This presentation was provided by Blake Carver of Lyrasis during the NISO webinar, Digital Security: Protecting Library Resources against Piracy, held on November 16, 2016.
2. Attackers are economically rational – they take scarce resources and apply them efficiently to achieve a desired outcome. As a defender, making the target less attractive or too expensive for that economically rational actor means they will go after something else.
“It’s like the old saying: you don’t have to outrun the bear. You just have to outrun your friend.”
Brad Arkin, Adobe's chief security officer
3. Everything You Need To Know
Build a Defensible Library
Lock Everything Down
Assume your secrets are not safe
Threat Modeling
Training
4. From: Geraldo Spence <email@example.com>
To: <somone@example.com>
Subject: FW: Order Status #001204
Date: Tue, 22 Mar 2016 07:01:47 +0300
Dear someone,
We would like to thank you for your recent order.
Order Status updated on: 21/03/2016
Your Customer ID: 001204
Your Order ID: 4081F78D45-M-2016
Invoice Number: 5978299
Delivery Note:
We received your order and payment on 17/03/2016
Your order details are attached.
Best regards,
Geraldo Spence
Chief Executive Officer - Food Packaging Company
6. Libraries Live Below The Security Poverty Line (Wendy Nather)
We simply can't afford to reach a great level of security
Few or no IT People
Few or no Security People
Hard to keep up with technology and security
Maintenance, planning, strategy are 2nd to OMG
Depend on consultants, vendors, family, patrons,
friends, volunteers, etc...
7. This leaves us in a bad place
Defaults
Old and outdated
Workarounds
Not much control
No time to focus
"We'll fix it later"
8. So what can we do?
Budget?
Buy things that are more secure.
Question our vendors and partners on
security.
Use our consortia
9. So what can we do?
Develop a good Threat Model
Set achievable security goals
Learning, Planning & Training
Develop IT- and security-focused
community groups for the exchange of
ideas, information and known security
threats. (Associations and Conferences)
11. Able To Be Defended
• Defensible does not mean secure
• There are more things to defend than there
are resources to defend with
• Defensibility focuses on what, why, how,
when and from whom
12. Defensible Libraries
• A change in mindset
• Awareness of limitations & weaknesses
• Awareness of threats
• An admission of inconvenience
• A lot of hard, detailed and
underappreciated work.
13. So Let’s Think About…
• What do we have to secure?
• Who wants it?
• How could they acquire it?
• How could they benefit from its use?
–Can they sell it?
–Can they hold it hostage?
–Can they use & abuse it?
• How damaging would the loss of data be?
• How would this affect library operations?
• How secure do we really need to be?
19. 83% targets of opportunity
92% of attacks were easy
85% were found by a 3rd party
IT Security For Libraries
Verizon Data Breach Investigations Report
20. 84% were found by a 3rd party
Bad guys were in for 175 days before
they were discovered.
Trustwave 2012 Global Security Report
26. Your security software /
hardware is a seat belt – not a
force field.
27. Complexity is the Enemy of
Security
• We have no shortage of access points
• We deal with any number of vendors
• Threats come from outside the libraries
• Threats come from inside the libraries
• Our libraries are full of people
28. “If It Ain’t Broke...”
• The vast majority of attacks…
–Won’t be targeted
–Will Be Easily Avoidable
–Will be invisible
Do something.... Do Anything!
34. Public Access Computers
Staying Safe On This Computer:
–Make Sure You Log Out
–Don’t Access Sensitive Sites
–Beware of the "remember me" option
–Don't send personal or financial information
via email or insecure websites
37. There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.
Brad Arkin, Adobe
38. Locking Down Public Access
Computers
• Patching and Updating
–OS and *ALL* Applications
• Whitelisting
• Passwords
• SteadyState / DeepFreeze / SmartShield
• Don’t use Windows?
• Don’t use IE?
40. Library Information Security System
Assessment Model (LISSAM)
Awareness Creation
Administrative Tools and Methods
Procedures and Control
Information Security Policy
Technological Security Foundation
41. Change your mindset
YOU are the attacker
• What are your library’s most valuable assets? Where are these assets? How can they be accessed?
• If you were the attacker how would you
spread malware? And who are the most
‘vulnerable’ targets in the organization?
• Do you have a view on the ‘normal’
behavior of your organization (people,
behavior, locations and systems)?
45. Library Information Security System
Assessment Model (LISSAM)
Awareness Creation
Administrative Tools and Methods
Procedures and Control
Information Security Policy
Technological Security Foundation
46. Also...
• Check usernames/passwords for your library -
–osint-opsec-tool
–pastebin.com
• HTTPS
• Someone needs to stay current
• Is your domain name going to expire?
• 2FA
• Password Managers
47. - Training -
Non-technical Countermeasures
Train A Security Mindset
Quickly forgotten without practice and
reminders
Regular low level of training and awareness
Build Cybersecurity Champions
48. Training does not work
It's not worth it because someone will
still mess up
People already know what to do
This stuff is easy / obvious
49. Good security awareness
programs help all employees
know where to get help
Who they should call when there is trouble
Where they can look for guidance & policies
They should know that they will not be looked
down on for making a mistake
Someone’s job is to help them through
whatever difficulty they are having
50. We can't make everyone
an expert
We do NOT need to train the non-technical
employees about what the deep level geek
employees already know.
51. Building Good Habits
“Being secure” is something that is learned
over time and eventually becomes a habit.
Make the security mindset the default
Consistent reinforcement of the importance
of IT Security
53. Understanding awareness, training,
and development
What we want is policies that reinforce good
security principles that will foster over time a
new instinct in people, a new way of
looking at things, a new way of acting in
a more secure way.
This will require a huge amount of patience and buy-in from everyone at your library.
57. Training
• Phishing
• Social Engineering
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• How to practice safe social networking
• Keeping things updated
58. What we want is policies that reinforce good
security principles that will foster over time a
new instinct in people, a new way of
looking at things, a new way of acting in
a more secure way.
59. The goal is to make doing
things the right way become
the default in your library
60. Training…. Patrons?
• Your patrons don't care much for security
• Their habits are inviting malware
• Look for ways to make things safer in ways
that don't interfere with people's everyday
tasks as much as possible.
• Principle of Least Privilege
62. Library Security Mantra
• Security
• Privacy
• Confidentiality
• Integrity
• Availability
• Access
(based on Net Sec 101 Ayre and Lawthers 2001)
63. Preparation - Practical Resources
• SANS 20 Critical Security Controls
– sans.org
• Securing Library Technology: A How-To-Do-It Manual
– Earp & Wright
• Strategies to Mitigate Targeted Cyber Intrusions
– Australian Signals Directorate
• Library Information Security System Assessment Model
– (LISSAM)
– Malaysian Journal of Library & Information Science, Vol. 16, no. 2
Virtual Privacy Lab from the San José Public Library
https://www.sjpl.org/privacy
Library Freedom Project
https://libraryfreedomproject.org/