Friday, August 26, 2011

LISNews: IT Security For Libraries First In A Series



This is part one in my many-part series on IT Security In Libraries. Part One (this post) lays the foundation for thinking about security; Part Two covers privacy; Part Three covers passwords.

The first topical post will cover privacy, because I think it's closely related to security, and it's something we as librarians take seriously. Then I'll cover a bunch of ways to stay safe online: how to secure your browser, your PC and the other things you and your patrons use every day, along with some common security myths. Then we'll talk passwords: everything has a password now, and I want to make sure we all understand what it takes to make a password as strong as possible. Then we'll talk network security for a bit, followed by hardware and PC security. Then I'll focus on the security issues you'll find in your own library. And last, but not least, some things I think you'll find interesting that sysadmins do with servers to make things safer for you, and that you'll never see as an end user.

One way to begin thinking about security for your library is by asking yourself a few questions:
What do you have to lose?
What do your library and its patrons have to lose?
What are the bad guys after?


Coming up with even a few quick answers to these questions can be helpful, I think, because it's important to remember that we all have something to lose, and that we all have a part to play in keeping ourselves and our libraries safe.
It's also important to know that, ultimately, there is no such thing as a secure computer. Nothing we do can make things 100% safe; we can only make things safer than they were before. All of the security work we do is about reducing risk, and that starts with knowing what we're up against. We want to reduce how often a loss happens (by securing things as much as possible, given our resources) AND we want to reduce how bad a loss is when it does happen (by limiting what can be lost as much as possible). A control that does either one lowers your risk; a control that does both is the kind to look for first.

To help set the stage for success we should keep two things in mind: "any lock can be picked," and people are the weakest link in the security chain. First, people:
We choose bad passwords, we write them down, we share them, we reuse them.
We email things we shouldn't.
We post things on Twitter or Facebook that we shouldn't.
We click on links without knowing what's behind them.
We don't update our computers and programs.
We plug in USB drives without knowing where they came from.


Of course, we all want our computers to just work. We don't want to worry about all this security; we just want things to be safe, and we have better things to do. We do insecure things because we're tired and busy. We write down passwords because our brains are full. We put off updates because there's always something more pressing. It's not (only) because people are lazy. It's because every layer of security we add causes more work for them, and much of this advice just costs too much as a daily burden when so few of them will ever actually be harmed by evildoers. There is generally low motivation and poor understanding of why any of this could be important, so people choose the easiest and quickest way to get things done and hope for the best.

So even though we have better security than ever before, there are also more ways to defeat it than ever before. To make matters worse, we are now in the era of "steal everything." We all have something a hacker is interested in stealing, and the barriers to this particular kind of theft are lower than ever.
Frequently, hacking requires little training, knowledge or investment of time. Hackers have moved beyond banks and are now stealing the more mundane things that you have. These are all worth money, or can be used to cause trouble and spread malware. There are bad guys who will pay for email passwords, Facebook logins, trojaned PCs, game logins, nearly anything you have. Our libraries are no exception. They become targets because of what we have inside our ILSs, our public access machines, the OPAC, the databases and more.

What I'm hoping to do in this series is highlight ways to help reduce your exposure. That, in itself, could make you safer, because many hackers are just looking for easy targets and will move on if the common security holes are closed. To beat them you need to be proactive and know how the bad guys think.

The bad guys we're up against have many goals. Some are simply common criminals, others are spammers or doing blackhat SEO; they could be APT agents, corporate spies, or just hacktivists. They are all over the world, and they are hard to find because they hide behind proxies and botnets. In a recent survey of 583 U.S. companies conducted by the Ponemon Institute on behalf of Juniper Networks, 90 percent of the respondents said their organizations' computers had been breached at least once by hackers over the past 12 months. Now, remember that first question I asked, about what you have to lose? Security is a real issue, and hopefully this series of posts will help you reduce your risks.

The posts will be broken up into these main topics:
-Privacy
-Staying Safe Online
-Passwords
-Network Security
-Hardware Security / PC Security
-Security In Your Library
-Server Side Security
