Keeping You And Your Library Safe and Secure

Blake Carver – [email protected]

http://lisnews.org/security/
http://security4lib.org/
http://lyrasis.org

Intro

“Security is two different things: It's a feeling & It's a reality”

Bruce Schneier – TedxPSU

Security Frequently Gets In Our Way

Have A Hacker Mindset
Think Like A Bad Guy

Have A Security Mindset
Think Defensively

"None of this is about being 'unhackable'; it's about making the difficulty of doing so not worth the effort."

Secure, here, doesn't mean impenetrable

Competent and determined bad guys armed with the right tools can always find a way in

Less talented folks, and many automated tools, however, experience great effort as a deterrent

Criminals

Activists

Government Agents

Intro

Where Are They Working?

• Social Networks
• Search Engines
• Advertising
• Email
• Web Sites
• Web Servers
• Home Computers
• Mobile Devices

Malware Inc.

These are the work of a rogue industry, not a roguish teenager

Malware Inc.

Fully Automated, 24/7

What Are They After?

• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Social Media
• Computers
• Usernames
• Contact Lists
• Emails
• Phone Numbers

These all have value to someone

Personal information is the currency of the underground economy

Personal information is the currency of the Entire Internet economy

We don’t know how our information is used, stored or shared, and for how long.

We don’t know who has access

We don’t know if it’s safe

On the InterWebs, the companies entrusted to keep our personal data safe are invariably the ones who have the most to gain from not doing so.

Robert X. Cringely

Nobody – nobody – is immune from getting hacked

http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/?utm_source=feedburn

How Do You Know If You Are Infected?

• Fans Spinning Wildly
• Programs start unexpectedly
• Your firewall yells at you
• Odd emails FROM you
• Freezes
• Your browser behaves funny
• Sudden slowness
• Change in behavior
• Odd sounds or beeps
• Random Popups
• Unwelcome images
• Disappearing files
• Random error messages

How Do You Know If You Are Infected?

You Don’t

Your antivirus software is a seat belt – not a force field.

- Alfred Huger

• Keep everything patched / updated

• Don’t Trust anything – Links / Downloads / Emails

• Backups are critical

Laptops

• Prey / LoJack
• Passwords
• Sign Out & Do NOT Save Form Data

Laptops

Carry A Safe, Not A Suitcase

Never Trust Public Wi-Fi

Which of your accounts is most valuable?

• Email
• Bank
• Social Network
• Shopping
• Gaming
• Blogs
• Library Account

Own the Email, Own the Person

Email

• Don’t trust anything
• Don’t leave yourself logged in
• 2 Factor Authentication
• Passwords – Unique, Obscure and Looooonnnnnggggg

Web Browser

The Single Most Important [Online] Security Decision You Make

Staying Safe Online

Browsers

• Use Two & Keep Updated
• Know Your Settings
  – Phishing & Malware Detection – Turned ON
  – Software Security & Auto / Silent Patching – Turned ON
• A Few Security Plugins:
  – Something to Limit JavaScript
  – Something to Force HTTPS
  – Something to Block Ads

But The Internet Is Free Because Of Ads...

• Online ads were 182 times more likely to deliver malware than “adult” sites

• Google blocked 524 million 'bad ads' 250,000

• Up 50 percent in 1 year

Let’s Talk Libraries

But We’re Just A Library

83% targets of opportunity

92% of attacks were easy

85% were found by a 3rd party

Verizon Data Breach Investigations Report – Fall 2011

It’s Easy Being Bad

Being Good Is Hard

Never Ending, Overwhelming

Exhausting

The attacker only needs to succeed once...

Perfect is not the enemy of good ‘nuff

Complexity is the Enemy of Security (Bruce Schneier)

• Libraries have no shortage of access points

• We deal with any number of vendors

• Threats come from outside the libraries

• Threats come from inside the libraries

• Our libraries are full of people

Staying safe takes more than just a firewall...

Your firewall is a seat belt – not a force field.

Library Security Requires Layers

• Firewall
• VPN
• Intrusion Monitoring
• Antimalware & Antispam & Antivirus
• Planning & Training

How Can We Make Our Library Secure

• Don’t ignore it

• Prepare

• Train

Preparation – Practical Policies

• Patching and updates of the OS and applications on a regular basis

• Regular automated checks of public PCs & network

• Check the internets for usernames/passwords for your library (e.g. pastebin)

• Dedicated staff? Someone needs to stay current
• Lost USB Drives?
• Is your domain name going to expire?

Training

• Phishing
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• How to practice safe social networking
• Keeping things updated

Public Access PCs

Your security software is a seat belt – not a force field.

Assume the bad thing has happened

Change your mindset – YOU are the attacker

• What are your library’s most valuable assets?
  – Where are these assets?
  – How can they be accessed?

• If you were the attacker how would you spread malware?

• Who are the most ‘vulnerable’ targets in the organization?

Go on the offensive…

"think evil, do good"

Turn Your Focus Outside

Library Security Mantra

• Security
• Privacy
• Confidentiality
• Integrity
• Availability
• Access

(based on Net Sec 101 Ayre and Lawthers 2001)

What websites can you trust?

Can you trust your own website?

Any Good Web Site Can Go Bad At Any Time

Less than half of website traffic is human

About 30% of all traffic is actively trying to cause trouble

“Security is two different things: It's a feeling & It's a reality”

Bruce Schneier – TedxPSU

• Keep everything patched & updated always

• Carry A Safe
• Don’t Trust anything or anyone
  – Links / Downloads / Emails / Patrons / Vendors
• Backup your stuff
• Prepare And Train

This IS worth the time, effort and expense.

Done!!

Stay Safe

Blake Carver – [email protected]

http://lisnews.org/security/
http://security4lib.org/
http://lyrasis.org