This is part Six in my many part series on IT Security In Libraries.
In part 5 I covered 20 Common Security Myths, and how to defeat them.
Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords.
In Part Three I covered passwords.
In part 2 we talked privacy.
In Part One I tried to lay the foundation for security.
Today's post is long on theory. I'll argue that most any library can be a target, and present some ideas on how to make things more secure in your library.
Libraries Are Targets
Chances are your library is now, or will be at some point, a target. Don't think you're safe just because you're just a small library because when it comes to getting hacked, size doesn't matter. The average web-based application (small or large) is hit by some type of attack once every two minutes (says security firm Imperva, but anyone with access to web server logs will agree). Automated tools make it easy for bad guys to target everything and anything regardless of what might be inside. These tools can easily scan thousands of sites looking for anything with a security hole (and we all have them). There's a seemingly infinite number of things they're after. They may want to host cracked software. They may want to send spam. They may be doing blackhat SEO. They may want your patron's personal information. They may want to use your site as a way to get elsewhere. This is just a small fraction of what they can do with little time or effort.
Why Security Is Hard
IT Security isn't always easy. When it comes to securing your IT resources it's very easy to make a mistake, or overlook something small. In every library it feels like there are a million things to worry about. It's NOT only the fools who are getting hacked, it's everyone and anyone. The best of us miss things and make mistakes that can lead to security breaches. Most libraries don't have the money, time, or people to secure even the small number of resources they have. Larger libraries may be able to afford to spend more time/money on security, but then they also have more things to secure. Unfortunately, security doesn't scale up very easily. This doesn't mean you should give up and hope for the best! Everyone in your library has some small part to play in keeping things secure. We can talk all day about how we should integrate security into our daily routine more, and how vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics or security aren't overly favorable. The costs are very low for the bad guys, and very high for those of us trying make things more secure.
The malware your computers are subject to now is very sophisticated. It's highly evolved and many times will be able to run totally undetected. It has automated installers, updaters, and a sophisticated command and control center that puts every infected machine to good use. It's easy for the writers of these tools to stay one step ahead of those who work to keep us safe. It's very easy for your computers to spy on your users, or become part of a botnet used to cause trouble anywhere in the world.
Understand The Threats To Make Things Safer
You don’t need to be an expert on every aspect of security, but it doesn't hurt to have a good understanding of the threats. Having this knowledge should help you to devise a practical and relevant defense
With so many trouble makers out there we need to have some idea of what we're up against to know how to best formulate our response. Spam, Phishing, Spear Phishing, even Phone Calls! It feels like the bad guys are coming at us from every side. When looking at what you have, you need to think like an attacker. You need to think about what they'll be trying to get, and how easy it will be for them to take things from you. If you make it easy, you'll increase the likelihood of an attack. They may want usernames and passwords. They may want to sql inject some malware. They may want to deface your site. They may want your ILS. They may want to hide pages on your site to do phishing. They may want your server to send spam.
Defending against every possible attack is probably NOT possible, so it's important to know how the most common attacks happen so you can focus on some easily defendable areas. I'll expand on this a bit in another post, but here's a quick summary of how an attacker will likely operate. Once they find a way in, they'll need to know what's around. They'll first look around and see how things work. When choosing your defense, try to focus your energy on what the easiest/cheapest attacks will be. The hardest part for them is to figure out what you have, where things are, what OS you're running. These are all things that make your system unique, and it's the part that will take the most time for the bad guys to figure out. Your best bet is to begin by denying access to as much as possible. You should also hide things as much as possible. I don't mean using "security through obscurity", but rather keep important data off of the network entirely. You should also automate systems to watch for trouble. Make sure to use detection methods so at least you'll know when someone gets in. I'll talk about what to do when you spot an intruder, just keep in mind you should never assume you know what they're after, how they got in, or that you've successfully kicked them out.
It's important we take a realistic view at our assets that are at risk and protect them as effectively as we can. We can't all have someone devoted to security full time. Heck, I don't know that any of us can. The sooner we start seeing information security as something to do well because it adds value, rather than merely as a cost or something that gets in the way which we need to minimize, the better! Your users are assuming some level of competence with security. They're assuming you web sites are safe, and their personal information won't get sold to the highest bidder after its been stolen from your servers.
Make Staff Part Of The Solution
People will always be part of the problem. Most people don't care much for security. They just want to get some work done. It is important all library staff be aware of and incorporate security in their everyday work. It's critical they full accept and are part of any training plans. Without buy-in from everyone any security training will fail. They need to understand that what they do can have consequences. They need to change certain work practices, they need to become part of the solution, rather than part of the problem. They need to know how to recognize malware on a public PC, they need to know common risks, and they should know who to contact when these things come up. Good policies can help, though people will find ways around policies that get in the way. Training and awareness might help with some, but for the most part people don't give darn. And I don't mean to discount the value of training. Security training should be required for everyone to help them not just at work, but at home and anywhere else. 3 Reasons Why Computer Security Fails outlines 3 things to focus on when brining your staff into more secure behaviors. Lack of Awareness, Misunderstanding Computer Security, and Neglecting the Human Factor.
"Just like computers, people must be patched at least every month. Awareness programs (should be on) a continuous life-cycle where employees must constantly be updated, trained and reinforced," he says. "Yet, most awareness programs are nothing more than a onetime event, and then people wonder why nothing happens." - Ericka Chickowski
Security doesn’t have to be all technical, all the time. If your staff (and maybe patrons?) struggles with basic security principles, pick a couple of topics each week to work into an email or meeting. You can start creating awareness by continually using covering small simple topics that will help increase awareness. For years we've been champions of information literacy, now it's time to start pushing security as well.
Integrating Security For Patrons
Your patrons don't care much for security. They just want to get some work done. Or worse, they are actively trying to break it. This is why it's important to build security in, make it a part of everything from the start. Security needs to be an integrated process in everything your library does, and everyone needs to play a part. Sometimes your security policies will get in the way. Of course this will make people angry, Your users don’t want to be saved. They want to do what they want to do, when they want to do it. Somehow you'll need to define a set of acceptable behaviors and then put the hammer down on everything else. Do you allow everyone to install anything on their workstations? Companies are essentially split on whether to allow users to install applications -- 51 percent yes, 49 percent no, according to a survey of 765 professionals by security vendor Bit9. Do you block access to Flash and PDFs (frequently attacked programs)? Probably not, even though they are both a very common attack vector. Do you switch to a different PDF reader with fewer features that may be more secure? Perhaps. This is just one decision, among many, that should be made at the policy level to help make things safer. Look for ways to make things safer in ways that don't interfere with people's everyday tasks as much as possible. People will always find a way around policies if those policies get in the way.
The Best Defense...
As the defender, our job is far far more difficult than those on the other side. The bad guys typically have the luxury of time and resources. They can sit and try different things until they find a way in, they have time on their side. They know that we forgot to protect something, and they will sit and keep trying until they find a hole someplace. And that thing is connected to something else that is connected to something else that contains something critical. It's critical to know what's hooked into what to understand risks, and form a defensive strategy. Nothing on your network is unimportant. With so much random stuff on your network breaking in is easier than keeping the bad guys out. Our job is also tougher because the people we try to protect will fight us. And we can't forget cost, these things are expensive. Your library's security operations need to focus on reducing vulnerabilities. Closing as many holes as possible will close the doors to everyone but the most talented hackers. I liked the view presented in This Post. Richard Bejtlich argues Security consists of three areas of interest:
He says when those three tings line up, then your security policies are working. "Obviously you want to make all three circles overlap as much as possible, such that you plan and defend what the threat intends to attack."
Does your library have a Security Mantra?
I'm a big fan of simple lists, mantras and mission or vision statements. I'm not quite sure they actually make any difference, but I think they're a great way to clearly communicate complex and hard to understand topics. Why not work on developing something for security in your library? Can you write security into your libraries mission statement?
I adapted this a bit from oneonta.edu:
What Should Your Security Goals Be?
To protect confidentiality & privacy by ensuring private information is kept private
To ensure data integrity by preventing data from being inappropriately changed or deleted
To ensure data availability by making sure services are available and uninterrupted
That data can be accessed whenever it is needed, and that data can be restored quickly
All available resources should be safe & secure for every user
What does your library have to lose?
Hopefully this post served as a starting point, a way to get you thinking about security in your library. If security has always been an after though at your library, I hope this will convince you now is the time to start putting better policies and procedures to work. I have a good collection of practical tips and tricks almost finished. I'll be posting those lists very soon, so keep your eyes open!