
DEF CON Redux with Rachel Tobac! 


Beau Friedlander

August 26, 2025

Reading time: 4 minutes

This Week on “What the Hack?”

If You Have to Ask What a Penetration Test Is, You’re Probably Not Ready for One.  

The simplest trick in a hacker’s playbook is asking nicely. This week we double down with our second installment focused on the most basic method of cyber attack: social engineering.

As social engineer and SocialProof Security CEO Rachel Tobac explained to me at DEF CON, the most effective attacks are often focused on tricking people into an exploitable trust situation. 

The human element is often the attack vector because it reliably yields security vulnerabilities. So you’d think that’s something you want to test for at your company, right? 

According to Tobac, most organizations that ask for a penetration test aren’t prepared for this kind of attack, and in her work she routinely turns down requests because a pen test against an unprepared organization is often demoralizing, and usually a waste of time and money. As with all tests, her theory is that it’s best to take the class first, study, and then see how you do.

All Too Human

When it comes to things cyber, the most effective attacks exploit human nature. The Social Engineering Community Village at DEF CON is the proving ground for this cybersecurity home truth. Gamifying the process, contestants enter a soundproof booth and call real companies to get real sensitive information in real time. The goal isn’t to be mean or threatening; it’s to provide proof of concept that the human vector is real, and that there is a solution.

This is all about learning by doing. Social engineers, attackers, and pen testers build rapport quickly, using small details to create a convincing story. The approach is informed by hours spent scouring public information—from social media profiles to data broker sites—to find clues to start a conversation, build a connection, and extract information. A seemingly harmless detail found online could be the key to a physical breach.

As Tobac explains, attackers know that even the most secure companies can be breached with the help of a well-placed phone call or a friendly voice.

The Art of Target Hardening

Q: If a pen test isn’t the first step, what is? A: target hardening.

Before Tobac ever attempts to hack a company, she works with them for months, and sometimes even a year, to update their security protocols. This isn’t a top-down mandate; it’s a collaborative process. Tobac runs workshops where frontline teams, like the IT help desk, are empowered to create their own identity verification procedures. By giving them ownership of the process, they’re more likely to follow it and feel confident in their ability to stop an attack. This approach ensures that a company’s defenses are built from the ground up, making the entire organization a much tougher target. When a pen test finally happens, it’s not a demoralizing, 30-second failure; it’s a meaningful exercise that tests a team that is ready to defend itself.

This layered, inside-out approach makes companies stronger before she ever tries to break in. But even the best in-house processes can’t erase the fact that employees’ personal details (phone numbers, home addresses, favorite movies, recent vacations) are shared across the internet, waiting to be exploited in a social-engineering attack.

The First Step Is Data Removal

One of the easiest ways to harden your company is to make it an annoying target. Attackers want the path of least resistance. If your information is hard to find, they’ll just move on to the next target that has its data readily available. 

This is where a digital footprint cleanup comes in. You can start by manually opting out of data broker sites, or you can use a service like DeleteMe to do the work for you. Proactively removing this information is the first and most crucial step in making yourself less of a target.

Whether you’re a company or an individual, don’t wait to be hacked to realize you were never ready. Build resilience. Focus on preparing your team, strengthening your protocols, and cleaning up your public data first. A strong defense isn’t built in a day; it’s built one smart step at a time.

A pen test shouldn’t be the first step in security. It should be the final exam. The real work happens long before. By the time the test comes, the goal isn’t to catch you off guard, it’s to prove you’ve already made yourself harder to hit. 
