Make Social Engineering Your Career
Last month I covered the question we get all the time: “What should I take in college to become a social engineer/pentester?” But I must say that one of the questions we get equally is, “How can I make this my career?” The conversation starts this way:
“Dude, it must be so cool to get paid to phish people and break into buildings and steal stuff. Is it cool? Is it? No, really is it?”
Me, “Yah its pretty cool. I love my work, but it’s not all glory. Its like 10% glory and 90% actual work.”
“Yah but its cool right? How can I get a job doing that? Hire me!”
Okay, maybe the conversation goes a tad bit differently, but that is the general gist. I wanted to outline the things that I feel are important to making SE your career, and I am sure there may be others, but overall this is what I feel makes up a good social engineer and how anyone can get into this career.
Everyone’s gotta start somewhere
I was recently talking to a friend who gets really upset when they see someone start off in a new field and portray themselves as something they are not. I see their point, and at the same time, I feel that everyone has to start somewhere. Maybe you are a mechanic, network guy, chef, secretary, marketing guru, jr. pentester or straight out of school, but at this moment you decided to make SE your career. You have to start somewhere.
So own that moment, use your new excitement and energy to promote who you are and what you have done, not what you will do. Being a good social engineer is about being able to communicate with other humans. It is not just about manipulation, but communication.
I was not always the CEO of a company that does only social engineering services and training. I held many roles in my career from window washer, floor cleaner, sales guy, negotiator, network admin, landlord, security auditor, trainer, motivational speaker, computer repairman, and one of my favorites; chef. It is only in my recent life that I have settled here and made this my life’s path.
Sure, everything I have done in life lead me to this path, so I feel; but I didn’t wake up one day at the age of 5 and decide I was an SE. Since we all have to start somewhere, here are a list of the things I will tell you if you email me and ask me how to make this your career.
Now before I start the list, let’s get one sobering fact out of the way. Please take a moment to ponder what you are asking.
Did you get it? You are asking for a company to hire you and trust you to break in via phone, email or in-person and to trick, influence, dupe and then steal from their employees. Who do you hire to come and watch after your baby? Is it the scruffy-looking, scary dude on the street corner that looks like he might be too high to take care of himself? Or is it the responsible-looking person who gives off the appearance of professionalism and has good referrals?
Now this is not about your looks – this is to help you realize that what you are asking is to make a career of the very thing that is to expose the most private and personal parts of a person’s “baby” or company. Please ponder that as I go through this list.
Experience:
This may seem like a giant catch 22. You need to get a job doing this to get experience, but I am saying you need experience to get the career. I know this might seem a little confusing but let me clarify.
Don’t expect to start off as the CEO. You may need to take it in the chops a few years before that. You may be starting off working as a grunt on a team, learning from and writing reports for (ugh yes) this team ‘til you are asked to take lead.
But as you grow, so will your resume of what you can say you have done and been a part of. In the meantime there is something else you can do.
I am not talking about grandstanding, no, I am talking about giving back to the community. Can you write an article on social engineering? Can you help develop a tool? Can you apply to give a speech at one of the cons coming up (there’s always one)? Can you devote time to some research?
Any of these things can help get your name out there. Social-Engineer.Org is always looking for people to blog or write about SE. Once you do a few things and get your name out in the open people will start to equate your name with social engineering. As that occurs it will be easier to move into this as a career.
Can I give one personal word of caution? In the past couple years I have heard just too many people trying to do this very step by kicking down someone else. If I can use a personal example. Look, I get it, not everyone finds me attractive (ok basically no one). Not everyone thinks microexpressions are real. Not everyone thinks that body language is so important. Not everyone agrees with me that influence is better than manipulation… or even that influence and manipulation are all that different. But if you feel that to make yourself a name you have to call out my apparent lack of smallness, your disdain for people who believe in microexpressions, body language or the use of influence then you are trying to increase your name by cutting down the name of others.
There is an old proverb that says, “Rudeness is a weak imitation of strength.”
I read a paper that said that only 5% of the companies in America right now are taking advantage of phishing training companies. There is MORE than enough work for all of us, without having to attack each other to get it.
Remain humble:
Social engineering is not new, but those who have skill in it are sometimes feared or revered. With that admiration it can be hard to stay humble at times. Nothing attracts people to want to work with you more than humility. By remaining humble you also remain teachable and that means you can always learn something new. That is a win in SE World.
Make sure your desire is to help:
Imagine this. You go to the doctor for a weird rash on your leg. When you get there, the nurse puts you on the scale. She looks at the number and goes, “HOLY CRAP! You are fat!” and then laughs. You walk into the room and sit on the table a little sad and wait for the doc and he comes in to look over your chart and proceeds to tell you how stupid you are. “If you ate better and exercised you might not have this problem, moron.”
By now, you are looking for a new doc. Well, when a client comes to you to diagnose their problems if your number one goal is to show how awesome YOU are, and to always blame the victim then you will surely turn off the customers. Remember there are very very few stupid users, but there are a LOT of uneducated users that need help. How we view then talk to our clients can make a huge difference.
Okay so now you start writing, blogging and speaking on SE, you promote yourself without the use of insulting others and you remain humble… so now the SE work will just fall in your lap? No, not exactly, now you have to start by choosing one of two paths.
Path 1: Get a Job
Start looking for either SE companies or pentest companies that do SE and start making calls. Call around, see who is hiring, what type of work they have and what kind of requirements they have.
Path 2: Start a Company
If working for someone else is not your cup of tea, then you can hang your own shingle, put up a website and start offering SE services to local companies that know you. If you did the steps above, it will be easier since they know you or you can refer to public work you have done.
Actually, either path you want will be easier if you followed those steps above. Now I can’t take the time to outline how to start an actual SE company here as there are so many aspects to that it just doesn’t fit in this newsletter. But if you can master the tips above, the path that fits you best will become very evident.
I can tell you personally, the world of SE is rewarding and fulfilling. I get to help people every day. Yes, it is a heck of a lot of fun to do what I do too… that is a great bonus, but overall, I leave my job everyday feeling satisfied that my team and I are making a difference.
‘Til next month.
Written by: Christopher Hadnagy