IT Security for You and Your Library
by Blake Carver
We are all targets. Scores of automated programs (bots) are crawling the internet 24/7 looking for easy targets. They want access to our resources because almost everything on our computers has some value. We all have something a hacker is interested in stealing or just borrowing without our knowledge. And to make things even worse, barriers to this particular type of theft are lower than ever.
One way to begin thinking about security for you and your library is by asking yourself a few questions:
- What do you have to lose?
- What do your library and its patrons have to lose?
- What are the bad guys after?
Coming up with even a few quick answers to these questions can help you realize we all have something to lose, and we all have a part to play in keeping ourselves and our libraries safe.
It’s also important to know that, ultimately, there is no such thing as a secure computer and, sadly, nothing we do can make these things 100% safe and secure. We can do our best to make things safer than they were before. All of the security work we do is about reducing risk. It’s about knowing what we’re up against. We want to reduce the possible frequency of loss (by securing things as much as possible, given our resources), and we want to reduce the potential magnitude of loss (by limiting what can be lost as much as possible).
To help set the stage for success, we should keep in mind two things: any lock can be picked, and people are the weakest link in the security chain. First, let’s address people:
- People choose bad passwords. We write them down, share them, and reuse them.
- People email things they shouldn’t.
- People post things on Twitter or Facebook.
- People click on links without knowing what’s behind them.
- People don’t update their computers and programs.
- People plug in USB drives without knowing where the drive came from.
Of course, we all want our computers to work. We don’t want to worry about all this security. We just want things to be safe. We do insecure things because we’re tired and busy. We write down passwords because our brains are full. We have better things to do than update our computers and programs. It’s not (only) because people are lazy. It’s because every layer of security we in IT add causes more work for them. Much of this advice, many of these things we want them to do, just costs too much in terms of a daily burden when so few of them will really be harmed by evil doers. There is generally low motivation and poor understanding of why this could be important. People choose the easiest and quickest way to get things done and hope for the best.
Frequently, hacking requires little training, knowledge, or investment of time. Hackers have moved beyond banks and are now stealing more mundane things that normal people have. These are all worth money or can be used to cause trouble and spread malware. There are bad guys who will pay for email passwords, Facebook logins, trojaned PCs, and game logins—nearly anything you have. Libraries become targets because of what we have inside our ILSs, our public access machines, OPACs, databases, and more.
The bad guys we’re up against have many goals. Some are simply common criminals, others are spammers or doing black hat SEO. They could be advanced persistent threat (APT) agents, corporate spies, or just hacktivists. Most of them are just mindless bots looking for old, common exploits that can be triggered with just a few lines of code. They are all over the world, and they are hard to find because they hide behind proxies and botnets. In a recent survey of 583 U.S. companies conducted by Ponemon Institute on behalf of Juniper Networks, 90% of the respondents said their organizations’ computers had been breached at least once by hackers over the past 12 months. Now, remember that first question I asked? About what you had to lose? Security is a real issue, for all of us.
Securing Your Library’s Systems
Chances are your library is now, or will be at some point, a target. Don’t think you’re safe just because you’re only a small library, because when it comes to getting hacked, size doesn’t matter. The average web-based application (small or large) is hit by some type of attack once every 2 minutes (says security firm Imperva, but anyone with access to web server logs will agree). Automated tools make it easy for bad guys to target everything and anything regardless of what might be inside. These tools can easily scan thousands of connected devices (websites, printers, OPACs, PCs, servers, and anything else with an IP address) looking for anything with a security hole (and we all have them). There’s a seemingly infinite number of things they’re after. They may want to host cracked software. They may want to send spam. They may be doing black hat SEO. They may want your patrons’ personal information. They may want to use your site as a way to get elsewhere. This is just a small fraction of what they can do with little time or effort.
Why Security Is Hard
Getting IT security right isn’t exactly easy. When it comes to securing your IT resources, it’s very easy to make a mistake or overlook something small. In every library, it feels as if there are a million things to worry about. It’s not only the fools who are getting hacked—it’s everyone and anyone. The best of us miss things and make mistakes that can lead to security breaches. Most libraries don’t have the money, time, or people to secure even the small number of resources they have. Larger libraries may be able to afford to spend more time and money on security, but then they also have more things to secure. Unfortunately, security doesn’t scale up very easily. This doesn’t mean you should give up and hope for the best!
Everyone in your library has some small part to play in keeping things secure. The costs are very low for the bad guys and very high for those of us trying to make things more secure. The malware your computers are subject to now is very sophisticated. It’s highly evolved and many times will be able to run totally undetected. It has automated installers, updaters, and a sophisticated command and control center that puts every infected machine to good use. It’s easy for the writers of these tools to stay one step ahead of those who work to keep us safe. It’s very easy for your computers to spy on your users or to become part of a botnet used to cause trouble anywhere in the world.
Understand the Threats to Make Things Safer
You don’t need to be an expert on every aspect of security, but it doesn’t hurt to have a good understanding of the threats. Take a look around your library, and think about all the things that have an IP address. When looking at what you have, you need to think like an attacker. You need to think about what they’ll be trying to get and how easy it will be for them to take things from you. If you make it easy, you’ll increase the likelihood of an attack. They may want usernames and passwords. They may want to SQL inject some malware. They may want to deface your website.
Defending against every possible attack is probably not possible, so it’s important to know how the most common attacks happen in order to focus on some easily defendable areas. Once they find a way in, they’ll need to know what’s around. They’ll first look around and see how things work. When choosing your defense, try to focus your energy on what the easiest/cheapest attacks will be. The hardest part for them is to figure out what you have, where things are, and what OS you’re running. These are all things that make your system unique, and it’s the part that will take the most time for the bad guys to figure out. Your best bet is to begin by denying access to as much as possible. You should also hide things as much as possible. I don’t mean using “security through obscurity,” but, rather, keep important data off the network entirely. You should also automate systems to watch for trouble. Make sure to use detection methods so at least you’ll know when someone gets in.
The sooner we start seeing information security as something to do well because it adds value, rather than merely as a cost or an obstacle to be minimized, the better! Your users are assuming some level of competence with security. They’re assuming your websites are safe and their personal information won’t get sold to the highest bidder after it has been stolen from your servers.
Make Staff Part of the Solution
People will always be part of the problem. Most people don’t care much about security. They just want to get some work done. It is important that all library staff be aware of and incorporate security in their everyday work. It’s critical they fully accept and are part of any training plans. Without buy-in from everyone, any security training will fail. They need to understand that what they do can have consequences. They need to change certain work practices, and they need to become part of the solution, rather than part of the problem. They need to know how to recognize malware on a public PC; they need to know common risks; and they should know who to contact when these things come up. Good policies can help, though people will find ways around policies that get in the way. Training and awareness might help with some, but for the most part, people don’t give a darn. And I don’t mean to discount the value of training. Security training should be required for everyone to help them not just at work, but at home and anywhere else.
Security doesn’t have to be all technical, all the time. If your staff (and maybe patrons?) struggles with basic security principles, pick a couple of topics each week to work into an email or meeting. You can start creating awareness by continually covering small, simple topics that will help increase awareness. For years, we’ve been champions of information literacy. Now, it’s time to start pushing security literacy as well.
If security has always been an afterthought for you and your library, I hope this will convince you that now is the time to start putting better policies and procedures to work. It doesn’t take all that much to make the bad guy’s job just a little bit harder, and that may be all it takes to make you safe.
Passwords! Passwords! Passwords!
Passwords seem to be such a simple, obvious topic, but when you stop and think about it, passwords can be tricky. They’re hard to remember and hard to choose. You may be limited by a password policy that makes little sense and actually makes your password weaker.
Do you always use unique passwords? Are those passwords always “strong”? Does your library’s web presence require strong passwords for all users? Do you have password recommendations clearly posted on your web resources for your users? What makes a good password? Are complex passwords the most secure? Is it uniqueness? Is length the most important thing in a password? I’ll start by saying the two most important things are length and uniqueness. Make your passwords as long as possible, and never reuse a password on more than one thing.
Using the same password for everything is the worst thing you can do. Simply put, password reuse is dangerous. Doing this will allow anyone who gets your password from an insecure site (and the chances of this happening are probably higher than you’d think) to use it anywhere else. Your password could have been taken from any number of large data breaches, and you’d never know it.
What Makes a Good Password?
So what makes a good password? Two simple things: length and complexity. If you think about it, a password is really weak security. If you’re in charge of setting the password policy for your library, you have decisions to make. Should you force people to use complex and unique passwords? Anytime you change up security policies, people will look for ways around it. Enforcing strong passwords is no exception. Even when your users are forced to use “good” passwords, they’ll do something such as choose all the characters on the left side of the keyboard. They will turn the seemingly secure restrictions into easy passwords and make your network even less secure. Somehow, your new security policy just made everyone’s password easier to guess. Those passwords are not strong and can easily be cracked by brute force, rainbow tables, or dictionary attacks, because they are commonly used and will be guessed first in an automated attack. A truly strong password is darn hard to remember, and that’s the problem for all of us with more than a few passwords. Don’t use any part of your username in your password. Don’t use any of your family members’ names. Avoid keyboard sequences, any real words, any real words with just a number tacked on either end, or any real word just reversed.
Are complex passwords better? Well, maybe. Longer passwords are better, no doubt.
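As an added illustration (not from the original article), the following Python checker turns the rules above into code a library could run on its own signup or password-reset form: it flags the patterns the author warns against (parts of the username, family names, keyboard sequences, a dictionary word with digits tacked on or reversed) and estimates keyspace bits so you can see that length outweighs character-set complexity. The word list, keyboard rows, and the 14-character minimum are constructed assumptions, not values from the article.

```python
import math
import re

# Constructed sample dictionary and keyboard rows; a real deployment would load
# a full cracking wordlist and the library's own banned-password list instead.
COMMON_WORDS = {"library", "password", "summer", "welcome", "books", "admin"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
CHARSETS = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]

def has_keyboard_sequence(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def entropy_bits(pw):
    """Rough keyspace estimate: length * log2(alphabet size). Length dominates."""
    alphabet = sum(size for pattern, size in CHARSETS if re.search(pattern, pw))
    return round(len(pw) * math.log2(alphabet), 1) if alphabet else 0.0

def check_password(pw, username="", family_names=(), min_len=14):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Any 3+ character chunk of the username appearing inside the password
    u = username.lower()
    if any(u[i:i + 3] in low for i in range(len(u) - 2)):
        problems.append("contains part of the username")
    if any(n.lower() in low for n in family_names if n):
        problems.append("contains a family member's name")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    # Strip digits tacked on either end, then look for a dictionary word or its reverse
    core = re.sub(r"^\d+|\d+$", "", low)
    if any(w in core or w[::-1] in core for w in COMMON_WORDS):
        problems.append("built from a dictionary word (possibly reversed or with digits added)")
    return problems
```

Wire `check_password` into the form handler and show the returned reasons to the user; a generic "password too weak" message is exactly what pushes people toward the left-side-of-the-keyboard workaround.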