The Four Rules Everyone Who Offers IT Security Needs to Follow
If you or your business is involved in IT, or IT security, then you know just how hectic and busy work can be. There are always new viruses and bugs, patches to install, and general break-fix work to do. After a certain point, unless you’re highly motivated, it becomes painfully easy to become apathetic to the entire process…
Well, this shouldn’t surprise you, but not caring is the worst possible thing you can do.
IT security isn’t something you can just learn and be done with. It’s a constantly changing and evolving field. You can memorize your ABCs, but the closest things to that in IT security are the four cardinal rules of IT security.
Amusingly enough, the four cardinal rules of IT security I was taught turned out to be the same as the four cardinal rules of gun safety. Let’s take a look at those rules and break them down.
1. All guns are always loaded.
Consider anything entering your network the same way you would a firearm. It could be loaded with malware, or be manufactured in such a manner that its operation could result in it blowing up in your face. You might be inclined to trust the ergonomic keyboard a user brought from home, but even that isn’t necessarily safe these days.
In short: Assume nothing, and sandbox everything.
2. Always point the muzzle in a safe direction.
Patches, updates, installations: this applies to everything. If you’re going to change anything on your network, don’t just plow ahead and do it. Aim those changes in a safe direction (like a test server or a non-critical system) and try things out there first. If things work well on the test server, then safely implement the changes across all systems. You wouldn’t play Russian roulette with a gun; don’t play it with your network either.
In short: Test everything before it goes live.
3. Keep your finger off the trigger until you are on target and ready to shoot.
It’s good to stay ahead of the game, but there’s a fine line when it comes to updating your systems appropriately. Just because you can update two pieces of software at the same time doesn’t mean you should, and just because there’s a newer version of some program doesn’t mean you need to install it.
In short: Don’t change anything on the fly and don’t install anything without considering the results.
4. Know your target, and what lies beyond.
When changing anything, make sure you are fully aware of what it is, what it does, and what depends on it. Try to remember what happened around the release of Windows Vista. A lot of people upgraded to Vista because their computers were capable of running it, and run it did. Unfortunately, a number of devices which relied on XP’s resources no longer functioned as a result. Users were scrambling to figure out why their printers, webcams, and other gadgets no longer worked, and it caused quite a headache for the people who supported those systems.
In short: Do your research. Systems aren’t as modular as they seem. Updating something as innocuous as a printer could bring your network to its knees.
Above all else, always remember that you can never know too much. Keep on learning, keep reading those security blogs, and keep reading those forums. You will never know whether something you learned is relevant until you have to do it yourself.