In unrestricted areas, it’s preferable to use a “blacklist” approach that excludes only those users, code, or machines that are predetermined to be dangerous. Logging only detected security events is generally considered tolerable and useful in this context. In restricted areas, you can add a “whitelist” via which you allow only things based on a list of “known good” users, code, or machines. Regulations may mandate the use of logging for audit purposes in these areas.
In a college or university network, the areas that must be strictly controlled should be separate from areas that are expected to operate with little restriction. This separation minimizes the ability of threats or “bad actors” to cause problems by moving from one area to another, raising the level of their access privileges as they go.
Beyond this, we can provide users with tools to protect their own personal areas, as well as education about how and when they might wish to apply them. These tools could include things like:
- Backups: Regular, tested backups should be taken in sensitive areas to limit outages caused by data-damaging malware (like ransomware), hardware failure, and other catastrophes. As basic backup functionality is freely available in all major operating systems, educating students, teachers, and staff about the benefit of taking backups could be a useful tool for decreasing your IT support costs.
- Encryption: Encryption helps protect data that’s not in use from being viewed by people who shouldn’t be able to access it. This should be applied both to data on disk and data being sent to or from sensitive areas of your network. Encryption is also freely available in major operating systems, as well as many popular communication apps. You may want to let your users know about these resources so they can help protect themselves.
- Authorization lists: Authorization lists assign users permissions for what resources they can access. You should maintain these lists in sensitive areas, and users can also use these to limit access to certain people or groups over time (such as research that should not be publicly available before a certain date).
• Multi-factor authentication tools: Many data breaches are caused by or result in lost login credentials. One of the best ways to mitigate the damage is to implement a second factor of authentication (verifying that users are who they say they are). Many online services already make this functionality available, and it’s a cost-effective tool, thanks to the amount of risk-mitigation it offers, to add to other login processes.
In general, people aren’t opposed to security, but rather to the loss of personal control it often implies. By understanding the context of the controls, and enabling users to protect their own resources, we can make security measures more palatable.