IT SECURITY FOR LIBRARIES PART 1: SECURING YOUR LIBRARY BRIAN - PowerPoint PPT Presentation

  1. IT SECURITY FOR LIBRARIES PART 1: SECURING YOUR LIBRARY BRIAN PICHMAN | EVOLVE PROJECT

  2. AGENDA • A high-level overview of what to implement in your library to make it secure. With the rise of data breaches, identity theft, and malicious hacking, it is important to implement measures to protect your patrons and staff. • Topics/Agenda: * Learn the "technical jargon" of IT Security * Understand a typical network environment (infrastructure) and the tools needed to help with security * Identify the components of building a Security Plan * Learn how to teach others to provide greater data and asset security in your library

  3. http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-H1-2016-1500.jpg

  4. http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-H1-2016-1500.jpg

  5. THE COSTS OF BREACHES • This year’s study found the average consolidated total cost of a data breach grew from $3.8 million to $4 million. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 [IBM 2016 http://www-03.ibm.com/security/data-breach/] • Data Breached Companies Experience… • People lose faith in your brand • Loss of patrons • Financial Costs • Government Requirements, Penalties, Fees, etc. • Sending of Notifications • Payment for Identity Protection or other repercussions. https://betanews.com/2016/02/10/the-economic-cost-of-being-hacked/ • Business Continuity

  6. WHY DO PEOPLE ATTACK? • Financial Gain • Stocks • Getting Paid • Selling of information • Data Theft • For a single person • For a bundle of people • Just Because • Malicious

  7. YOU CAN ONLY MITIGATE RISK…NEVER PREVENT ALL RISK Understanding your network and evaluating its risks allows you to build plans around mitigating risk. You can never remove all risk. You aren’t “unhackable”.

  8. SO WHAT DO YOU NEED TO PROTECT? • Website(s) • ILS • Staff Computers • And what they do on them • Patron Computers • And what they do on them • Network • And what people do on them • Stored Data, Files, etc. • Business Assets • Personal Assets • ….anything and everything that is plugged in…

  9. [Network diagram] Outside: • Modem • Router • Firewall | Switches: • Servers • Phones | End User: • Computers • Laptops

  10. OUTER DEFENSES (ROUTERS/FIREWALLS) • Site to Site Protection (Router to Router or Firewall to Firewall) • Encrypted over a VPN Connection • Protection With: • IDS • IPS • Web filtering • Antivirus at Web Level • Protecting INBOUND and OUTBOUND

  11. UNIFIED THREAT MANAGEMENT • Single Device Security • All traffic is routed through a unified threat management device.

  12. AREAS OF ATTACK ON OUTER DEFENSE • External Facing Applications: • Anything with an “External IP” • NAT, ONE to ONE, etc. • Website • EZProxy Connection • DNS Routing • Custom Built Web Applications or Services • Outbound Network Traffic • Who is going where • Internal Applications: • File Shares • Active Directory (usernames / passwords) • Patron Records

  13. ATTACKS • Man in the Middle • Sitting between a conversation and either listening or altering the data as it’s sent across. • DNS Spoofing (https://null-byte.wonderhowto.com/how-to/hack-like-pro-spoof-dns-lan-redirect-traffic-your-fake-website-0151620/) set up a fake website and let people log in to it. • D/DoS Attack (Distributed/Denial of Service Attack) • Directing a large amount of traffic to disrupt service to a particular box or an entire network. • Could be done via sending bad traffic or data • That device can be brought down to an unrecoverable state to disrupt business operations. • Sniffing Attacks • Monitoring of data and traffic to determine what people are doing.

  14. INNER DEFENSES (SWITCHES/SERVER CONFIGS) • Protecting Internal Traffic, Outbound Traffic, and Inbound Traffic • Internal Traffic = device to device • Servers • Printers • Computers • Protected By: • Software Configurations • Group Policy • Password Policy • Hardware Configurations • Routing Rules

  15. COMPUTER SECURITY AND POLICY • Why We Love It: • Protects the computers from accidental changes • Protects Data • Lots of things depend on the running operation of the network. • Filtering helps with network efficiency • Why It Is A Barrier: • You need something done to improve your job (efficiency / performance) • Patrons! • Filtering limits access.

  16. UPDATES, PATCHES, FIRMWARE • Keeping your system updated is important. • Being on the latest and greatest [software/update/firmware] isn’t always good. • Need to test and vet all updates before implementation • If you can – build a dev environment to test and validate.

  17. Casper Suite - https://www.jamf.com/products/jamf-pro/

  18. SCCM tools

  19. SWITCH CONFIGURATIONS • Routing Rules: • Split networks into: • Public: 10.0.10.X • Staff: 10.0.20.X • Wireless Staff • Servers: 10.0.30.X • Wireless Public • Route traffic so Public LAN cannot see Staff LAN • Access Restrictions: • Limit devices connecting to LAN • MAC Address Filtering • Limit Port Scanning, IP Scanning, etc. on network. • Limit which networks have access to which ports.
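The segmentation rule on this slide (public, staff and server networks, with the public LAN unable to see the staff LAN) is easiest to reason about as a default-deny allow-list between zones. The following is an added example, not code from the presentation or the Evolve Project: it encodes the slide's 10.0.10.X / 10.0.20.X / 10.0.30.X scheme as zones, defines a constructed allow-list (the port choices are assumptions), and audits a few constructed flow records of the kind a switch or firewall exports, reporting any flow the policy would forbid.

```python
import ipaddress
from typing import Iterable, List, Optional

# Zones follow the slide's addressing scheme.
ZONES = {
    "public": ipaddress.ip_network("10.0.10.0/24"),
    "staff": ipaddress.ip_network("10.0.20.0/24"),
    "servers": ipaddress.ip_network("10.0.30.0/24"),
}

# Constructed allow-list: (source zone, destination zone, permitted destination ports or "any").
# Anything not listed is denied, so public -> staff is never allowed.
# The specific ports are assumptions chosen for illustration.
ALLOW_RULES = [
    ("staff", "servers", "any"),            # staff workstations reach the ILS, file shares, etc.
    ("staff", "staff", "any"),
    ("public", "servers", {53, 80, 443}),   # patron PCs: DNS and the web catalogue only
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny check of one flow against the zone allow-list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    for rule_src, rule_dst, ports in ALLOW_RULES:
        if (rule_src, rule_dst) == (src, dst) and (ports == "any" or dst_port in ports):
            return True
    return False


def audit_flows(flow_lines: Iterable[str]) -> List[str]:
    """Return every 'src dst port' record that the policy would forbid.

    A violation in a real flow export means either a missing switch/firewall
    rule or a device that has been placed on the wrong network."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            violations.append(line)
    return violations


# Constructed flow records for the demonstration.
SAMPLE_FLOWS = [
    "10.0.20.15 10.0.30.5 443",   # staff -> server: allowed
    "10.0.10.42 10.0.30.5 443",   # public -> web catalogue: allowed
    "10.0.10.42 10.0.20.15 445",  # public -> staff file share: violation
    "10.0.10.42 10.0.30.5 3389",  # public -> server remote desktop: violation
]

if __name__ == "__main__":
    for record in audit_flows(SAMPLE_FLOWS):
        print("policy violation:", record)
```

Run against a real export, the audit doubles as a check that the switch ACLs actually implement the design: any public-to-staff flow that shows up means the routing rules on the slide are not in effect.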

  20. PROTECTING END DEVICES • Protecting Assets • Business Assets • Thefts • Hacking • Personal Devices • Security Risk • Usually pose an INBOUND threat to your network

  21. PASSWORDS • Let’s talk about Passwords • Length of Password • Complexity of password requirements • DO NOT USE POST-IT NOTES • A person’s “everyday account” should never have admin rights to machines. • That includes your IT Folks!

  22. TOOLS TO HELP

  23. CRYPTO LOCKERS

  24. TRAINING Staff (and patrons?) should all be required to attend training.

  25. MYTHS • I’m not worth being attacked. • Hackers won’t guess my password. • I have anti-virus software. • I’ll know if I’ve been compromised.

  26. BEST KIND OF TRAINING • Awareness • Reporting Issues Immediately • Precautions • Being smart about links, emails, and phone calls. • Don’t know the person – probably not legit. • Site doesn’t look familiar – probably not legit • Checking Others • Seeing someone doing something “suspicious?” • Seeing someone not following the “security training?” • Acting as “owners” to data and assets.

  27. FAKE EMAILS

  28. SSL

  29. CALL SPOOFERS • Phone calls from “Microsoft” • Wanting to remote in and fix your computer. • Phone calls from your “Bank” • Wanting to talk to you about your credit card • Rule: • Just. Hang. Up. Then call the number on the back of the card or directly off their actual website.

  30. GOOGLE ISN’T ALWAYS YOUR FRIEND

  31. DUAL FACTOR AUTHENTICATION • After logging in, verify the login via Email, SMS, or an app with a code.
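The "app with a code" on this slide is almost always a time-based one-time password (TOTP, RFC 6238): the server and the authenticator app share a secret and both derive a six-digit code from the current 30-second time step. The following is an added example, not code from the presentation, showing the server side: code generation, verification with a one-step clock-drift window, and rejection of a code that has already been accepted (replay). The shared secret is the RFC 6238 test-vector secret, used here as a constructed value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Stateless check that tolerates `window` steps of clock drift either way."""
    counter = int(now) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return True
    return False


class TotpVerifier:
    """Stateful verifier: same drift window, but a time step is only ever accepted once,
    so a code captured by a sniffer or phisher cannot be replayed within its lifetime."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.last_counter = -1      # highest time step already used for a successful login

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // self.step
        for drift in (0, -1, 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue            # already consumed (or older than a consumed step)
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


# Constructed shared secret: the RFC 6238 reference-vector secret (ASCII digits).
SHARED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(SHARED_SECRET, 59))        # RFC vector: 287082
    v = TotpVerifier(SHARED_SECRET)
    print("first use accepted:", v.verify("287082", 59))  # True
    print("replay accepted:", v.verify("287082", 59))     # False
```

Two details matter in production: compare codes with `hmac.compare_digest` rather than `==` so timing does not leak partial matches, and keep the last accepted step per user so a code that was intercepted cannot be reused, which is what the `TotpVerifier` class adds over the stateless check.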

  32. AD BLOCKING

  33. SITES TO HELP • haveibeenpwned.com • Sign up and check to see if your data appears after a hack is released • https://krebsonsecurity.com/ • Great blog to stay informed of what is happening with IT Security • LifeLock, Identity Guard • Monitoring Your Data and Privacy
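The password slide asks for length and complexity rules, and this slide points at haveibeenpwned.com for checking whether data has shown up in a breach; its password-range service works by k-anonymity, where only the first five hex characters of the password's SHA-1 hash leave your machine and the match is made locally against the returned suffixes. The following is an added example, not code from the presentation or from Have I Been Pwned: a small policy checker combined with a local, offline stand-in for that range lookup. The range data and the breach count are constructed; a real deployment would replace `local_range_lookup` with an HTTPS call to the actual service.

```python
import hashlib
import re
from typing import Callable, List

# Constructed stand-in for a k-anonymity range response, keyed by 5-hex-char SHA-1 prefix.
# Each line is "<35-hex-char suffix>:<count>". The first suffix is the real remainder of
# SHA-1("password"); the count and the second entry are made up for the demonstration.
CONSTRUCTED_RANGE_DATA = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\r\n",
}


def local_range_lookup(prefix: str) -> str:
    """Offline replacement for the range query; returns the raw response text."""
    return CONSTRUCTED_RANGE_DATA.get(prefix, "")


def breach_count(password: str, range_lookup: Callable[[str], str] = local_range_lookup) -> int:
    """How many times the password appears in the breach corpus, using k-anonymity:
    only the hash prefix is sent, the suffix comparison happens here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if hashlib.sha1 and candidate == suffix:
            return int(count)
    return 0


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> List[str]:
    """Length and complexity rules; thresholds are assumptions, not the presenter's."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < min_classes:
        problems.append("uses fewer than %d character classes" % min_classes)
    return problems


def evaluate(password: str) -> List[str]:
    """Policy problems plus a breach check; an empty list means the password is acceptable."""
    problems = check_policy(password)
    seen = breach_count(password)
    if seen:
        problems.append("appears %d times in known breaches" % seen)
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3"]:
        print(candidate, "->", evaluate(candidate) or "ok")
```

The policy half catches short or single-class passwords; the breach half catches the long, "complex" password that is nonetheless in every cracking wordlist, which a length-and-classes rule alone never will.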

  34. RECAPPING • Protect Outer Perimeter with Hardware • Filtering, IPS/IDS, Antivirus • Protect Inner Perimeter with Configurations • Group Policy, Switch Configurations, Routing • Protect End Devices with Software • Antivirus, Firewalls • Protect Users with Training • Passwords

  35. COMPLIANCE STANDARDS • CIPA • The Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress to address concerns about access to offensive content over the Internet on school and library computers • FERPA • The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C 123g: 34 CFR Part 99) is a Federal Law that protects the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. • PCI • The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider. • SOX / Sarbanes-Oxley Act • This act requires companies to maintain financial records for seven years. • SOC / Service Organization Controls • The SOC 2 report focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16 which is focused on the financial reporting controls

  36. BUILDING A PLAN • Risk Assessments • Training Plans • Policies, Policies, Policies! • Training • Breaches • Asset • Computer Use • Back Up Plans • Data Recovery from Threats • System Recovery from Threats
