IT Security For Librarians: Outrunning The Bear @ Your Library
Blake Carver – [email protected]
LYRASIS Systems Administrator

Upload: national-information-standards-organization-niso

Post on 13-Jan-2017


Page 1: Carver IT Security for Librarians


Page 2: Carver IT Security for Librarians

Attackers are economically rational – they take scarce resources and apply them efficiently to achieve a desired outcome. As a defender, making the target less attractive or too expensive for that economically rational actor means they will go after something else. “It’s like the old saying: you don’t have to outrun the bear. You just have to outrun your friend.”

Brad Arkin, Adobe's chief security officer

Page 3: Carver IT Security for Librarians

Everything You Need To Know

Build a Defensible Library

Lock Everything Down

Assume your secrets are not safe

Threat Modeling

Training

Page 4: Carver IT Security for Librarians

From: Geraldo Spence <[email protected]>
To: <[email protected]>
Subject: FW: Order Status #001204
Date: Tue, 22 Mar 2016 07:01:47 +0300

Dear someone,

We would like to thank you for your recent order.

Order Status updated on: 21/03/2016
Your Customer ID: 001204
Your Order ID: 4081F78D45-M-2016
Invoice Number: 5978299

Delivery Note: We received your order and payment on 17/03/2016

Your order details are attached.

Best regards,
Geraldo Spence
Chief Executive Officer - Food Packaging Company
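The message above is the deck's phishing sample. As an added example (not from the slides, from LYRASIS, or from any mail-filtering product), the following Python script parses a constructed copy of that message and flags the traits a staff member or a simple mail filter would look for. The sender and recipient addresses (reserved `.invalid` domains), the attachment name, the `known_domains` parameter and the indicator lists are assumptions made for the example, not anything the deck states.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the "Order Status" lure in the slides.
# Addresses use reserved .invalid domains; the attachment name is made up.
SAMPLE_MESSAGE = """\
From: Geraldo Spence <ceo@food-packaging.invalid>
To: <staff@example-library.invalid>
Subject: FW: Order Status #001204
Date: Tue, 22 Mar 2016 07:01:47 +0300
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear someone,

We would like to thank you for your recent order.
Your order details are attached.

--b1
Content-Type: application/zip; name="order_details.zip"
Content-Disposition: attachment; filename="order_details.zip"

--b1--
"""

# Heuristic lists are assumptions for this example, not a vendor rule set.
GENERIC_GREETINGS = ("dear someone", "dear customer", "dear user", "dear sir")
LURE_WORDS = ("order status", "invoice", "payment", "delivery", "account suspended")
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".docm", ".xlsm", ".iso")


def phishing_indicators(raw_message, known_domains=()):
    """Return human-readable indicators found in one RFC 822 message.

    known_domains: sender domains the library actually does business with
    (assumed to be a list staff maintain; empty by default).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    # 1. Sender domain is not one the library recognises.
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain and sender_domain not in {d.lower() for d in known_domains}:
        hits.append("sender domain is not on the library's known-partner list")

    # 2. A "forward" with no thread history is a common lure framing.
    subject = str(msg.get("Subject", "")).lower()
    if subject.startswith(("fw:", "fwd:")) and not msg.get("References"):
        hits.append("claims to be a forward but carries no thread headers")

    # 3. Subject uses an order/invoice/payment pretext.
    if any(word in subject for word in LURE_WORDS):
        hits.append("subject uses an order/invoice lure")

    # 4. Generic greeting: a real supplier addresses the recipient by name.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        hits.append("generic greeting instead of the recipient's name")

    # 5. Attachments whose extensions can carry executable content.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append(f"attachment with risky extension: {name}")

    return hits


if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_MESSAGE):
        print("-", hit)
```

Run against the sample, every one of the five checks fires; a plain internal note from a known domain with no attachment produces no hits. The value for training is the list itself: each indicator is something a person can check in a few seconds before opening an attachment.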

Page 5: Carver IT Security for Librarians
Page 6: Carver IT Security for Librarians

Libraries Live Below The Security Poverty Line

(Wendy Nather)

We simply can't afford to reach a great level of security

• Few or no IT People
• Few or no Security People
• Hard to keep up with technology and security
• Maintenance, planning, strategy are 2nd to OMG
• Depend on consultants, vendors, family, patrons, friends, volunteers, etc...

Page 7: Carver IT Security for Librarians

This leaves us in a bad place

• Defaults
• Old and outdated
• Workarounds
• Not much control
• No time to focus
• "We'll fix it later"

Page 8: Carver IT Security for Librarians

So what can we do?

• Budget? Buy things that are more secure.
• Question our vendors and partners on security.
• Use our consortia.

Page 9: Carver IT Security for Librarians

So what can we do?

• Develop a good Threat Model
• Set achievable security goals
• Learning, Planning & Training
• Develop IT- and security-focused community groups for the exchange of ideas, information and known security threats (Associations and Conferences)

Page 10: Carver IT Security for Librarians

Make Your Library Defensible

Page 11: Carver IT Security for Librarians

Able To Be Defended

• Defensible does not mean secure

• There are more things to defend than there are resources to defend with

• Defensibility focuses on what, why, how, when and from whom

Page 12: Carver IT Security for Librarians

Defensible Libraries

• A change in mindset
• Awareness of limitations & weaknesses
• Awareness of threats
• An admission of inconvenience
• A lot of hard, detailed and underappreciated work.

Page 13: Carver IT Security for Librarians

So Let’s Think About…

• What do we have to secure?
• Who wants it?
• How could they acquire it?
• How could they benefit from its use?
  – Can they sell it?
  – Can they hold it hostage?
  – Can they use & abuse it?
• How damaging would the loss of data be?
• How would this affect library operations?
• How secure do we really need to be?

Page 14: Carver IT Security for Librarians

But We’re Just A Library

IT Security For Libraries

Page 15: Carver IT Security for Librarians

We Are All Targets


Page 16: Carver IT Security for Librarians

Why A Library?

Easy Access to PII

Organizational Rigidity

Limited Resources

Academic Mindset

Target Rich Environment

Page 17: Carver IT Security for Librarians

Krebs on Security.

Hacked Library

Page 18: Carver IT Security for Librarians

Every access point to the internet is a potential breach.

Page 19: Carver IT Security for Librarians

83% targets of opportunity
92% of attacks were easy
85% were found by a 3rd party


Verizon Data Breach Investigations Report

Page 20: Carver IT Security for Librarians

84% were found by a 3rd party

Bad guys were in for 175 days before they were discovered.

Trustwave 2012 Global Security Report


Page 21: Carver IT Security for Librarians

It’s Easy Being Bad


Page 22: Carver IT Security for Librarians

The attacker only needs to succeed once...


Page 23: Carver IT Security for Librarians

While we need to catch every single thing...


Page 24: Carver IT Security for Librarians

Staying safe takes more than just a firewall & AV/AM...


Page 25: Carver IT Security for Librarians

Passwords

Page 26: Carver IT Security for Librarians

Your security software / hardware is a seat belt – not a force field.


Page 27: Carver IT Security for Librarians

Complexity is the Enemy of Security

• We have no shortage of access points

• We deal with any number of vendors

• Threats come from outside the libraries

• Threats come from inside the libraries

• Our libraries are full of people


Page 28: Carver IT Security for Librarians

“If It Ain’t Broke...”

• The vast majority of attacks…
  – Won't be targeted
  – Will be easily avoidable
  – Will be invisible

Do something.... Do Anything!


Page 29: Carver IT Security for Librarians

Don't Make Things Easy

Page 30: Carver IT Security for Librarians

There are more things to defend than there are resources to defend with

Not every asset in your organization is equally valuable

Page 31: Carver IT Security for Librarians

An attacker will always pick the weakest point of entry…

…but you can't know which point that is

Page 32: Carver IT Security for Librarians

The Weakest Point In A Library?

Page 33: Carver IT Security for Librarians

Public Access Computers


Page 34: Carver IT Security for Librarians

Public Access Computers

Staying Safe On This Computer:

–Make Sure You Log Out

–Don’t Access Sensitive Sites

–Beware of the "remember me" option

–Don't send personal or financial information via email or insecure websites


Page 35: Carver IT Security for Librarians

Technical Countermeasures

Page 36: Carver IT Security for Librarians

Most exploits used "old" issues that have been patched

Page 37: Carver IT Security for Librarians

There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.

Brad Arkin, Adobe

Page 38: Carver IT Security for Librarians

Locking Down Public Access Computers

• Patching and Updating
  – OS and *ALL* Applications

• Whitelisting
• Passwords
• SteadyState / DeepFreeze / SmartShield

• Don’t use Windows?

• Don’t use IE?


Page 39: Carver IT Security for Librarians

35 Strategies to Mitigate Targeted Cyber Intrusions

Page 40: Carver IT Security for Librarians

Library Information Security System Assessment Model (LISSAM)

Awareness Creation
Administrative Tools and Methods
Procedures and Control
Information Security Policy
Technological Security Foundation

Page 41: Carver IT Security for Librarians

Change your mindset YOU are the attacker

• What are your library's most valuable assets? Where are these assets? How can they be accessed?

• If you were the attacker how would you spread malware? And who are the most ‘vulnerable’ targets in the organization?

• Do you have a view on the ‘normal’ behavior of your organization (people, behavior, locations and systems)?

Page 42: Carver IT Security for Librarians

Level the playing field…

Hack Your library!

Page 43: Carver IT Security for Librarians
Page 44: Carver IT Security for Librarians
Page 45: Carver IT Security for Librarians

Library Information Security System Assessment Model (LISSAM)

Awareness Creation
Administrative Tools and Methods
Procedures and Control
Information Security Policy
Technological Security Foundation

Page 46: Carver IT Security for Librarians

Also...

• Check usernames/passwords for your library
  – osint-opsec-tool
  – pastebin.com

• HTTPS
• Someone needs to stay current
• Is your domain name going to expire?
• 2FA
• Password Managers
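The first bullet on this slide, checking whether your library's usernames or passwords have turned up in a public paste, as an added example (not from the deck, and not osint-opsec-tool's own code): this Python script scans a dump in the common `address:password` line format for staff accounts and for any address at the library's mail domain, and reports only a short hash of each leaked password so the report itself does not spread the secret. The staff account list, the domain and the paste contents are constructed for the example.

```python
import hashlib
import re

# Constructed inputs: a staff account list, the library's mail domain, and a
# paste in the common "address:password" dump format. None of this is real data.
STAFF_ACCOUNTS = ["bcarver@example-library.invalid", "jdoe@example-library.invalid"]
LIBRARY_DOMAINS = ["example-library.invalid"]
SAMPLE_PASTE = """\
# constructed sample of a credential dump
jdoe@example-library.invalid:Summer2016!
someone@other.invalid:hunter2
BCarver@Example-Library.invalid:carver
former.staff@example-library.invalid:oldpass
random@example.invalid:letmein
"""

DUMP_LINE = re.compile(r"^([^:\s@]+@[^:\s@]+):(.*)$")


def fingerprint(secret):
    """Short SHA-256 prefix: enough for the account owner to confirm a match
    later, not enough to recover or reuse the password from the report."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:8]


def exposed_accounts(paste_text, accounts, domains):
    """Return a finding for every dump line that names a staff account or any
    other address at one of the library's domains (ex-staff, patrons, aliases)."""
    wanted = {a.lower() for a in accounts}
    domains = {d.lower() for d in domains}
    findings = []
    for lineno, line in enumerate(paste_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = DUMP_LINE.match(line)
        if not match:
            continue  # not an address:password line; ignore
        address, secret = match.group(1).lower(), match.group(2)
        domain = address.rpartition("@")[2]
        if address in wanted:
            matched_by = "staff account"
        elif domain in domains:
            matched_by = "library domain"  # an address not on the staff list
        else:
            continue
        findings.append({"line": lineno, "account": address,
                         "matched_by": matched_by,
                         "fingerprint": fingerprint(secret)})
    return findings


if __name__ == "__main__":
    for f in exposed_accounts(SAMPLE_PASTE, STAFF_ACCOUNTS, LIBRARY_DOMAINS):
        print(f"line {f['line']}: {f['account']} ({f['matched_by']}), "
              f"password fingerprint {f['fingerprint']}")
```

Matching is case-insensitive because dumps rarely preserve the casing the account was created with. Anything matched by domain rather than by the staff list is worth a second look: it is either an account nobody is tracking or a forgotten alias, and both should be reset or disabled.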


Page 47: Carver IT Security for Librarians

Training – Non-technical Countermeasures

Train A Security Mindset

Quickly forgotten without practice and reminders

Regular low level of training and awareness

Build Cybersecurity Champions


Page 48: Carver IT Security for Librarians

Training does not work

It's not worth it because someone will still mess up

People already know what to do

This stuff is easy / obvious

Page 49: Carver IT Security for Librarians

Good security awareness programs help all employees know where to get help

Who they should call when there is trouble

Where they can look for guidance & policies

They should know that they will not be looked down on for making a mistake

Someone’s job is to help them through whatever difficulty they are having

Page 50: Carver IT Security for Librarians

We can't make everyone an expert

We do NOT need to train the non-technical employees about what the deep level geek employees already know.

Page 51: Carver IT Security for Librarians

Building Good Habits

“Being secure” is something that is learned over time and eventually becomes a habit.

Make the security mindset the default

Consistent reinforcement of the importance of IT Security

Page 52: Carver IT Security for Librarians
Page 53: Carver IT Security for Librarians

Understanding awareness, training, and development

What we want is policies that reinforce good security principles that will foster over time a new instinct in people, a new way of looking at things, a new way of acting in a more secure way.

This will require a huge amount of patience and buy-in from everyone at your library.

Page 54: Carver IT Security for Librarians
Page 55: Carver IT Security for Librarians


Page 56: Carver IT Security for Librarians

Name: Carver, Blake
ID Number: 123456
User ID: 00123456
Password: carver
End Date: 05/01/2012
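The account card above has a password that is simply the user's surname and an end date that has passed. As an added example (not from the deck or from any library system), the following Python check rejects passwords that can be derived from the account record itself and flags accounts past their end date, so that a batch of records like this one can be audited before the accounts go live. The field names, the 12-character minimum, the reference date and the second "good" record are assumptions made for the example.

```python
import re
from datetime import date

# Constructed records modelled on the slide's card; the second one is an
# invented record that should pass, for contrast.
SAMPLE_RECORDS = [
    {"name": "Carver, Blake", "id_number": "123456", "user_id": "00123456",
     "password": "carver", "end_date": date(2012, 5, 1)},
    {"name": "Doe, Jane", "id_number": "654321", "user_id": "00654321",
     "password": "reading-room-lamp-quietly", "end_date": date(2030, 1, 1)},
]

TODAY = date(2017, 1, 13)  # constructed reference date for the audit
MIN_LENGTH = 12            # assumption for the example, not a policy from the deck


def derived_tokens(record):
    """Pieces of the record an attacker could guess without any other knowledge:
    name parts, the ID number and the user ID, lower-cased."""
    tokens = set()
    for key in ("name", "id_number", "user_id"):
        for piece in re.split(r"[^a-z0-9]+", str(record.get(key, "")).lower()):
            if len(piece) >= 3:
                tokens.add(piece)
    return tokens


def password_problems(record, today):
    """Return the reasons this record fails the checks (empty list = passes)."""
    problems = []
    pw = record.get("password", "")
    pw_lower = pw.lower()
    tokens = derived_tokens(record)

    if pw_lower in tokens:
        problems.append("password equals the user's name or an account identifier")
    elif any(tok in pw_lower for tok in tokens if len(tok) >= 4):
        problems.append("password contains the user's name or an account identifier")
    if pw.isdigit():
        problems.append("password is digits only")
    if len(pw) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")

    end = record.get("end_date")
    if end is not None and end < today:
        problems.append("account is past its end date and should be disabled")
    return problems


def audit(records, today):
    """Map user_id -> problems for every record that has at least one."""
    return {r["user_id"]: p for r in records if (p := password_problems(r, today))}


if __name__ == "__main__":
    for user_id, problems in audit(SAMPLE_RECORDS, TODAY).items():
        print(user_id)
        for problem in problems:
            print("  -", problem)
```

The same `derived_tokens` idea applies at password-change time: feed the new password through `password_problems` before accepting it, so a staff member cannot set their own surname or barcode number as a password even when the default has been changed.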

Page 57: Carver IT Security for Librarians

Training

• Phishing
• Social Engineering
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• How to practice safe social networking
• Keeping things updated


Page 58: Carver IT Security for Librarians

What we want is policies that reinforce good security principles that will foster over time a new instinct in people, a new way of looking at things, a new way of acting in a more secure way.

Page 59: Carver IT Security for Librarians

The goal is to make doing things the right way become the default in your library

Page 60: Carver IT Security for Librarians

Training…. Patrons?

• Your patrons don't care much for security
• Their habits are inviting malware

• Look for ways to make things safer in ways that don't interfere with people's everyday tasks as much as possible.

• Principle of Least Privilege


Page 61: Carver IT Security for Librarians

http://www.pewinternet.org/files/2015/09/2015-09-15_libraries_FINAL.pdf

Offer Training At Your Library

Page 62: Carver IT Security for Librarians

Library Security Mantra

• Security
• Privacy
• Confidentiality
• Integrity
• Availability
• Access

(based on Net Sec 101 Ayre and Lawthers 2001)


Page 63: Carver IT Security for Librarians

Preparation - Practical Resources

• SANS 20 Critical Security Controls– sans.org

• Securing Library Technology: A How-To-Do-It Manual– Earp & Wright

• Strategies to Mitigate Targeted Cyber Intrusions– Australian Signals Directorate

• Library Information Security System Assessment Model – (LISSAM)– Malaysian Journal of Library & Information Science, Vol. 16, no. 2

Virtual Privacy Lab from the San José Public Library https://www.sjpl.org/privacy

Library Freedom Project https://libraryfreedomproject.org/


Page 64: Carver IT Security for Librarians

IT Security For Librarians: Outrunning The Bear @ Your Library
Blake Carver – [email protected]
Systems Administrator