Download to read offline
![Web Browser
The Single Most Important [Online] Security
Decision You Make](https://image.slidesharecdn.com/keepingyouandyourlibrarysafeandsecure-150713153826-lva1-app6892/75/Keeping-you-and-your-library-safe-and-secure-29-2048.jpg)
Uploaded byLYRASIS
Keeping you and your library safe and secure
This document discusses the importance of library security and provides tips for keeping libraries secure. It begins by noting that security is both a feeling and a reality. It then discusses how libraries are targets and how easy it is for attackers to succeed. The document provides tips for securing laptops, email, web browsers, and public access computers. It emphasizes updating software, using strong and unique passwords, backing up data, and preparing security policies and training staff and patrons. The overall message is that libraries must take security seriously and apply layers of protection through preparation and an ongoing commitment to maintaining security.
More Related Content
Similar to Keeping you and your library safe and secure
![Cyber-Security]shhsjjsjsjdjdjjddjjdjh.ppt](https://cdn.slidesharecdn.com/ss_thumbnails/cyber-security-20211013105857-240507130621-7a440293-thumbnail.jpg?width=640&height=640&fit=bounds)
Keeping you and your library safe and secure
- 1. Keeping You AndYour Library Safe and Secure Blake Carver – blake.carver@lyrasis.org http://lisnews.org/security/ http://security4lib.org/ http://lyrasis.org Intro
- 3. “ Security istwo different things: It's a feeling & It's a reality ” Bruce Schneier – TedxPSU
- 4. Security Frequently GetsIn Our Way
- 5. Have A HackerMindset Think Like A Bad Guy Have A Security Mindset Think Defensively
- 6. "None of thisis about being "unhackable"; it’s about making the difficulty of doing so not worth the effort."
- 7. Secure, here, doesn'tmean impenetrable Competent and determined bad guys armed with the right tools can always find a way in Less talented folks, and many automated tools, however, experience great effort as a deterrent
- 8.
- 9. Where Are TheyWorking? • Social Networks • Search Engines • Advertising • Email • Web Sites • Web Servers • Home Computers • Mobile Devices Intro
- 10. Malware Inc. These arethe work of a rogue industry, not a roguish teenager
- 11.
- 12. What Are TheyAfter? • PINs • Passwords • Credit Cards • Bank Accounts • Social Media • Computers • Usernames • Contact Lists • Emails • Phone Numbers These all have value to someone
- 13. Personal information isthe currency of the underground economy
- 14. Personal information isthe currency of the Entire Internet economy
- 15. We don’t knowhow our information is used, stored or shared and for how long. We don’t know who has access We don’t know if it’s safe
- 16. On the InterWebs,the companies entrusted to keep our personal data safe are invariably the ones who have the most to gain from not doing so. Robert X. Cringely
- 17. Nobody – nobody– is immune from getting hacked
- 18.
- 19. How Do YouKnow If You Are Infected? • Fans Spinning Wildly • Programs start unexpectedly • Your firewall yells at you • Odd emails FROM you • Freezes • Your browser behaves funny • Sudden slowness • Change in behavior • Odd sounds or beeps • Random Popups • Unwelcome images • Disappearing files • Random error messages
- 20. How Do YouKnow If You Are Infected? You Don’t
- 21. Your antivirus softwareis a seat belt – not a force field. - Alfred Huger
- 22. • Keep everythingpatched / updated • Don’t Trust anything –Links / Downloads / Emails • Backups are critical
- 23. Laptops • Prey /LoJack • Passwords • Sign Out & Do NOT Save Form Data
- 24. Laptops Carry A Safe NotA Suitcase
- 25. Never Trust PublicWi-Fi
- 26. Which of youraccounts is most valuable? • Email • Bank • Social Network • Shopping • Gaming • Blogs • Library Account
- 27. Own the Email,Own the Person
- 28. Email • Don’t trustanything • Don’t leave yourself logged in • 2 Factor Authentication • Passwords – Unique, Obscure and Looooonnnnnggggg
- 29. Web Browser The SingleMost Important [Online] Security Decision You Make
- 30. Browsers • Use Two& Keep Updated • Know Your Settings – Phishing & Malware Detection - Turned ON – Software Security & Auto / Silent Patching - Turned ON • A Few Security Plugins: – Something to Limit JavaScript – Something to Force HTTPS – Something to Block Ads Staying Safe Online
- 31. But The InternetIs Free Because Of Ads... • Online ads were 182 times more likely to deliver malware than “adult” sites • Google blocked 524 million 'bad ads' 250,000 • Up 50 percent in 1 year
- 32.
- 33. But We’re JustA Library
- 34. 83% targets ofopportunity 92% of attacks were easy 85% were found by a 3rd party Verizon Data Breach Investigations Report – Fall 2011
- 35.
- 36. Being Good Is Hard NeverEnding Overwhelming Exhausting
- 37. The attacker onlyneeds to succeed once...
- 38. Perfect is notthe enemy of good ‘nuff
- 39. Complexity is theEnemy of Security (Bruce Schneier) • Libraries have no shortage of access points • We deal with any number of vendors • Threats come from outside the libraries • Threats come from inside the libraries • Our libraries are full of people
- 40. Staying safe takesmore than just a firewall...
- 41. Your firewall isa seat belt – not a force field.
- 42. Library Security RequiresLayers • Firewall • VPN • Intrusion Monitoring • Antimalware & Antispam & Antivirus • Planning & Training
- 43. How Can WeMake Our Library Secure • Don’t ignore it • Prepare • Train
- 44. Preparation- Practical Policies •Patching and updates of the OS and applications on a regular basis • Regular automated checks of public PCs & network • Check the internets for usernames/passwords for your library (e.g. pastebin) • Dedicated staff? Someone needs to stay current • Lost USB Drives? • Is your domain name going to expire?
- 45. Training • Phishing • Privacy •Passwords • Email Attachments • Virus Alerts • How to practice safe social networking • Keeping things updated
- 46. Public Access PCs Yoursecurity software is a seat belt – not a force field.
- 47. Assume the badthing has happened
- 48. Change your mindset– YOU are the attacker • What are you library’s most valuable assets? – Where are these assets? – How can they be accessed? • If you were the attacker how would you spread malware? • Who are the most ‘vulnerable’ targets in the organization?
- 49. Go on theoffensive… "think evil, do good"
- 50. Turn Your FocusOutside
- 51. Library Security Mantra •Security • Privacy • Confidentiality • Integrity • Availability • Access (based on Net Sec 101 Ayre and Lawthers 2001)
- 52. What websites canyou trust?
- 53. Can you trustyour own website?
- 54. Any Good WebSite Can Go Bad At Any Time Less that half of website traffic is human About 30% of all traffic is actively tying to cause trouble
- 55. “ Security istwo different things: It's a feeling & It's a reality ” Bruce Schneier – TedxPSU
- 56. • Keep everythingpatched & updated always • Carry A Safe • Don’t Trust anything or anyone –Links / Downloads / Emails Patrons / Vendors • Backup your stuff • Prepare And Train
- 57. This IS worththe time, effort and expense.
- 58. Stay Safe Blake Carver– blake.carver@lyrasis.org http://lisnews.org/security/ http://security4lib.org/ http://lyrasis.org Done!!
Editor's Notes
- #2 Blake Carver, Systems Administrator, LYRASIS
- #3 We host these things
- #4 They are different, you can feel secure if you’re not, and you can be secure even if you don’t feel it.
- #6 I want people to walk away from this with a hacker mindset, and with a security mindset. I want them to look at things, at things on the internet, differently. I want them to see how secure, or insecure things are. How secure, or insecure, their habits are.
- #7 http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html A quick hashing recap Let’s take a quick step back before talking about what’s wrong with the hashing algorithms of today. The problem that cryptographic storage of passwords is trying to address is to limit the potential damage of unintended disclosure of passwords in storage. Now of course all the good upstream security practices such as mitigating against SQL injection vulnerabilities and protecting your backups still apply, this is about what happens once things go really, really wrong. We were reminded of this just the other day when WHMCS was breached and thousands of account details were leaked. In this case it appears that some basic social engineering was used to circumvent the host’s security thus allowing access to the database of user accounts. It was a similar story with LinkedIn just a little bit later when 6 million passwords were exposed through (as yet) unknown or undisclosed means. Disclosure of passwords in storage happens. Lots. So this is really the whole point of hashing – once you get owned to the extent that WHMCS and LinkedIn were, secure cryptographic storage of the passwords is the only thing saving your customer’s credentials. And remember, a large percentage of these credentials will be reused across other services so secure storage is about protecting a lot more than just the site that was breached. The trick is to ensure the effort to “break” the hashing exceeds the value that the perpetrators will gain by doing so. None of this is about being “unhackable”; it’s about making the difficulty of doing so not worth the effort. In this case when I say “break” or “crack”, I’m talking about re-computing hashes rather than finding weaknesses in the algorithms themselves. I’m literally talking about taking a plain text string, hashing it then comparing it to a password already in storage. If they match, then I’ve just discovered the plain text password.
- #9 It boils down to 3 types of bad guys. http://www.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html
- #10 They are everywhere. They are where you are.
- #11 http://blog.eset.com/2012/03/06/changing-perceptions-of-malware-threat-images-make-a-difference
- #12 http://blog.eset.com/2012/03/06/changing-perceptions-of-malware-threat-images-make-a-difference
- #13 They are after most of the things you’d expect, and some you might not...
- #14 Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money. A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say. That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop—cha-ching—they've just made $250,000 off of one hack. Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowB4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos' so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds. "Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution. http://www.cio.com/article/698820/Are_You_at_Risk_What_Cybercriminals_Do_With_Your_Personal_Data_ Print Article Close Window From: www.cio.com Are You at Risk? What Cybercriminals Do With Your Personal Data – Meridith Levinson, CIO
- #15 Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money. A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say. That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop—cha-ching—they've just made $250,000 off of one hack. Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowB4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos' so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds. "Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution. http://www.cio.com/article/698820/Are_You_at_Risk_What_Cybercriminals_Do_With_Your_Personal_Data_ Print Article Close Window From: www.cio.com Are You at Risk? What Cybercriminals Do With Your Personal Data – Meridith Levinson, CIO
- #20 Here’s a big list of Common computer troubles Common symptoms of malware infections You don’t know which one it is!
- #21 Here’s a big list of Common computer troubles Common symptoms of malware infections You don’t know which one it is!
- #22 Symantec reports they have seen the technique in malicious Droid apps hosted on Russian websites. Polymorphism has long been used to evade signature-based detection on PCs, with no little success. Server-side polymorphic techniques create a new version of the malware each time it is downloaded. The combination of these mechanisms, sophisticated obfuscation and the sheer volume of unique malware samples — tens millions annually — have rendered client-based antimalware far less effective that it was just a few years ago.
- #23 On your computer: Keep that OS patched and updated. Related: Don’t use Windows XP Disable hidden filename extensions Make sure ALL those programs are updated. Especially don’t miss anything made by Adobe (e.g. Flash & Acrobat) Never install things you’re not sure are safe. Especially don’t trust anything from Torrents or P2P sites. Avoid downloading programs from unknown sources If you're not using something, just remove it. Every program installed on your computer opens a potential new hole. Make sure your firewall is turned on Make sure file sharing is turned off Use a reputable virus & malware protection software program, keep it up to date and run it often Make sure that the Macro Virus Protection feature is enabled in all Microsoft applications Never trust any links, attachments, short links, or anything else from anywhere or anyone unless you are SURE what’s inside Have a recovery plan - Is your stuff backed up? If it's a laptop, use something like Prey Project Advanced: Consider changing up your hosts file and/or using something like OPEN DNS.
- #26 Yet Another Reason to Secure Your Wi-Fi Network: Child Porn Charges Published by Jay Rivera on April 28, 2011 in Criminal Law . 0 Comments Tags: internet, password, police, privacy, search, unsecured, warrant, wi-fi. By now we all know that privacy and the internet mix just about as well as water and BP. Previously we have blogged about privacy concerns and technology, specifically how police need a warrant to search e-mails. But did you know that you could get accused for internet activity that you didn’t even do, or weren’t even aware of? That’s exactly what happened in a recent New York case regarding unsecured wi-fi internet connections and privacy rights. In Buffalo, New York, police raided the house of a man because they suspected he was downloading child pornography. After viewing the man’s wi-fi internet activity, they believed that he might be responsible for the downloads, which were traceable to the user screen name “Doldrum”. It turns out he wasn’t “Doldrum” at all- after further investigation, the police discovered that Doldrum was actually a neighbor who had been mooching download time off of the man’s unsecured wireless wi-fi. In this case, the man was found to be innocent. However, the police stated that the unfortunate situation might have been avoided if he had protected his internet connection with a password (which of course he didn’t). On a much broader note, the Buffalo case does raise some very relevant issues regarding wi-fi usage and citizen’s privacy rights. That is, do the police have the right to obtain information from unsecured wi-fi internet activities? If you are using a neighbor’s unsecured internet connection (which is completely commonplace nowadays), who is responsible for activities such as illegal downloads? As this case illustrates, it can initially be difficult to tell who is responsible for what when it comes to openly shared and unsecured wireless wi-fi connections. Copyright lawsuit targets owners of non-secure wireless networks Failure to secure routers may let others download copyrighted content, Liberty Media contends By Jaikumar Vijayan, Computerworld February 06, 2012 04:35 PM ET Sponsored by: A federal lawsuit filed in Massachusetts could test the question of whether individuals who leave their wireless networks unsecured can be held liable if someone uses the network to illegally download copyrighted content. The lawsuit was filed by Liberty Media Holdings LLC, a San Diego producer of adult content. The company has accused more than 50 Massachusetts people, both named and unnamed, of using BitTorrent file-sharing technology to illegally download and share a gay porn movie. According to the compliant, the illegal downloads and sharing were traced to IP addresses belonging to the individuals named in the compliant and to several John Does. The complaint alleges that each of the defendants either was directly responsible for downloading and sharing the movie or contributed to the piracy through their negligence. To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in. A federal lawsuit filed in Massachusetts could test the question of whether individuals who leave their wireless networks unsecured can be held liable if someone uses the network to illegally download copyrighted content. The lawsuit was filed by Liberty Media Holdings LLC, a San Diego producer of adult content. The company has accused more than 50 Massachusetts people, both named and unnamed, of using BitTorrent file-sharing technology to illegally download and share a gay porn movie. Your Wi-Fi At Home: Make sure you set a good password and use WPA or WPA2 Be sure to change the default Administrator Passwords (and Usernames) Change the Default SSID and also disable SSID Broadcast Turn off DHCP and set a fixed IP address range instead Use MAC Address Filtering When you're not using it, just turn it off Be sure to keep the firmware upgraded Change your passwords every so often
- #28 For many people, their personal email account is where they store their lives. Bank statements, bills, personal correspondence, work files, anything you can get in electronic form can often be found in a given target's email inbox. And a large number of email systems protect users' inboxes with nothing more complicated than a simple password. http://threatpost.com/en_us/blogs/own-email-own-person-082012
- #29 Your Email: Never open email attachments unless you know for sure what that file contains Never click a link unless you know for sure where it leads is safe Check your mail filters and forwards for things you didn’t add Use good passwords Sign out when you're done Use two factor authentication when possible (e.g. Google Authenticator for Gmail) Be sure to use https when on public Wi-Fi Consider using 2 separate email accounts to keep important things separate from everyday stuff Watch out for short links, it's hard to know where they'll lead you
- #30 Web Browser — The Single Most Important [Online] Security Decision You Make from WhiteHat Security Blog by Jeremiah Grossman If you are reading this post chances are good that you are doing so with a Web browser. And if you are like most people, you use that very same Web browser to bank, shop, book airline tickets, find directions, read news, keep up with friends and family, and so on. These online activities are extremely important to everyday life and the reason why the Web browser you choose may be the single most important [online] security decision you make. If you are using anything except the one latest browsers, you are putting your computer at risk, and by extension the most intimate details of your life, to viruses and the criminals who author them. Microsoft understands this better than most, and is launching a program encouraging people to upgrade their Web browser and protect themselves. The next important thing to understand is not all Web browsers are created equal and how safe they keep you online is difficult to compare, even for the experts. For consumers making a good Web browser choice can be even more daunting, even after becoming aware at just how exposed they may be on an outdated platform. To address this predicament, Microsoft is releasing a scoring methodology to assist people in selecting a Web browser that’s right for them. Microsoft’s approach to this problem is interesting and novel. The score hinges on the presence of browser security features, comparing everything from URL filters to additional security functionality that web application developers can enable. Such a methodology is useful because it allows people to distinguish between Web browsers by which security features are available and most important to them. Packaging up the enhancements into an easy-to-understand score also helps demonstrate why upgrading makes sense — if nothing else it becomes obvious that newer browsers have better security features. This effort by Microsoft’s is a huge step in the right direction and will serve to help make the Web just that much safer for everyone. For those curious, head over to YourBrowserMatters.org and see how the Web browser you are currently using scores.
- #31 http://searchenginewatch.com/article/2237541/Google-224-Million-Bad-Ads-Disabled-in-2012 Once again, the Google AdWords team has reported on its continued efforts to eliminate bad AdWords ads. This year, they've released an infographic (see below) that recounts all they have done over the past year to reduce the number of bad ads that appeared in the AdWords network. Citing that Google's business "depends on keeping people safe and secure," the infographic identifies how the search giant defines "bad ads", how they discover them, and what they do once they find them. By the numbers: 224 million: The number of banned ads. 889,000: The number of advertisers banned. 223: The number of countries and territories where bad advertisers originated from – the U.S., China, Japan, and India were the biggest offenders. 78: The number of languages used by abused in bad ad attempts Scots Gaelic, Kyrgyz, Tatar, and Esperanto were particularly troublesome. The rest of the infographic contains horn-tooting numbers to give law-abiding advertisers and consumers the warm-and-fuzzies. Their AdWords blog post closes stating Google's "zero-tolerance" policy for bad ads and reiterates commitment to do "whatever it takes" to keep the web – and Google users and advertisers – as safe as possible. Google's commitment to reducing "bad ads" isn't a new resolution for 2013. In previous years, the AdWords team has gone through what they call "bad ads" to weed them out in an effort to protect consumers and "legitimate businesses in harm's way." Google's ad team has gone through multiple iterations of taking extra procautions to keep ads safe. "In 2011, advertisers submitted billions of ads to Google, and of those, we disabled more than 130 million ads. And our systems continue to improve—in fact, in 2011 we reduced the percentage of bad ads by more than 50% compared with 2010. That means that our methods are working. We’re also catching the vast majority of these scam ads before they ever appear on Google or on any of our partner networks. For example, in 2011, we shut down approximately 150,000 accounts for attempting to advertise counterfeit goods, and more than 95% of these accounts were discovered through our own detection efforts and risk models." Your Browser: Keep your browsers updated to the latest secure releases Keep ALL Plugins updated to the latest secure releases, especially anything from Adobe Don’t install things from sources you don't trust Block cookies, flash, and JavaScript (use with caution, will cause you trouble) Use a password manager to store all your many passwords Watch out for short links
- #32 Original URL: http://www.theregister.co.uk/2013/01/30/cisco_security_report/ Web smut sites are SAFER than search engines, declares Cisco Network giant: Perimeters are porous, get used to it By Joe Fay Posted in Security, 30th January 2013 17:03 GMT Free whitepaper – A private Cloud-based approach Cisco proclaimed that it is more dangerous to click on a web ad than a porn site these days as it unveiled the latest version of its security threat report. The vendor also expanded its security offering, pulling in mobile management support for its ISE platform and announcing it had hoovered up Czech-based real-time security intelligence firm Cognitive Security. Chris Young, senior veep for Cisco's Security and Government Group, said the nature of IT security threats were changing in the same way as the industry as a whole, meaning "the cloud" and "mobility" are trends for the cybercrime community too. This means that security managers should worry less about securing the perimeter and consider the "any-to-any" problem (any user, on any device, on any connection). Cyber criminals and other miscreants were hitting their targets where they were most likely to gather, he said, and were increasingly launching "combinational" attacks. This throws up some, arguably counterintuitive, conclusions. Malicious content is 27 times more likely to be encountered via search engines than counterfeit software, the vendor's 2012 Annual Security Report claims. On the upside, perhaps, online adverts were 182 times more likely to deliver malware than a porno site, the survey said. "We've been led to believe you have to go to an unsavoury place [to encounter malware]," he said. "That's not the case." The report also said that mobile malware accounted for barely a half a per cent of malware encounters, though it also showed a whopping 2,577 per cent jump on Android-based malware last year. The report also noted a spike in malware encounters in the Nordics, something which was ascribed to fans of Julian Assange hitting sites in Sweden to show their displeasure at extradition proceedings against the WikiLeaker-in-chief. Young said that with the change in computing models, including the shift to the cloud, old attacks had become "new" again. For example, a DDoS attack becomes a bigger threat to a company when it relies on the cloud for its enterprise applications or data. Unsurprisingly, Cisco has answers to these threats, or at least for those whose preferred solution is not to spend all their web time browsing for porn. While continuing to focus on access control, companies should "expect the perimeter is porous," he said. With threats lingering and propagating within organisations, this means discovery and remediation - cleansing devices - was more important. "This is a cycle," he declared. Young said that scalability is also becoming increasingly important for security tools. The vendor has just announced an upgrade to its Identity Services Engine, 1.2, which sees it partnering with device management partners, including SAP, Citrix and Good. The firm has also bolstered the intelligence part of its proposition with the acquisition of Prague-based firm Cognitive Security. The 30-strong company offers a machine learning service that analyses security threats. Cisco plans to integrate Cognitive's tech into its own cloud-based security offering by the end of the calendar year, and will retire its standalone product. While the Czech firm's customer base is pretty minuscule, Cisco VP of engineering Mike Furhman promised no one would be left high and dry. ®
- #33 You might say to yourself, oh, we’re just a library, no one will come after us, we have nothing worth taking.
- #34 You might say to yourself, oh, we’re just a library, no one will come after us, we have nothing worth taking.
- #35 A conclusion reinforced by evidence accrued in the aforementioned Verizon report and the following summation by Marc Spitler, a Verizon security analyst: "Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords." In other words, easy-to-find, easy-to-learn and easy-to-exploit weak passwords. Victims were not ‘chosen’ because they were large, important or had financial data. They were simply the easiest targets. “Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them.” And here’s the same thing in different wording: “The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.” And of course, I like this one because it highlights Automated Vulnerability Assessment: “SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.” Basically, your organization already has the security solution that it needs; you’re just not using it.
- #36 As you’ve now seen, it takes very very little skill to be a bad guy now.
- #37 Why Security Is Hard Though it is easy, that is, so man of the holes we miss are easy to fill, it’s hard to get it all right. IT Security isn't always easy. When it comes to securing your IT resources it's very easy to make a mistake, or overlook something small. In every library it feels like there are a million things to worry about. It's NOT only the fools who are getting hacked, it's everyone and anyone. The best of us miss things and make mistakes that can lead to security breaches. Most libraries don't have the money, time, or people to secure even the small number of resources they have. Larger libraries may be able to afford to spend more time/money on security, but then they also have more things to secure. Unfortunately, security doesn't scale up very easily. This doesn't mean you should give up and hope for the best! Everyone in your library has some small part to play in keeping things secure. We can talk all day about how we should integrate security into our daily routine more, and how vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics or security aren't overly favorable. The costs are very low for the bad guys, and very high for those of us trying make things more secure. The malware your computers are subject to now is very sophisticated. It's highly evolved and many times will be able to run totally undetected. It has automated installers, updaters, and a sophisticated command and control center that puts every infected machine to good use. It's easy for the writers of these tools to stay one step ahead of those who work to keep us safe. It's very easy for your computers to spy on your users, or become part of a botnet used to cause trouble anywhere in the world.
- #38 Force Attacker Perfection I will fully admit that I sometimes finding myself parroting standard industry tropes. For example, I can’t recall how many times I’ve said in presentations and interviews: The defender needs to be perfect all the time. The attacker only needs to succeed once. And yes, it’s totally true. But we spend so much time harping on it that we forget how we can turn that same dynamic to our advantage. If all the attacker cares about is getting in once, that’s true. If we only focus on stopping that first attack, it’s still true. But what if we shift our goal to detection and containment? Then we open up some opportunities. As defenders, the more barriers and monitors we put in place, the more we demand perfection from attackers. Look at all those great heist movies like Ocean’s 11 – the thieves have to pass all sorts of hurdles on the way in, while inside, and on the way out to get away with the loot. We can do the same thing with compartmentalization and extensive alert-based monitoring. More monitored internal barriers are more things an attacker needs to slip past to win. Technically it’s defense in depth, but we all know that term has turned into an excuse to buy more useless crap, mostly on the perimeter, as opposed to increasing internal barriers. I am not saying it’s easy. Especially since you need alert-based monitors so you aren’t looking at everything by hand. And let’s be honest – although a SIEM is supposed to fill this role (at least the alerting one) almost no one can get SIEM to work that way without spending more than they wasted on their 7-year ERP project. But I’m an analyst so I get to spout out general philosophical stuff from time to time in hopes of inspiring new ideas. (Or annoy you with my mendacity). Stop wishing for new black boxes. Just drop more barriers, with more monitoring, creating more places for attackers to trip up. —Rich
- #40 Our patrons are bringing in all sorts of Wi-Fi enabled things And any new security stuff we want to add will get push back from our coworkers, and cost money that's not in the budget
- #41 If firewalls worked that list of the major data breaches wouldn’t exsist.
- #42 http://www.wired.com/wiredenterprise/2012/03/antivirus/ Jeremiah Grossman is the kind of guy you’d expect to be super paranoid when it comes to computer security. He was on the front lines at Yahoo more than a decade ago when a hacker named MafiaBoy was abusing the site with DDoS attacks. Now Chief Technology Officer at security consultancy White Hat Security, Grossman spends his time fighting web intruders for his company’s clients. When it comes to computer security, he’s paranoid — and for good reason. He’s seen what the bad guys can do. But when he met with Wired at the RSA Conference in San Francisco this week, he said something surprising: He doesn’t use antivirus software. As it turns out, many of his security-minded peers don’t use it either. The reason: If someone is going to try and attack them, they’re likely to use a new technique, one that most antivirus products will miss. “If you asked the average security expert whether they use antivirus or not,” Grossman says “a significant proportion of them do not.” Dan Guido, the CEO of security startup Trail of Bits also doesn’t use AV. Some security pros use it because they’re in regulated industries, or because they work with customers who require it. “If it weren’t for that,” he says, “almost nobody in the security industry would run it.” It’s a story we heard again and again at RSA this week. The pros are generally smart enough to avoid the things that will get them hacked — visiting malicious websites or opening documents from untrusted sources. But even if they get fooled, the odds are their antivirus software catching it are pretty low. But many of these pros also believe that antivirus isn’t always that useful to the average business either. “Ten years ago if you were to ask someone the question, ‘Do you need antivirus?’ the overwhelming response would be, ‘Absolutely, my entire security strategy is based on endpoint antivirus,’” says Paul Carugati, a security architect with Motorola Solutions. “Today … I don’t want to downplay the need for it, but it has certainly lost its effectiveness.” The problem is that most criminals are smart enough to test their attacks against popular antivirus products. There’s even a free website called Virus Total that lets you see whether any of the most popular malware scanning engines will spot your Trojan program or virus. So when new attacks pop up on the internet, it’s common for them to completely evade antivirus detection. Consumers and small businesses can get good antivirus software for free, but do businesses even need antivirus software? You Do and You Don’t The short answer is: yes they do. Most companies can’t just drop AV. First of all, it’s a line of defense protecting employees who do the stupid things that the security experts tell us to avoid: clicking on dubious attachments, visiting untrustworthy websites. Second, companies often must have desktop security software to meet industry regulations, such as the Payment Card Industry (PCI) Data Security Standard. Those folks simply have no choice but to pay the Symantecs and McAfees of the world. But according to some, businesses should probably spend less on antivirus and other security software. Much of the money they’re spending is better spent somewhere else, such as analyzing the mountains of data logged by software on computer networks for signs of attack. “Save that money,” says Andy Ellis, Chief Security Officer with Akamai, a company that helps websites deliver content on the internet. “Do your own log analysis because that is what’s going to catch the problems.” White Hat’s Grossman agrees. “I think we overspend on the wrong security products,” he says. “Particularly antivirus. I think we overspend on firewalls and antivirus.” Corporations do spend a lot of money on antivirus and firewalls. Research firm Gartner pegs the corporate desktop security software market at $3.4 billion worldwide. Consumers will spend even more — nearly $5 billion — on antivirus this year. Biggest of all, though, is the $6.5 billion firewall market. Gartner Analyst Ruggero Contu doesn’t quite buy the argument that companies are spending too much money on antivirus. According to him, the antivirus vendors have been doing a good job lately of beefing up their products and delivering new features beyond basic malware protection adding new features to encrypt files on disk and prevent data from leaking out. “Not to have malware protection would be foolish,” he says. But spending money on learning how attackers are working, and changing your business to thwart common attack techniques may be a better investment. “We need to be smart, we need to be more agile,” says Motorola’s Carugati. “My biggest concern right now and one of the things we’re focusing on is information sharing.” That means figuring out from his peers what attacks are really happening, and working out ways to stop them. Dan Guido describes it as going “offensive on security.” Figure out who is likely to attack you — hacktivists, online banking thieves, so-called advanced persistent threat groups — and make sure that you can stop the known attacks that these people use. “You need to attack the system that they have developed to take advantage of your flaws,” he says. “That’s the name of the game.” Mark Patterson learned that lesson the hard way back in 2009. That’s when hackers managed to install a variant of the widely used Zeus Trojan horse program on his construction company’s computers and steal the username and password to his corporate bank account. Over the next eight days, the criminals moved more than half a million dollars out of his account. Some of that cash was recovered, but at the end of the day, about $345,000 went overseas and is gone forever. To make matters worse, Patterson’s bank, Ocean Bank, says he’s responsible for the theft. (Patterson sued; last year, a court sided with the bank, but the case is being appealed.) Patterson said his company, Patco, had “good AV” at the time of the attack, but nevertheless it missed the password-stealing Trojan. Now, two years later, he’s taken an inexpensive step that every small business should take to prevent his company from becoming victim to this type of fraud: He’s told his bank give him a call before it authorizes any big money transfers. Patco still uses antivirus, but as Patterson puts it: “I think an AV is worth the investment,” he says. “I just would not rely on it as my protection for those transactions.”
- #43 http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2012/022312-how-to-build-multiple-layers-256488.html&pagename=/news/2012/022312-how-to-build-multiple-layers-256488.html&pageurl=http://www.networkworld.com/news/2012/022312-how-to-build-multiple-layers-256488.html&site=printpage&nsdr=n How to Build Multiple Layers of Security for Your Small Business By Paul Mah, CIO February 23, 2012 10:20 AM ET Sponsored by: Most of us have heard about the concept of building a defense in depth in order to protect computer resources from black hat hackers. The idea revolves around the use of multiple defenses to thwart, or at least limit, the damage arising from a potential security breach. RELATED: The data breach quiz Given the rapid pace of change in the security sector, some executives may have difficulty naming the specific safeguards that their companies deploy. This guide aims to shed some light on some of the more common aspects of computer security, and also serve as a checklist to identify potential areas upon which to improve. To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in. Most of us have heard about the concept of building a defense in depth in order to protect computer resources from black hat hackers. The idea revolves around the use of multiple defenses to thwart, or at least limit, the damage arising from a potential security breach. RELATED: The data breach quiz Given the rapid pace of change in the security sector, some executives may have difficulty naming the specific safeguards that their companies deploy. This guide aims to shed some light on some of the more common aspects of computer security, and also serve as a checklist to identify potential areas upon which to improve. 1. Network firewall The first line of defense against unwelcomed visitors would surely be the firewall. At one point, the use of dual firewalls from different vendors was all the rage, though the creation of a DMZ (Demilitarized zone) appears to be more popular these days. Internet-facing servers are typically placed within the DMZ, where they are encumbered by fewer restrictions and lesser monitoring than the internal corporate network. There are actually a few different types of firewall implementations. For example, consumer-grade routers typically make use of Network Address Translation (NAT), which was originally created to address the problem of limited IPv4 routable addresses. Because the identity of hosts is obfuscated, NAT is often said to offer firewall capabilities. At a minimum, a proper firewall typically offers packet filter technology, which allows or denies data packets based on established rules relating to the type of data packet and its source and destination address. Stateful packet filter firewalls conduct what is known as stateful packet inspection (SPI), which tracks active connections to sieve out spoofed packets, a superior approach to the stateless packet filtering firewall. Finally, a firewall operating on the application layer understands application-level protocols to identify sophisticated intrusion attempts. A heightened security awareness and an increase in ecommerce have led more users than ever to use encryption to protect against third-party snooping. Paradoxically, this has resulted in lower visibility of network traffic at a time when more sophisticated malware varieties are resorting to encryption in order to conceal themselves from a casual inspection. 2. Virtual Private Network Employees who need to access company resources from unsecured locations such as public Wi-Fi hotspots are a particularly vulnerable group. Such workers will be well served by a virtual private network (VPN) connection in order to protect the confidentiality of their network access. A VPN channels all network traffic through an encrypted tunnel back to the trusted corporate network. As a downside, a VPN can be complex for a small business to deploy, and is costly to support due to the overheads of authentication, processing and bandwidth. Moreover, it is also vulnerable to the theft of physical authentication tokens -- or authentication technology, as was the case with the compromise of RSA's SecurID technology last year. Finally, stolen and lost company laptops with preconfigured VPN settings can become potential gateways for unauthorized access. 3. IDS and IPS An intrusion detection system (IDS) is a network-centric strategy that involves monitoring traffic for suspicious activities that may indicate that the corporate network has been compromised. On its simplest level, this may entail the detection of port scans originating from within the network or excessive attempts to log into a server. The former could be indicative of a compromised host being used to perform initial reconnaissance, while the latter could well be a brute-force attempt in progress. On more advanced network switches, IDS monitoring of network traffic may be enabled by port mirroring, or via the use of passive network taps. Then an intrusion prevention system (IPS) is usually deployed in-line in order to actively prevent or block intrusions as they are detected. A specific IP address could be automatically blocked off, with an alarm sent to an administrator. 4. Malware Detection The cat-and-mouse game of malware detection is very much a linchpin of the $22.9 billion enterprise security software market projected for 2012. Malware scanning performed on client devices relies on the processing capabilities of individual devices to check for threats. Business-centric versions typically include some form of central management used to push out new definition updates and implement simple security policies. Malware products specifically optimized for servers are also available, though they are not particularly popular, as businesses are understandably loathe to deploy anything that saps the processing cycles of expensive server hardware. Given that most malware infestations are a direct result of a user action, the typical anti-malware package has also evolved into comprehensive suites that attempt to offer protection against multiple threat vectors. This may include a component to scrutinize a URL link prior to launching it, or email and browser plug-ins that do the same to file attachments. In addition, anti-malware suites are increasingly bundled with a software-based firewall, spyware detection and even spam filtering. 5. Whitelisting Whitelisting is an anti-malware defense implemented on client devices much like traditional antivirus software. Instead of attempting to identify known malware, however, whitelisting only allows known files to be executed. This necessitates an initial baseline scan to construct a database of whitelisted applications, to which new applications can be added over time as they are installed. Though promising, whitelisting has been plagued by various practical problems that have hindered its adoption in businesses. Situations may arise, for example, in which critical file dependencies were not properly identified, resulting in application crashes or an improper installation, as they were prevented from loading. Also, whitelisting may be less useful against exploits that leverage the use of specially created documents or other non-executable files. Finally, employees who are in a hurry may simply disregard warnings and opt to add everything, including malware, into their whitelist. To be fair, whitelisting software has seen tremendous improvements over the years. Today, most whitelisting software applications will recognize commonly used applications upon installation and are hence capable of building an initial whitelist very quickly and with minimum interaction from users. It is important to ask question whether whitelisting software can coexist with traditional antivirus software. The answer varies, though some whitelisting products do advertise their compatibility with antivirus applications. 6. Spam Filtering Though spam is not traditionally considered within the domain of computer security, the lines are getting blurred given the increasing number of spear phishing attacks used by hackers to sneak Trojan or zero-day malware into corporate workstations. In addition, there is also evidence to suggest that users who deal with a high volume of emails are more susceptible to being taken in by a phishing attempt. It is clearly in the interest of the IT department to filter out as many bogus email messages as possible. There are many ways to deal with spam, which may entail channeling all incoming email messages through a specialized cloud service provider, a server-based spam filtering software, or dedicated anti-spam appliances deployed within the DMZ. 7. Keeping Software up to Date Ensuring that software updates and security patches are kept up to date is widely acknowledged to be an important defense against security breaches. The reason is simple. Though vendors do not typically release the full details of new security flaws, the proffered guidelines and the release of the security patches are often sufficient for black hats to reverse engineer a particular vulnerability. Depending on the nature of the security flaw that is identified, an exploit could potentially be written in days. This becomes a problem in larger SMBs, which may make use of wide range of software applications or in-house tools that depend on various third-party tools or codebases. It is hence not uncommon for new software updates or security patches to be overlooked, thus opening up a window of vulnerability. The increasing variety of software that is capable of updating itself over the Internet may somewhat alleviate this problem. However, it should be noted that automatic updating may not be a desirable behavior in mission-critical production environments. To that end, businesses need to implement appropriate processes to identify and test new updates in a timely manner. 8. Physical security Physical security is a crucial factor that cannot be overstated. After all, given physical access, practically every security or network appliance can be reset to its factory default. In addition, unsecured Ethernet ports may also offer a direct line past the firewall and other perimeter defenses, though that access can be mitigated to an extent with managed switches configured to deny access to unrecognized MAC addresses. Another concern within server rooms is the theft of hard disk drives from hot-swappable bays of storage appliances or servers. Given how passwords files can be deciphered relatively easily from stolen storage devices, server closets or server rooms should be kept locked at all times, and access granted only to authorized staffers. We have only touched on some of the most common aspects of security deployments. There are obviously many others, such as the importance of user education, independent security audits and the value of a good IT policy. The presence of comprehensive logging and auditing will also help greatly in identifying sources of a breach. The important point here is that security is a multi-faceted topic that is constantly evolving. Small and mid-sized businesses need to ensure that they do not rely on a single mechanism to stay secure, and that they stay up to date on the latest security offerings available. Paul Mah is a freelance writer and blogger who lives in Singapore. You can reach Paul at paul@mah.sg and follow him on Twitter at @paulmah
- #47 There are ways around ANYTHING and EVERYTHING you have installed on your PACs
- #49 http://blogs.rsa.com/change-your-mindset-you-are-the-attacker/ It seems that for many years , actually probably forever, security professionals have behaved in a totally reactive way when it come to data breaches. For example, if a breach was identified and it was determined that it was an issue with user education then the team would try to educate the user. This whole model is flawed as we are behaving and acting like victims because we really can’t see the who, what, when, where and why of attacks that we are going to be targeted with. We need to move from defense to offence when it comes to protecting ourselves. To be in the mindset of an attacker you need to have answers to the following fundamental questions: What are you most valuable assets? Where are these assets? How can they be accessed? If you were the attacker how would you spread malware? And who are the most ‘vulnerable’ targets in the organization? Do you have a view on the ‘normal’ behavior of your organization (people, behavior, locations and systems)? As outlined in my previous blogs these questions aren’t new questions, they are the absolute basics of any sound security program yet we seem to get them wrong all the time and fall victim to attacks. So, it’s time to get on the offensive…. Here’s a quote from Sun Tzu, the ancient Chinese warrior general who even in those days understood really sound security strategies: ‘It has been said before that he who has known both sides has nothing to fear in a hundred fights; he who is ignorant of the enemy, and fixes his eyes only on his own side, conquers, and the next time is defeated, he who not only is ignorant of the enemy, but also of his own resources, is invariably defeated.’
- #50 http://eandt.theiet.org/news/2013/jan/embedded-world.cfm Embedded-systems designers must pay more attention to how their systems can be compromised, and should "think evil, do good" in implementing security by design, says industry insider Stuary McClure.
- #52 Can you use something like this in your library?
- #53 Our patrons are bringing in all sorts of Wi-Fi enabled things And any new security stuff we want to add will get push back from our coworkers, and cost money that's not in the budget
- #54 Our patrons are bringing in all sorts of Wi-Fi enabled things And any new security stuff we want to add will get push back from our coworkers, and cost money that's not in the budget
- #55 May 2, 2012, 1:59PM Nine Percent of Websites May be Malicious Share on twitterShare on facebookShare on redditShare on google_plusoneShare 2 Comments by Brian Donohue Just fewer than 10 percent of websites serve some sort of malicious purpose, with an additional nine percent of sites being characterized as “suspicious” by Zscaler in a new research report. Zscaler ran 27,000 website URLs through a tool they developed to assess the security of websites and give them a score from zero to 100. Nearly 81 percent of sites scored between zero and 49 (benign). 9.5 percent scored between 50 and 74 percent (suspicious) and another 9.5 percent scored somewhere between 75 and 100 (malicious), according to the company's State of the Web Report. The report also indicates that outdated plug-ins and the users that refuse to update them continue to be a serious but improving problem in the enterprise. Zscaler cites the Flashback outbreak, which exploited known java vulnerabilities, as anecdotal evidence of this. The report shows that more than 60 percent of Adobe Reader users are running an outdated version of that software. Adobe Shockwave came in second, with 35 percent of users running an outdated version. Java came in fourth, with a only five percent of users running an outdated version. Editor's Pick Celebrity Ashton Kutcher Firesheep'd at TED Conference Network Of 7K Typo Squatting Domains Drives Huge Traffic To Spam Web Sites New Clickjacking Scam Uses Facebook, Javascript, Our Primate Brain To Spread Threatpost Newsletter Sign-up It appears also that enterprises are increasing their efforts to block employees from visiting social networking sites. When the quarter opened, social networks only accounted for 2.5 percent of policy blocks; by the end of the quarter, that statistic had increased to four percent. Some other interesting info-morsels include Zscaler’s findings that Apple devices are becoming more prevalent in the work place as Android and BlackBerry devices become less prevalent. Facebook’s share of Web 2.0 traffic is down slightly from 43 percent in Q4 2011 to 41 percent in Q1 2012. On the other side, Twitter saw its share of such traffic increase over the same period from five percent to seven percent. Zscaler claims that the drop in Facebook’s traffic share is due to corporate policies that are increasingly blocking employee access to that social network while remaining noticeably less concerned about employee access to Twitter. Zscaler also believes that Twitter’s traffic-share increase may suggest that the service is being more widely adopted for use in the enterprise. Sports and gambling sites generally see a spike in traffic in Q1 that can very likely be attributed to events like the NFL playoffs, Super Bowl, and March Madness in America and the International Cricket Council's Cricket World Cup in places like India and Australia. This year, those sites’ traffic increased a dramatic 74 percent. Commenting on this Article will be automatically closed on August 2, 2012.
- #56 They are different, you can feel secure if you’re not, and you can be secure even if you don’t feel it.
- #57 On your computer: Keep that OS patched and updated. Related: Don’t use Windows XP Disable hidden filename extensions Make sure ALL those programs are updated. Especially don’t miss anything made by Adobe (e.g. Flash & Acrobat) Never install things you’re not sure are safe. Especially don’t trust anything from Torrents or P2P sites. Avoid downloading programs from unknown sources If you're not using something, just remove it. Every program installed on your computer opens a potential new hole. Make sure your firewall is turned on Make sure file sharing is turned off Use a reputable virus & malware protection software program, keep it up to date and run it often Make sure that the Macro Virus Protection feature is enabled in all Microsoft applications Never trust any links, attachments, short links, or anything else from anywhere or anyone unless you are SURE what’s inside Have a recovery plan - Is your stuff backed up? If it's a laptop, use something like Prey Project Advanced: Consider changing up your hosts file and/or using something like OPEN DNS.