{"id":18016,"date":"2025-08-26T18:34:56","date_gmt":"2025-08-26T22:34:56","guid":{"rendered":"https:\/\/joindeleteme.com\/?p=18016"},"modified":"2025-08-26T18:38:51","modified_gmt":"2025-08-26T22:38:51","slug":"def-con-redux-with-rachel-tobac","status":"publish","type":"post","link":"https:\/\/joindeleteme.com\/blog\/def-con-redux-with-rachel-tobac\/","title":{"rendered":"DEF CON Redux with Rachel Tobac!\u00a0"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">This Week on \u201cWhat the Hack?\u201d<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">If You Have to Ask What a Penetration Test Is, You\u2019re Probably Not Ready for One.&nbsp;&nbsp;<\/h2>\n\n\n\n<p>The simplest trick in a hacker\u2019s playbook is asking nicely. This week we double down with our second installment focused on the most basic method of cyber attack: Social engineering.&nbsp;<\/p>\n\n\n\n<p>As social engineer and SocialProof Security CEO Rachel Tobac explained to me at DEF CON, the most effective attacks are often focused on tricking people into an exploitable trust situation.&nbsp;<\/p>\n\n\n\n<p>The human element is often the attack vector because it reliably yields security vulnerabilities. So you\u2019d think that\u2019s something you want to test for at your company, right?&nbsp;<\/p>\n\n\n\n<p>According to Tobac, most organizations that ask for a penetration test aren&#8217;t prepared for this kind of attack, and in her work she routinely turns down requests because a pen test against an unprepared organization is often demoralizing, and usually a waste of time and money. 
As with all tests, her view is that it\u2019s best to take the class first, study, and then see how you do.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"On Our Podcast This Week:\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/Ht6F7zn5UEk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">All Too Human<\/h2>\n\n\n\n<p>When it comes to things cyber, the most effective attacks exploit human nature. The Social Engineering Community Village at DEF CON is the proving ground for this cybersecurity home truth. Gamifying the process, contestants enter a soundproof booth and call real companies to get real sensitive information in real time. The goal isn&#8217;t to be mean or threatening; it&#8217;s to provide proof of concept that the human vector is real, and that there is a solution.&nbsp;<\/p>\n\n\n\n<p>This is all about learning by doing. Social engineers, attackers, and pen testers build rapport quickly, using small details to create a convincing story. The approach is informed by hours spent scouring public information\u2014from social media profiles to data broker sites\u2014to find clues to start a conversation, connect, and draw out information. 
A seemingly harmless detail found online could be the key to a physical breach.&nbsp;<\/p>\n\n\n\n<p>As Tobac explains, attackers know that even the most secure companies can be breached with the help of a well-placed phone call or a friendly voice.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"On Our Podcast This Week:\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/xJM9eJfbFDg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">The Art of Target Hardening<\/h2>\n\n\n\n<p>Q: If a pen test isn&#8217;t the first step, what is? A: target hardening.<\/p>\n\n\n\n<p>Before Tobac ever attempts to hack a company, she works with them for months, and sometimes even a year, to update their security protocols. This isn&#8217;t a top-down mandate; it&#8217;s a collaborative process. Tobac runs workshops where frontline teams, like the IT help desk, are empowered to create their own identity verification procedures. By giving them ownership of the process, they&#8217;re more likely to follow it and feel confident in their ability to stop an attack. This approach ensures that a company&#8217;s defenses are built from the ground up, making the entire organization a much tougher target. When a pen test finally happens, it&#8217;s not a demoralizing, 30-second failure; it&#8217;s a meaningful exercise that tests a team that is ready to defend itself.<\/p>\n\n\n\n<p>This layered, inside-out approach makes companies stronger before she ever tries to break in. 
But even the best in-house processes can\u2019t erase the fact that employees\u2019 personal details (phone numbers, home addresses, favorite movies, recent vacations) are shared across the internet, waiting to be exploited in a social-engineering attack.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"On Our Podcast This Week:\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/EV7DBKkaCWI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">The First Step Is Data Removal<\/h2>\n\n\n\n<p>One of the easiest ways to harden your company is to make it an annoying target. Attackers want the path of least resistance. If your information is hard to find, they&#8217;ll just move on to the next target that has its data readily available.&nbsp;<\/p>\n\n\n\n<p>This is where a digital footprint cleanup comes in. You can start by manually removing your information from data broker sites, or you can use a service like DeleteMe to do the work for you. Proactively removing this information is the first and most crucial step in making yourself less of a target.<\/p>\n\n\n\n<p>Whether you\u2019re a company or an individual, don\u2019t wait to be hacked to realize you were never ready. Build resilience. Focus on preparing your team, strengthening your protocols, and cleaning up your public data first. A strong defense isn&#8217;t built in a day; it\u2019s built one smart step at a time.<\/p>\n\n\n\n<p>A pen test shouldn\u2019t be the first step in security. It should be the final exam. The real work happens long before. 
By the time the test comes, the goal isn\u2019t to catch you off guard; it\u2019s to prove you\u2019ve already made yourself harder to hit.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This Week on \u201cWhat the Hack?\u201d If You Have to Ask What a Penetration Test Is, You\u2019re Probably Not Ready for One.&nbsp;&nbsp; The simplest trick in a hacker\u2019s playbook is asking nicely. This week we double down with our second installment focused on the most basic method of cyber attack: Social engineering.&nbsp; As social engineer [&hellip;]<\/p>\n","protected":false},"author":37,"featured_media":18022,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[38],"tags":[],"class_list":["post-18016","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn-more-data-brokers"],"acf":[],"_links":{"self":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/posts\/18016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/users\/37"}],"replies":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/comments?post=18016"}],"version-history":[{"count":0,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/posts\/18016\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media\/18022"}],"wp:attachment":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media?parent=18016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/categories?post=18016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/tags?post=18016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}