Wednesday, April 4, 2007

Social engineering in the workplace: avoiding the "evil security guy" tag.

Security is evil. We say no (that's "default deny" to you), we enforce policies, and we make life difficult.

We ask hard questions, we poke holes in the beautiful software that you just wrote, and worst of all, we take up your time that could be spent on more important things than doing security assessments and configuration checks.

Really, we just get in the way.

Or, at least, that's how it feels a lot of the time. Then, a security event happens, and suddenly the security guy has a new shine!

Sadly, that's not the best way to work with IT staff. Security needs to work effectively with IT staff and the organizational community all of the time, not just during emergencies. What can we, as security professionals, do to build ties with the administrators, staff, and other employees? I have a few favorite tactics to make security staff more available to the rest of the organization.

Lunch with the security guys

Every few weeks, I eat lunch with a group of systems administrators from across the organization. It isn't a formal meeting, just a meeting of fellow geeks. Often, more useful information is exchanged at these lunches than in a week of meetings - and more happens as a result of them.

The real security benefit, however, is that I'm available as a resource in a non-formalized environment. Questions that never come up elsewhere are brought up, discussed - and often I don't have to provide an answer. The others in the group will already know it, or they've heard it from me before.

The key here is being approachable - the same ideas work for CISOs and other security management professionals - up to a point. Define a line of professionalism, but make yourself available.


In larger organizations, security staff may only be heard of when they're bringing trouble to your door. It helps to build ties before the event. I've made a habit of getting out periodically and chatting with various contacts across campus. They tend to refer things to me, and it helps me keep my finger on the pulse of the IT community.

There is a balance here - at some point, being heads down working on security projects is more useful, but making these contacts can be an effective part of a security outreach program.


We all like to read about social engineering - why not do some of your own? If you walk into my office, you'll find a bright yellow 1960s Civil Defense Geiger counter, magnetic building toys, and a selection of candy all out and easy to get to. Why?

They lure in IT staff.

I've had more conversations because of someone wandering down the hall and spotting the Geiger counter through my open door than I can count. The candy means that people stop, ask a question, grab a handful, and meander back out. The building toys give engineering types something to play with as they explain their problems.

Simply taking the time to chat with the folks you work with is a valuable security tool. Yes, the "evil security guy" image is useful at times, but having an IT community that willingly comes to you before the problem becomes an issue is worth the trade.


MTI said...

Great article David. I'm amazed at how many "security professionals" don't see the need to make themselves available in an informal fashion to folks in other departments/specialties. Instead they would rather have the "evil admin" title. I truly believe that by communicating informally your security awareness program, policies, procedures etc... have a far greater chance of being adhered to from the start rather than "adopted in the end."

Be careful though, as "being everyone's friend" may remove the distance that is needed for an objective incident response. More reasonably, "be friendly to everyone." Ah, the life of a Security Professional.

H. Carvey said...

Great advice, really! As a consultant, when I've done interviews of IT and audit staff during assessments, trying to get that door open just a little bit has been tough. I like your advice...very useful stuff, as it humanizes the security nerd!

Now, if I could just translate that to the IR consulting arena... ;-)

Author: "Windows Forensic Analysis"