In her role as an ethical hacker at Orange Cyberdefense Norway, Ragnhild Sageng tests the security of Norwegian companies using social engineering. In August, she went to DEF CON in Las Vegas, where she gave a lecture on the ethical issues of the job. This week she gave a talk on the same topic at Black Hat Europe in London.
After first studying health and social studies, Ragnhild Sageng shifted her focus to the IT industry, where she worked with operations and support in Viken County Municipality. After three intensive years of full-time study, combined with a full-time job and becoming a mother of three children, she has now landed in a job that involves both human psychology and IT.
As an ethical hacker and penetration tester at Orange Cyberdefense Norway, she specializes in social engineering within IT security. This means using psychological techniques to manipulate the users of IT systems, with the goal of defrauding people or companies. It is something Ragnhild and her colleagues both test their customers against and train them to recognize.
This experience has led to a strong interest in the human side of these engagements, and in whether what pentesters are doing is ethically justifiable.
"When you talk about social engineering in this industry, it's often about how we deceive people. It's war stories. But what about thinking a little outside the box? We want to test people, but are we ethically responsible enough when we conduct tests at customers' premises? I kind of raise my hand and say: have we thought about this? In order to further develop the industry, this is a topic that should have received more attention," says Ragnhild Sageng.
These are not just thoughts she has kept to herself while continuing her work as before. They have resulted in a lecture on the job's ethical issues, which she gave this week at Black Hat Europe in London. This is an internationally recognized cybersecurity event, presenting the most technical and relevant research produced throughout the year. After the presentation at Black Hat, Ragnhild exclaims:
"I felt quite nervous, but people were interested in the topic and many have stopped me and asked questions and been engaged both before and after the presentation, so I am very pleased!"
Ragnhild also received international recognition for her presentation on this topic earlier this year, when she was accepted as a speaker at DEF CON in Las Vegas in August.
DEF CON is one of the world's oldest and largest hacker conferences, held in Las Vegas, USA, every year. Here, hackers and IT security professionals from all over the world gather to learn from each other and put topics on the agenda in the global professional community. The conference is divided into villages with different themes. Ragnhild thought that the Social Engineering Village was the perfect arena for sharing her perspectives with the right target group.
"I submitted an application with a description of what I wanted to talk about, how I wanted to talk about it and what issue I wanted to address. The fact that the jury chose me as one of six to give a talk there, among nearly 100 applicants, was huge," she says.
Ragnhild got on the plane to Las Vegas to attend the 30th edition of DEF CON, held on August 11-14 this year.
In the lecture "The aftermath of a social engineering pentest - Are we being ethically responsible?" she questioned whether we take good enough care of the pentesters who carry out the tests and of the people who are tested, and whether we make sure the company treats them correctly afterwards. This was also the lecture she gave at this week's Black Hat Europe in London.
"With pentesting, you can find security holes and conclude that something was configured incorrectly. But when we test people, it will cause them to fail as human beings. They may feel that they are failing themselves, as opposed to the fact that there is a technical system around them that has failed. You can feel like you've been cheated and maybe feel stupid," she explains.
Naturally, not everyone will take this personally. But pentesters don't know who the people they are testing are, what their situation in life is, or where they are mentally.
"Imagine the worst-case scenario: you've tested a person who might feel like they've been holding their life together with duct tape, and this is the last straw that tips them over the edge. How will you, as a pentester, feel about it? This is not often discussed. That's exactly why I wanted to put it on the agenda. It's an overlooked aspect of what we're doing."
She also talked about appropriate boundary setting for the company that has ordered the test.
"If the company wants the names of the people who fell for a phishing attempt, is that necessary? Others may want to test the five leaders they have. Is it ethically justifiable to test so few, when they can work out who fell for the test? Where do we draw the line, and how much should we protect the customer from themselves? We are an advisory body that should ensure that the test is carried out responsibly, and not just give them what they want."
"I don't have all the answers to the questions I asked in the lecture, but for me it's important that this is a topic that gets more attention," Ragnhild explains.
Ragnhild admits that she was a little nervous before going out on stage. It's one thing to give a presentation to someone unfamiliar with the field, but speaking in front of a hall full of specialists in the field is quite another.
"Fortunately, the lecture was well received. I had to stand and answer questions long after I was actually done, and I take that as a good sign. People came over to talk to me the next day as well. It was nice to see that so many people were involved in the topic, that it was important for more people," she says.
During this year's DEF CON there were about 80-90 people from the Norwegian IT security industry present. Ragnhild hopes that her message reached many of them, so that it can contribute to a positive development in the industry back home in Norway.
"Internationally, social engineering began 10-15 years ago, so this is still relatively new. And Norway is unfortunately lagging behind compared to a lot of countries. There are some ethical guidelines that should be followed, but there is no industry standard that must be followed. Maybe there should be."
Perhaps it is through conferences such as DEF CON and Black Hat Europe, where some of the industry's brightest minds share their thoughts and perspectives, that something like this can take root.
"Arenas like this set the agenda in the industry, so it will be exciting to follow the development further. I certainly want to be part of DEF CON and Black Hat Europe again. I may well have something more on my mind by next year," concludes Ragnhild Sageng, ethical hacker and pentester at Orange Cyberdefense Norway.
You can watch Ragnhild's lecture at DEF CON here.
Ragnhild also recently shared an exciting report of a real Red Teaming operation: Why break in through the window when you can walk in through the front door?