#cildc E202: IT Security for Libraries

E202: IT Security for Libraries
Blake Carver (owner of LISHost.org)
http://lisnews.org/security/

getting security right is really hard, especially if you have a good web presence

security is two different things:
-it’s a feeling
-it’s a reality
(Bruce Schneier [?])

goal today is to make you feel as insecure as possible

3 groups of evildoers on the internet
-criminals
-activists [included Anonymous here]
-government agents
they’re everywhere you are: social networks, search engines, advertising, email, websites, web servers…
seemingly infinite number of exploits out there
many of the tools they use are open source, have tutorials with screenshots…

Malware Incorporated
-there’s an app for that!
-matured, diversified, and dangerous
-hard to reach
-conduct business anonymously

they’re after what you’d expect: PINs, passwords, emails, phone numbers, social media logins (and contacts)

personal information is the currency of the underground economy
-the era of steal everything
there is no such thing as a secure computer

passwords
-never reuse your passwords
-never use weak passwords
passwords are like bubblegum

what have we learned from breaches?
1. passwords are reused
2. passwords are weak
good password:
-unique
-complex
-long
-strong
-memorable
simple things make a strong password
-some letters, UPPER and lower
-maybe some numbers
-maybe something else (@*$&)
-do make it as LONG as you can
-do not reuse it on multiple sites

should you change all your passwords every X number of months?
-maybe, but maybe not

what can sysadmins do?
-don’t allow bruteforcing
-encrypt and salt passwords
-allow large passwords
-allow large character sets
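The four sysadmin items above, worked into code. This is an added example, not code from the talk: stdlib-only salted hashing with a slow KDF (PBKDF2-HMAC-SHA256 here; "encrypt" in the notes really means hash), no length or character-set limit on the password, constant-time comparison, and a per-account lockout so the login endpoint can't be brute-forced. The in-memory `users` dict is a stand-in for a database.

```python
import hashlib, hmac, os, time
from typing import Optional, Tuple

# Added example (not from the talk). Work factor and lockout values are assumptions;
# raise ITERATIONS as hardware gets faster.
ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 rounds per password check
MAX_FAILURES = 5              # wrong guesses allowed before an account is locked
LOCKOUT_SECONDS = 15 * 60

users = {}                    # username -> record dict (stand-in for a DB table)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Any length and any Unicode character are accepted."""
    salt = salt or os.urandom(16)            # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}

def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad' or 'locked'. Unknown users and wrong passwords look identical."""
    now = time.time() if now is None else now
    rec = users.get(username)
    if rec is None:
        # Burn the same work as a real check so response time doesn't reveal valid usernames
        hash_password(password, b"\x00" * 16)
        return "bad"
    if now < rec["locked_until"]:
        return "locked"
    _, digest = hash_password(password, rec["salt"])
    if hmac.compare_digest(digest, rec["digest"]):   # constant-time comparison
        rec["failures"] = 0
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:              # throttle online guessing
        rec["failures"] = 0
        rec["locked_until"] = now + LOCKOUT_SECONDS
    return "bad"
```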

assume your password will be stolen
nobody is immune from being hacked

have your accounts been compromised?
https://www.pwnedlist.com (collects info from breaches so you can find out if your info is out there)

Staying Safe Online at Home (and Away)
-patches
-trust
-passwords

windows is targeted more than other OSs simply because of proliferation
how do you know if you are infected? you don’t—most malware is written not to be seen

your antivirus software is a seat belt - NOT a force field (Alfred Huger)

desktops & laptops
-keep everything patched/updated
-don’t trust anything (links/downloads/emails)
-backup your stuff!

if I took your laptop/iPad right now… what would I have access to?

laptops:
-prey/lojack
-passwords (when you open the laptop, there should be a password on it)
-sign out & do NOT save form data

email
-don’t trust anything
-don’t leave yourself logged in
-2 factor authentication [I’ve tried the gmail and facebook 2-factor auth… rather annoying, actually]
-passwords

email blended threats
-look like emails from legit sources, but links take you to a different site or have an infected attachment

browsers
firefox, IE, chrome are the big three (opera and safari are small players)
-what these have in common are the plugins behind them (esp. flash, which is targeted all the time)
-keep your plugins updated, especially anything from Adobe
keep everything updated (browser itself too)
know your settings
few recommended plugins
-something to limit javascript
-something to force https [I use https everywhere, but some sites have to be excepted or they don’t work]
-something to block ads [I use AdBlockPlus]

Firefox Collusion
-maps out where your cookies are coming from, where they call back to

Wi-Fi
-passworded & encrypted
-MAC address filtering (enabled) & DHCP (off)
-Firmware updates
-off when not using it
never trust public wi-fi—really easy to start collecting data from these (FireSheep collects unencrypted traffic so you can log in as someone else)

Social Media
understand and adjust your privacy settings (Facebook has a ton)
use https
be skeptical of everything (especially anyone asking you for money)
common threats
—YOU HAVE TO SEE THIS
—free iPhone5!
—new apps
—celebrity/current event
—Twitter @s hidden behind shortened URLs
facebook: <4% of all posts were spam (spam hits less than 0.5% of facebook users, but that translates to 4 million people)
-600,000 times a day, someone tries to log in to a stolen account (out of 1.2 billion logins per day)—and these are just the ones they catch
twitter: 1.5% of all tweets were spam

Mobile Devices
Windows OS vs Android vs iOS
threats
-trojans, viruses & malware (mostly for android)
-lost/stolen
-opaque app data access
-open wi-fi networks and public hotspots

Security in Libraries
-but we’re just a library
-you should worry, we’re all targets
Verizon Data Breach Investigation Report
-83% of victims were targets of opportunity
-92% of attacks were easy
-85% of hacks were discovered by a third party

it’s easy being bad
security is hard
the attacker only needs to succeed once
staying safe takes more than just a firewall

what are the biggest mistakes you can make in the library?
1. ignoring it and thinking you’re safe
—do something… do anything!
—what does a library need to protect? (OPAC, staff computers, network, databases, printers…)
—public access computers
—your security software is a seat belt, not a force field
preparation: practical policies
-patching and updates of the OS and applications on a regular basis
-regular automated checks of public PCs and network
-check the internets for usernames/passwords for your library (e.g. pastebin)
-dedicated staff? someone needs to stay current
resources
http://www.sans.org/critical-security-controls/
Securing Library Technology: A How-To-Do-It Manual
2. not training
employees should know what the real A/V messages look like
train the security mindset like the parenting mindset
phishing, privacy, passwords, attachments, keeping things updated
what about patrons? keep things locked down as much as possible
3. server security
keep things updated, passwords, limit logins, logs, watch for file changes, firewall, kill unneeded processes
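"Watch for file changes" from the server-security list, as an added example (not from the talk): take a SHA-256 baseline of the web root after a clean deploy, keep it somewhere the web server can't write, and diff against it on a schedule. The `demo()` function builds a constructed throwaway web root in a temp directory and tampers with it so the output is reproducible.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the talk). Baseline dicts are plain JSON-serialisable data.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map each regular file (relative path) to its SHA-256 and permission bits."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": sha256_file(p), "mode": oct(p.stat().st_mode & 0o777)}
    return snap

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished, or changed content/permissions since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then change it behind our back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: black }\n")
        baseline = snapshot(root)                       # taken right after deploy
        (root / "index.php").write_text("<?php echo 'hello'; /* changed later */ ?>\n")
        (root / "uploads.php").write_text("<?php /* file nobody deployed */ ?>\n")
        (root / "css" / "site.css").unlink()
        return diff_snapshots(baseline, snapshot(root))  # what a scheduled check would flag
```

In practice the baseline and the checker belong outside the web root (and ideally off the box), and the check runs from cron with its output mailed to whoever is the "dedicated staff" from the list above.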

any good website can go bad at any time