Cyberthreats are complex – IT security must be, too

Gone phishing: Proper assessment of any organization's IT security infrastructure must include protocols safeguarding against the biggest risk of all: human users.
By DAVE COURBANOU //

When it comes to assessing your IT infrastructure for vulnerabilities, the best approach is a multipronged one.

A holistic approach to protecting an IT infrastructure assesses both the physical technology environment and the internal employee culture at a company. The reason for this all-encompassing attitude is simple: Cybersecurity is never “done.”

New vulnerabilities and attacks are always being crafted. We can’t expect the vulnerabilities and exploits of 2022 to be the same in 2023 or 2024 – the quicker users adapt, the quicker hackers adapt. So regular maintenance and friendly checkups are critical to staying ahead of the game.

Every IT-infrastructure assessment checklist should start with penetration testing. First and foremost, are the front and back doors locked?

David Courbanou: Security officer.

A penetration tester (sometimes called a “white hat hacker”) will attempt to find holes in your network both externally and internally. On the external side, the tester checks that every internet-facing server, port and service is either properly secured or switched off, and that nothing is reachable from the outside that the organization does not know about. Internally, a gamut of scans tests whether an ordinary network user can gain unauthorized access to critical files or servers, and checks internal company services for known vulnerabilities and missing patches.
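The external half of that check becomes repeatable when each scan is diffed against a written-down baseline of what every internet-facing host is supposed to expose. The following is an added example, not the author's tooling: it parses nmap's greppable output format (the real -oG format) and reports open ports that are not on the allow-list, hosts that are not on the list at all, and allowed ports that turned out not to be open. The hosts, ports, the BASELINE structure and the SCAN text are constructed for illustration.

```python
"""Compare an external port scan with the exposure each internet-facing host
is supposed to have. Added example, not the author's tooling; hosts, ports,
BASELINE and SCAN below are constructed for illustration."""

# Allow-list: host -> {(port, protocol)} that is meant to be reachable from
# the internet. Anything open beyond this is a finding.
BASELINE = {
    "www.example.com": {(80, "tcp"), (443, "tcp")},
    "mail.example.com": {(25, "tcp"), (443, "tcp"), (993, "tcp")},
}

# Constructed sample in nmap's greppable format (-oG). Fields on a Host line
# are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SCAN = (
    "# Nmap 7.94 scan initiated Tue Jan  9 10:00:00 2024 as: "
    "nmap -sV -oG external.gnmap -iL hosts.txt\n"
    "Host: 192.0.2.10 (www.example.com)\tStatus: Up\n"
    "Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/\t"
    "Ignored State: filtered (997)\n"
    "Host: 192.0.2.25 (mail.example.com)\tStatus: Up\n"
    "Host: 192.0.2.25 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix/, "
    "443/open/tcp//http//nginx/, 3389/open/tcp//ms-wbt-server///, "
    "993/closed/tcp//imaps///\tIgnored State: filtered (996)\n"
    "# Nmap done at Tue Jan  9 10:04:12 2024 -- 2 IP addresses (2 hosts up)\n"
)


def parse_gnmap(text):
    """Return {hostname (or IP if none): [(port, proto, state, service), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            name, _, value = chunk.partition(":")
            fields[name.strip()] = value.strip()
        ip, _, hostname = fields["Host"].partition(" ")  # "192.0.2.10 (www.example.com)"
        hostname = hostname.strip("()") or ip
        entries = hosts.setdefault(hostname, [])
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if not entry:
                continue  # Status-only lines carry no ports
            p = entry.split("/")
            entries.append((int(p[0]), p[2], p[1], p[4]))
    return hosts


def exposure_findings(scan, baseline):
    """List (host, finding) pairs: hosts missing from the baseline, open ports
    the baseline does not allow, and allowed ports that are not open."""
    findings = []
    for host, entries in scan.items():
        allowed = baseline.get(host)
        if allowed is None:
            findings.append((host, "not in baseline: unexpected internet-facing host"))
            continue
        service = {(port, proto): svc for port, proto, _state, svc in entries}
        open_ports = {(port, proto) for port, proto, state, _svc in entries if state == "open"}
        for port, proto in sorted(open_ports - allowed):
            svc = service[(port, proto)] or "unknown"
            findings.append((host, f"unexpected open {port}/{proto} ({svc})"))
        for port, proto in sorted(allowed - open_ports):
            findings.append((host, f"expected {port}/{proto} not open (verify it was intentionally switched off)"))
    return findings


if __name__ == "__main__":
    for host, finding in exposure_findings(parse_gnmap(SCAN), BASELINE):
        print(f"{host}: {finding}")
```

Against real output (`nmap -sV -oG external.gnmap -iL hosts.txt`), read the file in place of SCAN and keep the baseline in version control, so that a new listener on a public host is a change someone has to justify rather than something a scan silently accepts.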

The security of switches and routers should also be examined, including whether a bad actor who plugs into an unused ethernet jack in your office lands on the production network or on a dead port. Unused ports should be disabled, and live ones gated by port-based authentication such as 802.1X, so that a stranger in the lobby cannot simply plug in and start stealing information.

Security-awareness training and phishing simulations are also important. Vulnerabilities aren’t just unpatched servers or open firewall ports – unwitting employees may click on the wrong links, triggering malware hidden in phishing e-mails. There’s a plethora of research showing that humans tend to be the weakest link in the IT security chain.

To mitigate the risk of human mistakes, security-awareness training that emphasizes phishing, social engineering and how to recognize suspicious e-mail is a must. These lessons aren’t always learned on the first go, so follow them up with phishing simulations: an e-mail crafted to look like a real phishing attempt, carrying a per-recipient link that, when clicked, tells the user they have been fooled and tells the security team who clicked. Run regularly, simulations are a safe way to measure how susceptible employees remain and to flag the frequently fooled for more training.
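The tracking link is the part of a simulation that has to be built carefully: a link that encodes the recipient's name, or uses a guessable token, lets one employee mark a colleague as fooled, or lets a curious user learn who else was targeted. The following is an added example, not the author's program or any particular simulation product: an in-memory tracker that issues a random per-recipient token, records only the first click on each link, ignores tokens it never issued, and reports click rates and who was fooled in more than one campaign. The campaign names, user names, landing-page URL and training threshold are assumptions.

```python
"""Minimal phishing-simulation tracker: per-recipient links, click recording
and a report of who was fooled and how often. Added example; the names, the
landing-page URL and the in-memory store are assumptions."""
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

TRAINING_THRESHOLD = 2  # fooled in this many campaigns -> extra training (assumed policy)


@dataclass
class Tracker:
    base_url: str  # where the "you have been phished" page lives
    tokens: dict = field(default_factory=dict)  # token -> (campaign, user)
    clicks: dict = field(default_factory=dict)  # (campaign, user) -> time of first click
    recipients: dict = field(default_factory=lambda: defaultdict(set))  # campaign -> users

    def enroll(self, campaign, users):
        """Return {user: link}. Each link carries a random, unguessable token,
        so a recipient cannot forge a click for a coworker and the URL itself
        reveals nothing about who received it."""
        links = {}
        for user in users:
            token = secrets.token_urlsafe(16)
            self.tokens[token] = (campaign, user)
            self.recipients[campaign].add(user)
            links[user] = f"{self.base_url}/learn?t={token}"
        return links

    def record_click(self, token, when):
        """Called by the landing page. Tokens that were never issued are
        ignored (a real deployment would log them as probing); repeat clicks
        on the same link count once."""
        key = self.tokens.get(token)
        if key is None:
            return False
        self.clicks.setdefault(key, when)
        return True

    def click_rate(self, campaign):
        """Fraction of a campaign's recipients who clicked at least once."""
        fooled = sum(1 for (c, _u) in self.clicks if c == campaign)
        total = len(self.recipients[campaign])
        return fooled / total if total else 0.0

    def needs_training(self, threshold=TRAINING_THRESHOLD):
        """Users fooled in at least `threshold` distinct campaigns."""
        per_user = defaultdict(set)
        for campaign, user in self.clicks:
            per_user[user].add(campaign)
        return sorted(u for u, cs in per_user.items() if len(cs) >= threshold)


def token_from_link(link):
    """Extract the token the landing page would receive in its query string."""
    return parse_qs(urlparse(link).query)["t"][0]


def demo():
    """Constructed scenario: two campaigns, three staff; bob clicks in both."""
    t = Tracker("https://awareness.example.invalid")
    q1 = t.enroll("2024-Q1", ["alice", "bob", "carol"])
    q2 = t.enroll("2024-Q2", ["alice", "bob", "carol"])
    t.record_click(token_from_link(q1["bob"]), when=1)
    t.record_click(token_from_link(q1["bob"]), when=2)  # second click, counted once
    t.record_click(token_from_link(q1["carol"]), when=3)
    t.record_click(token_from_link(q2["bob"]), when=4)
    t.record_click("not-a-token-we-issued", when=5)  # guessed or forged: ignored
    return {
        "q1_rate": t.click_rate("2024-Q1"),
        "q2_rate": t.click_rate("2024-Q2"),
        "needs_training": t.needs_training(),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat from practice: mail-security gateways and link-preview features fetch URLs before the user ever sees the message, so a production tracker should distinguish that automated fetch from a human click (for example by requiring a second interaction on the landing page) before counting it against anyone.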

Last, but certainly not least, is assessing the physical vulnerability of your data. Sure, your data may be safe behind a firewall with proper access control, but is it safe from hardware failure?

Fast break: No matter how fast users adapt, warns Courbanou, hackers adapt faster.

Ultimately, no hacker is needed to put your data at risk; a failed disk does it just as well. Our IT security team recommends the “3-2-1 rule”: three copies of your data (the production copy plus two backups), on at least two different types of media, with one copy kept off-site.

Example: Data is copied to an on-site backup server, also copied to tape for archival purposes, and pushed to the cloud for safekeeping. Plainly stated, if you’re not running some form of the 3-2-1, you’re vulnerable. And a backup that has never been restored from is not yet a backup: schedule test restores so that the first time you rely on a copy isn’t the day the primary dies.

This checklist is short and by no means exhaustive. These are just the major first steps to take when trying to determine if your digital house is in order. The results of these findings could reveal new paths to keeping things secure, and that’s exactly the point of the entire process – assess, address and repeat.

David Courbanou is information technology administrator of Intelligent CloudCare, a subsidiary of Hauppauge-based Intelligent Product Solutions, and the head of CloudCare University.