Library Security Issues

From IT Security For Libraries Wiki

Security In Your Library

Understand the threats to devise practical and relevant defense

How does security fit into the mission of your library?

The average Web-based application is hit by a cyberattack once every two minutes, says a report out today by security firm Imperva.

What are the biggest mistakes you can make with your security policies in your library?
Not preparing
Not training
Ignoring the problem, or thinking you're safe
Not having a good understanding of what keeps you safe
Not knowing what your vendors are doing or will do when something goes wrong

Hackers will target your library. Size doesn't matter. Automated tools make it easy for them to find sites, ANY sites, and make trouble, or worse. Maybe someone wants in as a way to get elsewhere.

This is not simple stuff. Even in a small library there are still a million things to worry about. It's NOT only the fools who are getting hacked -- the ones who reused a password, didn't scan their Web site code, or let their users click on a bad link in an email. Most libraries don't have the money, time, people or resources to secure even the small number of resources they have. Larger libraries may be able to afford more time spent on security, but then they also have more things to secure. Unfortunately, security doesn't scale up very easily. This doesn't mean give up! We still need to work on some part of security in our libraries as much as possible. We can talk all day about how we should operationalize security more, and vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon, especially since the economics aren't overly favorable. [citation?]

The answer is to take a realistic view of the assets at risk and protect them as effectively as is reasonable. We can't all hire someone to devote to security full time. The sooner we start seeing information security as something to do well because it adds value, rather than merely as a drain on expenditure which we need to minimize, the better!

Raising security awareness: It is important that library staff be aware of security and incorporate it into their everyday work. They need to understand that what they do has consequences. They need to change certain work practices; they need to become part of the solution, rather than part of the problem.

avoid giving access to sensitive and valuable assets to those who have no need-to-know
monitor access and use by those who do need to know
strictly enforce laws, regulations, policies, and standards with severe negative consequences for those not adhering to the rules as a strong deterrent.

Make sure you're checking the internet for leaked usernames/passwords belonging to your library
Security needs to be an integrated process in everything
Build trust and security into your systems.
Are your users assuming a level of competence with your library's security?
Design for uncertainty. You don't know how people will attack.
Information security includes personnel security, privacy, policy and computer security.
Is your domain going to expire?
Do you know where your security holes are? (vulnerability analyzer)
The biggest threat to everything is people downloading stuff they shouldn't
Training - Your staff needs basics
Do they even know what anti-virus program looks like?
Is someone penalized for failure
Do they know to be careful of phone calls from strangers?
Your library should have policies and procedures in place
Dedicated staff? At least assign staff to certain areas
Someone needs to have this as a permanent assignment
Training - Stay up to date
User logins and passwords to ezproxy
Are all your computers patched?
Think like a bad guy and try and see what you can do
The public access computers - What can be stolen?
What about PHYSICAL security?
IP cameras?
Disaster recovery plan
Penetration Testing
The goals of security in your library?
To protect confidentiality by ensuring private information is kept private.
To ensure data integrity by preventing data from being inappropriately changed or deleted.
To ensure data availability by making sure services are available and uninterrupted, that data can be accessed whenever it is needed, and that data can be restored quickly.
Public access computer security must at least ensure Availability.
Library staff and information systems personnel should work together to complete the following:
1. Perform a risk assessment of the threats to, and vulnerabilities of, the library's computers and networks.
2. Create a security policy which includes specific protection strategies.

Do you have a security policy in place?
Do you have a disaster recovery plan in place?
Do you have funding and time for this?
Do you have funding for the trouble this will cause if you do NOTHING?
Bad security policies cost time, money, reputation and trust
Default installations are frequently insecure
Libraries have no shortage of access points.
Libraries deal with multiple vendors
Threats come from within the libraries, and from external sites
Now that every damn thing sold has a Wi-Fi antenna in it, does that change things?
Wi-Fi client surge forcing fresh wireless LAN thinking, by John Cox, Network World
Thinking of moving to a SaaS (Cloud, hosted, whatever) model of hosting whatever?
What happens if that gets hacked?
How does that provider handle security?
How often do they do audits?
What does the provider consider to be its critical service and information security success factors?
How does the provider measure its IT service and information security management performance?
Do they at least use the Open Web Application Security Project (OWASP) Top 10 list of Web application vulnerabilities?
Do they use any standards or certifications?
Before signing any SaaS contract, you must be assured company information and data will be protected to the highest reasonable standards, and that the business will not be adversely affected due to application unavailability.

If companies patch the most popular 37 Windows programs, they could cut their risk by 80 percent, according to a report released on Wednesday by vulnerability management and information firm Secunia.

If nothing else you need to be prepared for a crisis:
1. Expect to have a crisis event
2. Have a predefined crisis communication plan in place.
3. Acknowledge the problem immediately.
5. Become the news breaker
5. Leverage social media
6. Be accountable
7. Make it right

Security isn't easy. Don't blame the victims for being human.

A web environment has four layers that need protection: the Network level, the Application level, the Operating System level and the Database level. Most people think of these layers as being one within the other, like concentric circles. They reason that if they protect the outermost level, the inner levels are automatically protected.

Security doesn't have to be all technical, all the time. If you run a small business, or have a family member who struggles with basic security principles, pick a couple of topics from the list to work into a conversation or presentation. The content is already there, and you can start creating awareness by continually using the content and referring people to the site for more information.

So what should you do when you discover your library records, or anything else, have been breached?
Admit your mistake
Figure out what happened as soon as possible
Fix anything that needs to be fixed
Be proactive in the future

1. Patch applications
2. Patch OS vulnerabilities
3. Minimize the number of users with domain or local admin privileges
4. Application whitelisting (e.g. AppLocker, McAfee Application Control)

Three stages of an attack:
1. Code execution
2. Network propagation
3. Data exfiltration

Your preparations should address those three stages in some way. Each measure you put in place should be one or more of the following:

1. Designed to prevent or detect an intrusion
2. Helps mitigate code execution
3. Helps mitigate network propagation
4. Helps mitigate data exfiltration

The three costs of security
User Resistance
Upfront Cost
Maintenance Cost

Your employees don't care much for security, your patrons don't care (or worse, are trying to break it), no one cares. So it's important to also make sure security is built in as much as possible. You can't just add in a new step; people will find ways around it. And training and awareness might help with some, but for the most part people don't give a darn. That's not to discount training. This type of training should be required for everyone to help them not just at work, but at home and anywhere else. So if possible, in the library, we need to take away rights and decisions and save people from themselves, and each other. Of course this will make people angry. Users don't want to be saved. They want to do what they want to do, when they want to do it. So we need to define a set of acceptable behaviors and block everything else.

Make sure you can at least answer some of these:

What does it cost us if this system goes down?
Who uses this system?
How easy are the assets to replace?

The next step involves evaluating the ease of attacking these critical assets. As on the asset side, you focus on the relative ease of attack and the associated threat models. You can use categories like: Swiss cheese, home safe, bank vault, and Fort Knox.

Lesson #1: As the defender, your job is at least an order of magnitude harder than the hacker.

That's absolutely correct. As the attacker, you typically have the luxury of time and resources. You can avoid the well-fortified front gate and go around back and jiggle the handles on the doors no one thinks to lock. This is real-life attacking. Attackers have time on their side, and know that it is human nature to over-protect the things we value, but to forget to protect those things that we feel are not-so-important... even though they are often connected to those super-critical things.

Lesson #2: You have to understand how things are connected together to understand risks, form a defensive strategy.

This year's Black Hat conference and Defcon 19 reminded me of this quite well. There was no shortage of hacking things such as insulin pumps, automobile remote start/open systems over SMS, and other random stuff that proves that breaking in is harder than keeping the bad guys out.

Can you do this in your library?

1) Include security responsibilities in all job descriptions.
2) Tie security performance into employee performance reviews.
3) Include disciplinary actions for all security incidents.

When looking at what you have, you need to think like an attacker. You need to think about what they're after, and how easy it will be for them to get anything from you. If it's going to be quick and easy for them to get in and get what they want, they'll come right after you. They may want usernames and passwords. They may want to SQL inject some malware. They may want to deface your site. They may want your ILS. They may want to hide pages on your site to do phishing. They may want to do blackhat SEO or search poisoning. They may want your server to send spam.

So where do you focus? They'll first look around and see how things work. Focus your energy on the easiest/cheapest attacks. The hardest part for them is to figure out what you have, where things are, and what OS you're running. Deny access to as much as possible, and hide things as much as possible. Make sure to use detection methods so at least you'll know when someone gets in. Never assume you know what they're after.

What does your library have to lose?

Positive feelings
Angry users
Bad publicity
Money and time lost

The Security Mantra [Via Oneanta]

• Confidentiality • Integrity • Availability