CyberWire Daily - Marina Ciavatta: Going after the human error. [Social engineer] [Career Notes]
Episode Date: January 16, 2022. Social engineer and CEO of Hekate, Marina Ciavatta, shares her story of how people think her job is a la Mission Impossible, coming from the ceiling with a rope and stealing stuff in the dead of the night. Marina does physical pentesting. Starting with an unused degree in journalism, Marina turned her talent for writing into a job as a content producer for a technology company, and this appealed to her self-proclaimed nerdism. She fell in love with hacking and got into pentesting thanks to a friend. Marina recommends those interested in physical pentesting "try to find other social engineers to mingle. It's in the name. We are social creatures." We thank Marina for sharing her story with us.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hi, I'm Marina Ciavatta.
I'm from Brazil and I'm a social engineer and CEO of Hekate.
Most people think I'm 007, you know, just like Mission Impossible, I'm coming from the ceiling
with a rope and stealing stuff in the dead of the night, but it's not.
I wanted to be so many things. Astronaut, you know, the good old, I want to be an astronaut
when you're a little kid. I wanted to be a writer for a very long time.
And because of that, I kind of steered my way into journalism, my first degree. So
very far away from where I am today. I didn't even go to get my diploma.
I still don't have the diploma.
I'm finished.
I'm graduated and all, but I just never used it ever.
Growing up, I was, you know, a little nerd.
Still a big nerd, actually, now.
Because of that, gadgets, you know, video
games, computer, they have always been near me. Sci-fi is very big when you're a nerd. Being a
little geek, technology is part of your day-to-day. And you always wanted to, you know, tear things
apart, get to know how they work. At least I was like that. Wanted to be an astronaut when I was a kid, turned into
a passion for astrophysics. And because of that, I've always been quite close to technology.
I always liked storytelling. I've told you for a very long time as a kid, I wanted to be a writer.
I actually wrote a book at six years old. So I carried that dream of communication and storytelling through school.
And one of the teachers, she was like, if you don't do anything related to communication,
you're just going to waste your life because you're very good at it. But I was also a very
punk and anarchist and revolted little teenager. I had a very deep hate against journalism because back in my
country, you know, corruption is very big. It's a poor country. And a great part of that is how
media handles the politics around the country. And I could see that very clearly. And that would
really make me very mad. So I was like, okay, if I have to go to
communications not to waste my life, I plan on going to journalism. That way I can change the
way things are from inside out. I can graduate into a journalism and I can go into the communication
and try to make things a little bit better for us on the other side of this chain.
I really disliked journalism as a career.
Everything, every path that was presented, that you could be a journalist, a sports journalist, or a fashion journalist, or just a news reporter, or all of those options, even radio,
which I really liked. They just didn't seem like good career paths for me. I always wanted to work behind a computer, mostly because even though
I was in communication, I was always quite weird and socially dislocated. I would always have like
social anxiety going to places and all of that. So I didn't want to work close to people.
But writing was quite a passion. So I thought maybe I can be an editor
or something. At that point, I'd given up on the writer dream because I already knew that writers
would starve and make no money. So yeah, going through college, I had a really rough time on figuring out what I wanted to do. I started working in this little geek
website where I started building critiques on video games and web series that I liked.
It paid pretty much nothing, but I would have lots of fun with it. That's when I noticed,
okay, I have to work with something because I guess that's what
makes me happy. I saw this job posting from an information and technology company in need of a
content producer. And I was like, oh, okay, I maybe can write about technology. And at that point,
I had no idea that security, infosec, and hacking were a completely different part of technology.
The people from the company were very surprised with my ease to write about security and hacking.
And I got the job.
It's where I had my first contact with hacking and security.
And I started just falling in love completely with the subject.
You have to learn the stories to be able to tell the stories, so you have to really dive yourself
into the culture and what people are like. I just started to get intoxicated with hacking. Social engineering,
my first contact with it was I started to organize a bunch of hacking and infosec events around the entire country. I have organized more than 250 events of it. And I was like, oh, that's kind of
like hacking for people like me because I was not technical at all. I had a humanities background
and I never dove into the technical field. I was interested in the culture and the behavior,
the way people expressed themselves. And social engineering just spoke very loudly to me at the
time, but I didn't become a social engineer until a few years later where a friend of mine was dealing with this client
and the client asked for a physical pen test. He came to me and he was like, hey, you're very good
with people. Do you want to come and help me with this assignment? Do you want to actually go and do
it? Oh, sure. Of course. Break and enter and steal stuff and I'm not going to go to jail.
Yes, let's do it. And that's how I got my first physical pen testing assignment.
My job is to test all of the security layers, especially the human ones at a company,
and make sure they are indeed prepared and paying attention to security as they should.
Because if they're not, I am going to find their flaws.
Not only that, but I'm probably going to make them make mistakes. I'm going after the human error to take advantage of someone who left a door open or that will believe me and try to
help me and put me inside a room that I shouldn't be. Or they will turn away when I steal something
and they won't say anything. I'm going to test how they respond to my mischievous acts.
I'm a physical pen tester. If you're waiting for me at a door for checking my credentials,
I'm just jumping through the back. I'm not there to the door with your permission.
Try to find people who will help you.
It is very hard to do this by yourself.
You got to go to the events.
You got to know people.
You got to start asking around because this is a huge field and it changes so fast.
For young girls out there that want to be a physical pen tester, try to find other social engineers to mingle.
It's in the name. We are social creatures. We won't push you away. Quite the contrary.
A lot of people ask me about self-control and I gotta say it is really hard.
If you don't have very good self-control, you may get unhinged and that's very dangerous because you realize how powerful you can become. You really have to stay to your script.
You stay very truthful to why you're doing that.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.