IT Security For Libraries

Social Media Security In Libraries

This is part Eight in my many-part series on IT Security In Libraries. In Part 7 I listed many lists full of practical advice that covered just about everything dealing with IT security in libraries. Part Six was really the first part of that post: there I dealt with security in libraries, mostly theory, while Part 7 is more practical, and is mostly lists. In Part 5 I covered 20 Common Security Myths, and how to defeat them. Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords. In Part Three I covered passwords. In Part 2 we talked privacy. In Part One I tried to lay the foundation for security.

Libraries and librarians are fully embracing social media sites like Twitter, LinkedIn and Facebook. Our libraries use them to connect with and engage our patrons, increase library visibility and communicate information. We each use them to connect with old friends, sell ourselves, stay up to date with the world around us, and keep in touch with family. There are serious security risks involved with most social sites that can be avoided by following some very simple rules. The bad guys are finding it very easy to use these sites to cause trouble. Scammers, stalkers, phishers, spammers, hackers and every other kind of evildoer on the internet are finding new ways to get into our social networks every day. They are using links to spread malware and spam, and they're always one step ahead. They're using these sites to fill social media with evil, e.g. chat bots, captcha crackers, malware, spam, botnet control, blackhat SEO, etc…

Practical IT Security In Libraries

This is part Seven in my many-part series on IT Security In Libraries.
Part Six was really the first part of this post. I dealt with security in libraries, mostly theory, while this post is more practical, and is mostly lists.
In part 5 I covered 20 Common Security Myths, and how to defeat them.
Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords.
In Part Three I covered passwords.
In part 2 we talked privacy.
In Part One I tried to lay the foundation for security.

Let's face it, security is tough in libraries. We have no shortage of access points. We deal with any number of vendors, who may or may not be secure. Threats come from within the libraries (patrons), and from external sites anywhere in the world. Our patrons are bringing in all sorts of Wi-Fi enabled things. And any new security stuff we want to add will get pushback from our coworkers, and cost money that's not in the budget. In this post I've created a bunch of random, though related, lists that can be used to help get started with security in your library. It's a follow-up and companion to Integrating IT Security In Your Library and should help put some of that theory into practice. You probably won't need every point from every list, but I'm hoping presenting them in this way will save you time, and start you on the path to increasing security. I hope to expand each list into a full-length post in the future.

What are the biggest mistakes you can make in your library?
  • Not preparing
  • Not training
  • Ignoring it and thinking you're safe
  • Not having a good understanding of what keeps you safe
  • Not knowing what your vendors are doing or will do when something goes wrong

In general, your security preparations should...
  • Help prevent or detect an intrusion
  • Help stop nefarious code from being executed
  • Help stop trouble from spreading
  • Help stop data from being stolen
  • Build in accountability (everyone should have a defined role, and this should include both staff and patrons)
  • Be specific and practical when presented, to help ensure buy-in
  • Clearly explain consequences, to help ensure buy-in
  • Cover what to do when things go wrong, how to handle specific troubles, who to call, etc.
  • Include behavior and acceptable use policies for both staff and patrons

Security training for both staff and patrons should answer WHY.
Remember: bad security policies cost time, money, reputation and trust.

Integrating IT Security In Your Library

This is part Six in my many-part series on IT Security In Libraries. In Part 5 I covered 20 Common Security Myths, and how to defeat them. Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords. In Part Three I covered passwords. In Part 2 we talked privacy. In Part One I tried to lay the foundation for security. Today's post is long on theory. I'll argue that most any library can be a target, and present some ideas on how to make things more secure in your library.

20 Common Security Myths

This is part five in my many-part series on IT Security In Libraries. Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords. In Part Three I covered passwords. In Part 2 we talked privacy. In Part One I tried to lay the foundation for security.

Today's post is short and sweet, 20 myths I've run across while working on the series. I've tried to include a link on most of them that explains why something is wrong.

Staying Safe Online

This is part four in my many-part series on IT Security In Libraries. In Part Three I covered passwords. In Part 2 we talked privacy. In Part One I tried to lay the foundation for security.

Today's post is a big bunch of tips (in convenient list form) on how to keep yourself safe while surfing the web: a bundle of easy, practical tips you can take anywhere to make your computers safer. This is a pretty long list that can be boiled down to three important bullet points:

  • Keep everything patched and updated
  • Never trust anything
  • Use good passwords

On your computer:

  • Keep that OS patched and updated. Related: Don’t use Windows XP
  • Disable hidden filename extensions
  • Make sure ALL those programs are updated. Especially don’t miss anything made by Adobe (e.g. Flash & Acrobat)
  • Never install things you’re not sure are safe. Especially don’t trust anything from Torrents or P2P sites. Avoid downloading programs from unknown sources
  • If you're not using something, just remove it. Every program installed on your computer opens a potential new hole.
  • Make sure your firewall is turned on
  • Make sure file sharing is turned off
  • Use a reputable virus & malware protection program, keep it up to date and run it often
  • Make sure that the Macro Virus Protection feature is enabled in all Microsoft applications
  • Never trust any links, attachments, short links, or anything else from anywhere or anyone unless you are SURE what’s inside
  • Have a recovery plan - Is your stuff backed up?
  • If it's a laptop, use something like Prey Project
  • Advanced: Consider changing up your hosts file and/or using something like OpenDNS.

Your Wi-Fi At Home:

  • Make sure you set a good password and use WPA or WPA2
  • Be sure to change the default Administrator Passwords (and Usernames)
  • Change the Default SSID and also disable SSID Broadcast
  • Turn off DHCP and set a fixed IP address range instead
  • Use MAC Address Filtering
  • When you're not using it, just turn it off
  • Be sure to keep the firmware upgraded
  • Change your passwords every so often

Your Email:

Practical Advice On Choosing Good Passwords

This is Part Three in my many-part series on IT Security In Libraries. In Part One I tried to lay the foundation for security. Last time we talked privacy, and today it's passwords.

A comment on an LISNews post from last week asked me about passwords. It seems like such a simple, obvious topic, but when you stop and think about it, passwords are difficult, and a good answer does indeed take 1,399 words.

Do you always use unique passwords? Are those passwords always "strong"? Does your library's web presence require strong passwords for all users? Do you have password recommendations clearly posted on your web resources for your users? What makes a good password? Are complex passwords the most secure? Is it uniqueness? Is length the most important thing in a password? I'll start by saying the single most important thing is uniqueness: never reuse one password for everything.

Password Reuse

Using the same password for everything is THE WORST thing you can do. If you learn just one thing from this post, make sure it's this: password reuse is dangerous. Reusing passwords allows anyone who gets your password from an insecure site (and the chances of this happening are probably higher than you'd think) to use it elsewhere. Your password could have been taken in any number of large data breaches and you'd never know it. When these big hacks happen, the only thing saving you from becoming an easy target is having a unique password. It's easy for a hacker to take your email address and password from a site like Gawker and use them as a starting point to cause some serious trouble.

How Did They Get Those Passwords?
So you probably wonder how people are going to get your passwords. It's rather easy for a talented hacker, and even easier to use automated tools to scan thousands of sites looking for vulnerabilities that would allow anyone with time to get your password from a site with a hole. Those usernames/passwords can then be sold to the highest bidder.
1. Ask, a.k.a. social engineering. They'll just call the helpdesk and ask to have it reset.
2. Guess. Have your birthday on Facebook, your pet's first name? That may just be enough.
3. Brute force. It's trivial to have something that can guess millions of possible passwords in no time. (Your websites should never allow brute force attacks.)
4. Dictionary. Passwords follow predictable patterns, and those are always tried first.
5. SQL injection and other common vulnerabilities in websites.
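As an added example (not code from the original post), here is what "your websites should never allow brute force attacks" looks like on the server side: a login throttle that counts failures per account and per client address and locks out with exponential backoff, which blunts both items 3 and 4 above. The class name, thresholds and in-memory store are my own assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5         # assumed: failures allowed before the first lockout
BASE_LOCKOUT_SECS = 30   # assumed: first lockout length, doubling each time
MAX_LOCKOUT_SECS = 3600  # assumed: ceiling on the backoff

class LoginThrottle:
    """Failed-attempt counters kept per account AND per client address: the
    account counter stops millions of guesses at one login, the address counter
    stops one common password tried against many accounts. Counters are kept in
    memory here (an assumption); a real site would share them across web nodes."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = defaultdict(lambda: [0, 0.0])  # key -> [failures, locked_until]

    def _keys(self, username, client_ip):
        return ("user:" + username.lower(), "ip:" + client_ip)

    def is_locked(self, username, client_ip):
        """Seconds left on the longest active lockout for this pair, or 0."""
        now = self.clock()
        waits = [self.state[k][1] - now for k in self._keys(username, client_ip)]
        return max(0.0, *waits)

    def record_failure(self, username, client_ip):
        """Count a failure; from MAX_FAILURES on, lock with exponential backoff."""
        now = self.clock()
        for k in self._keys(username, client_ip):
            entry = self.state[k]
            entry[0] += 1
            if entry[0] >= MAX_FAILURES:
                lock = BASE_LOCKOUT_SECS * 2 ** (entry[0] - MAX_FAILURES)
                entry[1] = now + min(lock, MAX_LOCKOUT_SECS)

    def attempt(self, username, client_ip, password_ok):
        """Gate one login and return 'locked', 'ok' or 'denied'. password_ok is
        the real credential check, which the caller should still run when locked
        so response timing does not reveal whether the account exists."""
        if self.is_locked(username, client_ip) > 0:
            return "locked"
        if password_ok:
            # Reset only the account counter; the address keeps its history so a
            # valid login does not unlock password spraying from that host.
            self.state["user:" + username.lower()] = [0, 0.0]
            return "ok"
        self.record_failure(username, client_ip)
        return "denied"
```

Because a lockout is reached before the counters are reset, guessing simply stalls: every further failure after the lockout expires doubles the next wait, up to the ceiling.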

Practical Tips For Online Privacy

This is Part Two in my many-part series on IT Security In Libraries. In Part One I tried to lay the foundation for security. This week we'll talk privacy, and up next will be a general "Staying Safe Online" post that will cover a million and one tips on how to keep you and your computer safe.

Privacy is a relative term. That is, the things that I consider important to my privacy, someone else might not care about. As librarians we usually key in on confidentiality threats. We want our patrons' records safe. We also don't share that information with ANYONE else. In general, we are fierce about protecting our patrons’ privacy. This is something that has always set us apart from everyone else. Amazon won't do it. Google won't do it. Do I even need to say Facebook won't do it? People who come into the library or use our web sites don't worry about what's going to happen with their information (or at least they shouldn't need to worry about it). They should know we are doing our best to guard their privacy. Keeping all our IT resources secure should be a large part of guarding that privacy.

There are no big events, dead bodies or explosions in privacy violations. It's something that is slowly eroding over time. The troubles are more subtle and are caused by errors, or intentional misuse and a shocking lack of transparency, accountability and security. We don't think about privacy much; we only think about it when things are going wrong. Most people tend to think privacy isn't very important, and don't give it a second thought. Most companies make money by keeping our information as free as possible so it can be used, shared, and sold. Let’s start this section with some general arguments FOR privacy, some reasons why privacy is so highly valued in our profession:

IT Security For Libraries First In A Series

IT Security In Libraries
8. Social Media Security
7. Practical IT Security
6. Integrating IT Security In Your Library
5. 20 Common Security Myths
4. How To Stay Safe Online
3. Passwords
2. Privacy
1. IT Security Foundations

My first post will cover privacy, because I think it's closely related to security, and it's something we as librarians take seriously. Then I'll cover a bunch of ways to stay safe online, how to secure your browser, PC and other things you and your patrons use every day. I'll also cover some common security myths. Then we'll talk passwords: everything has a password now, and I want to make sure we all understand what it takes to make your password as secure as possible. Then we'll talk network security for a bit, followed by hardware and PC security. Then I'll focus on security issues that you'll find in your library. And last, but not least, some things I think you'll find interesting that sysadmins do with servers to make things safer for you, and that you'll never see as an end user.

One way to begin thinking about security for your library is by asking yourself a few questions:

  • What do you have to lose?
  • What do your library & patrons have to lose?
  • What are the bad guys after?

Coming up with even a few quick answers to these questions can be helpful, I think, because it's important to remember we all have something to lose, and that we all have a part to play in keeping ourselves and our libraries safe.

It's also important to know that, ultimately, there is no such thing as a secure computer. Nothing we do can make things 100% safe. We can just make things safer than they were before. All of the security work we do is about reducing risk. It's about knowing what we're up against. We want to reduce the possible frequency of loss (by securing things as much as possible, given our resources) AND we want to reduce the potential magnitude of loss (by limiting what can be lost as much as possible).

To help set the stage for success we should keep in mind two things: "any lock can be picked", and people are the weakest link in the security chain. First, people:
