How to approach computer and IT security
How do you approach IT security? Where do you start and what should you do? These are great questions that people ask all the time because IT security is an understandably specialized field that requires more training than natural skill. There’s a lot that you need to know before you even start to get good at it.
Some people think that IT security is just about protecting computers and servers. That’s certainly not all there is to it, but let’s pretend it is for just a second; in this scenario, what do we need to know to reasonably secure a computer? Well, let’s put together a list. You’d need to know:
- how the operating system(s) works (the more detailed the better, and don’t forget a computer can run more than one OS, not just Windows),
- the physical layout of the computers (shoulder surfing is an attack vector),
- which medium(s) those computers use to communicate with each other (Wi-Fi, the internet, networking),
- the software on each machine (every program has its own possible vulnerabilities and attack vectors), and
- methods to externally connect to the computers (Bluetooth, USB, file sharing, the internet, networking, and more).
I could keep going, but you get the point. Also, remember this list is only concerned with protecting computers. There are also servers, UPS systems, IoT devices, HVACs, SCADA equipment, and so on. Each device and every piece of software needs to be protected, and there is no magic silver bullet that can handle it all, so how do you even start to tackle such a broad problem?
The first step is to adopt the proper mindset, currently called the ‘Zero Trust Approach’. It’s an approach that means any new introduction to your organization, whether it’s a new employee or a new computer, should not be trusted. In fact, zero trust should be your default position. From an IT standpoint, zero trust means plugging a new computer into the corporate network (or creating a new Active Directory user) should result in zero access. All doors should be locked by default and keys given only to the specific resources that need them.
As a bit of side advice, you may want to prepare for some resistance here. People will almost always complain if they don’t have enough access, but they rarely do when they have too much (and that’s not a sign of ill intentions either, as most of the time employees with too many privileges don’t even know it). Applying a zero trust mindset can be difficult at first, but once you make the necessary adjustments it’s no more difficult than anything else.
Once you’ve got the proper mindset, it’s time to implement specific actions to protect yourself. Just installing anti-malware software on computers is not good enough. The Center for Internet Security (CIS) has published a list of security controls that anyone can access to improve their own security. The latest list, version 8, includes 18 different items explained in order of effectiveness.
So, now you have a zero trust mindset and a guide with specific items to address your security. We’re done, right? Well, no. There’s still one more issue, and it’s the assumption that everything will function properly. At this point it’s useful to adopt an ‘assumed breach’ mentality. It sounds a bit weird to assume your new defenses are insufficient, but that’s really what this step is about. Pretend everything failed and someone managed to get in. What could they take and how could you have stopped it?
This is usually the point where you start to think of things like using file encryption to protect secure data, segregating the network to limit how traffic moves, or even using physical security like installing cameras in secure areas. Now we’re trying to limit access, slow down intruders to improve the chances of detecting them, or introduce new detection methods. Repeat this process until every conceivable hole in your defenses is filled. Then keep doing it and do it on a regular basis. Never assume your defenses are perfect because complacency is easily followed by disaster.
So there we have it—a mindset, a place to get started, and a methodology to use for improvement. It may not be perfect but it will get you moving in the right direction with a solid set of tools for improving your defenses overall. Just because IT security can be complicated doesn’t mean it can’t be understandable.
Today’s Shakespeare comes from Henry V: “The game’s afoot: follow your spirit, and upon this charge cry ‘God for Harry, England, and Saint George!’”
If you have any questions about your IT security approach or posture, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.