By Jared C. Hooks, PhD, Science Communicator
At a recent SDEE event, there was a booth setup with an image of a masked man typing furiously on a computer as if the actual Holy Grail was hidden somewhere on a hard drive or server. While I considered it somewhat tongue in cheek, there can be a perception that to target someone’s business at an IT level takes a concerted, concentrated effort that will be wasted on small startups and entrepreneurs.
In today’s world of cloud computing, rented servers, freely shared flash drives, and a plethora of other technological goodies, being compromised at the IT level can often be a crime of opportunity. Ransomware, phishing emails, and other dastardly schemes operate on a numbers game to eventually find a careless user. As the internet of things expands many devices left on a network aren’t fully protected from malicious actors. Beyond security, how does a startup or entrepreneur go about setting up IT operations so that productivity and quality of service are built from the ground up at conception? That’s what SDEE wanted to tackle at a recent event on IT security and operations. We had many speakers, including Jim Maddox who is the director of ScaleMatrix and two agents from the Cyber and Counter Intelligence Division of the FBI, but for informational purposes, I’ll focus on two of our speakers.
Aaron Contorer, the CEO of FP Complete, was our first speaker who gave us an introduction to creating an IT system from development of the software, to deployment and scaling, and finally keeping a system operating and reducing downtime. This whole process is known DevOps. The common theme through Aaron’s talk though is to really think about building and/or securing any IT operations you’ll need for your business every time a new piece of software or service is utilized. There are plenty of services and vendors that can assist you along the way for this, but ultimately you want to ensure that whatever is utilized was built with security, traceability, and documentation in mind. These are aspects that must be present at the genesis of each IT solution.
If a program is built on a coding language that is inherently weak on security, there is really no way to safeguard the information it will process. If computers accessing a program or service can’t be assigned different permissions and the types of information they’re accessing isn’t traceable, the data being handled is at risk of being compromised. If the deployment and maintenance of a program isn’t documented, or additional changes made to the system while that program is in operation are done ad hoc, you’ve now created a vulnerability and additional difficulty in identifying any incompatibilities. These are all issues that are much more easily solved when being built around rather than attempting to enact after your business has already grown.
Dan Tentler is the founder of Phobos Group, which operates as a boutique computer security company. With recent headlines of hacks ranging from Equifax to Sony to the Office of Personnel Management, Dan challenged us to really think of what our risk surfaces are and what keeps us up at night from a security perspective.
First is what exists in your company that needs to be secured. What systems and networks are exposed to the internet and who has access to these? It might sound simple, but without knowing all your weak points, you will never be able to fully protect your business. Second, is having a plan when vulnerabilities are exploited or you’ve been specifically targeted and data has leaked. Even if that plan consists mainly of triage and damage control, it’s better than ignoring the problem or feigning ignorance leading to additional losses (looking at you Equifax). The process of creating a plan allows you to explore different scenarios and secure yourself against those so that as you dive into finer details, you can shore up vulnerabilities to increase your security. That leads to the third point of good housekeeping. That is, as you contemplate and identify weak points, what actions should you take to make your business more secure. It can be anything from matching sure the latest patches are compatible and installed or pulling a machine off a network if the software it’s using is outdated, but still essential to its operation (e.g. many systems that were built on Windows XP and support was discontinued). Finally, keep practicing all of this. It doesn’t have to be crazy, especially at the outset, but every now and then take time to consider what risks you might have accumulated, how do those fit into your plans in case an issue or vulnerability arises, and what do you need to do to head some of these problems off at the pass.
IT security and operations are like any other aspect of a business, whether new or established. An entrepreneur must constantly assess their business, decided what direction you want to grow, and then take measures to secure that area and create contingency plans in case unexpected problems arise. By applying this to the technology aspects of your company, you can build a secure and efficient IT infrastructure.