Better security through creative hacking
Stephanie ‘Snow’ Carruthers
Chief People Hacker for X-Force, IBM
I hack people to show businesses where their risks are related to social engineering or physical security. In fact, social engineering — getting people to divulge confidential information — is the number one attack vector bad guys use to discover weaknesses and break into networks. I can help our clients find those weaknesses before the bad guys do, so they know where to focus efforts and remediate these attacks. You can patch a computer, or a system, but you can’t patch a person. People are still the weak link.
Today there are college degree programs, but when I came into the cybersecurity industry, there was no traditional path. My husband has a big security background, so I was introduced to it through him. For years, he wanted to take me to DEF CON in Las Vegas, the world’s largest hacking conference, so one year I finally decided to go with him.
First, I went to a technical talk, which was completely over my head, but then I wandered down the hall and found the Lock Picking Village. They taught me how to do it, and I was able to get out of handcuffs and pick a lock that day. Something magical happens when someone picks a lock for the first time. You can see it in their eyes. The Lock Picking Village was my entry to the hacking world.
After I started going to DEF CON, I became fascinated by the Social Engineering Village, where contestants sit in soundproof booths in front of a live audience and try to elicit information from companies. The conference organizer pulled me aside and told me that people actually make careers out of this. Since I am a people-person, I got really interested and bought every book I could on the topic. I studied, and then went back for three years in a row, and I finally won the Social Engineering ‘Capture the Flag’ Black Badge.
Going through the competition in front of a huge audience was terrifying, but it also helped me get outside my comfort zone. That was the moment when I realized I could be successful at this. It boosted my career in information security, and I’ve been invited back, along with my husband, to lead the brand-new Social Engineering Village at the next DEF CON. It’s been quite a journey.
It’s almost like method acting. I adopt an employee point-of-view so I can understand how they think. I do a lot of research on the target company to put myself in their shoes. Social engineering assessments can be done with emails or phone calls or onsite, by breaking into buildings and getting into areas where you’re not supposed to be. I like both methods, but I prefer physical assessments — to be able to see body language and read people.
Before I got into social engineering, I was a special-effects makeup artist for indie films. That experience still helps me to think about things differently. For example, when I go onsite, I might dress a little bit differently. Again, going back to method acting — who am I pretending to be, so I know how to walk and how to talk? Using that experience has been very helpful.
When you think about cybersecurity, you typically think about someone who is extremely technical or knows how to code. That’s stuff you should know, and it’s helpful. However, those skills can be taught. Instead, I look for someone who won’t take yes or no for an answer. They ask questions. They want to figure it out. Curiosity — being able to look at something and think about how to make it work differently — that’s the most important thing.
If you get into an area where you’re not supposed to be, a lot of people will go into a bathroom to collect their breath, just because it’s scary. You could be trembling and sweating. Your voice could be shaking. There’s a lot that’s hard to control, but it’s an absolute adrenaline rush.
I like to push the boundaries as much as I can. For example, before a recent physical assessment, I went online and found a visitor application, which should not have been available on the web. I filled it out with bogus information, went to the target building and gave the application to the front desk security guard. When he issued me a guest badge, that was a huge win, but I didn’t stop there. I like to think creatively — how can I take this a step further? How else can I test them?
Every day, I made it progressively harder for myself to get in. The first day I had the pass with the fake paper. The next day, I printed out the application and left it blank. I folded it in half, presented it, and they let me through. The next time, I showed them a random piece of paper from my purse, and that worked, too. Finally, I went up to the security desk and told them I forgot my piece of paper — and still got past security.
I like to discover where the boundary stops. It’s one of the things I teach my team. Once we start an assessment, we go through all of our objectives. But at the end, that’s where we play. We try new concepts and new techniques because this is where we advance our craft. And that’s where the fun is.