As a company we do not struggle with on boarding new talent. We are actually really good at bringing folks in, making them feel welcome, and emphasizing how they are now a part of the team. Their first day they sit through a series of presentations, meetings, lunches, and tours to get to know who they will be working with, including the executives and their own team members. During the security presentation, I make sure to point out that they are now responsible for protecting THEIR clients’ data, not ‘our’s’.
However, as a small IT and Security team, we do struggle with the technical on boarding side. Especially with college grads or interns. Something I have noticed as time has gone on is new job market entries really struggle with understanding what their day-to-day should look like. Especially if they have never held a technical job. This isn’t just challenging to the new hire, it’s also challenging to the other team members. There are expectations both ways, and the new hire doesn’t want to twiddle their thumbs, and the current team doesn’t want to watch them do that either.
My proposed solution to this is pretty simple and straight forward, and helps out both sides of this equation. Documentation review. Which sucks, but is a pretty solid need. I can almost guarantee that having a new set of eyes do a deep dive on your documentation and review how technical systems are documented, will lead to some surprising/enlightening results.
Our Method
We have our new folks cover 10 domains, with a ‘capstone’ project at the end. The capstone is really meant for interns, but there is no reason that you should NOT practice your procedures and DR plans, so I encourage everyone to do this.
Networking Overview
A network map, detailed documentation regarding our physical assets, auditing the configuration firewall alongside a network engineer. This domain exposes the new hire to our networking methodology. During their review of our network, they should become familiar with our VLANs, ingress/egress points, network device configuration, and get to know our network engineers better (side point, this project also forces the new hire to meet and interview our SME’s on these topics).
Authentication Overview
One of the greatest security misconfigurations a company will ever have, and it will almost always have some of it, is over privileged accounts. Plus, unknown accounts, unused accounts, etc, etc. This is a deep dive into as much authentication management as possible. The two major themes from this is identifying authentication methods in use (RADIUS, Kerberos, etc) and their configurations, and identifying and documenting assets that are not a part of a single sign on method. The last piece of this puzzle is auditing our MFA deployment, and whether we are following our standard for this.
Storage and Virtualization Overview
This domain challenges a new hire to better understand the ins and outs of our virtualization technology, as well as review the configurations for each of these technologies, and the inventory of each.
Data Inventory
One of the challenges a company will always have, and one of the top SANS Critical Controls, is maintaining an inventory of your data containers/assets. This is challenging, but not impossible. The task for the new hire here is compiling their own inventory through interviews and investigation and comparing that with what we have documented. They may not build a 100% complete inventory, but they may identify areas we weren’t expecting.
Third Party Application Inventory
Similar to the Data Inventory, this is just a task to interview cross department heads and users and find what all known third party apps we are using. Again, the new hire may not build a full scale inventory. The goal, though, is to help them become more aware of our environment, while identifying potential gaps in our own inventories. A side benefit with somethign
Detection, Prevention, and Compliance Controls
These three domains go pretty well hand in hand. Detection revolves around our ability to detect threats and compromises: IDS, SIEM, and other log management. Prevention: AV, Firewalls, IPS, etc. Compliance is a bit more vague, but essentially covers our risk management and security framework compliance (SOC2, NIST CyberSecurity Framework, etc). As a security guy, these three domains are where I spend the majority of my time, but not all of your new hires will be security folks.
Ticketing and Change Management Overview
One of the biggest challenges IT departments face, is user interaction. In an age where more and more of a help desk is done remotely, IT becomes nothing more than a shadow land where the other departments lack clarity or insight on. Making sure that procedures are in place to ensure prompt ticket turnover, as well as identifying common complaints can help a service desk become more user friendly.
Another common IT challenge that revolves around ticketing and projects, is change management. ITIL is a great standard to increase reliability, but if you’re a fast paced Agile shop then the cumbersome slowness of a CAB and TAB will not work. However, even fast paced environments need approval and control methods to ensure rogue employees do not push bad code or upgrade infrastructure incorrectly.
Budget Review
The budget review portion of the project is to help leadership, and employees in these departments, to understand where the money is going. This shouldn’t just be a spreadsheet showing totals and dollar signs. The analysis portion of this domain should identify what other domains the money is flowing to, and if that trend is aligned with leadership’s vision. This should lead to interesting conversations between a new employee, and their boss and team leads. This area probably shouldn’t reveal any major new information, but can identify whether the correct budget information is being track or managed.
CAPSTONE: Plan and Lead a Tabletop Scenario
The final domain is really meant for the interns of the group. Practicing disaster recovery, and other procedures, is hard. It is also hard to not feel silly in a group of your peers as you try to pretend a server has been compromised and needs quarantined, eradicated, and restored. The best case scenario is where you actually have a duplicate of your environment and can actually launch ‘attacks’ against it and see what happens.
For the Capstone project the interns are responsible for designing a DR scenario that can be reenacted through a tabletop. The second portion is the intern has to actually lead the scenario. This is a challenge that will make some interns seriously struggle, while others may find that they absolutely enjoy it.
Summary
Bringing new folks on is a time consuming and challenging task. It is also expensive. However, bringing new folks on incorrectly can make those costs increase, and foster resentment which will gnaw at your teams’ functionality. Performing an initial project to go through and analyze, document, and just learn about their new team can be extremely impactful and kick start their performing to your standards.
Guided Security 