Everything You Need To Know
Use Good Passwords
Stay Paranoid & Vigilant
Use Routine Backups
Keep Everything Patched / Updated
Think Before You Share Or Connect
Intro
Security
Cyber Security? IT Security? Safety? Information Security?
Information Literacy? The Digital Divide?
Why does this keep happening?
The Internet was built for openness and speed
More Things Online – More Targets
Old, out-of-date systems and budget shortfalls
New poorly designed systems
Surveillance is the business of the Internet
Vulnerabilities
The vulnerability can be exploited remotely
Used without any account credentials
Not easily noticed or repaired
The attack can be used, reused and scaled
Chained and used with other common vulnerabilities
ALL the tools and attacks only ever get bigger, better, faster, stronger, cheaper, easier and more common.
Not much of this crime is new
Automation
Distance
"Technique Propagation"
(“Only the first attacker has to be skilled; everyone else can use his software.”)
It's Safe Behind The Keyboard
Hacking is a really safe crime, comparatively, next to other real-life crime.
Where Are They Working?
• Social Networks
• Search Engines
• Advertising
• Email
• Web Sites
• Web Servers
• Home Computers
• Mobile Devices
What Are They After?
• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Usernames
• Contact Lists
• Emails
• Phone Numbers
• Your Hardware...
What's It Worth?
Credit Cards: $5-$30
    Basic or "Random": $5-$8
    With Bank ID#: $15
    With Date of Birth: $15
    With Fullzinfo: $30
Payment service accounts: $20-$300
    Containing from US$400 to $1,000: between $20 and $50
    Containing from $5,000 to $8,000: $200 to $300
Bank login credentials: $190-$500
    A $2,200 balance account selling for $190; $500 for a $6,000 account balance, up to $1,200 for a $20,000 account balance
Online premium content services: $0.55-$15
    Online video streaming: $0.25 to $1
    Premium cable channel streaming services: $7.50
    Premium comic book services: $0.55
    Professional sports streaming: $15
Loyalty, community accounts: $20-$1,400
    A major hotel brand loyalty account with 100,000 points for sale for $20
    An online auction community account with high reputation marks priced at $1,400
"The Hidden Data Economy" study by McAfee, October 2015
http://www.symantec.com/connect/blogs/netflix-malware-and-phishing-campaigns-help-build-emerging-black-market
"None of this is about being 'unhackable'; it's about making the difficulty of doing so not worth the effort."
Building a Defensible Library
Lock Things Down
Grant Least Privilege
Whitelisting – Patches – Limit Admins
Threat Modeling
Everything With An IP Address Matters
Training
New Instincts
Never Without The WHY
Libraries Live Below The Security Poverty Line
(Wendy Nather)
We simply can't afford to reach a great level of security
Few or no IT People
Few or no Security People
Hard to keep up with technology and security
Maintenance, planning, strategy are 2nd to OMG
Depend on consultants, vendors, family, patrons, friends, volunteers, etc...
What Does A Library Need To Protect?
OPAC / ILS
Staff Computers
Databases
Printers / Copiers
Website
Servers
Backups
Printers
Cameras
Wi-Fi Routers
Routers
Cell Phones
iPads
Laptops
Things (The IoT)
● Security is an afterthought.
● The lack of security education by most of the stakeholders
● The lack of security education by consumers
● Security is a cost center
● Security makes things more expensive
● Security makes things hard to use
Locking Down Computers
• Patching and Updating – OS and *ALL* Applications
• Whitelisting
• BIOS passwords
• SteadyState / DeepFreeze / SmartShield
• Check for USB additions
• Admin
• Don't use Windows?
• Don't use IE?
IT Security For Libraries
Don’t Forget
• Check the internet for usernames/passwords for your library (e.g. pastebin.com)
• HTTPS
• Is your domain name going to expire?
• Is your SSL Cert going to expire?
• Typo Squatters?
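A small script for the "Is your SSL Cert going to expire?" item, added here as an example and not code from the presentation: it connects to each of the library's public hostnames on port 443, reads the certificate the server presents, and reports how many days remain before it expires. Domain-name expiry is a separate WHOIS lookup and is not covered. The 30-day warning threshold and the hostnames in the list are assumptions; replace them with your own.

```python
"""Certificate-expiry check for the 'Don't Forget' list.

Added example, not code from the presentation. Reads the TLS certificate
a server presents and reports how many days remain before it expires.
The 30-day warning threshold and the host list are assumptions.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: warn when fewer than 30 days remain


def days_until_expiry(not_after, now=None):
    """Whole days until `not_after`; negative if already expired.

    `not_after` is the string getpeercert() returns, e.g.
    'Jan 15 12:00:00 2026 GMT'. `now` defaults to the current UTC time
    and is a parameter so the arithmetic can be checked offline.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # epoch seconds, UTC
    if now is None:
        now = datetime.now(timezone.utc)
    remaining = expiry_ts - now.timestamp()
    return int(remaining // 86400)


def classify(days, warn_days=WARN_DAYS):
    """Turn a day count into the status a checklist wants to see."""
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "RENEW SOON"
    return "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect with normal certificate validation and return notAfter.

    Validation is left on deliberately: a certificate that fails
    validation (wrong name, untrusted issuer) is itself a finding,
    and the ssl.SSLError raised here reports why.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host):
    """Return (host, status, detail) for one hostname; never raises."""
    try:
        not_after = fetch_not_after(host)
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        return host, "ERROR", str(exc)
    days = days_until_expiry(not_after)
    return host, classify(days), "%d days left (notAfter %s)" % (days, not_after)


if __name__ == "__main__":
    # Assumption: the library's public hostnames; replace with your own.
    for name in ["www.example.org", "catalog.example.org"]:
        print("%-25s %-10s %s" % check_host(name))
```

Run it from cron or a scheduled task and treat any line other than OK as a ticket; an ERROR line usually means the certificate or hostname is already wrong, not that the check failed.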
http://www.pewinternet.org/files/2015/09/2015-09-15_libraries_FINAL.pdf
Offer Training At Your Library
The correlation between effort & results is questionable
You could have no security and be lucky.
You could have great security and just get really unlucky and have a determined hacker.
Remember:
This is about your library's security and protecting your library's brand and reputation and your patrons.
The only way this can happen is if security and risk management become regular parts of library conversation.
Everything You Need To Know
Use Great Passwords
Strong (Long, Complex)
Unique
Stay Paranoid & Vigilant
Never Trust Anything or Anyone
Always Double Check
Think Before You Click
Use Routine Backups
Keep Everything Patched / Updated
Think Before You Share