Whether you're a systems administrator leading a team or a lone librarian wearing multiple hats, the steps to create effective cybersecurity are available to you. Using ISO/IEC 27001 as the underlying framework and emphasizing a proactive 20/80 approach (20% of the effort for 80% of the results), this session will cover the fundamental knowledge needed for a more secure IT environment.
We will begin with a discussion of recent library ransomware attacks starting with the biggest: the London Public Library. What happened? How did the attacker get in? Exactly what systems were compromised and what could have been done to prevent it?
This will pivot to a more general topic: what does it mean to be hacked? What is access? This leads to the first action point: the principle of least access (more commonly called least privilege). Least access means that every user, and every service account, gets only the access needed for their specific tasks; in particular, administrator rights are granted sparingly, through separate accounts, and only for as long as they are needed. Had this been followed by the IT staff at the London Public Library, the attack would not have succeeded as it did.
From here the discussion will move to the ways in which identity and access can be stolen, and how that can be prevented. What does it mean to have your identity stolen? How does this happen, and how do malicious actors obtain stolen identities? I'll talk briefly about the dark web, only to make participants aware that large packages of stolen identities are bought and sold there. Knowing this makes it easier to recognize common attack patterns (such as FIRSTNAME+LASTNAME+NUMBER@GMAIL.com as the sender address of an email).
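As an added example (not part of the original session materials), the sender-address pattern above can be turned into a simple mail-filter check. The function parses a From: header and flags two indicators: a firstname+lastname+number local part at a free webmail provider (the text names gmail.com; the other domains listed are an assumed generalization), and a display name matching a known staff member while the address is outside the organization's own domain, the usual shape of a phish impersonating a colleague. The staff list, organization domain and sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Free webmail providers where anyone can register FIRSTNAME+LASTNAME+NUMBER
# style addresses. gmail.com is the one named in the text; the rest are an
# assumption added for the example.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Local part shaped like two name runs (first and last), optionally separated
# by '.', '_' or '-', followed by digits: "janesmith42", "jane.smith1987".
NAME_NAME_NUMBER = re.compile(r"^[a-z]{2,}[._-]?[a-z]{2,}\d+$")


def classify_sender(from_header, staff_names, org_domain):
    """Return a list of phishing indicators found in a From: header value.

    from_header -- raw header value, e.g. '"Jane Smith" <janesmith42@gmail.com>'
    staff_names -- set of lower-cased display names of known staff
    org_domain  -- the organisation's own mail domain, e.g. "library.example"
    An empty list means no indicator fired; it does not mean the mail is safe.
    """
    display, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return ["unparseable sender address"]
    local, domain = addr.rsplit("@", 1)

    indicators = []
    if domain in FREEMAIL_DOMAINS and NAME_NAME_NUMBER.match(local):
        indicators.append("firstname+lastname+number at free webmail provider")
    # Display name of a real staff member, but the address is external: the
    # classic lure of a targeted phish pretending to be a colleague or director.
    if display.strip().lower() in staff_names and domain != org_domain.lower():
        indicators.append("staff display name with external address")
    return indicators


def scan(headers, staff_names, org_domain):
    """Classify every header; returns {header: [indicators]}."""
    return {h: classify_sender(h, staff_names, org_domain) for h in headers}


# Constructed sample data for the example (hypothetical organisation and people).
STAFF = {"jane smith", "ravi patel"}
ORG_DOMAIN = "library.example"
SAMPLE_HEADERS = [
    '"Jane Smith" <jane.smith1987@gmail.com>',   # impersonation from webmail
    "Jane Smith <jane.smith@library.example>",   # genuine internal sender
    "Bob Lee <boblee7@gmail.com>",               # pattern only, unknown name
    "Vendor Support <support@vendor.example>",   # external, no indicator
]

if __name__ == "__main__":
    for header, hits in scan(SAMPLE_HEADERS, STAFF, ORG_DOMAIN).items():
        print(f"{header!r:50} -> {hits or 'no indicators'}")
```

In practice this runs as a rule in the mail gateway or a mailbox add-in, and a hit should add a visible banner or quarantine the message rather than silently drop it, so that staff learn what the warning sign looks like.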
By introducing this concept to participants, I want to point out that most hacks start with staff, and most of those start with a phishing email. What is phishing? I'll then point out a few basic phishing attacks: the generic, mass-mailed one ('phishing') and the one targeted at directors and senior staff ('whaling'). So, how can you prevent phishing? I'll introduce a few methods and provide supporting documentation: regular staff awareness training and reminder emails, and anti-phishing plugins for email clients.
After this, I will briefly discuss password security. I'll bring up the recent revision to NIST SP 800-63B, which attempts to wrangle many of the myths about password security by providing evidence-based practices: a minimum length rather than composition rules, checking new passwords against lists of common and breached passwords, and no forced periodic changes. I'll also mention other practices such as using a unique password for each service and secure, free ways to store passwords, and I'll introduce a few password managers with built-in generators, such as LastPass.
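As an added example (not part of the session's own materials), here is what the SP 800-63B rules look like when written down as a password-acceptance check. It enforces the minimum length, compares the normalized secret against a blocklist, rejects repetitive or sequential strings and context-specific words (the username and the service name), and deliberately imposes no composition rules and no upper limit below 64 characters. The blocklist here is a tiny constructed stand-in; a real deployment would load a breached-password list with millions of entries. The 256-character cap and the sample usernames are assumptions for the example.

```python
import unicodedata

MIN_LENGTH = 8      # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 256    # assumption; 800-63B only requires that at least 64 be accepted

# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "123456", "12345678",
    "qwerty123", "letmein", "welcome1", "library1",
}


def normalize(secret):
    """800-63B: apply NFKC normalization before measuring or comparing a secret."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential_or_repetitive(s):
    """True for 'aaaaaaaa', '12345678', 'abcdefgh' style secrets."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(secret, username="", service_name=""):
    """Return the reasons a secret is unacceptable under SP 800-63B; [] means accept.

    Note what is *not* here: no required digits, symbols or mixed case, no
    expiry date. Those rules push people toward 'Password1!' and sticky notes.
    """
    s = normalize(secret)
    low = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if low in COMMON_PASSWORDS:
        reasons.append("found in common/breached password list")
    if is_sequential_or_repetitive(low):
        reasons.append("repetitive or sequential characters")
    # Context-specific words: the account name and the words of the service name.
    for word in [username] + service_name.split():
        w = word.lower()
        if len(w) >= 4 and w in low:
            reasons.append(f"contains context-specific word '{w}'")
    return reasons


if __name__ == "__main__":
    # Constructed examples, including one that every composition rule would pass.
    for pw, user in [("Password1!", "jsmith"), ("correct horse battery staple", "jsmith"),
                     ("janesmith2024", "janesmith"), ("abcdefgh", "jsmith"), ("short", "jsmith")]:
        verdict = check_password(pw, username=user, service_name="Library Catalogue")
        print(f"{pw!r:32} -> {'accepted' if not verdict else verdict}")
```

The point to make to participants is the first sample: "Password1!" satisfies every classic complexity rule and is still one of the first guesses an attacker tries, while a long passphrase with no symbols at all is accepted.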
The remaining portion of the session will cover higher-level activities, beginning with data security. What is data security? What is a good backup? How often does one take backups, and of what? I'll bring up the usefulness of Amazon S3 for this purpose, since it is effective and cheap, but will also point to other cloud storage options participants may already have access to.
To begin a data security program, participants will need to conduct an audit. Because there is so much data, it's important to sit down with the various stakeholders in your institution and find out which data is truly essential to their activities. I'll show a simple worksheet to help manage this discussion with stakeholders and rank which data and services are essential. I will also give participants a very simple email template they can send to their vendors asking what steps the vendor takes to secure the institution's data; the vendors' responses can be used to fill in the worksheet.
The last topic is the disaster response planning meeting: a simple sit-down with the various stakeholders to discuss possible responses. I will use the worksheet from the previous section to show how participants can guide this discussion and come away with a useful outcome.