Informed Librarian Online -- A Bit of Bytes -- www.informedlibrarian.com

Computer Security Amid a Sea of Risks

by Casandra Laskowski

Not much time passes without hearing about new malware, hack, or computer vulnerability. It can be overwhelming, and it often seems impossible to protect against them all. Digital library services are expanding, so librarians must keep informed about basic information technology, current threats, and best practices. Doing so will ensure we are vigilant about security, mindful of patron privacy, and helpful when patrons inevitably come to us with questions.

BECOME FAMILIAR WITH YOUR IT ENVIRONMENT

Becoming familiar with the technology employed at your institution will help facilitate identifying threats and understanding how they work. You do not need to know your complete system architecture. Just answer some basic questions. Do you run Macs or PCs? Or both? Does any of your information live on a server? If so, is it in-house or external? Do you provide services through vendors? Knowing the answers to these questions will help you more quickly identify and respond to potential threats, and response time can be critically important. Even if you have a dedicated IT department, understanding some of the basics can help you ask the right questions and potentially uncover vulnerabilities that need to be fixed. For example, at some institutions, librarians are ones petitioning their IT departments to adopt HTTPS for institution websites to heighten security.

UNDERSTAND THE THREATS

There is no shortage of threats, but each provides its difficulties. Studying past threats and the solutions, you can determine practices that will work best to keep your institution safe should new threats arise. Here are a few that rocked news feeds in the past few years.

Heartbleed, discovered in 2014, allowed hackers to backdoor secure internet communication and access the memory of data servers. Attackers could potentially receive user passwords, server codes, and other sensitive information. Webcomic xkcd provides a great visual of how Heartbleed worked. Since it was a vulnerability in an external code, the only way to fix it was to wait for the update. Despite the notoriety, some individuals and institutions took a long time to update their software once the fix was published.

WannaCry ransomware affected computers around the world last year. Unfortunately, flaws in the software made it impossible for the attackers to see who had and had not paid, preventing institutions from reclaiming their lost files. For most victims, the only reliable solution was restoring their files from backups.

CoinHive is a piece of Javascript code that can be added to any website. It commandeers the visiting computer’s processing power to mine cryptocurrency for the benefit of the website owner. When it first came on the scene, there were not many applications that blocked it. The initial solution for some was to block the sites that were known to be running the script. It was also possible to use the NoScript extension, but it is often too cumbersome an application for most users. Literally, every script a webpage wants to run would need to be approved, at least initially. However, now most ad-blockers and anti-virus software automatically prevent the script from running.

Spectre and Meltdown are large-scale vulnerabilities that came to light recently. They take advantage of the way CPUs process information to gain backdoor access to unauthorized information. Complicating matters is that fixing these vulnerabilities results in the loss of processing speed. CPU manufacturers are currently scrambling to find a fix that won’t throttle speed. A true fix will require restructuring how CPUs are made, so watching how companies adapt will be crucial for future purchase decisions.

Are they taking ownership of the problem and making a promise to prevent the issue in the future? Or are they pretending a large vulnerability is no big deal? Keep their reactions in mind when your library begins reviewing technology upgrades and software to adopt. You want to be sure you are implementing tech by companies with histories of responsible actions when security is at stake.

FINDING A SECURE BALANCE

Libraries house a sea of sensitive information, and librarians have long been staunch defenders of patron privacy. In the insecure digital landscape, there are many more ways for that same information to be compromised. Thankfully there are many things librarians can do to ensure their IT environment is as secure as possible against attacks.

A good place to start is with ALA’s Library Privacy Checklist for Public Access Computers and Networks. The advice includes setting up public access computers to purge all data from individual sessions and installing security plugins to the browsers (e.g., privacy badger and HTTPS Everywhere).

Follow technology news outlets (e.g., TechCrunch), niche blogs (e.g., TorrentFreak), and digital-focused non-profits (e.g., EFF), to learn about new threats faster than you might find out by following general mainstream sources.

The implementation of another security measure will likely depend on the institution’s structure, services, and resources. For example, whether or not you should use a cloud service vendor will require balancing the desire to maintain control of information and the ability to keep secure servers. The vendor will likely have better resources to respond to vulnerabilities like Spectre. They can recover the lost processing speed by adding additional hardware or replacing the hardware with restructured CPUs. However, their privacy policies or lack of transparency in procedure might make them an undesirable choice. Eff provides a helpful guide to assessing a vendor’s data security.

Closely related is the creation of backups. An institution should not operate without them, but the method may vary institution to institution. Some may choose cloud backups. Others may use a back-up to tapes or servers. Whatever the method, the focus should be redundancy.

With a bit of foresight, preparation, and research, you can ensure your systems are not easy targets in a sea of cyber risk.


Copyright 2018 by Casandra Laskowski.

About the author:
Casandra Laskowski is a Reference Librarian and Lecturing Fellow at Duke Law. She received her J.D. from the University of Maryland School of Law, and her M.L.I.S. from the University of Arizona. Before pursuing her career as a law librarian, she worked as a geospatial analyst in the United States Army and served a fifteen-month tour of duty in Iraq. Her areas of interest include privacy, censorship, and the intersection of national security and individual liberty.