Career Notes 2.6.22
Ep 86 | 2.6.22

Chris Hadnagy: Show them that you're worth it. [Social engineer]


Chris Hadnagy: Hello. My name is Chris Hadnagy. I am the CEO and Chief Human Hacker at Social-Engineer and CEO at The Innocent Lives Foundation.  

Chris Hadnagy: I won't go back as far as like four and five, when I thought I was going to be an astronaut or whatever, but I was in college and I was in a programming class and, uh, modems had just started coming out. We had 4800 baud modems. And I was practicing some scripting and I was like a minor phone phreaker. Like I love the idea of figuring out how phones worked and I, you know, carrying the Cap'n Crunch whistle and getting free phone calls and all that. And I had figured out how to create the same tones using a computer that you could with the whistle. So I wrote a script that dialed a number, it then played that tone that told the number to shut itself off for about 90 seconds. And it then dialed another number, hung up and dialed another number. And then I threaded it. So I was doing like 16 numbers on one modem. Then I connected two modems using, here kids, an LPT1 cable and I connected two modems so I can do 32 calls at once and I ran this. And I ran it for about 15 minutes. I wasn't trying to be disruptive, but I shut down, uh, 75% of Sarasota County's phone system for a day. Everything went dark. Police came to the college and they went, "Ah, who did this?" And I went, "Oh, that, that was me." Cause at the time there weren't any laws. And they're like, "Don't do that again son, that was bad." And the dean went, "Okay, we're embarrassed, you're out." And kicked me out. And I went, this is what I want to do with my life. I'm like, this was amazing. I want to learn how that happened. I want to know how that worked. I want to know everything about that. And that kind of started the fire in me that I wanted to understand InfoSec technology, all that different stuff.  

Chris Hadnagy: I became a chef. I owned a window cleaning company. I was a car detailer. I then went to go be an IT person at a manufacturing company. And while I was there, I talked them into letting me become a negotiator for stainless steel in India and China. And I traveled the globe negotiating prices on stainless steel and then I got bored with that, and that's when I'm like, I gotta go do other stuff. And that's when I entered the realm of learning offensive security. 

Chris Hadnagy: I started looking for courses. I found the CEH and I found the OSCP. The certified ethical hacker and the OSCP, and I kept looking at both and both had reviews, but, and this is a crazy way to make this decision, the OSCP was cheaper and I said, I had that much money. So I'm going to go there. So I went and I bought the OSCP and I fell in love. Oh my gosh. The OffSec course was like a new type of education. Something I never experienced getting to actually do the thing, not just read about it. Having someone push you to create programs, to write scripts. I was learning like a sponge. I would stay up all night and then worked in the day. I became an addict. I literally was like a drug addict on this. I kept buying lab time. This is maybe not so humble brag, but I was the first person to ever break FC4 in their network that this machine that they put up that was supposed to be an unbreakable. It took me like three straight days. And when I broke it, the owner of the company reached out to me and he said, do you want a job? He was like, you broke FC4. If you pass the cert, then let's talk. I went and took the cert. I passed it first time. I know it's a huge deal. And then I met him in DC. He came in and at ShmooCon, I got hired to be the operations manager and co-trainer for Offensive Security. 

Chris Hadnagy: I can't even describe it as like a dream come true. And I also learned that I was never going to be a coder. It wasn't going to happen. Every time we did a pen test, I'm like, I'm better at talking to people. I'm better at sending a phishing email. I'm better at picking up the phone. That's what I need to do. He goes, "Why don't you write a framework for social engineering?" It took me about nine months. I wrote the framework. I put it on and overnight, I couldn't believe the amount of people that were on it. I get a call from Kevin Mitnick's publisher and they say, "Hey, no one has ever written about social engineering like this. Will you write a book?" And I'm like, no, I'm not an author. Like I, I'm not interested. And I hung up. So I call her back and I'm like, "Hey, I changed my mind." So I wrote my very first book, "Social Engineering: The Art of Human Hacking." Do not read it. It's horrific. But that was a labor of love. 10 months later, that book came out and it changed my whole life.  

Chris Hadnagy: When I started out, I would describe myself pretty much as a jerk. Um, I was, I'm a very D type communicator, which means I'm really direct. And I learned over the last decade that that is not a great way to lead. You don't garner loyalty when you lead that way. And I learned that by teaching social engineering as a communications tool. I would say now that my leadership style is more, something based very much on empathy and where I really do care about the people that are under me to the point that sometimes I make even bad decisions for business because I care about them. And one of the other things I learned is that good delegation means that when you give somebody a task, you back away. You know, you stay available if they need you, but you back away, and that gives people empowerment to really own projects and then to feel a lot of pride when they accomplish those projects. 

Chris Hadnagy: First of all, read a lot, get educated. What I tell people is get educated and it doesn't mean go to college. You can, but I think read books then start writing and sharing content with the community. Cause this shows people you're educated. Write a blog, spread some free knowledge, put the things you're learning out there. Help other people learn. That's what started me as writing that framework, is getting knowledge and then sharing that knowledge for free, not expecting people to pay for it. And then you'll find that people will come to you and they'll go, "Hey, I really liked that article you wrote on this. You know, can you come on the show or can you come talk to my people or can you do that?" 

Chris Hadnagy: Another path is you can do the same thing with education. But you go to a pen test company or an InfoSec company and you get hired and you start from the ground up and you start to work your butt off and offer your help in the SE world and doing this and that, and eventually you'll see, they'll start using you more and more, and you build a name for yourself. There are 526,000 jobs in the U.S. alone that are needed in InfoSec. I tell any person that wants to be in this industry, you can find the job. Just don't expect to walk in the front door and say, "Pay me." Show them that you're worth it.