Practical Solutions for CyberSecurity in the Library

Practical Solutions for CyberSecurity in the Library Presented by: Angie Michelini, The Library Network Sarah Neidert, Brighton District Library September 30, 2016

Transcript of Practical Solutions for CyberSecurity in the Library

Page 1: Practical Solutions for CyberSecurity in the Library

Practical Solutions for CyberSecurity in the Library

Presented by:

Angie Michelini, The Library Network

Sarah Neidert, Brighton District Library

September 30, 2016

Page 2: Practical Solutions for CyberSecurity in the Library

Overview

• Security Assessments
  • Assessment Types

• Security Methods and Standards

• Choosing a Vendor

• Rationale

• Using Square for Credit Card Payments

Page 3: Practical Solutions for CyberSecurity in the Library

Library Security Questions

• How do we keep our library secure in Cyberspace?

• What do we want to achieve?

• How do we get started?

Page 4: Practical Solutions for CyberSecurity in the Library

Why Do an Assessment?

• Help confirm that Systems are properly Secured

• Identify Library Security requirements that are not met

• Identify Security Weaknesses that should be addressed

• Not intended to take the place of implementing security controls and maintaining system security

Page 5: Practical Solutions for CyberSecurity in the Library

Getting Started: Determine Type of Assessment Needed

• Audit

• Risk

• Threat

• Vulnerability

• Penetration Test

• Social Engineering

Page 6: Practical Solutions for CyberSecurity in the Library

Assessment Types Defined: Audit

• Technical or Documentation Based

• Focuses on how Existing Configuration compares to a Desired Standard

• Does not Prove or Validate Security.

• Validates Conformance with a given Perspective on what Security means

• Best Used When: an organization needs to demonstrate compliance with a security standard

Page 7: Practical Solutions for CyberSecurity in the Library

Assessment Types Defined: Risk

• Determine Desired Level of Acceptable Risk

• Compares Current Risk Level with Desired Risk Level

• Determines course of action to bring the two levels in line

• Uses probability and impact, with quantitative or qualitative models

Page 8: Practical Solutions for CyberSecurity in the Library

Assessment Types Defined: Threat

• Pertains to Physical Attacks not Technology Attacks

• Determine whether a threat is credible (similar to bomb threats)

• Does not apply to Hacking Threats

• Best Used When: someone has made a claim that they will carry out an attack and you must decide whether to commit resources to address it

Page 9: Practical Solutions for CyberSecurity in the Library

Assessment Types Defined: Vulnerability

• Designed to Yield as many Vulnerabilities as possible

• Defines, Identifies, Classifies Security Holes

• Includes Mitigation Procedures and Recommendations
  • Eliminate Weaknesses or Reduce them to an Acceptable Level of Risk

Page 10: Practical Solutions for CyberSecurity in the Library

Assessment Types Defined: Penetration Test

• Designed to Achieve a Specific Goal, for example:
  • Steal Data
  • Gain Domain Administrator Access
  • Modify Sensitive Information

Page 11: Practical Solutions for CyberSecurity in the Library

Assessment Types Defined: Pen Test & Vulnerability Assessment Differences

• Vulnerability Assessment looks for Security Problems
  • What are our weaknesses and how do we fix them?

• Penetration Test validates a configuration that is believed to be secure
  • Can someone break in, and what can they attain? (ethical hacking)

• Both give a Snapshot of the security program's effectiveness

Page 12: Practical Solutions for CyberSecurity in the Library

Assessment Types Defined: Social Engineering

• Definition
  • The Art of Manipulating People so they give up Confidential Information

• Test Methodology
  • Tests Security Awareness Level of Staff
  • Anti-Virus Protection
  • Intrusion Detection
  • Spam Filters
  • Malicious eMails
  • Phone Calls

Page 13: Practical Solutions for CyberSecurity in the Library

Security Standards

• ISO 27000 Series

• National Institute of Standards and Technology (NIST) 800 Series

• Information Systems Audit and Control Association (ISACA)

• Payment Card Industry Data Security Standard (PCI DSS)

Page 14: Practical Solutions for CyberSecurity in the Library

Determine which Systems to Assess

• What are your most critical systems?

• Which systems are most vulnerable to attack?

• Which systems crash the most?
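As an added illustration of the risk assessment on page 7 and the system-selection questions above (example code written for this transcript, not from the presenters or TLN): each constructed library asset gets a qualitative likelihood x impact score and a quantitative annualized loss (SLE x ARO), both are compared against an assumed acceptable risk level, and the systems above that level come out first in the assessment order.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), qualitative model
    impact: int       # 1 (negligible) .. 5 (severe), qualitative model
    sle: float        # single loss expectancy in dollars, quantitative model
    aro: float        # annualized rate of occurrence (incidents per year)

# Constructed sample inventory for a small library; all values are illustrative.
ASSETS = [
    Asset("ILS patron database", 3, 5, 40000.0, 0.2),
    Asset("Public Wi-Fi access points", 4, 2, 2000.0, 1.5),
    Asset("Staff email server", 3, 4, 15000.0, 0.5),
    Asset("Public catalog web app", 2, 3, 8000.0, 0.3),
    Asset("HVAC access control", 1, 2, 5000.0, 0.1),
]

# Assumed "desired level of acceptable risk" under each model.
ACCEPTABLE_QUAL = 6        # likelihood x impact at or below this is accepted
ACCEPTABLE_ALE = 5000.0    # dollars per year at or below this is accepted

def qualitative_score(a: Asset) -> int:
    """Likelihood x impact on a 1..25 scale."""
    return a.likelihood * a.impact

def annualized_loss(a: Asset) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return a.sle * a.aro

def needs_action(a: Asset) -> bool:
    """True when current risk exceeds the desired level under either model."""
    return qualitative_score(a) > ACCEPTABLE_QUAL or annualized_loss(a) > ACCEPTABLE_ALE

def assessment_order(assets=ASSETS):
    """Systems to assess first: those above the accepted level,
    highest qualitative score first, annualized loss as tie-break."""
    flagged = [a for a in assets if needs_action(a)]
    flagged.sort(key=lambda a: (qualitative_score(a), annualized_loss(a)), reverse=True)
    return [a.name for a in flagged]

def gap_report(assets=ASSETS):
    """Current vs desired risk for every asset, the input to the course-of-action step."""
    return {a.name: {"qual": qualitative_score(a),
                     "ale": annualized_loss(a),
                     "above_target": needs_action(a)} for a in assets}

if __name__ == "__main__":
    for name, row in gap_report().items():
        print(f"{name:28} qual={row['qual']:2} ale=${row['ale']:8.2f} action={row['above_target']}")
    print("Assess first:", assessment_order())
```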

Page 15: Practical Solutions for CyberSecurity in the Library

Devices, Systems, Applications for Testing

• Routers, firewalls, switches

• Wireless access points

• Email and File Servers (onsite)

• Web Applications

• Physical Security Cameras

• Access Control Systems such as HVAC

Page 16: Practical Solutions for CyberSecurity in the Library

Testing Considerations

• Whether the computer or application resides on the network or in the cloud

• Amount or type of critical information stored on the system

• Assess systems with the greatest visibility
  • Focus on a database or file server that stores patron or other critical information

Page 17: Practical Solutions for CyberSecurity in the Library

Next Steps

• Decide what assessment type(s) are needed

• Determine what devices, systems, applications to test

• Develop and Post RFP

Page 18: Practical Solutions for CyberSecurity in the Library

Next Steps: Choosing a Vendor

• Trusted Advisor

• Track record of finding vulnerabilities without affecting operations

• Ability to go beyond automated tools

• Expertise in investigating and identifying security gaps

• Qualified Professionals – verify certification

• Ability to gather actionable findings and incorporate them into a road map of strategic and tactical next steps

• Willingness to provide oversight of implementing recommended fixes

Page 19: Practical Solutions for CyberSecurity in the Library

Next Steps

• Allow 4-6 weeks for Assessment Completion

• Executive Summary

• Implement Recommended Solutions

Page 20: Practical Solutions for CyberSecurity in the Library

TLN Solution

• Opted for
  • Vulnerability Assessment on Network Equipment (routers, firewalls, servers)
  • Social Engineering

• Bid Award
  • RSM in Southfield

Page 21: Practical Solutions for CyberSecurity in the Library

Rationale for doing an Assessment

• Real-world evidence of breaches, malware, physical security, social engineering

• Potential costs from damage caused by hacking
  • Exposure of Intellectual Property
  • Lost Productivity
  • Clean-up time and incident response costs

• Security Testing can save money in the long run

• Solid security testing and the appropriate remediation process shows the organization is serious about protecting sensitive information

Page 22: Practical Solutions for CyberSecurity in the Library

Angie Michelini, Technology Services Manager

The Library Network

248.716.5583