Practical Solutions for CyberSecurity in the Library
Presented by:
Angie Michelini, The Library Network
Sarah Neidert, Brighton District Library
September 30, 2016
Overview
• Security Assessments
• Assessment Types
• Security Methods and Standards
• Choosing a Vendor
• Rationale
• Using Square for Credit Card Payments
Library Security Questions
• How do we keep our library secure in Cyberspace?
• What do we want to achieve?
• How do we get started?
Why Do an Assessment?
• Help confirm that systems are properly secured
• Identify library security requirements that are not met
• Identify security weaknesses that should be addressed
• Not intended to take the place of implementing security controls and maintaining system security
Getting Started: Determine Type of Assessment Needed
• Audit
• Risk
• Threat
• Vulnerability
• Penetration Test
• Social Engineering
Assessment Types Defined: Audit
• Technical or documentation based
• Focuses on how the existing configuration compares to a desired standard
• Does not prove or validate security
• Validates conformance with a given perspective on what security means
• Best used when an organization needs to demonstrate compliance with a security standard
Assessment Types Defined: Risk
• Determine the desired level of acceptable risk
• Compare the current risk level against the desired risk level
• Determine a course of action to bring the two levels in line
• Models used: probability and impact, scored quantitatively or qualitatively
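The slide names the two model families without showing how they produce a decision. The following is an added example, not part of the presentation or TLN's own risk work: a small risk register for library systems scored both qualitatively (ordinal likelihood x impact on a 5x5 matrix) and quantitatively (annualized loss expectancy, SLE x ARO), then compared against the risk level the library has decided it will accept. Every system, score, dollar figure and tolerance below is constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scales for the qualitative model (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskEntry:
    system: str
    threat: str
    likelihood: str           # key into LIKELIHOOD
    impact: str               # key into IMPACT
    sle: float                # single loss expectancy, dollars per incident (assumed)
    aro: float                # annualized rate of occurrence, incidents per year (assumed)
    control: str              # candidate treatment for the risk
    residual_likelihood: str  # likelihood once the control is in place

    def qualitative_score(self) -> int:
        # Qualitative model: ordinal likelihood x ordinal impact (1..25).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def ale(self) -> float:
        # Quantitative model: annualized loss expectancy = SLE x ARO.
        return self.sle * self.aro

    def residual_score(self) -> int:
        # Same qualitative product after the control lowers the likelihood.
        return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.impact]


def band(score: int) -> str:
    """Map a 1..25 qualitative product onto the bands of a 5x5 risk matrix."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(register, acceptable_score, acceptable_ale):
    """Compare current risk with the desired level and return a treatment plan.

    An entry is out of tolerance if either model exceeds the limit the library
    set. Out-of-tolerance entries are returned worst first, each with the
    course of action needed to bring the two levels in line; the residual
    check here is qualitative only."""
    plan = []
    for entry in register:
        over = (entry.qualitative_score() > acceptable_score
                or entry.ale() > acceptable_ale)
        if not over:
            continue  # already within the desired risk level: accept
        if entry.residual_score() <= acceptable_score:
            action = f"implement: {entry.control}"
        else:
            action = (f"implement: {entry.control}; still above tolerance "
                      f"afterwards, add further controls and reassess")
        plan.append({
            "system": entry.system,
            "threat": entry.threat,
            "rating": band(entry.qualitative_score()),
            "score": entry.qualitative_score(),
            "ale": entry.ale(),
            "action": action,
        })
    plan.sort(key=lambda r: (r["score"], r["ale"]), reverse=True)
    return plan


# Constructed register: hypothetical library systems and made-up figures.
CONSTRUCTED_REGISTER = [
    RiskEntry("ILS patron database", "ransomware via a phished staff account",
              "likely", "severe", sle=45_000, aro=0.5,
              control="offline backups plus staff phishing awareness training",
              residual_likelihood="unlikely"),
    RiskEntry("public access PCs", "malware from patron USB media",
              "almost certain", "minor", sle=400, aro=12,
              control="reboot-to-restore imaging on public PCs",
              residual_likelihood="possible"),
    RiskEntry("library website", "defacement through an unpatched CMS",
              "possible", "moderate", sle=3_000, aro=0.25,
              control="monthly CMS patch window",
              residual_likelihood="unlikely"),
    RiskEntry("patron Wi-Fi", "eavesdropping between patron devices",
              "unlikely", "minor", sle=500, aro=0.1,
              control="wireless client isolation",
              residual_likelihood="rare"),
]

ACCEPTABLE_SCORE = 9      # assumed tolerance on the 1..25 qualitative scale
ACCEPTABLE_ALE = 5_000    # assumed dollars per year the library will absorb per risk


def example_plan():
    return assess(CONSTRUCTED_REGISTER, ACCEPTABLE_SCORE, ACCEPTABLE_ALE)


if __name__ == "__main__":
    for row in example_plan():
        print(f"{row['rating']:6} {row['score']:2} ${row['ale']:>9,.0f}  "
              f"{row['system']}: {row['action']}")
```

With these numbers the patron database is high (20, ALE $22,500) and remains above tolerance even after its control, so it needs further treatment; the public PCs are medium (10) and drop inside tolerance once reimaging is in place; the website and Wi-Fi entries are already acceptable and are not listed. Running both models side by side is useful precisely because they disagree: the public PCs score "medium" qualitatively but carry an ALE under the dollar limit, which is the kind of tension a risk assessment is meant to surface before a vendor engagement starts.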
Assessment Types Defined: Threat
• As used here, pertains to physical attacks rather than technology attacks
• Determines whether a stated threat is credible (as with a bomb threat)
• Does not apply to hacking threats
• Best used when someone has made a claim about carrying out an attack and the organization must decide whether to commit resources to address it
Assessment Types Defined: Vulnerability
• Designed to yield as many vulnerabilities as possible
• Defines, identifies, and classifies security holes
• Includes mitigation procedures and recommendations
• Eliminate weaknesses or reduce them to an acceptable level of risk
Assessment Types Defined: Penetration Test
• Designed to achieve a specific goal, for example:
• Steal data
• Gain domain administrator access
• Modify sensitive information
Assessment Types Defined: Penetration Test vs. Vulnerability Assessment
• Vulnerability assessment looks for security problems
• What are our weaknesses and how do we fix them?
• Penetration test validates a configuration that is believed to be secure
• Can someone break in, and what can they reach once inside? (ethical hacking)
• Both give a point-in-time snapshot of the security program's effectiveness
Assessment Types Defined: Social Engineering
• Definition
• The art of manipulating people so they give up confidential information
• Test Methodology
• Tests the security awareness level of staff
• Exercises the technical controls along the way: anti-virus protection, intrusion detection, spam filters
• Delivered through malicious emails and phone calls
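A social engineering test sends messages built to get past the spam filter and the reader at the same time, so it helps to know what such a message looks like next to a normal one. The block below is an added example, not the presenters' test material or any vendor's tooling: it parses two constructed emails with Python's standard `email` module and reports the indicators a filter or a trained staff member should notice. The library domain `example-library.org`, the thresholds and the keyword list are assumptions chosen for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumption: the library's own mail domain(s); anything else is external.
TRUSTED_DOMAINS = {"example-library.org"}

# Digit-for-letter substitutions commonly used to build lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Pressure words that social engineering messages lean on (assumed list).
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify|password|expires?)\b", re.I)

# Display-name fragments that imply an internal role (assumed list).
INTERNAL_ROLES = ("it ", "helpdesk", "director", "admin")


def normalise(domain: str) -> str:
    """Collapse common lookalike tricks so near-copies of a domain compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def indicators(raw_message: str) -> list[str]:
    """Return the social engineering indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    from_domain = sender.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    found = []

    # 1. Sender domain is not ours but normalises to one of ours: a lookalike.
    trusted_normalised = {normalise(d) for d in TRUSTED_DOMAINS}
    if from_domain and from_domain not in TRUSTED_DOMAINS \
            and normalise(from_domain) in trusted_normalised:
        found.append(f"lookalike sender domain {from_domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 3. An internal-sounding name on an external address.
    name = display_name.lower()
    if any(role in name for role in INTERNAL_ROLES) and from_domain not in TRUSTED_DOMAINS:
        found.append("internal-sounding display name on an external domain")

    # 4. Urgency or credential language in the subject line.
    if URGENCY.search(msg.get("Subject", "")):
        found.append("urgency or credential language in subject")
    return found


# Constructed samples: neither is a real message.
PHISHING_SAMPLE = """\
From: IT Helpdesk <helpdesk@examp1e-library.org>
Reply-To: helpdesk@mail-recovery.example.net
To: staff@example-library.org
Subject: URGENT: your password expires today
Content-Type: text/plain

Please verify your account within 24 hours.
"""

BENIGN_SAMPLE = """\
From: Sarah <sarah@example-library.org>
To: staff@example-library.org
Subject: Storytime schedule for October
Content-Type: text/plain

Attached is the schedule.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, indicators(sample) or ["no indicators"])
```

The phishing sample trips all four checks; the benign one trips none. A real filter adds SPF/DKIM/DMARC results and URL reputation, but these four header-level signals are exactly the ones a test is designed to get past and an awareness session should teach staff to look for, so they make a reasonable scorecard when reviewing a vendor's sample test messages.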
Security Standards
• ISO 27000 Series
• National Institute of Standards and Technology (NIST) 800 Series
• Information Systems Audit and Control Association (ISACA)
• Payment Card Industry Data Security Standard (PCI DSS)
Determine which Systems to Assess
• What are your most critical systems?
• Which systems are most vulnerable to attack?
• Which systems crash the most?
Devices, Systems, Applications for Testing
• Routers, firewalls, switches
• Wireless access points
• Email and File Servers (onsite)
• Web Applications
• Physical Security Cameras
• Building and access control systems, such as HVAC and door controllers
Testing Considerations
• Whether the computer or application resides on the network or in the cloud
• Amount or type of critical information stored on the system
• Assess systems with the greatest visibility
• Focus on a database or file server that stores patron or other critical information
Next Steps
• Decide what assessment type(s) are needed
• Determine what devices, systems, applications to test
• Develop and Post RFP
Next Steps: Choosing a Vendor
• Trusted Advisor
• Track record of finding vulnerabilities without affecting operations
• Ability to go beyond automated tools
• Expertise in investigating and identifying security gaps
• Qualified Professionals – verify certification
• Ability to gather actionable findings and incorporate them into a road map of strategic and tactical next steps
• Willingness to provide oversight of implementing recommended fixes
Next Steps
• Allow 4-6 weeks for assessment completion
• Expect an executive summary of findings along with the detailed report
• Implement recommended solutions
TLN Solution
• Opted for
• Vulnerability assessment on network equipment (routers, firewalls, servers)
• Social engineering
• Bid Award
• RSM in Southfield
Rationale for doing an Assessment
• Real-world evidence of breaches, malware, physical security failures, and social engineering
• Potential costs from damage caused by hacking
• Exposure of intellectual property
• Lost productivity
• Clean-up time and incident response costs
• Security testing can save money in the long run
• Solid security testing and an appropriate remediation process show the organization is serious about protecting sensitive information