Practical IT Security In Libraries

This is Part Seven in my many-part series on IT Security In Libraries.
Part Six was really the first part of this post. I dealt with security in libraries, mostly theory, while this post is more practical, and is mostly lists.
In part 5 I covered 20 Common Security Myths, and how to defeat them.
Part 4 was a general “How To Stay Safe Online” post that covered topics like patching/updating, watching links and downloads, and using good passwords.
In Part Three I covered passwords.
In part 2 we talked privacy.
In Part One I tried to lay the foundation for security.

Let’s face it, security is tough in libraries. We have no shortage of access points. We deal with any number of vendors, who may or may not be secure. Threats come from within the libraries (patrons), and from external sites anywhere in the world. Our patrons are bringing in all sorts of Wi-Fi enabled things. And any new security stuff we want to add will get pushback from our coworkers, and cost money that’s not in the budget.

In this post I’ve created a bunch of random, though related, lists that can be used to help get started with security in your library. It’s a follow-up and companion to Integrating IT Security In Your Library and should help put some of that theory into practice. You probably won’t need every point from every list, but I’m hoping presenting them in this way will save you time, and start you on the path to increasing security. I hope to expand each list into a full-length post in the future.

What are the biggest mistakes you can make in your library?
Not preparing
Not training
Ignoring it and thinking you’re safe
Not having a good understanding of what keeps you safe
Not knowing what your vendors are doing or will do when something goes wrong

In general, your security preparations should…
Help prevent or detect an intrusion
Help stop nefarious code from being executed
Help stop trouble from spreading
Help stop data from being stolen
Build in accountability (Everyone should have a defined role, and this should include both staff and patrons)
Be specific and practical when presented to help ensure buy-in
Clearly explain consequences to help ensure buy-in
Cover what to do when things go wrong, how to handle specific troubles, who to call, etc.
Include behavior and acceptable use policies for both staff and patrons
Security training for both staff and patrons should answer WHY
Remember, bad security policies cost time, money, reputation and trust

Make sure you can at least answer some of these:
What does it cost us if this system goes down?
Who uses this system?
What do you do if the entire thing is stolen?
How easy are the assets to replace?
Do you have a security policy in place?
Do you have a disaster recovery plan in place?
Do you have funding and time for this?
Do you have funding for the trouble this will cause if you do NOTHING?

Library staff and information systems personnel should work together to complete…
A thorough Risk Assessment covering threats & vulnerabilities on the library’s computers and networks
A Security Policy which includes specific protection strategies.
— http://www.zdnet.com/news/seven-elements-of-highly-effective-security-policies/297286
— http://www.worldcat.org/title/securing-library-technology-a-how-to-do-it-manual/oclc/221148712
Evaluate the ease of attacking these critical assets. Like the asset side, you focus on the relative ease of attack and the associated threat models. You can use categories like: Swiss cheese, home safe, bank vault, and Fort Knox. Defining ‘Risk’

If nothing else, you need to be prepared for a crisis:
Expect to have a crisis event
Have a predefined crisis communication plan in place
Acknowledge the problem immediately
Go public with serious incidents ASAP
Use social media to communicate with any interested parties
Show full accountability
Get back up as soon as possible
Make right everything that was wrong

Some common policies to have in place.
Strictly enforce laws, regulations, policies, and standards with severe negative consequences for those not adhering to the rules as a strong deterrent.
Avoid giving access to sensitive and valuable assets to those who have no need-to-know
Monitor access and use by those who do need to know
Patching and updates of the OS and applications on a regular basis
Make sure you’re checking the internets for usernames/passwords for your library
Is your domain going to expire? Don’t let squatters get it!
Design for uncertainty. You don’t know how people will attack.
The biggest threat to everything is people downloading stuff they shouldn’t
Default installations are frequently insecure
Backups? Is everything backed up, and do you know how to restore?
Consider application whitelisting (e.g. AppLocker, McAfee Application Control)
Include security responsibilities in all job descriptions. (impossible?)
Tie security performance into employee performance reviews. (impossible?)
Include disciplinary actions for all security incidents. (impossible?)
Dedicated staff? At least assign staff to certain areas (impossible?)
At the very least someone needs to have this as a part-time permanent assignment
If possible, take away rights and decisions to save people from themselves, and each other.
Encrypt your valuable data
Build in training on a regular basis
Separate duties, if you can, to make things more secure
Know as much as you can about who you’re hiring
Don’t share ADMIN or root accounts
Make it clear which staff members have specific privileges and responsibilities
Create and maintain good documentation
Make sure user accounts are gone when employees are gone
Think like a bad guy and try and see what you can do

Your website and OPAC
A web environment has four layers that need protection: the Network level, the Application level, the Operating System level and the Database level. Most people think of these layers as being one within the other, like concentric circles. They reason that if they protect the outermost level, the inner levels are automatically protected.
Enforce good passwords
Keep things patched
Use a good IDS

Training – Your staff needs basics
Do they even know what an anti-virus program looks like?
Is someone penalized for failure?
Do they know to be careful of phone calls from strangers?
Be sure staff is regularly trained on common threats they will face

Thinking of moving to a SaaS (Cloud, hosted, whatever) model of hosting whatever? What do you ask?
What happens if that gets hacked?
How does that provider handle security?
How often do they do audits & updates?
What does the provider consider to be critical service and information security success factors?
How do they handle security?
Do they at least use the Open Web Application Security Project (OWASP) list of top 10 vulnerabilities of Web applications?
Do they use any standards or certifications?
Before signing a contract, make sure your data will be protected as much as possible by that vendor. It’s also important to know what you’ll do when things go wrong.

So what should you do when you discover your library records or something has been breached?
Admit your mistake
Figure out what happened as soon as possible
Fix anything that needs to be fixed
Be proactive in the future
Visa has a nice guide, Identifying and Detecting Security Breaches [PDF]. They outline the important points as:
Preparation
Detection
Containment
Eradication
Recovery
Follow-up / Lessons learned

They also list the top challenges:
Failure to report or ask for help
Incomplete / non-existent notes
Mishandling / destroying evidence
Failure to create working backups
Failure to contain or eradicate
Failure to prevent re-infection
Failure to apply lessons learned