Shellee Hale is a cybersecurity researcher and investigator who founded her own company. Michael Kassner asked her a few questions about how she pursues her job.


An interesting facet of Twitter is becoming acquainted with the people who follow you. Many, I would not have met any other way. For example, the founder of Camandago:

“Shellee Hale has worked with companies as a business and management consultant for over twenty years. As a Certified Anti-Terrorism Specialist (ATAB) and a Licensed Private Investigator with a focus on Cyber Security she participates as a member of Infragard and uses her skills to help individuals, corporations, and law enforcement on a variety of issues and cases.”

I felt this was a perfect opportunity for me to get a different perspective on IT security. Ms. Hale was kind enough to share her thoughts by answering the following questions:

TechRepublic: During our conversations, you mentioned how your interest in IT security started. Could you share that with the readers, along with why your company is named Camandago?
Hale: As a mother of a challenging teenager; Amanda, I became quite the investigator. Trying to stay abreast of the technology kids were using, constantly thinking about possible threats. I named my company Camandago, (See-Amanda-Go) to commemorate the cyberskills I learned trying to stay one step ahead of her.

TechRepublic: What does a day in the life of Shellee Hale entail?
Hale: My days are action packed. I usually start with emails and reading the news, followed by Mom duties. I still have school-aged kids. Then, I work on cases, some paid and some pro-bono. I then spend some time reviewing all the wires and news, publishing interesting bits on a few blogs of mine.

I might go to some of the forums and other blogs to see what people are talking about or sharing, often collecting information from sources that are related to issues I am researching. Then there is my volunteer work; I try to spend a portion of my day dedicated to public service.

TechRepublic: What are three cyber threats that keep you awake at night?
Hale:There are many, but these three really concern me:

  • Identity theft: The creation of online personas and exploitation of technology for the purpose to deceive, impersonate, or defraud individuals.
  • Outsourced databases: All the IT outsourcing in the public and commercial sectors that occurs overseas. It creates huge vulnerabilities from a systems and data integrity perspective.
  • Family online security: IM, Facebook, and all other forms of online social media will continue to create bidirectional threats. Lack of education, lack of awareness, and general naivety will continue to produce opportunities for digital trespassers.

TechRepublic: You mentioned that social engineering is particularly important to you. Why is that?
Hale: Social Engineering is when someone uses techniques to manipulate a person into divulging information or performing an act. We as a society give our trust easily. For example, we often believe a link is safe or the bank needs our account number and password. Without questioning, we click or divulge and become victims of fraud.

I spent a lot of time studying white collar crime, especially those involving social engineering. I wanted to understand how they worked and why they were successful. Now I try to educate people so they won’t be victims of these techniques.

TechRepublic: Social engineering has so many flavors, what are the top five things you tell people to look for in identifying a social-engineering scam?

Hale: Exploits are constantly changing, but these five still work:

  • Passive-aggressive behavior: A typical social-engineering trick is to be overly pushy and/or overly friendly. Scam artists use simple psychology to virtually sit down in your kitchen or living room. This vacillating passive-aggressive behavior creates an illusion of familiarity or acquaintance.
  • Offering rewards or prizes: Although fake; they seem so real, making it hard for victims to resist. They also target specific content, meaning they know what you like. So they will offer something that is appealing to you.
  • Instant credibility: Using search engines, it is easy to become a knowledgeable friend. Employing that familiarity in the first few sentences on the phone or in an email can entice victims into a false sense of security.
  • Befriending you or family: The “digital samaritan” does not exist. People don’t just reach out to help someone over the Internet. So if you are getting contacted, receiving solicitous offers, or all of a sudden rubbing digital shoulders with someone you don’t know; stop and ask why?
  • Soliciting personal information: Always check your social-networking application policies. They change all the time, creating more liberal regulations designed to give the application vendor more rights over the information you put on the Web through their apps.

TechRepublic: Does being a private investigator play a role in how you approach IT security?
Hale: My investigative training helps me achieve the right mindset. Tracing exploits and tracking down victims take persistence, whether it’s in the physical or virtual world.

It also makes me aware of the need for educating people before they become victims. That is why I spend as much time teaching clients how not to fall prey to security threats as I do investigating.

TechRepublic: I often get asked by students how to prepare for a career in IT security; what would be your suggestions?
Hale: There are lots of great free online courses you can take to get some basic understanding of this field and career. Texas Engineering and Extension Service and FEMA have cybersecurity and information-assurance Web courses. Many offer certifications and cost you nothing but your time.
TechRepublic: Finally, you told me that the “Face of IT” should change, could you explain what you meant?
Hale: When we talk about cybersecurity, it’s shouldn’t always be about technology. That aspect is constantly changing and why I focus on user actions. If you think about it; when it comes to security, we are the weak link. I want to help people understand social-engineering threats so we become the first line of defense instead of the victims.

We also need to be proactive, not reactive, Along with removing exploitable vulnerabilities, we must get better at identifying and prosecuting cybercriminals. Focusing on those areas will help a lot.

Final thoughts

Viewing the user as the main line of defense was not my first inclination. It makes sense though. As stated, technology changes fast, and defensive techniques are always reactive. Informed users and removing vulnerabilities should be our first priority.

I want to thank Ms. Shellee Hale for taking time to answer my questions and providing new insight on IT security.