
IT Security For Librarians

Blake Carver LYRASIS Systems Administrator

Everything You Need To Know

Use Good Passwords

Stay Paranoid & Vigilant

Use Routine Backups

Keep Everything Patched / Updated

Think Before You Share Or Connect

Intro

Other Things

Passwords are Key
All Software Has Flaws
Security Is Complicated
Everyone Plays A Part

If vs. When

Some things are IFs, some things are WHENs

Some things are likely, some things are possible

Bad Guys? Hackers? Crackers? Criminals?

Security

Cyber Security? IT Security? Safety? Information Security?

Information Literacy? The Digital Divide?

“Security is two different things: it's a feeling and it's a reality.”

Bruce Schneier – TEDxPSU

Security isn’t either/or

Secure or Vulnerable

Security & Privacy are getting better, but they're getting worse faster

Why does this keep happening?

The Internet was built for openness and speed

More Things Online – More Targets

Old, out-of-date systems and budget shortfalls

New poorly designed systems

Surveillance is the business of the Internet

Vulnerabilities

What makes a vulnerability dangerous?

The vulnerability can be exploited remotely

Used without any account credentials

Not easily noticed or repaired

The attack can be used, reused and scaled

Chained and used with other common vulnerabilities

Why?

Professionals

And Everyone Else

Bad Guys

Skill, Focus, Tools, Time, Training

ALL the tools and attacks only ever get bigger, better, faster, stronger, cheaper, easier and more common.

Not much of this crime is new

Automation, Distance, "Technique Propagation"

(“Only the first attacker has to be skilled; everyone else can use his software.”)


The technology of the internet makes the bad guys vastly more efficient.


It's Safe Behind The Keyboard

Hacking is a really safe crime, comparatively, next to other real-life crime.

Where Are They Working?

• Social Networks
• Search Engines
• Advertising
• Email
• Web Sites
• Web Servers
• Home Computers
• Mobile Devices

This is the work of a rogue industry, not a roguish teenager


What Are They After?

• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Usernames
• Contact Lists
• Emails
• Phone Numbers
• Your Hardware...

http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/?utm_source=feedburn

Personal information is the currency of the underground economy

Personal information is the currency of the entire Internet economy

What's It Worth?

Credit Cards: $5-$30
• Basic or “Random”: $5-$8
• With Bank ID#: $15
• With Date of Birth: $15
• With Fullzinfo: $30

Payment service accounts: $20-$300
• Accounts containing from US$400 to $1,000: between $20 and $50
• Accounts containing from $5,000 to $8,000: range from $200 to $300

Bank login credentials: $190-$500
• A $2,200 balance account selling for $190
• $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance

Online premium content services: $.55-$15
• Online video streaming: $0.25 to $1
• Premium cable channel streaming services: $7.50
• Premium comic book services: $0.55
• Professional sports streaming: $15

Loyalty, community accounts: $20-$1400
• A major hotel brand loyalty account with 100,000 points for sale for $20
• An online auction community account with high reputation marks priced at $1,400

"The Hidden Data Economy" study by McAfee, October 2015

http://www.symantec.com/connect/blogs/netflix-malware-and-phishing-campaigns-help-build-emerging-black-market

"None of this is about being 'unhackable'; it’s about making the difficulty of doing so not worth the effort."

https://www.teachprivacy.com/the-health-data-breach-and-id-theft-epidemic/

Think Different…

Have A Hacker Mindset

Have A Security Mindset


Building a Defensible Library

Lock Things Down: Grant Least Privilege, Whitelisting, Patches, Limit Admins

Threat Modeling: Everything With An IP Address Matters

Training: New Instincts, Never Without The WHY

Libraries Live Below The Security Poverty Line

(Wendy Nather)

We simply can't afford to reach a great level of security

Few or no IT People

Few or no Security People

Hard to keep up with technology and security

Maintenance, planning and strategy come second to the latest OMG emergency

Depend on consultants, vendors, family, patrons, friends, volunteers, etc...

What Does A Library Need To Protect?

OPAC / ILS, Staff Computers, Databases, Printers / Copiers, Website, Servers, Backups

Printers, Cameras, Wi-Fi Routers, Routers, Cell Phones, iPads, Laptops

Things (The IoT)

● Security is an afterthought
● The lack of security education by most of the stakeholders
● The lack of security education by consumers
● Security is a cost center
● Security makes things more expensive
● Security makes things hard to use

Locking Down Computers

• Patching and Updating – OS and *ALL* Applications
• Whitelisting
• BIOS passwords
• SteadyState / DeepFreeze / SmartShield
• Check for USB additions
• Admin
• Don’t use Windows?
• Don’t use IE?

IT Security For Libraries

Don’t Forget

• Check the internet for usernames/passwords for your library (e.g. pastebin.com)
• HTTPS
• Is your domain name going to expire?
• Is your SSL cert going to expire?
• Typo squatters?
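A small stdlib-only checker for the "is your SSL cert going to expire?" item above. This is an added example, not code from the original talk; the hostnames, dates and the fixed "today" are constructed, and `fetch_not_after` is a hypothetical helper for live use.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory: hostname -> certificate notAfter, in the format the
# ssl module reports (same text `openssl x509 -noout -enddate` prints after
# "notAfter="). Hostnames and dates are made up for this example.
SAMPLE_CERTS = {
    "catalog.example-library.org": "Mar 01 12:00:00 2026 GMT",
    "www.example-library.org": "Jan 15 00:00:00 2026 GMT",
    "old.example-library.org": "Dec 01 00:00:00 2025 GMT",
}
# Fixed "today" so the sample run is reproducible offline.
SAMPLE_NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)

def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until notAfter (negative once the cert has expired)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days

def expiry_status(not_after: str, now: datetime, warn_days: int = 30) -> str:
    """Classify a certificate as EXPIRED, EXPIRING (within warn_days) or OK."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"

def report(certs: dict, now: datetime, warn_days: int = 30) -> dict:
    """Map each host to (status, days_left) so renewals can be scheduled in time."""
    return {host: (expiry_status(na, now, warn_days), days_until_expiry(na, now))
            for host, na in certs.items()}

def sample_report() -> dict:
    return report(SAMPLE_CERTS, SAMPLE_NOW)

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live lookup of a server's notAfter (needs network; not used in the sample).
    An already-expired or untrusted cert fails the handshake with
    SSLCertVerificationError, which is itself a finding worth reporting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    for host, (status, days) in sample_report().items():
        print(f"{status:8} {days:5d} days  {host}")
```

Replace `SAMPLE_CERTS` with `{host: fetch_not_after(host) for host in your_hosts}` and `SAMPLE_NOW` with `datetime.now(timezone.utc)` to check real hosts.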

Thumb Drives

http://www.pewinternet.org/files/2015/09/2015-09-15_libraries_FINAL.pdf

Offer Training At Your Library

The correlation between effort & results is questionable

You could have no security and be lucky.

You could have great security and just get really unlucky and have a determined hacker.

Do something to make the bad guys' job harder

Perfect is the enemy of the Good

Remember:

This is about your library’s security and protecting your library’s brand, reputation and patrons.

The only way this can happen is if security and risk management become regular parts of library conversation.

Everything You Need To Know

Use Great Passwords: Strong (Long, Complex), Unique

Stay Paranoid & Vigilant

Never Trust Anything or Anyone; Always Double Check

Think Before You Click

Use Routine Backups

Keep Everything Patched / Updated

Think Before You Share
