Thursday, March 22, 2012

CIL2012: Blake Carver - IT Security for Libraries

His goal is to make us feel insecure in our security!

He has written blog posts on this topic and put other presentations online.  Go to http://lisnews.org/security

Three types of people doing bad things on the Internet
  • Criminals
  • Activists (e.g., Anonymous)
  • Government agents (from countries that see this as a strategy)
There are an infinite number of ways that they use to do their work.  Some tools are open source with user manuals.  Their tools are getting better and better.  This is a real industry.  This industry is mature, diversified, hard to catch.

This is the era of steal everything.  There is no such thing as a secure computer.

Password
Never reuse your passwords
Never use weak passwords
Passwords are like bubblegum

Creating a good password
  • Make them unique, complex, long....
  • Some upper and lower case letters
  • Add some numbers
  • Use some unique characters
  • Do make it as LONG as you can
  • Do NOT REUSE it on multiple sites
Bad password
  • Default
  • Common words
  • Predictable
  • Obvious personal details
How often should you change your password?

The sysadmin should implement policies that help people have strong passwords and that try to block hackers.

http://www.pwnedlist.com - They list accounts that have been compromised.

Staying Safe at Home & Away
  • Keep everything updated on your computer
  • Have trust...be suspicious. Don't trust anything - Links, downloads, emails.
  • Backup your stuff.
  • Windows is less safe because it is so widely used.  It is targeted far more than other OS.
Some of the ways that you know you are affected are also ways that could be just how your computer is operating. 

Most malware is written so it is not "seen."

"Your antivirus software is a seat belt - not a force field."  - Alfred Hugar

Laptops - Do:
  • Use Prey/LoJack
  • Have a password on your laptop
  • Sign out & do NOT save form data
Carry a safe not a suitcase!

Email is easy to fake.
  • Don't trust anything
  • Don't leave yourself logged in
  • 2Factor Authentication
  • Passwords
Email blended threats - email with links
Text from other countries
Attachments
Sales offers
Credit card offers

Web browsers
Firefox, Chrome and IE are the top three browsers
Lesser used browsers likely not used for targeted attacks.
The plug-ins across browsers are common.  Flash is frequently targeted by hackers.
Keep the browsers up-to-date and update

A few recommended plug-ins
  • Something to limit JavaScript
  • Something to force HTTPS
  • Something to Block Ads
Firefox Collusion tracks cookies

Wifi networks
  • Passworded and encrypted
  • MAC & DHCP
  • Firmware updates
  • Turn it off when you are not using it
  • Never trust public wifi
Social media
  • Understand and adjust your privacy settings
  • Use HTTPS
  • Be skeptical of everything
Facebook - .4% are spammed each day (4 million people)
600,000 times a day someone tries to log into a stolen account

Mobile devices
  • Most bad stuff written is for Android
  • What are the apps really doing?
  • What happens if you lose it?
  • What happens on open wifi networks and public hotspots?
  • Carry a safe not a suitcase
But we're just a library
  • 83% of victims were targets of opportunity
  • 92% of attacks were easy
  • 85% of hacks were discovered by a third party
Last year, a library found a password key-logger plugged into the back of one of their computers!

Everything you have can be hacked!

SANS 20 critical security controls

"Security Library Technology: A how to do it manual" - book

Do training for your library staff and patrons.

No comments: