IT Support: Every Question is a Security Question
In every industry there are times when you realize the landscape is completely changing. Manufacturing had the production line that became the foundation that all products were built on. When you created a new product that could be sold to consumers and tested your prototype, you then figure out, how can this be manufactured efficiently and effectively in a production line. The production line became the foundation and the norm for product manufacturing. There was no way to get away from the question:
Can we manufacture this on a production line?
So whats your point?
In the same way that you could never get away from that question in manufacturing, you cannot get away from the most important question in the IT industry:
Is it secure?
This completely shifts the approach to incidents, requests, problems, and changes. Now when we perform any task we have to keep security at the front of our minds. So, how do we do it?
Tips for Providing Secure Support
For starters, its hard to perform a task for security if you don’t have an understanding of what is secure. There are best practices for a lot of processes, but organizations still have to decide what is an acceptable risk. This will change from client to client depending on various factors. Here are a few good questions to ask yourself when performing any task:
- Am I making an account or device more easily accessible?
- Could this action expose PII?
- Is this action increasing public (internet) exposure?
Of course there are many more questions you could ask, however, this is the mindset to follow. If you are not asking questions about security when trying to resolve an issue, you should be.
Use Proper Change Control
When making changes sometimes it can be hard to really understand the scope of what you are doing. IT is a bit of a beast with a lot of moving parts, so putting major decisions in the hands of one individual can lead to some messy situations. It is for this reason that Change Control exists. If you don’t have a process for Change Control you should definitely consider creating one.
I don’t want to go too deep into the weeds of Change Control, but lets look at some criteria that can help mitigate risk and ensure changes are more often secure.
- Will the change impact an entire department, location, or organization?
- Have we made this change before?
- Could this change impact other services?
- Will the change impact customers or systems containing customer data?
Asking questions like these not only allow us to determine if a change is significant enough to go through a change control process, but also give us the chance to think critically about the security. Not to mention, the changes would be reviewed and approved by a technical lead or SME and client (if applicable).
Understand Acceptable Risk
When it comes to security there will always be risks. There are some that will not be negotiable and others that are acceptable.
For example, a credit union may not be willing to block all RDP connections internally and externally, even if the suggestion is made for security reasons. However, they may acknowledge allowing external RDP connections is a risk and allow connections to be blocked at the firewall. Now, we know the risk involved in allowing RDP connections internally is (at this time) considered acceptable risk for this credit union.
Now, this obviously does not mean it is a good or bad decision, it simply highlights the risks these businesses are willing to take vs the cost of an alternative.
There will be occasions when an idea to increase security is presented and it is shot down due to cost or time. Honestly, it is inevitable because we cannot do everything and buy every security product. Most importantly we need to make sure we clearly convey security risks and allow clients the opportunity to make a decision that will increase security.
After we perform the above actions, we can get an idea of what is considered acceptable risk as it relates to different organizations. It is not an easy thing to do or understand, but it is imperative in order to make the right decisions in IT.
You’re still here? It’s over. Go check out THIS article on GDPR.