
Okay, we have Rachel Tobac talking about how the path to infosec is not always linear. She is the CEO of Social Proof Security, where she helps people and companies keep their data safe by training and pen testing them on social engineering risks. She was also a winner of Def Con's wild spectator sport, the social engineering capture the flag contest, three years in a row. She has shared her real-life social engineering stories with a variety of different publications and many more. In her remaining time, she works as chair of the board for the non-profit Women in Security and Privacy. Without further ado, Rachel. Thank you. Thank you. Thank you. Can everybody hear me? Yes? Okay, awesome. Thank you so much
for coming today. I'm really excited to be here. This is probably the largest screen I've ever gotten the chance to present on, so I'm really excited. Today we'll be taking a deep dive into how I went from the rat lab to hacking some of the largest companies in the world, what I learned along the way, and there will be a few surprises today as well. So we just introduced me, but I figured you might want to see a real cool picture. My name again is Rachel Tobac. I am a hacker, but I'm a human hacker, and I got my start in infosec in a competition called the Def Con social engineering capture the flag, SECTF. Who here has
seen an SECTF call before? Awesome. Okay. So we're given a real-life company target. We have about 20 minutes to hack them in a glass booth and we have to call them. They don't know we're calling, and then we try and get as many flags, or pieces of information, as possible in that amount of time. We also do this live in front of an audience of 500 people, so that's fun. I have been a winner of this Olympic-style event for the last three years in a row. Specifically, I've gotten second place for the last three years in a row, so I'm quite consistent. When I'm hacking over the phone, I'm able to gain access in a little less
than 5 minutes, but I'm not malicious, as I've already mentioned. I'm a white hat hacker. I'm the CEO of Social Proof Security. I do vulnerability assessments, phishing pen tests and social engineering training, in addition to training red teams. I'm also the chair of the board for WISP, and we're going to have some cool WISP announcements today as well. Recently though, I've been doing quite a bit of thinking on my non-linear path to infosec, but first things first. I tweeted about this, the fact that I'm going to be on this massive screen here, and I also tweeted about the fact that I am under 5 ft tall, and so by having myself on this screen, I am 10x-ing
myself, which is very Silicon Valley. And then Will B had a brilliant idea, make a 6-in version of yourself and then you will 100x yourself. So that's what I did. And I brought the whole outfit so you can see it. Here I am. Not going to put the whole thing on, but can somebody take a picture for my future pitch deck so you can see that I'm 100x-ing myself? Yay! Sure.
Thanks. I appreciate that. Figure some venture capitalist will want to know what I mean by 100x one day. Okay, so what do I usually talk about? Usually I'm talking about the majority of cyber attacks starting with some sort of human element and how the cost of that is about 11.7 million dollars per company on average. I'm also talking about usually the exploits that we use, the principles of persuasion that you can't switch off. So I talk a lot about Robert Cialdini, his book Influence, but that is a different talk, so we're not going to go into that today. We're also not going to go into the major tips that I have, but in case you want to bring them back to your
company, these are the tips that I have on social engineering. Be politely paranoid is the thing that I probably say most often. But today I'm here to talk about my non-linear path to infosec. So let's go back to the beginning. Woah woah woah. The very beginning. My path to where I am now was definitely not linear, but if I was paying attention, I probably could have guessed it. Here I am in the '90s holding a large hunk of continuous feed printer paper like the cool techie that I am. And I was a pretty loud and rambunctious child. I actually still am to this day. I had a flair for the imagination. My first sentence that I ever said, first
full sentence was things come to life in my imagination. Extremely creepy. But true. I was always interested in human behavior and understanding persuasion. Usually just because I wanted to talk myself out of detention, but I didn't realize back then that this had a name, social engineering. I had a love for science at a young age. I fell in love with science when I learned that you can win prizes by coming up with cool ideas. This has clearly stuck with me and here I am with my groundbreaking science fair project, how flowers absorb colored water. Newsflash y'all, if you put food coloring into white carnation water, it will turn them blue. And I did win for
this, which is extremely exciting. I won what's called a future scientist award, which I feel is a little off cuz I was definitely a full-blown scientist at this point. The takeaway that I had at this point was you can win contests for science and you can get prizes. I found that very cool. Then this movie came out. Who here has seen this movie before? Yeah, it's extremely fun. It's a little orange VHS cuz it was on Nickelodeon. So if you're around my age and if you're a girl, then you know that this movie revolutionized the way that you feel about yourself. I for the first time in my life realized that girls could also sneak around. They
could also do OSINT, open source intelligence gathering and could change the world with their discoveries. This was the very first time that I realized a girl could do this, but I was still missing the fact that a girl could get paid to do this until a few decades later. My takeaway from this point in my life, girls can be spies, too. And as soon as I learned that I could be a spy, I started a journal. My very first OSINT work started when I was around 6 years old. Here I am when I first started that journal. I found that journal recently and I went back and looked at it and the majority of the
findings that I had were about macaroni and cheese. So don't feel bad that you started OSINT maybe a little later in life. This began my curious rambunctious years of my childhood. I was a wild child and I got in trouble constantly. I struggled really hard in school. The sciences did not come easy to me, so I made up for it by passing notes and just laughing as much as I could. I soon found a love for improv, musical theater, creative writing and pretty much anything that had to do with being social. That was what I could control as a kid, so I leaned into it really hard. I wanted to go into honors English and
be a creative writer one day, but I had a gatekeeper. My gatekeeper was my English teacher at the time and I came to her with a slip. She had to sign the slip in order for me to be able to go into honors English and she said to me, "Rachel, I'm not going to sign your honors English slip because I know if you go into that class, you will fail. But I'm sure I'll see you on MTV one day." If anyone knows anybody at MTV, please reach out and let me know because I would love to give her a shout out. By the way, I got an A in honors English. Ultimately, all of this clowning around
throughout school made me a better social engineer down the line. I learned how to build relationships quickly with my teachers to try and get better grades, cuz I wasn't getting them naturally. I learned persuasion and communication, which helped me in mock trial, which is why I have this super cool suit on. And it also helped me talk my way out of detention multiple times. Sometimes I had detention every single day in a week. And it allowed me to sweet-talk my way into the computer lab to use AIM Express when I was actually stuck after school in detention. Honestly, I don't know how good of a human hacker I would be now if it wasn't
for this part in my life. So I learned something really important here. The struggle isn't just part of the journey, it's what allows for success later. It took me a while to learn what I was good at. I learned about neuroscience and AP psychology at the very end of high school and I fell face first into neuroscience, behavioral sciences, and I got into a small liberal arts college in Pennsylvania and I pored over behavior modification textbooks and spent my nights hacking, basically, in the rat lab. I didn't know what I was doing, but I kept coming up with studies, and eventually I had kept my sense of humor and showcased my skills with my
groundbreaking project how to train a rat to press a lever when it hears T-Pain but not the rapper Ludacris. So that was very cool. What did I learn throughout these times? The importance of self-teaching. I learned that I have to try to be able to learn it. This is a pretty hackery mindset, right? So it's something that really stuck with me. I was heads down in a book the majority of the time and pretty much everything that I learned was self-taught because I learned I absolutely suck at school. And many people here might be able to relate to this, maybe not, but that's something that I had to learn on my own through, you know, trial and error over and over
again. And I'm still this way today. I can't read about it. I can't watch a video about it. I mean, I can do those things, but I have to actually get up and do it in order for me to learn how to do it. I got my degree in neuroscience and psychology from a small liberal arts college like I mentioned before in Pennsylvania and I wasn't exactly sure what to do with it. I became a special education teacher and moved out to San Francisco. Here I am. And I'd always been really into comedy. So in order to kind of ease the transition of moving out to San Francisco from Pittsburgh, I started taking improv classes in the
city. Eventually, after practicing for a year, I started performing improv Friday and Sunday nights, not Saturday though. Not good enough for that. I learned how to think on my feet, and I got comfortable on stage and got over my fear of failure during improv. I also learned that humor can get you pretty far, which is very related to social engineering. We'll get there. My takeaway from this point in my life is, don't fear the failure. You have to fail in order to get good at stuff, so you might as well try it. Then, dun dun dun, Def Con happens. My husband's a cybersecurity researcher. He goes to Def Con. And he goes, "Hey Rachel." He calls me
while I'm at work on a Friday and he's like, "You know how I told you that you don't have to come to Def Con and I'm just going to be hanging out in Vegas." And I was like, "Yeah." He's like, "I lied. You have to come." I was like, "No, I don't know what I'm doing. It's going to be over my head. I'm not smart enough." And he's like, "No, you should really come. There's this thing where people get in glass booths and they hack people and they don't use code to do it." I was like, "Okay, well, I guess I'll try it." So, I flew out there Friday night. And by the time I got
there, as you know, Def Con's like pretty much like half over at that point. But I found all of the different rooms. I found the CTF rooms. I went through this giant hallway. If you remember this insane choke point in Bally's, I guess we're going to have that again this year. Um I see hardware hacking, CTF, chill out room. Finally, I find the SECTF room. And I get there late on a Saturday. By the time I'm actually in this room, Def Con's almost over. I missed the majority of it and I only had time to see two SECTF calls. They weren't super successful cuz they kept going straight to voicemail. If you've ever seen SECTF, you've probably
seen this before. Also, some of the pretexts when they did pick up, who they're pretending to be, they didn't really ring true and they didn't work. So, I didn't get to see a successful call, which was a little nerve-racking for me. But, I couldn't believe it. This sport had everything. Every single thing in my life. It had science. It had spying. It had humor. It had law cuz you're not allowed to record cuz of wiretapping, requiring two-party consent in Nevada. It had leak fashion. There I am. It's very grainy, but look how cool I am. It had behaviorism. And it had improv. So, pretty much all the things that I liked were combined into one sport that
I never knew existed. And I thought, how's that possible that they're going to do this thing out here? This blew my mind. I knew I was home at that point and I had to get accepted to compete. But again, I was a total noob. I'd never done this before, so how was this going to work? I studied for about 20 hours a week on top of my job. I read all of Chris Hadnagy's books. I read Cialdini's book on influence. I listened to podcasts on my way to work. And if you also live in SF, you know that's like an hour and a half commute each way, so plenty of time for podcasts. And I joined InfoSec Twitter, which as
you also know is an important part of this journey. I was so tired at this point in my life from all the learning that I could pretty much sleep like this anywhere. I found out in February that I ended up getting selected for the SECTF. I was selected as a noob. I couldn't believe this. I was given a real-life company target and I got to work. I had about a month or so to find all of the information that I needed on this company and, in this period of time, learn how to actually attack them. I asked for mentors. I got three of them. I watched people hack live on YouTube at Hope. I'm still not sure how they do that.
And I tried everything I could. I called my service providers. I would call um every insurance company that I could think of and try and get information about myself. I basically practiced as much as I possibly could. My call time that first year was on a Saturday. How was I going to get an employee of a company to pick up on a Saturday? I had no idea. I spent about 100 hours doing that OSINT, 50 hours preparing for my pretexts and scripts. And I arrived at Def Con and I watched the calls on Friday. Turns out, I was completely off. Every script, all those hours I had spent writing them, was wrong. I couldn't believe it. I had seen my
first successful call and realized, holy crap, everything I did was wrong. So, I went home from the SECTF and I went back to our shared room. I think we were sharing with like 12 different people at the time. And I got to work. I rewrote all of my pretexts, who I was pretending to be, all of my scripts. I stayed up until 3:00 in the morning finding new phone numbers. And then, it was time for my call. There's nothing else I could do. I had to get in that booth. So, the day of my calls, I got in that glass booth. My heartbeat was pounding in my ears. I could barely hear them when they picked up.
And I gave it everything I got. You're looking at my first ever actual vishing call. I did it live in front of an audience. And that year, the theme of the companies that we were targeting was cybersecurity companies, so no pressure. All of my social engineering script basically employed the principle of reciprocation. So, I would give information about myself, encouraging them to give information about themselves. So, I would say stuff like, "I'm a nervous flyer and I don't know, I'm really scared to go to your training facility. Um, if I get there, I usually just FedEx everything. Does that work for you?" And they're like, "Sure." And then I would say like, "I don't know, I think it's my talk or
whatever is not going to work when I get there and I'm just really nervous that it might be because my machine's outdated and I don't know, I'm so bad at computers. Can you check your computer and just make sure that you're on Windows, too?" Like, "Okay." Right? So, eventually, I got flag after flag after flag. I was shocked that it was working. By the end of the day, I stuck around and they ended up announcing the winners that year in SE Village, and I found out I had won second place. I couldn't believe it, because it was my first ever vishing call and I ended up winning. I just didn't even know that was
possible. So, my takeaway from that point in my life is, don't self-select out. Let other people choose for you that you shouldn't be there or that you don't belong. And that was something that really stuck with me because at any point down the line, I could have said, "Well, I don't know what I'm doing, so I shouldn't be here." Or, "Well, I don't want to get in that booth and look like an idiot." Right? Somebody decided that you were good enough to be there, so you might as well try. That's pretty much what you should do. I decided to compete again the next year. This time the theme of the companies we were targeting were gaming
companies. And this year, I spent about 100 hours preparing and about 20 minutes in the glass booth again. And my call was on a Saturday again. This year, I called a man who was in charge of vendors. He was out to the movies with his son. I'm sorry, I'm a horrible person. I still managed to get the majority of the flags out of him before I heard the dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun dun, and then he was like, "Honestly, girl, I got to go." So, this is also the year that I called the 24/7 NOC agents at that gaming
company. I pretexted as a woman traveling to their location to give a talk to their team, and I wanted to make sure my talk link would work when I got there. They picked up. The pretext worked and I got two of the NOC agents sitting side by side to go to my fake malicious URL over the phone. My takeaway at this point in my life is, you have to let other people tell you no. You have to ask questions that you think people will say no to in order to get anywhere. If I hadn't done that, there's no way I would have won, because why would I think that a NOC agent
would put in that? I competed again the following year. This is this past year at Def Con. And this year, my target was unbelievably challenging. It was a transportation company and they had no access to the internet. And the biggest point value flag during the SECTF is getting a target to go to a fake malicious URL. They could not do this without the internet. I had prepared an internet-less script hoping maybe I could get it to work. And I got into the booth and I pretended to be a new manager in IT support who needed to assist them in getting their machines up to date because I screwed up something on my end, and they ended up falling for
it. It worked. I actually ended up getting someone to go to the fake malicious URL on their phone, because they were on the Wi-Fi network on their phone. And I got second place again. Again, consistent. What did I learn from this experience? Be prepared, but more importantly, it's time to bring other people along for the ride. I've gotten to do some pretty cool stuff at this point. And Def Con changed my life, so I figured it's time to bring other women there, too. I started a scholarship along with WISP with my work. And companies and individuals donated thousands and thousands of dollars last year. And by the end of it, we ended up being able to bring 57
women to Def Con alongside us, which many people in the audience I know here supported us. And thank you so much for that. This is a life-changing experience for women in the industry who have not found support from their employers or are just breaking into the field. And here's just a sampling of those 57 women. Here's an insane wall of text that I do not expect you to be able to read, but you can take a picture and show it to your employer to get the go-ahead to participate possibly as a scholarship sponsor because today we have a very big announcement. Can I get a drumroll, please? The 2019 WISP Def Con scholarship is now
live. We're super excited about this. You can apply to be a scholarship winner using that top link, so you can take a picture of that and go to that whenever you want. And each scholarship will come in at $900. So, last year it was about 800, this year 900. And this will cover the $500 travel stipend to get women to Def Con, the team that supports the scholars on the ground, and enough to cover the rumored Def Con badge price increase. So, every person who reaches out to us and donates some sort of scholarship or helps towards that will be thanked on social media by yours truly, if you're into that kind of thing. I'm not going
to do it if you don't want it. So, if you do end up donating, if you do get your employer to agree to donate to this and send a scholar, that would be awesome and I would love to see that. So, apply now and comment on the WISP thread, which will go up as soon as I get off the stage. So, what am I up to now? I guess my typical start, getting in front of a live audience and hacking like that, wasn't exactly how most people transition into the field, but I get to do some pretty cool stuff now. I now get to train and pen test on social
engineering. I do vishing, so I actually do phone attacks. I train red teams on OSINT and vishing attacks. I get to give keynotes and speak all over the world on real-world human exploits that I actually get to use. And now I'm the chair of the board of WISP, so I get to bring other women along for the ride. And so now, I'm not the only one who has a non-linear path to infosec. It's time to bring other people along for the ride and share the stage. So, right now, I want to have a surprise here and I'm going to welcome up Ashley, Phillip and Elizabeth to share their non-linear path
to infosec for a few moments. And everybody, let's give them a round of applause.
Is this on? Okay. First of all, thank you Rachel for inviting us up on the stage. So, non-linear paths. So, for me, about 6 years ago, I was in my last year of undergrad and I was not sure what I wanted to do next. I was doing computer science, but I loved three things. I loved poetry, I loved business and I loved comp sci. So, I spent the year starting to fill out MBA applications, literature PhD applications, a few computer science program applications, but I thought let's do one more internship to really figure out what I want to do. So, I go to Google and I type into the search bar "computer science internship California," cuz I
also want to be in the sun. So, that year I actually got accepted to go to Stanford to participate in the REU for undergraduates. And that summer was like a staple in my career. I learned a lot about security. I learned a lot about patient health care records and how patient data is like spilled when patients are transferred across state lines. And then at the end, I actually found out that the program was specifically created to introduce people like me, underrepresented minorities, to the field of security. Um, 2 months after I completed that internship, my internship coordinator reached out to me and she said, "You know, you should present what you learned at a
conference we have coming up." And I was like, "What?" She was like, "Yeah, you should just do it." Um, I went to that conference and presented what I learned, but at that conference, I got to see research presented by these professors at CMU, Carnegie Mellon. And I thought, "What is this Carnegie Mellon place? Where is it? I need to go there because this is the stuff I want to learn." So, I go back to my research coordinator and I say, "What should I do?" She said, "You should apply. You should apply to Carnegie Mellon for grad school in cyber security. I think you'll get in." 2 years later, I finished my master's in cyber security from CMU.
And then returned to Stanford to work full-time. So, for the last 4 years, I've actually been an analyst at Stanford. Um, and I don't think I'd be there or on the stage right now if it weren't for two things and that's programs like the Trust program that I did that introduced people like me to fields they don't know exist. And then people who are just like willing to give you a nudge to do things that you're not sure you can do. So, while my path is definitely not linear, I do like to think it came full circle. WOO!
When I graduated from high school in 1984, I didn't have any clue what I wanted to do for a living. College wasn't really in my plans. So, some of my friends recommended to me, since I lifted weights and was a fairly big muscular guy back then, that I should go into professional wrestling. So, I went to wrestling school, and actually during that time, I actually wrestled a bear. And so, I did that for a while and I got married and I had to have more stable income. So, one day I was watching television and a commercial came on about this trade school. They were telling about a course they taught in computer
assisted design. So, I went to trade school to be a computer-aided draftsman. I did that for a while. While I was working in CAD back in the early '90s, you know, I didn't have a lot of exposure to computers, but as I worked in the field, I got exposure to computers and learned about sysadmin work, and I found I had more of a knack for the computer side of things. So, I took a Novell NetWare class. It was like 90 days prior to that, I taught myself how to build PCs. So, I got a job as a sysadmin. Did that for a few years and then moved into infosec and I spent some time in
application security. And when I got laid off from my job at a mortgage company in 2012, it was a dream of mine to become a penetration tester. So, I went to work as a pen tester and then eventually moved into teaching pen testing. So, now my path has taken me to penetration testing as well as teaching penetration testing, which all those years ago when I was wrestling bears, I never would have thought that I'd have been using my brains to make a living.
Hi everyone. Um, so I thought attorney, or female president. That was decided at the age of 10. So, I worked really hard, got to Berkeley. Um, then the world kind of opened up, including minoring and partying. So, I got a little distracted um for a few years. It took me kind of a while to figure out what I wanted to do, but throughout my career, I've basically been a program manager in some way or another. Um, at one point, I was working as an immigration paralegal, super passionate about the work, but if you live in the city, you know that you're not going to make it as a paralegal here for very long. Um, and I happened to be traveling
to visit my family down in San Diego and I randomly said something to the woman who was behind me in the Clear lane and I was like, "You know what? I'm just sitting at the bar for like 2 hours. You want to join me?" She's like, "Yeah." So, we chill. I mean, I'm talking to this person I'm never going to see again. So, I'm like spilling my whole life, telling her what I want to do, and there's just kind of like a mentor-mentee kind of conversation happening for a couple hours at the bar. Mimosas, you know, probably help the conversation go. Um, I land and she gives me her card and I was like,
"Okay, cool. Nice to meet you. Bye." Um, she follows up. I read the job description that she referred me to and I was like, "What? I don't know any of that." I mean, nothing with regards to information security ever in my life. I'm like, "They said this is crazy. Let me send her my resume that will show her that I've never done anything in this field." Um, she follows up. She sets up a whole interview for me. So, I met her Friday. By Thursday, I have a group interview with her whole team. By Friday, I have a job offer and Monday, I accept it. I never stepped into the office. They were based in Mexico. So, I'm like, "Do I mean, am I
jumping off a cliff into like an abyss, or is this the best thing I've ever done for myself?" It was the best thing I've ever done. Um, and now I work for a penetration testing firm. I'm their program manager there. I love it. I'm super happy where I am, and now, because I work for a boutique consulting firm, I've also learned everything about infosec and kind of have decided what to pick and choose and what I like, and it's been a really amazing past 4 years and I'm really happy to be a part of this community. Yes. Love that. So, the last couple of takeaways we have here are, the first thing that I really
hope everybody takes out of this is to realize that you don't want to self-select out. Let other people be the ones that tell you no. You want to go out and do as many things, apply for as many things, talks, competitions, anything like that. Let the other people decide you're not good enough. You don't want to be the one that decides that yourself. The next one is embrace the failure. That's where the good stuff happens. And the last thing that I have is hire folks from non-linear paths, because the other side for sure already has. Thank you so much.
Thanks everybody. Thank you.