Computer Security Amid a Sea of
Not much time passes without hearing
about a new piece of malware, a hack, or a computer vulnerability. It can be overwhelming, and
it often seems impossible to protect against them all. Digital library services
are expanding, so librarians must keep informed about basic information
technology, current threats, and best practices. Doing so will ensure we are
vigilant about security, mindful of patron privacy, and helpful when patrons
inevitably come to us with questions.
BECOME FAMILIAR WITH YOUR IT
Becoming familiar with the
technology employed at your institution will help facilitate identifying threats
and understanding how they work. You do not need to know your complete system
architecture. Just answer some basic questions. Do you run Macs or PCs? Or both?
Does any of your information live on a server? If so, is it in-house or
external? Do you provide services through vendors? Knowing the answers to these
questions will help you more quickly identify and respond to potential threats,
and response time can be critically important. Even if you have a dedicated IT
department, understanding some of the basics can help you ask the right
questions and potentially uncover vulnerabilities that need to be fixed. For
example, at some institutions, librarians are the ones petitioning their IT
departments to adopt HTTPS for institution websites to heighten security.
There is no shortage of threats,
but each presents its own difficulties. By studying past threats and their solutions, you
can determine the practices that will work best to keep your institution safe should
new threats arise. Here are a few that rocked news feeds in the past few years.
Heartbleed, discovered in 2014, allowed
hackers to backdoor secure internet communication and access the memory of data
servers. Attackers could potentially receive user passwords, server codes, and
other sensitive information. Webcomic xkcd provides a great visual of how
it worked. Since it was a vulnerability in third-party code,
the only way to fix it was to wait for the update. Despite the notoriety, some
individuals and institutions took a long time to update their software once the
fix was published.
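The Heartbleed lesson above is that the fix was a software update, and the risk lingered on every host that had not applied it. The following is an added example (not from the article) of the kind of inventory check a library's IT staff could run against version banners collected from their servers: it flags builds in the affected OpenSSL 1.0.1 through 1.0.1f range, which is the range Heartbleed affected (1.0.1g shipped the fix; 1.0.0 and 0.9.8 were not affected). The host list is constructed sample data.

```python
"""Inventory check: flag hosts still running an OpenSSL build affected by Heartbleed.

Added example, not from the original article. Assumed fact: Heartbleed affected
OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix, and 1.0.0/0.9.8 were unaffected.
The inventory below is constructed sample data, not real hosts.
"""
import re
import ssl

_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1f 6 Jan 2014' into a comparable tuple (1, 0, 1, 'f')."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_heartbleed_vulnerable(banner):
    """True for an OpenSSL 1.0.1 build before the 1.0.1g fix, False for any other
    parseable version, None if the banner could not be parsed (needs manual review)."""
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False
    # Plain 1.0.1 (empty letter) through 1.0.1f are affected; 'g' and later are fixed.
    return letter < "g"


# Constructed inventory: hostname -> version banner as reported by that host.
SAMPLE_INVENTORY = {
    "catalog.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "proxy.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example": "OpenSSL 0.9.8y 5 Feb 2013",
    "kiosk.example": "unknown",
}


def unpatched_hosts(inventory):
    """Hosts that still need the Heartbleed update, sorted by name."""
    return sorted(h for h, b in inventory.items() if is_heartbleed_vulnerable(b))


def unknown_hosts(inventory):
    """Hosts whose banner could not be parsed and should be checked by hand."""
    return sorted(h for h, b in inventory.items() if is_heartbleed_vulnerable(b) is None)


if __name__ == "__main__":
    # Also check the OpenSSL this interpreter itself links against.
    print("this interpreter:", ssl.OPENSSL_VERSION,
          "-> vulnerable:", is_heartbleed_vulnerable(ssl.OPENSSL_VERSION))
    print("unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
    print("review by hand:", unknown_hosts(SAMPLE_INVENTORY))
```

Unparseable banners are deliberately reported separately rather than silently treated as safe, since a host that cannot tell you its version is exactly the one most likely to have been forgotten.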
affected computers around the world last year. Unfortunately, flaws in the
software made it impossible for the attackers to see who had and had not paid,
preventing institutions from reclaiming their lost files. For most victims, the
only reliable solution was restoring their files from backups.
can be added to any website. It commandeers the visiting computer’s
processing power to mine cryptocurrency for the benefit of the website owner.
When it first came on the scene, there were not many applications that blocked
it. The initial solution for some was to block the sites that were known to be
running the script. It was also possible to use the NoScript extension, but it
is often too cumbersome an application for most users: every script a
webpage wants to run would need to be approved, at least initially. However, now
most ad-blockers and anti-virus software automatically prevent the script from
Spectre and Meltdown are large-scale
vulnerabilities that came to light recently. They take advantage of the way CPUs
process information to gain backdoor access to unauthorized information.
Complicating matters is that fixing these vulnerabilities results in the loss of
processing speed. CPU manufacturers are currently scrambling to find a fix that
won’t throttle speed. A true fix will require restructuring how CPUs are
made, so watching how companies adapt will be crucial for future purchase
Are they taking ownership of the
problem and making a promise to prevent the issue in the future? Or are they
pretending a large vulnerability is no big deal? Keep their reactions in mind
when your library begins reviewing technology upgrades and software to adopt.
You want to be sure you are implementing tech by companies with histories of
responsible actions when security is at stake.
FINDING A SECURE
Libraries house a sea of sensitive
information, and librarians have long been staunch defenders of patron privacy.
In the insecure digital landscape, there are many more ways for that same
information to be compromised. Thankfully there are many things librarians can
do to ensure their IT environment is as secure as possible against attacks.
A good place to start is with ALA’s
Privacy Checklist for Public Access Computers and
. The advice includes setting up public access
computers to purge all data from individual sessions and installing security
plugins to the browsers (e.g., Privacy Badger and HTTPS Everywhere).
Follow technology news outlets (e.g.,
TechCrunch), niche blogs (e.g., TorrentFreak), and digital-focused non-profits
(e.g., EFF), to learn about new threats faster than you might find out by
following general mainstream sources.
implementation of another security measure will likely depend on the
institution’s structure, services, and resources. For example, whether or
not you should use a cloud service vendor will require balancing the desire to
maintain control of information and the ability to keep secure servers. The
vendor will likely have better resources to respond to vulnerabilities like
Spectre. They can recover the lost processing speed by adding additional
hardware or replacing the hardware with restructured CPUs. However, their
privacy policies or lack of transparency in procedure might make them an
undesirable choice. EFF provides a helpful guide
to assessing a vendor's data security
Closely related is the creation of backups. An
institution should not operate without them, but the method may vary from institution
to institution. Some may choose cloud backups. Others may back up to tapes
or servers. Whatever the method, the focus should be redundancy.
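Redundant copies only help if the second copy actually matches the first, and silent drift (a truncated file, a file that never made it across) is easy to miss until a restore is needed. The following is an added example, not from the article, of a verification pass that compares two backup trees file by file by SHA-256 and reports what the second copy is missing or has changed; the two sample trees are constructed in a temporary directory so the script runs offline.

```python
"""Verify that two backup copies agree, file by file.

Added example, not from the original article. Compares a primary backup tree
against a second copy by SHA-256 digest and reports files the second copy is
missing, has changed, or matches. The sample trees are constructed on the fly.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path relative to root -> SHA-256 hex digest of its contents."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_copies(primary, secondary):
    """Report which files in primary are absent, changed, or intact in secondary,
    plus any files that exist only in the second copy."""
    a, b = hash_tree(primary), hash_tree(secondary)
    return {
        "missing": sorted(p for p in a if p not in b),
        "mismatched": sorted(p for p in a if p in b and a[p] != b[p]),
        "ok": sorted(p for p in a if p in b and a[p] == b[p]),
        "extra": sorted(p for p in b if p not in a),
    }


def build_demo_trees(base):
    """Constructed fixture: a primary copy and a second copy that has drifted."""
    primary = Path(base) / "primary"
    secondary = Path(base) / "secondary"
    for d in (primary / "catalog", secondary / "catalog"):
        d.mkdir(parents=True, exist_ok=True)
    files = {
        "catalog/records.csv": b"id,title\n1,Example\n",
        "notes.txt": b"hello\n",
        "patrons.db": b"\x00\x01",
    }
    for rel, data in files.items():
        (primary / rel).write_bytes(data)
    # Second copy: records.csv intact, notes.txt truncated, patrons.db never copied.
    (secondary / "catalog" / "records.csv").write_bytes(files["catalog/records.csv"])
    (secondary / "notes.txt").write_bytes(b"hel")
    return primary, secondary


def demo_report():
    """Build the constructed trees in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, secondary = build_demo_trees(tmp)
        return compare_copies(primary, secondary)


if __name__ == "__main__":
    for key, paths in demo_report().items():
        print(f"{key}: {paths}")
```

In practice `compare_copies` would be pointed at the mounted tape or cloud copy and its output fed into whatever alerting the institution already uses; the point is that a backup is only verified once its digests have been checked against the source, not when the copy job reports success.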
With a bit of foresight, preparation, and
research, you can ensure your systems are not easy targets in a sea of cyber
risk.
Copyright 2018 by Casandra Laskowski.
About the author:
Casandra Laskowski is a Reference Librarian
and Lecturing Fellow at Duke Law. She received her J.D. from the University of
Maryland School of Law, and her M.L.I.S. from the University of Arizona. Before
pursuing her career as a law librarian, she worked as a geospatial analyst in
the United States Army and served a fifteen-month tour of duty in Iraq. Her
areas of interest include privacy, censorship, and the intersection of national
security and individual liberty.