An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet, on computers and on any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries, librarians and anyone else in a library.
An Introduction To IT Security And Privacy In Libraries
1. IT Security For Librarians:
Outrunning The Bear
@ Your Library
Blake Carver
LYRASIS Systems Administrator
2. Week One
•Passwords: L E N G T H & Unique
•Paranoia: Think Before You Click
•BackuPs: Frequent and Automatic
•Patches: Set to Auto
•Ponder Before Posting
Intro
3. Last Week
• Privacy
Surveillance Is The Business Model Of The
Internet
• Carry A Safe, Not A Suitcase
• Email
• Browsers
• Public Wi-Fi
• Social Media
• Mobile Devices
• Backups
4. This Week
Everything You Need To Know
Lock Things Down
Grant Least Privilege
Whitelisting - Patches – Limit Admins
Build a Defensible Library
Threat Modeling
Everything With An IP Address Matters
Training
New Instincts
Never Without The WHY
7. “An iCloud scam that may be worse than
ransomware”
https://blog.malwarebytes.org/mac/2016/03/an-icloud-scam-that-may-be-worse-than-ransomware/
9. The Danger of Apps that Die
About three years ago there was an iPhone app named Kinotopic.
According to their website, which is still up, “Kinotopic allows you to
create, share, and store short video moments and make them more
expressive – in the form of animated pictures and cinemagraphs.”
Past users of Kinotopic may be interested to learn that there is currently
a MongoDB database that appears to belong to Kinotopic sitting out
on the open internet with no protection whatsoever. This derelict
MongoDB instance contains, among other things, the email addresses,
usernames, and hashed passwords for, what appear to be, over
198,000 previous Kinotopic users.
https://mackeeper.com/blog/post/197-the-danger-of-apps-that-die
11. In Cloquet, email and SmartBoards were affected, along with
phones, school bell and food service systems. The middle
school has a one-to-one device program for students that was
affected.
12. From: Geraldo Spence <SpenceGeraldo89626@powernet.bg>
To: <somone@example.com>
Subject: FW: Order Status #001204
Date: Tue, 22 Mar 2016 07:01:47 +0300
Dear someone,
We would like to thank you for your recent order.
Order Status updated on: 21/03/2016
Your Customer ID: 001204
Your Order ID: 4081F78D45-M-2016
Invoice Number: 5978299
Delivery Note:
We received your order and payment on 17/03/2016
Your order details are attached.
Best regards,
Geraldo Spence
Chief Executive Officer - Food Packaging Company
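The cues a trained reader should catch in the message above, written as a small checker. This is an added example, not part of the deck: the message is a constructed copy of what the slide shows, and the vendor allowlist is an assumed, made-up value.

```python
import email
from email import policy

# Constructed copy of the message shown on the slide; only the headers and
# body are on the page, so there is no attachment here.
SAMPLE = """From: Geraldo Spence <SpenceGeraldo89626@powernet.bg>
To: <somone@example.com>
Subject: FW: Order Status #001204
Date: Tue, 22 Mar 2016 07:01:47 +0300

Dear someone,
We would like to thank you for your recent order.
Order Status updated on: 21/03/2016
Your Customer ID: 001204
Your Order ID: 4081F78D45-M-2016
Invoice Number: 5978299
Delivery Note:
We received your order and payment on 17/03/2016
Your order details are attached.
Best regards,
Geraldo Spence
Chief Executive Officer - Food Packaging Company
"""

# Assumed allowlist (hypothetical): domains the library really orders from.
KNOWN_VENDOR_DOMAINS = {"example-library-vendor.org"}
GENERIC_GREETINGS = ("dear someone", "dear customer", "dear user", "dear sir")
LURE_WORDS = ("order", "invoice", "payment")


def phishing_cues(raw, known_domains=KNOWN_VENDOR_DOMAINS):
    """Return the training cues this message trips; an empty list means none."""
    # Each cue is one thing staff are trained to notice before clicking.
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content().lower()
    subject = (msg["Subject"] or "").lower()
    sender_domain = msg["From"].addresses[0].domain.lower()
    cues = []
    if sender_domain not in known_domains:
        cues.append("sender domain %s is not a known vendor" % sender_domain)
    if body.lstrip().startswith(GENERIC_GREETINGS):
        cues.append("generic greeting")
    if subject.startswith(("fw:", "fwd:")):
        cues.append("unsolicited forward")
    if any(w in body for w in LURE_WORDS) and "attached" in body:
        cues.append("order/invoice lure pointing at an attachment")
    return cues


if __name__ == "__main__":
    print("STOP before clicking: " + "; ".join(phishing_cues(SAMPLE)))
```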
13. Libraries Live Below
The Security Poverty Line (Wendy Nather)
We simply can't afford to reach a great level of security
Few or no IT People
Few or no Security People
Hard to keep up with technology and security
Maintenance, planning, strategy are 2nd to OMG
Depend on consultants, vendors, family, patrons,
friends, volunteers, etc...
14. This leaves us in a bad place
Defaults
Old and outdated
Workarounds
Not much control
No time to focus
"We'll fix it later"
15. We ain't got
Budget
People
Time
Hardware
Software
Expertise
16. So what can we do?
Budget?
Buy things that are more secure?
Question our vendors and partners on
security?
Use our consortia?
Outsourcing?
17. So what can we do?
Develop a good Threat Model
Set achievable security goals
Learning, Planning & Training
Develop IT- and security-focused
community groups for the exchange of
ideas, information and known security
threats.
http://security4lib.org/
20. Able To Be Defended
• Defensible does not mean secure
• There are more things to defend than there
are resources to defend with
• Defensibility focuses on what, why, how,
when and from whom
21. Attackers are economically rational – they
take scarce resources and apply them
efficiently to achieve a desired outcome. As
a defender, making the target less attractive
or too expensive for that economically
rational actor means they will go after
something else. “It’s like the old saying:
you don’t have to outrun the
bear. You just have to outrun
your friend.”
22. Defensible Libraries
• A change in mindset
• Awareness of limitations & weaknesses
• Awareness of threats
• An admission of inconvenience
• A lot of hard, detailed and
underappreciated work.
23. So Let’s Think About…
• What do we have to secure?
• Who wants it?
• How could they acquire it?
• How could they benefit from its use?
–Can they sell it?
–Can they hold it hostage?
–Can they use & abuse it?
• How damaging would the loss of data be?
• How would this affect library operations?
• How secure do we really need to be?
27. 83% targets of opportunity
92% of attacks were easy
85% were found by a 3rd party
IT Security For Libraries
Verizon Data Breach Investigations Report
28. 84% were found by a 3rd party
Bad guys were in for 175 days before
they were discovered.
Trustwave Global Security Report
35. Your security software /
hardware is a seat belt – not a
force field.
36. When we protect our library,
we protect our patrons
• People come to us and want things to be
easy and free and fun
• They don’t think about security (Ever)
• Information Literacy
37. Complexity is the Enemy of Security
• We have no shortage of access points
• We deal with any number of vendors
• Threats come from outside the libraries
• Threats come from inside the libraries
•Our libraries are full of people
39. So What Can We do?
• Stop Ignoring it
• Prepare – Threat Modeling
• Prepare - Training
40. Ignoring it and thinking you're safe
“If It Ain’t Broke...”
• The vast majority of attacks…
–Won’t be targeted
–Will Be Easily Avoidable
Do something.... Do Anything!
42. What Does A Library Need To
Protect?
Your Employees Homes / Phones / etc...?
OPAC / ILS
Staff Computers
Databases
Printers / Copiers
Website
Servers
Backups
Printers
Cell Phones
Wi-Fi Routers
Routers
Cell Phones
iPads
Laptops
48. Public Access Computers
Staying Safe On This Computer:
–Make Sure You Log Out
–Don’t Access Sensitive Sites
–Beware of the "remember me" option
–Don't send personal or financial information
via email or insecure websites
49. Public Access Computers
This Week’s Stay Safe Tips
–Never Trust Email
–Learn About Phishing
–Attend Our Security Class
–Always Check For A Secure Connection
51. There is no longer a window to
patch when a vulnerability or
exploit is discovered, in public or
private.
– Brad Arkin, Adobe
52. Locking Down Public Access
Computers
• Patching and Updating
–OS and *ALL* Applications
• Whitelisting
• BIOS passwords
• EMET - microsoft.com/emet
• SteadyState / DeepFreeze / SmartShield
• Check for USB additions
• Don’t use Windows?
• Don’t use IE?
54. Change your mindset – YOU are
the attacker
• What are your library’s most valuable
assets? Where are these assets? How can
they be accessed?
• If you were the attacker how would you
spread malware? And who are the most
‘vulnerable’ targets in the organization?
• Do you have a view on the ‘normal’
behavior of your organization (people,
behavior, locations and systems)?
58. Library Information Security System
Assessment Model (LISSAM)
Awareness Creation
Administrative Tools and Methods
Procedures and Control
Information Security Policy
Technological Security Foundation
59. CIS and CCS introduced the Cyber
Hygiene Campaign
Count: Know what’s connected to and running on
your network
Configure: Implement key security settings to help
protect your systems
Control: Limit and manage admins
Patch: Regularly update all apps, software, and
operating systems
Repeat: Regularly revisit the Top Priorities
https://www.cisecurity.org/about/CHToolkits.cfm
60. Six Steps to Stronger Security
1. Keep an accurate hardware inventory
2. Keep an accurate software inventory
3. Actively manage configurations
4. Remediate vulnerabilities quickly
5. Automate endpoint defenses
6. Control administrative access
https://www.sans.org/reading-room/whitepapers/awareness/steps-stronger-security-smbs-36037
61. Don’t Forget
• Check the internets for usernames/passwords
for your library (e.g. pastebin)
• HTTPS
• Is your domain name going to expire?
• Is your SSL Cert going to expire?
• Typo Squatters?
63. IT Security For Libraries
Training
Building Cybersecurity Champions
64. Training does not work
It's not worth it because someone will
still mess up
People already know what to do
This stuff is easy / obvious
65. Training
Train A Security Mindset
Quickly forgotten without practice and
reminders
Regular low level of training and awareness
66. Good security awareness
programs help all employees
know where to get help
Who they should call when there is trouble
Where they can look for guidance & policies
They should know that they will not be looked
down on for making a mistake
Someone’s job is to help them through
whatever difficulty they are having
67. We can't make everyone
an expert
We do NOT need to train the non-technical
employees about what the deep level geek
employees already know.
68. Building Good Habits
“Being secure” is something that is learned
over time and eventually becomes a habit.
Make the security mindset the default
Consistent reinforcement of the importance of
IT Security
69. What about training UP?
How do we communicate up?
Is your boss/director/board/dean/whatever aware of IT Security? If they
were, would that help make the library more secure? It may be up to you to
help everyone at your library become Security Literate.
So how do you do it?
Start talking & training.
Make sure everyone understands that we are all targets.
If they ask “How secure are we?”…
the answer will most likely scare them.
71. Understanding awareness, training,
and development
What we want is policies that reinforce good
security principles that will foster over time a
new instinct in people, a new way of
looking at things, a new way of acting in
a more secure way.
This will require a huge amount of patience
and buy-in from everyone at your library.
75. Training
• Phishing
• Social Engineering
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• Social Networking
• Updates
76. What we want is policies that reinforce good
security principles that will foster over time a
new instinct in people, a new way of
looking at things, a new way of acting in
a more secure way.
77. The goal is to make doing
things the right way become
the default in your library
78. Training…. Patrons?
• Your patrons don't care much for security
• Their habits are inviting malware
• Look for ways to make things safer in ways
that don't interfere with people's everyday
tasks as much as possible.
• Principle of Least Privilege
80. Library Security Mantra
• Security
• Privacy
• Confidentiality
• Integrity
• Availability
• Access
(based on Net Sec 101 Ayre and Lawthers 2001)
81. Remember:
This about your library’s security and
protecting your library’s brand and
reputation and your patrons.
The only way this can happen is if security
and risk management become regular
parts of library conversation.
82. Preparation - Practical Resources
• SANS 20 Critical Security Controls
– http://sans.org
• Securing Library Technology: A How-To-Do-It Manual
– Earp & Wright
• Strategies to Mitigate Targeted Cyber Intrusions
– Australian Signals Directorate
• Library Information Security System Assessment Model (LISSAM)
– Malaysian Journal of Library & Information Science, Vol. 16, no. 2
Virtual Privacy Lab from the San José Public Library
https://www.sjpl.org/privacy
Library Freedom Project
https://libraryfreedomproject.org/
83. Next Week
Week Four: The Web – Sites & Servers
How & why websites get hacked
Web Servers
Servers in general
Some Hacker Tools
Review
84. IT Security For Librarians:
Outrunning The Bear
@ Your Library
Blake Carver
LYRASIS Systems Administrator
Editor's Notes
Email from Walmart, a footprint I left behind and forgot about.
Digital footprints, we leave them behind in the form of old logins, and also in the trackers and cookies that follow us.
This was a phishing email that WORKED recently. Training would hopefully show that this is clearly a fake.
We’re short staffed and out gunned so it’s important we know that there are things we can do that WILL help.
We can do things that WILL help keep us more secure.
There's something called "Threat Modeling" in IT Security. I like to think of it as just taking a step back and looking at the big picture.
It doesn't necessarily take an expert, but it takes time, and patience and some training.
In libraries, it helps us align our limited resources, work, money, defenses with the threats that pose the greatest risk. That is, those threats that are the most likely to occur and those that could be the hardest to recover from.
Our risks need ranking, and working through some Threat Modeling lets us do that. Sure, we need to lower all risks, but all risks aren't equal. We want to know what our biggest threats are. Those that are likely to be attacked and those that are easy to be exploited. What's most valuable and hardest to recover from. We need to make sure we know what's around and how it can be exploited.
Where do we focus? Where do we even start? It's probably not easy, and looks overwhelming. We need to find ALL the things to defend and decide how to best defend them. Then, take a look at what we have and rank them. All those things on your list are not equal. Start with the highest risks. The things most easily exploited. The most valuable things.
We have limited time/people/money we need to have priorities because there is SO much to worry about, so we need to know our threats RANKED and how we're going to defend them. We want to make sure we're able to focus what we have in the right place, and that's what this is about. Going from overwhelmed, to a starting point, a place to focus. All the many threats we face are not equally dangerous, and our defenses are not all equal. A good starting point is knowing what's been hit before. What caused that breach/exploit/hack (Patches, social engineering, passwords, misconfiguration).
How do we rank all these things?
What do we have to protect?
Everything with an IP
Everything isn't equal
How likely is each thing to be attacked?
It's been attacked before?
Common Device?
Attack surface?
Easy to run common tools to test for exploits?
how easy is this thing to find/exploit?
Does it contain PII or CC#s or anything that can be sold?
Has it ALREADY been exploited in this OR another library?
Can people touch this thing?
Work up scenarios.
How hard is this thing to defend?
Replace with another thing?
How much work is involved?
Work up scenarios.
Who is going to attempt to attack it?
Location? Remote / Local?
Capabilities? Talented / Beginner?
Bot / Automated / Human?
Work up scenarios.
What happens when it is compromised?
What do you lose?
How hard to recover?
How much damage?
How many people are impacted?
How important is this thing?
Work up scenarios.
Let's not overlook people!
Training / Planning
Can they rank threats?
Do they know the top 5 threats? ANY threats?
So now what?
- Research & Learn
- Collect & count
- Rank
- Plan
- Put defenses in place
- Train
- Review
- Repeat
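The "collect, count, rank" step above, carried through on the deck's own questions (attacked before, attack surface, physical access, sellable data, recovery effort, people impacted, defence effort). This is an added example and not part of the presentation; the inventory and every score in it are constructed for illustration, and the 1-to-5 scales and the likelihood-times-impact formula are my assumptions, not a published method.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One thing with an IP address, scored with the deck's questions (1 = low, 5 = high)."""
    name: str
    attacked_before: bool   # hit here or in another library already?
    exposure: int           # attack surface / how easy to find and probe
    physical_access: bool   # can patrons or visitors touch it?
    sellable_data: bool     # PII, card numbers, anything that can be sold
    recovery_effort: int    # how hard to rebuild after compromise
    people_impacted: int    # how many staff/patrons lose something
    defence_effort: int     # how much work it takes to defend


def likelihood(a):
    # Prior incidents and hands-on access push a device up the scale, capped at 5.
    score = a.exposure + (2 if a.attacked_before else 0) + (1 if a.physical_access else 0)
    return min(score, 5)


def impact(a):
    # Worst of "hard to recover" and "many people hurt", plus a bump for sellable data.
    score = max(a.recovery_effort, a.people_impacted) + (2 if a.sellable_data else 0)
    return min(score, 5)


def risk(a):
    # Classic likelihood x impact, 1..25.
    return likelihood(a) * impact(a)


def rank(assets):
    # Highest risk first; among equals, the cheaper-to-defend item comes first.
    return sorted(assets, key=lambda a: (-risk(a), a.defence_effort, a.name))


# Constructed inventory built from the deck's "what does a library need to protect" list.
INVENTORY = [
    Asset("Staff computers", True, 3, False, True, 3, 2, 3),
    Asset("Website", True, 5, False, False, 3, 4, 3),
    Asset("OPAC / ILS", False, 3, False, True, 5, 5, 4),
    Asset("Public access computers", True, 4, True, False, 2, 3, 2),
    Asset("Wi-Fi routers", False, 4, True, False, 2, 4, 2),
    Asset("Printers / Copiers", False, 2, True, False, 1, 2, 1),
]

if __name__ == "__main__":
    for a in rank(INVENTORY):
        print("%2d  %s" % (risk(a), a.name))
```

The output is a starting order for the "Plan" and "Put defenses in place" steps; re-score after each review cycle so the list reflects what actually got hit.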
The bad guys are always one step ahead. They’re always looking for new ways in.
http://www.zdnet.com/article/hand-on-with-kali-linux-rolling/
A nice write up of Kali
http://arxiv.org/ftp/arxiv/papers/1301/1301.5386.pdf
Also worth doing some Google Scholar (or real DB) searches on this, lots of good cites out there.
What’s your library policy on thumb drives? They are likely infected.
Or at least building people who are careful and understand the risks.
People will complain :-D
Make sure people know WHY this matters. How common it is. What will happen.
If we look at something we know, something we’re an expert about, then it looks different. I know bikes, I know all about that bike just by looking at it.
This is how we want everyone to look at a bad site, or a phishing email.
So what should we train? All the things we outline here.