Threat Profile: IT Professional and Sysadmin
You manage other people's systems. That makes you an attractive target — not for your own data, but for the access you have. Your personal security is organisational security.
This profile is for sysadmins, DevOps engineers, developers, IT managers, and anyone with privileged access to other people’s systems.
The fundamental difference from other profiles: you’re not an endpoint, you’re a link in a chain. Attackers aren’t primarily interested in your personal data — they want the access you have to systems, infrastructure, and other people’s data.
That makes your personal security a professional responsibility.
Threat analysis
Supply chain attacks
A compromised sysadmin can provide access to hundreds of systems. Attackers invest more in targeting IT professionals than in directly attacking systems — it’s more efficient.
Social engineering is more sophisticated
Attackers know you’re technical. They impersonate vendors, colleagues from IT teams at other organisations, or suppliers. The phishing emails targeting you aren’t the blunt “your package wasn’t delivered” variety — they mimic Terraform Cloud alerts, GitHub security notifications, or tools you specifically use.
Privilege creep
Sysadmins receive rights “just for this project” that are never revoked. After a year you have admin access to dozens of systems you can’t remember the purpose of. Every active credential is an attack surface.
Home network as an attack path
If you have SSH access to production environments from home, your home network is part of your employer’s attack surface. A compromised home network is a lateral movement path to the infrastructure you manage.
Checklist
Credentials and access
- Unique passwords everywhere — a shared password between personal and work accounts is a direct attack vector
- Hardware 2FA (YubiKey) for all critical systems — phishing-resistant by design
- Manage SSH keys: know which keys are active, always use a passphrase, rotate regularly
- API tokens and secrets: store in a secret manager, never in .env files in repos
- Actively remove access when a project ends — don’t wait for someone else to do it
Separation of work and personal
- Use a separate device for work admin tasks, or at minimum a separate browser profile with separate sessions
- Don’t browse personal content in the same session as work infrastructure management
- Personal password manager not shared with work credentials — if your personal device is compromised, it shouldn’t cascade to work
Home network
- VLAN segmentation at home: IoT devices (smart TV, cameras, thermostat) on a separate segment from work traffic
- Router firmware up to date — you know how to do this, so no excuse
- DNS filtering on home network (AdGuard Home, Pi-hole) — also blocks malware domains
- If you VPN into work infrastructure: the machine you do it from must be clean
Code and repositories
- Scan repos for hardcoded secrets before pushing (truffleHog, git-secrets)
- Signed commits — not just for integrity, also for non-repudiation
- Dependency audits — you’re responsible for what you import
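The pre-push secrets check from the list above, as an added shell example that is not from the original page and is not truffleHog or git-secrets itself: a grep-based hook that refuses env files and lines matching a few high-value secret patterns. The pattern list, file names and the demo input are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal grep-based secrets
# check of the kind a git pre-commit/pre-push hook runs. The patterns are
# illustrative; truffleHog or git-secrets cover far more.

# scan_for_secrets FILE...  Exit 0 when every file is clean, 1 when any file
# is an env file or contains a line matching a secret pattern.
scan_for_secrets() {
    patterns=$(mktemp)
    # One extended regex per line (assumed list, not exhaustive):
    # AWS access key id, PEM/OpenSSH private key header, GitHub token,
    # and "password=<value>"-style assignments with values of 8+ chars.
    cat > "$patterns" <<'EOF'
AKIA[0-9A-Z]{16}
-----BEGIN( [A-Z ]+)? PRIVATE KEY-----
gh[pousr]_[A-Za-z0-9]{36}
(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[[:space:]]*[=:][[:space:]]*["']?[A-Za-z0-9+/_=.-]{8,}
EOF
    found=0
    for f in "$@"; do
        case "$(basename "$f")" in
            .env.example|.env.sample) ;;   # templates without values are fine
            .env|.env.*) echo "BLOCK $f: env file must not be committed"; found=1 ;;
        esac
        # -n prints the offending line numbers so the author can fix them
        if [ -f "$f" ] && grep -E -i -n -f "$patterns" "$f"; then
            echo "BLOCK $f: possible hardcoded secret (see lines above)"
            found=1
        fi
    done
    rm -f "$patterns"
    return $found
}

# As .git/hooks/pre-commit, scan only the staged files:
#   scan_for_secrets $(git diff --cached --name-only --diff-filter=ACM) || exit 1

# Stand-alone demo on constructed files. The key is the sample from AWS's
# own documentation, not a live credential.
demo=$(mktemp -d)
printf 'DB_HOST=localhost\n' > "$demo/config.py"
printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$demo/settings.py"
scan_for_secrets "$demo/config.py" "$demo/settings.py" || echo "commit would be blocked"
rm -rf "$demo"
```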
Incident response for yourself
- Know how to quickly revoke credentials if you lose a device
- Have a plan for if you get compromised: who do you call, what do you revoke, in what order
- Document your own accesses — you should be able to list right now which systems you have admin rights to
The principle of least privilege — for yourself too
The tendency to give yourself full access “because it’s easier” is understandable. But it’s also a risk. If your account is compromised, your own privilege level determines how much damage an attacker can do.
- Use root or admin rights only when genuinely necessary — then close the session
- Separate admin accounts for management tasks, daily account for everything else
- Least privilege applies to yourself as strictly as to users you manage
NIS2 and regulatory context
The NIS2 directive (in effect across the EU from October 2024) requires essential and important entities to demonstrate security measures. As an IT professional at an organisation subject to NIS2, you carry direct responsibility for compliance.
Your national cybersecurity centre (NCSC in the Netherlands, CISA in the US, NCSC in the UK) publishes threat analyses and advisories specific to your sector — worth monitoring if you work in critical infrastructure.
Tools
| Purpose | Tool | Note |
|---|---|---|
| Hardware 2FA | YubiKey | For critical systems and SSH |
| Secret management | HashiCorp Vault / 1Password Secrets | Not in .env in repos |
| DNS filtering at home | AdGuard Home / Pi-hole | Also blocks malware domains |
| Secrets scanning | truffleHog / git-secrets | Pre-push hooks |
| Network segmentation at home | GL.iNet + OpenWrt / OPNsense | VLAN for work/personal/IoT |
| Secure communication | Signal | For incident response with colleagues |
See also:
- Threat Profile: High Risk — for the highest threat levels
- YubiKey vs Nitrokey Review — hardware authentication
- Network Segmentation: VLANs at Home — home network hardening
- AdGuard Home Review — DNS filtering at home
- GL.iNet Beryl AX Review — for home network segmentation