Cybersecurity Basics for IT Professionals
Cybersecurity isn't just for the security team. Every IT professional touches systems that need to be secured. Here's what you need to know.
The CIA Triad
Every security decision comes back to three principles:
- Confidentiality — Only authorized users can access data
- Integrity — Data hasn't been tampered with
- Availability — Systems are accessible when needed
When evaluating any security control, ask: does this help with confidentiality, integrity, availability — or all three?
Common Attack Vectors
Phishing
The #1 attack vector. An email tricks a user into clicking a link or entering credentials.
Defense: User training, email filtering (Microsoft Defender for O365), MFA everywhere.
Ransomware
Malware encrypts your files and demands payment. In 2026, ransomware groups target backups first.
Defense: Offline/air-gapped backups, network segmentation, least-privilege access.
Credential Stuffing
Attackers use breached username/password lists from other sites.
Defense: MFA, unique passwords (password manager), monitor for leaked credentials with HaveIBeenPwned API.
Insider Threats
Malicious or negligent employees with legitimate access.
Defense: Least privilege, logging/SIEM, behavioral analytics.
Network Security Fundamentals
Firewalls
A firewall controls traffic between network segments based on rules.
Key principle: Default deny. Block everything, then explicitly allow what's needed.
# Example iptables rule — allow SSH only from management network
iptables -A INPUT -p tcp --dport 22 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Network Segmentation
Don't put all servers on the same network. Segment by function:
- DMZ — Public-facing servers
- Production — Core business systems
- Management — Admin access only
- IoT/OT — Isolated from everything else
If an attacker breaches one segment, segmentation limits lateral movement.
VLANs
VLANs (Virtual LANs) create logical network separation on shared physical infrastructure. Essential for:
- Separating user workstations from servers
- Isolating IoT devices
- Creating dedicated admin networks
Identity and Access Management
Least Privilege
Users should have the minimum permissions needed to do their job — nothing more.
# Check what groups a user is in
Get-ADUser -Identity john.doe -Properties MemberOf |
Select-Object -ExpandProperty MemberOf
# Find users with Domain Admin rights (review regularly)
Get-ADGroupMember "Domain Admins" | Select-Object Name, SamAccountName
Multi-Factor Authentication
MFA is the single highest-impact security control you can implement. A stolen password alone isn't enough with MFA enabled.
Prioritize MFA for:
- Admin accounts (highest priority)
- Remote access (VPN, RDP)
- Email and M365
- Any internet-facing service
Privileged Access Workstations (PAW)
Admins should have separate dedicated workstations for admin tasks — never browse the web or read email from an account with admin rights.
Patch Management
Unpatched systems are the #1 exploited vulnerability. The process:
- Inventory — Know what you have (can't patch what you don't know exists)
- Prioritize — Patch critical/high CVEs first, especially internet-facing systems
- Test — Test patches in staging before production
- Deploy — Use WSUS, SCCM, or Ansible to push patches at scale
- Verify — Confirm patches applied (WSUS compliance reports)
- Repeat — Monthly cadence minimum, emergency patches within 48h for critical CVEs
Security Monitoring Basics
Windows Event IDs to Watch
4624 - Successful login
4625 - Failed login (brute force indicator)
4648 - Explicit credential login (pass-the-hash indicator)
4720 - User account created
4726 - User account deleted
4732 - User added to security group
4756 - User added to universal group
7045 - New service installed (malware indicator)
PowerShell to Check for Suspicious Logins
# Failed logins last 24h grouped by username
Get-WinEvent -FilterHashtable @{
LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)
} | Group-Object {$_.Properties[5].Value} |
Sort-Object Count -Descending | Select-Object -First 10
Zero Trust Architecture
The old model: "Trust everything inside the network."
The problem: Once an attacker gets inside, they move freely.
Zero Trust principle: "Never trust, always verify."
Key components:
- Identity verification — Every access request authenticated, MFA required
- Device health — Only compliant, managed devices get access
- Least privilege — Just-in-time access, not permanent
- Microsegmentation — Even inside the network, systems can't freely communicate
- Continuous monitoring — Log everything, alert on anomalies
Microsoft Entra ID (formerly Azure AD) with Conditional Access policies is the most practical way to implement Zero Trust for M365 environments.
Quick Security Wins for This Week
- Enable MFA on all admin accounts today
- Review who has Domain Admin rights — remove anyone who doesn't need it
- Check your backup — when did you last test a restore?
- Verify antivirus/EDR is running on all servers and workstations
- Block legacy authentication protocols (Basic Auth) in M365
Security doesn't require a huge budget. It requires discipline, consistency, and the right fundamentals.