversary bouquet your husband sent to the office might seem innocuous, but it’s not.
SocialProof Security teaches clients that the first line of defense against cyberattack is their own employees. When Tobac contracts with a company, she engages everyone from the janitorial staff to the CEO in security training so that no one inadvertently divulges private information. In addition to hands-on training, her firm offers social engineering penetration testing and social engineering security assessments.
Tobac graduated from Allegheny College with a dual major in applied behavioral analysis and neuroscience. She didn’t specifically aim to enter the security field; still, “studying the human brain and especially human behavior was the ideal building block for me,” she says. When she and Evan, a 2007 Chartiers Valley grad, moved from Pittsburgh to the Bay Area, where he worked in the security field, she joined Course Hero, an online study aid, and began researching user experience—how people interact with apps, websites, operating systems, etc. and whether their experience is negative or positive.
At her husband’s suggestion, she flew to Las Vegas to watch the popular social engineering Capture the Flag competition at DEF CON, one of the world’s largest hacker conventions. Since 1993, the conference has attracted computer security professionals, journalists, lawyers, government employees and hackers, all of whom are interested in learning about any software, hardware or other device that can be hacked.
For Capture the Flag, people compete in glass sound-proof booths to see who can break into a company’s system via their employees using the phone. The more secure the information, the higher the points earned. (No real data is compromised.) Intrigued, Tobac applied and was accepted to participate the following year. Competing against seasoned IT professionals and hackers; she earned second place and was invited to compete the next year.
Preparing for Capture the Flag meant investing hundreds of hours researching strategies for extracting information by phone from employees, commonly called vishing. Tobac’s resulting success in the competition showed her she had what it takes to think like a white hat hacker—a computer specialist who breaks into protected systems and networks to test and assess the strength of their security—and continues to benefit the firm she and Evan formed.
But it isn’t just good computer skills that led to her success. Tobac is outgoing, resourceful, tenacious, funny, creative, solves puzzles and performs well under pressure. These traits, combined with experience in improvisational theater, helped her become the good kind of hacker—a trainer who helps companies protect themselves.
Here are a few basics tips Tobac share with trainees:
Never post photos of your computer or post statuses about work on social media. This exposes your software details which can be used to tailor cyberattacks to your computer.
If you post something about your job, remember that it is information criminals could use to gain your trust. Just because someone knows who your boss is, what you work on, or what software you use doesn’t mean they are trustworthy. Be politely paranoid of people who reach out to you for information or try to get you to click on or type in links.
Realize that hackers can seem friendly and non-threatening, which can make us more trusting than we should be with our employer’s information
And Tobac’s number one tip?
Workplaces need clear social media guidelines for employees and third-party vendors.
For more information, visit www.socialproofsecurity.com.