Jenny Radcliffe PHOTO: Human Factor Security.

A Psychological Hacker Bridging The Gap Between Humans And Cybersecurity

Jenny Radcliffe: A People Hacker from Liverpool

Di Freeze, Managing Editor

Northport, N.Y. – Sep. 11, 2019

Jenny Radcliffe is a “hacker,” but not what you might initially think when you hear that term. She’s a “people hacker” or “psychological hacker.”

“Outside of the security industry, most people are familiar with the stereotypical ‘hacker’ of popular culture, usually a young male in a black hoody hunched over a keyboard, so the term ‘people hacker’ gives a good description of someone trying to achieve the same goals, unauthorized access or manipulation of a system, just without using technology as the means to achieve this,” she says. “In the security industry, I would be known as a ‘social engineer.’”

She says it’s “psychological hacking” because instead of bypassing or controlling computer systems or tech in some way, a social engineer manipulates the human element of a system or organization to achieve their ends.

“As with all hackers, social engineers can be both criminals and on the defense side of the industry,” Radcliffe says. “People hacking bridges the gap between humans and cybersecurity, as often the quickest route into an organization is via the people who work there. Systems and tech are generally well-defended, but it takes an educated and alert human to stop a social engineering attack.”

Radcliffe says that all of us can be vulnerable at different times and to different scams of this type. “Additionally, social engineering is a good place to start when it comes to awareness training, as it’s easier for people to imagine a human-based attack and its potential consequences than a more technical issue that may seem quite intangible to a layperson.”

She says she’s been a social engineer more or less her whole life, although she never would have called it that. “Before I was able to do the job full time and openly, I was a trainer and a consultant in related areas such as negotiation and influence, and I still teach those things today, but with a more security focus than before most of the time.”

She worked in procurement for many years as well, traveling widely for that job. “I always did social engineering on the side, at the same time as visiting suppliers all over the world. It gave me a good understanding of how business works, something that I hope helps when I talk to businesses about their security challenges to this day.”

She recalls how growing up in Liverpool prepared her for what she does now. “Liverpool is a wonderful city, but I grew up at a time when a variety of social and political factors had made it a tough place to be,” she said. “I learned to be streetwise and live on my wits quite a bit. It’s where I first began to ‘read people’ in order to work out social hierarchies and what individuals and groups were intending to do.”

Like many kids, Radcliffe and her friends poked around derelict buildings and got into some mischief. “I learned how to read a crowd, pick a lock, watch people’s patterns, and run fast in Liverpool! More importantly though, Liverpool is a place that fosters creativity, innovation and rebellion, and I hold that with me to this day.”

Catching the attention of the security and intelligence industries helped her launch her career. “I was speaking at conferences about related topics and training people, and I would slip in anecdotes about breaking into buildings or gaining access to places as part of my talks. This led to more and more clients booking me for security assessments and pentests and eventually me speaking at a conference in London as a social engineer.”

Years before that, she was given a job where she was asked to put a card inside a desk, inside an office, inside a building in Liverpool. “The call came through while I was working at my graduate job, and I never questioned who it was or how they found me, but I’ve been working in various guises on a global basis ever since,” she said.

Radcliffe says that every job is different, but some unusual locations, or events that happen, make them more memorable. One location was a theme park. “It was interesting because it was a lot of space to cover and I had to avoid security while hiding behind roller coasters and ghost trains! A place like that at night is very eerie, and I was more spooked by some of the rides and decorations than by the job itself.”

She got inside the control room of the ghost train and lay low while security did their patrol. “I thought they might see me, so I stepped inside the body of the ride. It had glow-in-the-dark skeletons and plastic spiders hanging from the ceiling. I’d like to say I wasn’t bothered, but I was spooked enough to notice my heart rate going through the roof, which made me start to giggle with nerves. The whole situation was vaguely ridiculous, and I was thinking how on earth this had gotten to be my legitimate job!”

One place she got into was an enormous accommodation block and office building at a university. “It had over 100 bedrooms, and dozens of board rooms and offices. The whole place was empty, and I was locked inside until the morning. I’d wandered around and done the job but had the feeling I was being followed around. There was no one else in the building, and back then no security cameras. It was very unsettling, and I ended up very methodically walking around, testing every door and being more thorough than I had to be just to distract myself. There is something very strange about being the only person in a large building overnight, and I was very glad to get out of there in the early morning.” 

She recalls sitting on every bed and turning every light on and off. “I felt like if I missed even one, something strange would happen! I’m not remotely predisposed to anything supernatural or otherworldly normally, so this stood out for me. It shows how fear can grip you and make you act very strangely.”

She’s also done difficult jobs with a full crew of people working with her. “We’ve been chased by guard dogs, climbed over fences, and spent numerous nights on rooftops while finishing the assignment. I was in Europe recently and intended to use a fire exit as my access point. It started to rain very hard and lightning was forking across the sky. I couldn’t use my phone, as it was so wet, so I was fumbling around with the door in the dark trying to open it and hoping I wouldn’t get hit by the lightning before I managed to open the door.”

Once she was inside, the job was very straightforward. “But it’s moments like this when I think I might have considered an easier way to make a living!”

Radcliffe says that tenacity, being calm under pressure, a good imagination and the confidence to improvise are all good traits in a social engineer, but she thinks some other skills can be learned. “The tools of a people hacker would include the ability to build rapport with people quickly, influence and persuasion skills, and good emotional intelligence are all key. Traits that, in my opinion, are less desirable would be attention seeking, arrogance and a lack of self-awareness. All of these will get you busted on a job!”

Radcliffe is still amazed from time to time that what she does now has “legitimacy and is seen as a useful skill that protects people.” “The security industry, and especially cybersecurity, has welcomed me with open arms and has been very open to listening to me when I talk about my career and how it helps protect people. I am very grateful that people are open to hearing about it all, and I am so happy to be part of the community.” 

One of her goals is to bring more cybersecurity events into Liverpool to boost the cybersecurity community there. “We ran the first BSides Liverpool in 2019 and are planning 2020 to be bigger and better than before!”

Radcliffe also likes to hear the personal stories of others in the security industry. This interest inspired her to start a podcast, “The Human Factor.” “The guests do me a great honor coming on the show and being so candid and open about their careers and passions,” she said. “They offer advice to people listening about some of the challenges faced by those of us in the industry and tell us their own journeys into security. The show’s success doesn’t surprise me only because the guests are so amazing, and when people speak honestly about their work, it is always compelling. I’m so grateful to everyone who listens and takes the time to come on the show and share their experiences. I hope I’m documenting the experience and wisdom of a wide variety of people in the security industry at an exciting time for us all.”

Di Freeze is Managing Editor at Cybersecurity Ventures.