Keeping You And Your Library Safe and Secure
Blake Carver – [email protected]
http://lisnews.org/security/
http://security4lib.org/
http://lyrasis.org

Aug 08, 2015


LYRASIS
Page 1: Keeping you and your library safe and secure

Intro

Keeping You And Your Library Safe and Secure

Blake Carver – [email protected]
http://lisnews.org/security/
http://security4lib.org/
http://lyrasis.org

Page 2: Keeping you and your library safe and secure
Page 3: Keeping you and your library safe and secure

“Security is two different things: It's a feeling & It's a reality”

Bruce Schneier – TedxPSU

Page 4: Keeping you and your library safe and secure

Security Frequently Gets In Our Way

Page 5: Keeping you and your library safe and secure

Have A Hacker Mindset
Think Like A Bad Guy

Have A Security Mindset
Think Defensively

Page 6: Keeping you and your library safe and secure

"None of this is about being "unhackable"; it’s about making the difficulty of doing so not worth the effort."

Page 7: Keeping you and your library safe and secure

Secure, here, doesn't mean impenetrable

Competent and determined bad guys armed with the right tools can always find a way in

Less talented folks, and many automated tools, however, experience great effort as a deterrent

Page 8: Keeping you and your library safe and secure

Criminals

Activists

Government Agents

Page 9: Keeping you and your library safe and secure

Intro

Where Are They Working?

• Social Networks
• Search Engines
• Advertising
• Email
• Web Sites
• Web Servers
• Home Computers
• Mobile Devices

Page 10: Keeping you and your library safe and secure

Malware Inc.

These are the work of a rogue industry, not a roguish teenager

Page 11: Keeping you and your library safe and secure

Malware Inc.

Fully Automated
24/7

Page 12: Keeping you and your library safe and secure

What Are They After?

• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Social Media
• Computers
• Usernames
• Contact Lists
• Emails
• Phone Numbers

These all have value to someone

Page 13: Keeping you and your library safe and secure

Personal information is the currency of the underground economy

Page 14: Keeping you and your library safe and secure

Personal information is the currency of the Entire Internet economy

Page 15: Keeping you and your library safe and secure

We don’t know how our information is used, stored or shared and for how long.

We don’t know who has access

We don’t know if it’s safe

Page 16: Keeping you and your library safe and secure

On the InterWebs, the companies entrusted to keep our personal data safe are invariably the ones who have the most to gain from not doing so.

Robert X. Cringely

Page 17: Keeping you and your library safe and secure

Nobody – nobody – is immune from getting hacked

Page 18: Keeping you and your library safe and secure

http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/?utm_source=feedburn

Page 19: Keeping you and your library safe and secure

How Do You Know If You Are Infected?

• Fans Spinning Wildly
• Programs start unexpectedly
• Your firewall yells at you
• Odd emails FROM you
• Freezes
• Your browser behaves funny
• Sudden slowness
• Change in behavior
• Odd sounds or beeps
• Random Popups
• Unwelcome images
• Disappearing files
• Random error messages

Page 20: Keeping you and your library safe and secure

How Do You Know If You Are Infected?

You Don’t

Page 21: Keeping you and your library safe and secure

Your antivirus software is a seat belt – not a force field.

- Alfred Huger

Page 22: Keeping you and your library safe and secure

• Keep everything patched / updated

• Don’t Trust anything
– Links / Downloads / Emails

• Backups are critical

Page 23: Keeping you and your library safe and secure

Laptops

• Prey / LoJack
• Passwords
• Sign Out & Do NOT Save Form Data

Page 24: Keeping you and your library safe and secure

Laptops

Carry A Safe
Not A Suitcase

Page 25: Keeping you and your library safe and secure

Never Trust Public Wi-Fi

Page 26: Keeping you and your library safe and secure

Which of your accounts is most valuable?

• Email
• Bank
• Social Network
• Shopping
• Gaming
• Blogs
• Library Account

Page 27: Keeping you and your library safe and secure

Own the Email, Own the Person

Page 28: Keeping you and your library safe and secure

Email

• Don’t trust anything
• Don’t leave yourself logged in
• 2 Factor Authentication
• Passwords
– Unique, Obscure and Looooonnnnnggggg

Page 29: Keeping you and your library safe and secure

Web Browser

The Single Most Important [Online] Security Decision You Make

Page 30: Keeping you and your library safe and secure

Staying Safe Online

Browsers

• Use Two & Keep Updated
• Know Your Settings
– Phishing & Malware Detection - Turned ON
– Software Security & Auto / Silent Patching - Turned ON
• A Few Security Plugins:
– Something to Limit JavaScript
– Something to Force HTTPS
– Something to Block Ads

Page 31: Keeping you and your library safe and secure

But The Internet Is Free Because Of Ads...

• Online ads were 182 times more likely to deliver malware than “adult” sites

• Google blocked 524 million 'bad ads' 250,000

• Up 50 percent in 1 year

Page 32: Keeping you and your library safe and secure

Let’s Talk Libraries

Page 33: Keeping you and your library safe and secure

But We’re Just A Library

Page 34: Keeping you and your library safe and secure

83% targets of opportunity

92% of attacks were easy

85% were found by a 3rd party

Verizon Data Breach Investigations Report – Fall 2011

Page 35: Keeping you and your library safe and secure

It’s Easy Being Bad

Page 36: Keeping you and your library safe and secure

Being Good Is
Hard
Never Ending
Overwhelming
Exhausting

Page 37: Keeping you and your library safe and secure

The attacker only needs to succeed once...

Page 38: Keeping you and your library safe and secure

Perfect is not the enemy of good ‘nuff

Page 39: Keeping you and your library safe and secure

Complexity is the Enemy of Security (Bruce Schneier)

• Libraries have no shortage of access points

• We deal with any number of vendors

• Threats come from outside the libraries

• Threats come from inside the libraries

• Our libraries are full of people

Page 40: Keeping you and your library safe and secure

Staying safe takes more than just a firewall...

Page 41: Keeping you and your library safe and secure

Your firewall is a seat belt – not a force field.

Page 42: Keeping you and your library safe and secure

Library Security Requires Layers

• Firewall
• VPN
• Intrusion Monitoring
• Antimalware & Antispam & Antivirus
• Planning & Training

Page 43: Keeping you and your library safe and secure

How Can We Make Our Library Secure

• Don’t ignore it

• Prepare

• Train

Page 44: Keeping you and your library safe and secure

Preparation - Practical Policies

• Patching and updates of the OS and applications on a regular basis

• Regular automated checks of public PCs & network

• Check the internets for usernames/passwords for your library (e.g. pastebin)

• Dedicated staff? Someone needs to stay current
• Lost USB Drives?
• Is your domain name going to expire?

Page 45: Keeping you and your library safe and secure

Training

• Phishing
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• How to practice safe social networking
• Keeping things updated

Page 46: Keeping you and your library safe and secure

Public Access PCs

Your security software is a seat belt – not a force field.

Page 47: Keeping you and your library safe and secure

Assume the bad thing has happened

Page 48: Keeping you and your library safe and secure

Change your mindset – YOU are the attacker

• What are your library’s most valuable assets?
– Where are these assets?
– How can they be accessed?

• If you were the attacker how would you spread malware?

• Who are the most ‘vulnerable’ targets in the organization?

Page 49: Keeping you and your library safe and secure

Go on the offensive…

"think evil, do good"

Page 50: Keeping you and your library safe and secure

Turn Your Focus Outside

Page 51: Keeping you and your library safe and secure

Library Security Mantra

• Security
• Privacy
• Confidentiality
• Integrity
• Availability
• Access

(based on Net Sec 101 Ayre and Lawthers 2001)

Page 52: Keeping you and your library safe and secure

What websites can you trust?

Page 53: Keeping you and your library safe and secure

Can you trust your own website?

Page 54: Keeping you and your library safe and secure

Any Good Web Site Can Go Bad
At Any Time

Less than half of website traffic is human

About 30% of all traffic is actively trying to cause trouble

Page 55: Keeping you and your library safe and secure

“Security is two different things: It's a feeling & It's a reality”

Bruce Schneier – TedxPSU

Page 56: Keeping you and your library safe and secure

• Keep everything patched & updated always

• Carry A Safe
• Don’t Trust anything or anyone
– Links / Downloads / Emails
– Patrons / Vendors
• Backup your stuff
• Prepare And Train

Page 57: Keeping you and your library safe and secure

This IS worth the time, effort and expense.

Page 58: Keeping you and your library safe and secure

Done!!

Stay Safe

Blake Carver – [email protected]
http://lisnews.org/security/
http://security4lib.org/
http://lyrasis.org