Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.1. Summarize various security measures and their purposes. (Obj. 2.1)

💡 First Principle: A comprehensive security strategy protects assets through layers of both physical controls (what you can touch) and logical controls (what you can access).

Effective security isn't about a single magical tool; it's about creating multiple layers of defense, a concept known as defense-in-depth. If one layer fails, another is there to stop an attacker. These layers fall into two broad categories: physical and logical. Physical security is the first line of defense and involves protecting the physical IT infrastructure from unauthorized access, theft, or damage. This includes tangible measures like locked doors on server rooms, security guards, surveillance cameras, and swipe-card/biometric access readers. If an attacker can't physically get to a server, it's much harder for them to compromise it.

Logical security controls access to data and systems using software and policies. This is where a technician spends most of their time. A core tenet is the Principle of Least Privilege, which states that a user or system should have only the minimum level of access and permissions required to perform its job function, and no more. This drastically limits the damage that can be done if an account is compromised. Access control begins with Authentication (proving who you are, e.g., with a password), which is made significantly stronger by Multifactor Authentication (MFA). MFA requires a user to provide two or more types of proof: something they know (a password), something they have (a phone app code or security key), and/or something they are (a fingerprint). Other logical controls include Directory Services such as Active Directory, which centralize user identity and policy enforcement, and Data Loss Prevention (DLP) software, which acts like a security guard for data: it inspects network traffic and endpoints and blocks sensitive information (such as credit card numbers) from leaving the company network.

Technician's Action Plan: Scenario: A company is setting up a new office. As the IT technician, you are asked for input on the security plan.

  1. Address Physical Security First: Recommend that the room designated for network equipment and servers be equipped with a key card access lock. Only IT personnel should have their badges programmed to open this door. Suggest the installation of a security camera covering the entrance to the server room.
  2. Implement Logical Access Controls: For the new user accounts, recommend a policy based on the Principle of Least Privilege. Propose creating security groups in Active Directory (e.g., "Sales", "Accounting", "HR") and assigning permissions to network folders based on these groups, rather than to individual users. An employee in Sales should not have access to the Accounting folder.
  3. Mandate Strong Authentication: Strongly advocate for enabling MFA for all users, especially for access to email (Microsoft 365) and any VPN services. Explain that this single measure is one of the most effective ways to prevent account takeovers, even if a user's password is stolen.
  4. Incorporate DLP: For the Accounting and HR departments, which handle sensitive data, recommend exploring a DLP solution to prevent accidental or malicious exfiltration of employee PII or financial data via email or USB drives.
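To make the DLP idea from the overview and from step 4 concrete, here is an added example (not part of the original lesson or of any vendor product) of the content-inspection logic a DLP engine runs on outbound email: it looks for card-number-shaped digit runs and keeps only those that pass the Luhn checksum, so a 16-digit order reference is not flagged. The sample messages and the policy decision format are constructed for the example.

```python
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the PANs found in text, keeping only Luhn-valid candidates."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def dlp_decision(message: str) -> dict:
    """Decide whether an outbound message may leave the network (constructed policy: block on any PAN)."""
    hits = find_card_numbers(message)
    action = "block" if hits else "allow"
    masked = ["*" * (len(p) - 4) + p[-4:] for p in hits]   # log only the last four digits
    return {"action": action, "matches": masked}


# Constructed sample messages (not real data). 4111111111111111 is a well-known test PAN.
OUTBOUND = [
    "Invoice attached, order ref 1234567890123456 ships Monday",
    "Card on file: 4111 1111 1111 1111, exp 12/27",
    "Hi team, see the attached quarterly report",
]

if __name__ == "__main__":
    for msg in OUTBOUND:
        print(dlp_decision(msg))
```

The first message is allowed because its 16-digit order reference fails the Luhn check; the second is blocked and the logged match is masked, which is how a real DLP product avoids copying the very data it protects into its own logs.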

Reflection Question: How does the "Principle of Least Privilege" directly reduce the potential damage caused by a compromised user account?