Post on 13-Jan-2017
IT Security For Librarians: Outrunning The Bear @ Your Library
Blake Carver – blake.carver@lyrasis.org
LYRASIS Systems Administrator
Attackers are economically rational – they take scarce resources and apply them efficiently to achieve a desired outcome. As a defender, making the target less attractive or too expensive for that economically rational actor means they will go after something else. “It’s like the old saying: you don’t have to outrun the bear. You just have to outrun your friend.”
Brad Arkin, Adobe's chief security officer
Everything You Need To Know
Build a Defensible Library
Lock Everything Down
Assume your secrets are not safe
Threat Modeling
Training
From: Geraldo Spence <email@example.com>
To: <somone@example.com>
Subject: FW: Order Status #001204
Date: Tue, 22 Mar 2016 07:01:47 +0300
Dear someone,
We would like to thank you for your recent order.
Order Status updated on: 21/03/2016
Your Customer ID: 001204
Your Order ID: 4081F78D45-M-2016
Invoice Number: 5978299
Delivery Note: We received your order and payment on 17/03/2016
Your order details are attached.
Best regards,
Geraldo Spence
Chief Executive Officer - Food Packaging Company
Libraries Live Below The Security Poverty Line
(Wendy Nather)
We simply can't afford to reach a great level of security
• Few or no IT People
• Few or no Security People
• Hard to keep up with technology and security
• Maintenance, planning, strategy are 2nd to OMG
• Depend on consultants, vendors, family, patrons, friends, volunteers, etc...
This leaves us in a bad place
• Defaults
• Old and outdated
• Workarounds
• Not much control
• No time to focus
• "We'll fix it later"
So what can we do?
• Budget? Buy things that are more secure.
• Question our vendors and partners on security.
• Use our consortia.
So what can we do?
• Develop a good Threat Model
• Set achievable security goals
• Learning, Planning & Training
• Develop IT- and security-focused community groups for the exchange of ideas, information and known security threats. (Associations and Conferences)
Make Your Library Defensible
Able To Be Defended
• Defensible does not mean secure
• There are more things to defend than there are resources to defend with
• Defensibility focuses on what, why, how, when and from whom
Defensible Libraries
• A change in mindset
• Awareness of limitations & weaknesses
• Awareness of threats
• An admission of inconvenience
• A lot of hard, detailed and underappreciated work.
So Let’s Think About…
• What do we have to secure?
• Who wants it?
• How could they acquire it?
• How could they benefit from its use?
  – Can they sell it?
  – Can they hold it hostage?
  – Can they use & abuse it?
• How damaging would the loss of data be?
• How would this affect library operations?
• How secure do we really need to be?
But We’re Just A Library
IT Security For Libraries
We Are All Targets
Why A Library?
Easy Access to PII
Organizational Rigidity
Limited Resources
Academic Mindset
Target Rich Environment
Krebs on Security.
Hacked Library
Every access point to the internet is a potential breach.
83% targets of opportunity
92% of attacks were easy
85% were found by a 3rd party
Verizon Data Breach Investigations Report
84% were found by a 3rd party
Bad guys were in for 175 days before they were discovered.
Trustwave 2012 Global Security Report
It’s Easy Being Bad
The attacker only needs to succeed once...
While we need to catch every single thing...
Staying safe takes more than just a firewall & AV/AM...
Passwords
Your security software / hardware is a seat belt – not a force field.
Complexity is the Enemy of Security
• We have no shortage of access points
• We deal with any number of vendors
• Threats come from outside the libraries
• Threats come from inside the libraries
• Our libraries are full of people
“If It Ain’t Broke...”
• The vast majority of attacks…
  – Won’t be targeted
  – Will be easily avoidable
  – Will be invisible
Do something.... Do Anything!
Don't Make Things Easy
There are more things to defend than there are resources to defend with
Not every asset in your organization is equally valuable
An attacker will always pick the weakest point of entry…
…but you can't know which point that is
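The threat-modeling questions earlier (what do we have, who wants it, how could they get it, what is it worth to them, how bad is losing it) and the point here that not every asset deserves the same share of a small defence budget can be turned into a simple ranked risk register. The script below is an added example, not from the talk, using a constructed inventory for a hypothetical small public library; the 1–5 impact and exposure scales and the rule that each existing control knocks one point off exposure are assumptions chosen for illustration, not a published method.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One line of a library risk register, shaped by the talk's threat-model questions."""
    name: str
    holds: str                 # what do we have to secure?
    wanted_by: list            # who wants it?
    reachable_via: list        # how could they acquire it?
    benefit: list              # sell / hold hostage / use & abuse
    impact: int                # 1-5: how damaging would the loss be?
    exposure: int              # 1-5: how reachable is it (internet-facing, shared, unpatched)?
    controls: list = field(default_factory=list)   # what is already in place

    def likelihood(self) -> int:
        """Exposure tempered by existing controls, floored at 1: nothing is 'impossible'."""
        return max(1, self.exposure - len(self.controls))

    def risk(self) -> int:
        """Classic impact x likelihood; the ordering matters more than the number."""
        return self.impact * self.likelihood()


# Constructed inventory for a hypothetical small public library (assumption, not data from the talk).
INVENTORY = [
    Asset("ILS patron database", "names, addresses, borrowing history (PII)",
          ["identity thieves", "ransomware crews"], ["vendor web admin panel", "staff workstations"],
          ["sell", "hold hostage"], impact=5, exposure=3, controls=["vendor patches", "staff MFA"]),
    Asset("Public access computers", "logged-in patron sessions, saved credentials",
          ["opportunistic malware", "walk-up users"], ["USB", "web browsing", "local admin"],
          ["use & abuse"], impact=3, exposure=5, controls=["DeepFreeze-style reset"]),
    Asset("Staff email", "mailbox contents, password resets for other systems",
          ["phishers"], ["phishing", "weak passwords"], ["use & abuse", "sell"],
          impact=4, exposure=4, controls=[]),
    Asset("Library domain name", "the whole web presence and mail routing",
          ["squatters", "phishers"], ["expired registration", "registrar account takeover"],
          ["hold hostage", "use & abuse"], impact=4, exposure=2, controls=["auto-renew", "registrar MFA"]),
]


def rank_by_risk(inventory):
    """Highest risk first: where the scarce defensive hours should go."""
    return sorted(inventory, key=lambda a: (-a.risk(), a.name))


def uncontrolled(inventory):
    """Exposed assets (>= 3) with nothing in place: usually the cheapest wins."""
    return [a.name for a in inventory if a.exposure >= 3 and not a.controls]


if __name__ == "__main__":
    for a in rank_by_risk(INVENTORY):
        print(f"{a.risk():3d}  {a.name:26s} wanted by {', '.join(a.wanted_by)}; via {', '.join(a.reachable_via)}")
    print("no controls at all:", uncontrolled(INVENTORY))
```

The output is a conversation starter, not a proof: the ranking is only as honest as the exposure and control values staff put in, which is why the talk insists on an admission of inconvenience and a real awareness of weaknesses first.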
The Weakest Point In A Library?
Public Access Computers
Public Access Computers
Staying Safe On This Computer:
–Make Sure You Log Out
–Don’t Access Sensitive Sites
–Beware of the "remember me" option
–Don't send personal or financial information via email or insecure websites
Technical Countermeasures
Most exploits used “old” issues that have been patched
“There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.”
Brad Arkin, Adobe
Locking Down Public Access Computers
• Patching and Updating
  – OS and *ALL* Applications
• Whitelisting
• Passwords
• SteadyState / DeepFreeze / SmartShield
• Don’t use Windows?
• Don’t use IE?
35 Strategies to Mitigate Targeted Cyber Intrusions
Library Information Security System Assessment Model (LISSAM)
• Awareness Creation
• Administrative Tools and Methods
• Procedures and Control
• Information Security Policy
• Technological Security Foundation
Change your mindset: YOU are the attacker
• What are your library’s most valuable assets? Where are these assets? How can they be accessed?
• If you were the attacker, how would you spread malware? And who are the most ‘vulnerable’ targets in the organization?
• Do you have a view of the ‘normal’ behavior of your organization (people, behavior, locations and systems)?
Level the playing field…
Hack Your library!
Also...
• Check usernames/passwords for your library
  – osint-opsec-tool
  – pastebin.com
• HTTPS
• Someone needs to stay current
• Is your domain name going to expire?
• 2FA
• Password Managers
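Checking whether your library's credentials have turned up in a leak, as the slide suggests, raises an obvious problem: you do not want to paste staff passwords into a third-party site to find out. The script below is an added example, not from the talk, showing the hash-prefix range query (the k-anonymity scheme used by the Pwned Passwords service) that lets a password be checked against a breach corpus while only the first five hex characters of its SHA-1 ever leave the machine. The range responses and the breach count are constructed here, and `fetch_range_constructed` is an assumed stand-in for the HTTP call a real client would make; the only real value is the SHA-1 of the string "password".

```python
import hashlib

# Constructed stand-in for a range-query service: maps a 5-hex-char SHA-1 prefix to the
# text such a service returns ("<35-char suffix>:<count>" per line). The count and the
# second line are made up; the first suffix is the real SHA-1 tail of "password".
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # "password" (count constructed)
        "0F3C6A2D9B1E4F7A8C5D2E1F0A9B8C7D6E5:12",         # unrelated filler suffix
    ]),
}


def fetch_range_constructed(prefix: str) -> str:
    """Assumed stand-in for GET /range/<prefix>; '' means no entries in that bucket."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def breach_count(password: str, fetch_range=fetch_range_constructed) -> int:
    """How many times the password appears in the corpus; 0 if never seen.

    The service only ever learns the 5-character prefix, which thousands of other
    passwords share; the full-hash comparison happens locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip() or 0)
    return 0


def audit_accounts(accounts: dict, fetch_range=fetch_range_constructed) -> list:
    """User IDs whose password is known-breached. Plaintext never leaves this process;
    in practice run this at password-change time rather than over a stored list."""
    return [user for user, pw in accounts.items() if breach_count(pw, fetch_range) > 0]


if __name__ == "__main__":
    # Constructed accounts; "carver" echoes the weak sample credential shown later in the talk.
    sample = {"carver": "password", "refdesk": "a-long-unique-passphrase-nobody-uses"}
    for user in sample:
        print(f"{user:10s} seen {breach_count(sample[user])} times in breach corpus")
    print("needs a reset:", audit_accounts(sample))
```

A hit does not mean that account was breached; it means the password is in attackers' wordlists, which is reason enough to force a change and pair the account with 2FA.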
Training - Non-technical Countermeasures
Train A Security Mindset
Quickly forgotten without practice and reminders
Regular low level of training and awareness
Build Cybersecurity Champions
Training does not work
It's not worth it because someone will still mess up
People already know what to do
This stuff is easy / obvious
Good security awareness programs help all employees know where to get help
Who they should call when there is trouble
Where they can look for guidance & policies
They should know that they will not be looked down on for making a mistake
Someone’s job is to help them through whatever difficulty they are having
We can't make everyone an expert
We do NOT need to train the non-technical employees about what the deep level geek employees already know.
Building Good Habits
“Being secure” is something that is learned over time and eventually becomes a habit.
Make the security mindset the default
Consistent reinforcement of the importance of IT Security
Understanding awareness, training, and development
What we want is policies that reinforce good security principles that will foster over time a new instinct in people, a new way of looking at things, a new way of acting in a more secure way.
This will require a huge amount of patience and buy-in from everyone at your library.
Name: Carver, Blake
ID Number: 123456
User ID: 00123456
Password: carver
End Date: 05/01/2012
Training
• Phishing
• Social Engineering
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• How to practice safe social networking
• Keeping things updated
The goal is to make doing things the right way become the default in your library
Training…. Patrons?
• Your patrons don't care much for security
• Their habits are inviting malware
• Look for ways to make things safer in ways that don't interfere with people's everyday tasks as much as possible.
• Principle of Least Privilege
http://www.pewinternet.org/files/2015/09/2015-09-15_libraries_FINAL.pdf
Offer Training At Your Library
Library Security Mantra
• Security
• Privacy
• Confidentiality
• Integrity
• Availability
• Access
(based on Net Sec 101 Ayre and Lawthers 2001)
Preparation - Practical Resources
• SANS 20 Critical Security Controls– sans.org
• Securing Library Technology: A How-To-Do-It Manual– Earp & Wright
• Strategies to Mitigate Targeted Cyber Intrusions– Australian Signals Directorate
• Library Information Security System Assessment Model – (LISSAM)– Malaysian Journal of Library & Information Science, Vol. 16, no. 2
Virtual Privacy Lab from the San José Public Library https://www.sjpl.org/privacy
Library Freedom Project https://libraryfreedomproject.org/