An Introduction to IT Security and Privacy for Librarians and Libraries

IT Security For Librarians Blake Carver LYRASIS Systems Administrator

Upload: blake-carver

Post on 10-Apr-2017


TRANSCRIPT

Page 1: An Introduction To IT Security And Privacy for Librarians and Libraries

IT Security For Librarians

Blake Carver LYRASIS Systems Administrator

Page 2: An Introduction To IT Security And Privacy for Librarians and Libraries

Week One: Intro
• Who and How and What
• Privacy & Security in general
• Why this is all important
• 5 Basic Things

Week Two: Outrunning The Bear
• Privacy
• Passwords
• Securing Devices
• Web Browsers
• Email
• Staying Safe On-line (General Tips)

Week Three: Outrunning The Bear @ Your Library
• Training: Thinking & Behavior
• Threat modeling
• Hardware and networks

Week Four: Websites & Everything Else!
• Web Servers and Networks
• Backups
• Drupal and Wordpress and Joomla
• Servers in general

Page 3: An Introduction To IT Security And Privacy for Librarians and Libraries

Everything You Need To Know
• Use Good Passwords
• Stay Paranoid & Vigilant
• Use Routine Backups
• Keep Everything Patched / Updated
• Think Before You Share Or Connect

Intro

Page 4: An Introduction To IT Security And Privacy for Librarians and Libraries

Other Things
• Install Updates NOW
• Passwords are Key
• ALL Software Has Flaws
• Security Is Complicated
• Everyone Plays A Part

Page 5: An Introduction To IT Security And Privacy for Librarians and Libraries

Common Security Myths
• You have nothing worth stealing
• Patches and updates make things worse and break them
• You can look at a web site and know it's safe
• No one will guess this password
• Social Media Sites Are Safe
• I’m safe! I use Anti-virus / firewall
• There’s only malware on Desktops not phones
• If I'm compromised I will know it
• I'm too smart to get infected


Page 6: An Introduction To IT Security And Privacy for Librarians and Libraries

Common Security Excuses

• But nobody would do that [Exploit Method/Thing]
• I can't remember all these passwords.
• Firewalls / AV / Security just gets in the way
• They won't be able to see that; it's hidden.
• It's safe because you have to log in first.


Page 7: An Introduction To IT Security And Privacy for Librarians and Libraries

So What Are We Talking About


Page 8: An Introduction To IT Security And Privacy for Librarians and Libraries

The Way Things Are Vs. The Way Things Oughtta Be

Page 9: An Introduction To IT Security And Privacy for Librarians and Libraries

But the state argued that because cell phones constantly reveal their locations to carriers by pinging nearby cell towers, Andrews “voluntarily shared this information with third parties,” including the police, merely by keeping his phone on.

In other words, if you don't shut off your phone, you're asking to be tracked.

“While cell phones are ubiquitous, they all come with 'off' switches,” the state responded in the brief. “Because Andrews chose to keep his cell phone on, he was voluntarily sharing the location of his cell phone with third parties.”

“The government has indeed repeatedly argued that there is no [reasonable expectation of privacy] in cell phone location information, in court and out,” Nathan Wessler, a staff attorney with the ACLU's speech, privacy and technology project, told Motherboard in an email. “In cases involving historical cell site location information, the government has danced around this argument, arguing that phone users give up their expectation of privacy in their location information merely by making and receiving calls.”

State of MD Vs Kerron Andrews

Page 10: An Introduction To IT Security And Privacy for Librarians and Libraries
Page 11: An Introduction To IT Security And Privacy for Librarians and Libraries

If Vs. When

Some things are IFs, some things are WHENs

Perhaps things are Likely and Possible

Page 12: An Introduction To IT Security And Privacy for Librarians and Libraries


Bad Guys? Hackers? Crackers? Criminals?


Page 13: An Introduction To IT Security And Privacy for Librarians and Libraries
Page 14: An Introduction To IT Security And Privacy for Librarians and Libraries
Page 15: An Introduction To IT Security And Privacy for Librarians and Libraries
Page 16: An Introduction To IT Security And Privacy for Librarians and Libraries


Security

Cyber Security? IT Security? Safety? Information Security?

Information Literacy? The Digital Divide?


Page 17: An Introduction To IT Security And Privacy for Librarians and Libraries

“Security is two different things: It's a feeling & It's a reality”

Bruce Schneier – TedxPSU


Page 18: An Introduction To IT Security And Privacy for Librarians and Libraries

Security isn’t either/or


Page 19: An Introduction To IT Security And Privacy for Librarians and Libraries


Privacy

Cyber Privacy? IT Privacy? Online Privacy?

Information Literacy? The Digital Divide?


Page 20: An Introduction To IT Security And Privacy for Librarians and Libraries

What will be the consequences of participation in this data set?

https://github.com/frankmcsherry/blog/blob/master/posts/2016-02-06.md

Page 21: An Introduction To IT Security And Privacy for Librarians and Libraries

Are we helping people avoid being added to more and more datasets?

Are we increasing their digital footprints?

Page 22: An Introduction To IT Security And Privacy for Librarians and Libraries

Security & Privacy Are Getting Better, But They're Getting Worse Faster


Page 23: An Introduction To IT Security And Privacy for Librarians and Libraries

Why does this keep happening?

The Internet was built for openness and speed

More Things Online – More Targets

Old, out-of-date systems and budget shortfalls

New poorly designed systems

Surveillance is the business of the Internet

Page 24: An Introduction To IT Security And Privacy for Librarians and Libraries

Why?

Professionals


Page 25: An Introduction To IT Security And Privacy for Librarians and Libraries

And Everyone Else

Page 26: An Introduction To IT Security And Privacy for Librarians and Libraries

Good Guys

Page 27: An Introduction To IT Security And Privacy for Librarians and Libraries

Bad Guys

• Skill
• Focus
• Tools
• Time

Training

Page 28: An Introduction To IT Security And Privacy for Librarians and Libraries

Not much of this crime is new

• Automation
• Distance
• "Technique Propagation"

(“Only the first attacker has to be skilled; everyone else can use his software.”)


Page 29: An Introduction To IT Security And Privacy for Librarians and Libraries

The technology of the internet makes the bad guys vastly more efficient.


Page 30: An Introduction To IT Security And Privacy for Librarians and Libraries

It's Safe Behind The Keyboard

Hacking is a really safe crime, compared to other real-life crime.

Page 31: An Introduction To IT Security And Privacy for Librarians and Libraries


Page 32: An Introduction To IT Security And Privacy for Librarians and Libraries

Where Are They Working?

• Social Networks
• Search Engines
• Advertising
• Email
• Web Sites
• Web Servers
• Home Computers
• Mobile Devices


Page 33: An Introduction To IT Security And Privacy for Librarians and Libraries

This is the work of a rogue industry, not a roguish teenager


Page 34: An Introduction To IT Security And Privacy for Librarians and Libraries

*Thanks to Brian Krebs for sharing screenshots: krebsonsecurity.com

And to Dr. Mark Vriesenga, BAE Systems

Examples


Page 35: An Introduction To IT Security And Privacy for Librarians and Libraries

What Are They After?

• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Usernames
• Contact Lists
• Emails
• Phone Numbers
• Your Hardware...


Page 36: An Introduction To IT Security And Privacy for Librarians and Libraries

http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/?utm_source=feedburn

Page 37: An Introduction To IT Security And Privacy for Librarians and Libraries

Personal information is the currency of the underground economy


Page 38: An Introduction To IT Security And Privacy for Librarians and Libraries

Personal information is the currency of the entire Internet economy


Page 39: An Introduction To IT Security And Privacy for Librarians and Libraries
Page 40: An Introduction To IT Security And Privacy for Librarians and Libraries

What's It Worth?

Credit Cards: $5-$30
• Basic or “Random”: $5-$8
• With Bank ID#: $15
• With Date of Birth: $15
• With Fullzinfo: $30

Payment service accounts: $20-$300
• Containing from US$400 to $1,000: between $20 and $50
• Containing from $5,000 to $8,000: range from $200 to $300

Bank login credentials: $190-$500
• A $2,200 balance account selling for $190
• $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance

Online premium content services: $.55-$15
• Online video streaming ($0.25 to $1)
• Premium cable channel streaming services ($7.50)
• Premium comic book services ($0.55)
• Professional sports streaming ($15)

Loyalty, community accounts: $20-$1400
• A major hotel brand loyalty account with 100,000 points for sale for $20
• An online auction community account with high reputation marks priced at $1,400

"The Hidden Data Economy" study by McAfee, October 2015

Page 41: An Introduction To IT Security And Privacy for Librarians and Libraries

http://www.symantec.com/connect/blogs/netflix-malware-and-phishing-campaigns-help-build-emerging-black-market

Page 42: An Introduction To IT Security And Privacy for Librarians and Libraries

The Era Of Steal Everything

Everything has some value


Page 43: An Introduction To IT Security And Privacy for Librarians and Libraries

Against a sufficiently motivated and equipped adversary, no device is impenetrable.


Page 44: An Introduction To IT Security And Privacy for Librarians and Libraries

There is no such thing as a secure computer


Page 45: An Introduction To IT Security And Privacy for Librarians and Libraries

We are making things safER


Page 46: An Introduction To IT Security And Privacy for Librarians and Libraries

"None of this is about being "unhackable"; it’s about making the difficulty of doing so not worth the effort."


Page 47: An Introduction To IT Security And Privacy for Librarians and Libraries


Page 48: An Introduction To IT Security And Privacy for Librarians and Libraries

https://www.teachprivacy.com/the-health-data-breach-and-id-theft-epidemic/

Page 49: An Introduction To IT Security And Privacy for Librarians and Libraries

Think Different…

Have A Hacker Mindset

Have A Security Mindset


Page 50: An Introduction To IT Security And Privacy for Librarians and Libraries

http://www.pewinternet.org/files/2015/09/2015-09-15_libraries_FINAL.pdf

Offer Training At Your Library

Page 51: An Introduction To IT Security And Privacy for Librarians and Libraries

Everything You Need To Know

Use Great Passwords
• Strong (Long, Complex)
• Unique

Stay Paranoid & Vigilant
• Never Trust Anything or Anyone
• Always Double Check


Page 52: An Introduction To IT Security And Privacy for Librarians and Libraries

http://r20.rs6.net/tn.jsp?f=001jvkK1lqM8L-mnPV6fw1piqSVbRdreWE37hHyBgaBTEokTgb93wOt2pbbtbQeU8ZfnvfAHeCyovnJECU5iJW3x398D3y1CUWJo46vMRcq7SmXgKmSTao6BDOeyWbDL098sbwrd31tthC8vO7UtQTs-Dpvy-FzQNF8eg9jznIRCSheKjBy-NLYkve-ICGa8tQ94XTqTWvGIpCDN4R19rUWnlnGVgKhMnf6ra5h0mxYKyiVl8mVbH5rVzEHGnmC_tqm&c=2qp8OI_b_ky3yXFryCYkU3XkJehYbiMxoRoM7KwW5ZK0JPs92OvKVQ==&ch=o2igILcTd7vZdRH-EcEq6-ka5CvKEHvNx7yRl6qNWfAO-PA3NbzvPA==

Page 53: An Introduction To IT Security And Privacy for Librarians and Libraries

Everything You Need To Know

Use Great Passwords
• Strong (Long, Complex)
• Unique

Stay Paranoid & Vigilant
• Never Trust Anything or Anyone
• Always Double Check

Think Before You Click

Use Routine Backups

Keep Everything Patched / Updated

Think Before You Share


Page 54: An Introduction To IT Security And Privacy for Librarians and Libraries

Avoid The Worstest Things

• Moving Slow on updates
• Thoughtlessness: Surfing/Clicking/Following/Sharing
• Over Sharing
• Reusing Weak Passwords
• Not Backing Up
• Thinking It Can’t Happen To You

Page 55: An Introduction To IT Security And Privacy for Librarians and Libraries

Week One: Intro
• Who and How and What
• Privacy & Security in general
• Why this is all important
• 5 Basic Things

Week Two: Outrunning The Bear
• Passwords
• Securing Devices
• Browsers & Tor
• Email
• Staying Safe On-line (General Tips)

Week Three: Outrunning The Bear @ Your Library
• Training: Thinking & Behavior
• Threat modeling
• Hardware and networks

Week Four: Websites & Everything Else
• Web Servers and Networks
• Backups
• Drupal and Wordpress and Joomla
• Servers in general

Page 56: An Introduction To IT Security And Privacy for Librarians and Libraries

IT Security For Librarians

Blake Carver
LYRASIS Systems Administrator