Libraries must pay close attention to the security of the technology applications they implement to support their work and provide access to resources for users. Any lapse can bring incredible harm to the library as an organization and to patrons if their personal information becomes compromised or exposed.
Security concerns are more serious than ever. The internet has become increasingly hostile territory, with all systems and services that the library might operate under constant threat. No organization can responsibly operate systems connected to the internet without sophisticated layers of defense against the inevitable barrage of attacks. Libraries are not immune to these attacks. Attackers do not spare organizations with benevolent missions.
The ongoing transition to technology services delivered through cloud computing has changed many aspects of security and privacy. Much of the technical burden has shifted from the library to its technology providers. Libraries must ensure proper security practices through contractual requirements. Unfortunately, individuals and organizations that perpetrate malware attacks have also gained ever more powerful tools deployed through cloud technologies. Libraries must continue to rank security as a top concern when selecting and implementing any technology component.
The likelihood of security incursions is substantially higher than ever before, and the consequences are more severe. For example, ransomware attacks have turned into a profitable activity by attacking all manner of organizations, including governmental entities, nonprofits, and libraries. These attacks take advantage of the same techniques that have been around for years, such as tricking users into opening an email message with a malicious payload. When opened, the malware may be capable of working its way through the data files of the organization and encrypting them with a digital key known only to the attacker. Once encrypted, the associated applications will likely fail, and the data files will be inaccessible. The organization often receives a message from the intruder, demanding financial payment for the digital key needed to decrypt the files. The intruder usually requires that the payment be made in Bitcoin or some other cryptocurrency. Transactions made in cryptocurrencies can take place without revealing the identity of the recipient.
Cryptocurrencies provide the mechanism that makes computer attacks profitable. In previous times, intruders would seek data files or other content that might carry some financial value. The new business model for system intrusions is based on locking organizations out of their own data and demanding payments that may be less costly and disruptive than the alternative of complete system rebuilds and data restorations.
Payments can be received by the attackers with relative safety, due to the anonymity of cryptocurrency platforms. Organizations that make the payment demanded usually receive the correct digital keys needed to restore their systems. If there was a low probability of successfully unlocking the encrypted files, organizations would have little motivation to consider responding to the ransom payment. Some organizations may avoid paying their attackers on principle, even if other means of recovery prove to be more costly and involve extended periods of disruption.
Recovery from a ransomware attack can be exceptionally difficult. Once the malware has been identified and deactivated and its entry point is secured, the encrypted data and program files must be restored. Unless the attack was identified early, even the backup copies of data may be encrypted. A complete rebuild of the systems involved and restoration of data files can take days or weeks. Paying the ransom to receive the digital key to decrypt system files can be a faster path to recovery, but it may perpetuate future attacks.
Ransomware Attackers Proliferating
The development of effective malware requires a high level of technical expertise and a detailed understanding of the many levels of security that protect an organization's network and its internal systems. With previous types of system intrusion, the tools needed to conduct ransomware attacks have proliferated. And once these tools have been developed, they can be shared or sold and used by others with less expertise. Such nefarious scripts and other tools have become widely available to individuals or organizations that want to engage in these attacks.
In the past, the term “script kiddie” designated individuals with little technical knowledge making use of available tools to attack computer systems. The availability of these tools accelerates the volume of attacks since the attackers are no longer just the elite experts, but almost anyone with a computer, time, and a willingness to take risks.
Not only have these tools been created to conduct ransomware attacks, but a new genre of technology— ransomware-as-a-service—has emerged. These platforms remove much of the technical burden for conducting ransomware attacks and charge fees to their customers, who hope to make money by turning these tools against the organizations they want to extort. These ransomware-as-a-service platforms result in a relentless bevy of attacks that are continuously underway. While the effectiveness of such scripts and tools degrades over time as the vulnerabilities that they are designed to exploit are addressed, it is of little comfort in the short term.
Mounting a Defense
The rising level of concerns about ransomware and other types of attacks means that libraries must be extraordinarily vigilant about the security of their systems. Any weaknesses in the organization's technical infrastructure will have a high likelihood of being discovered and exploited. Defenses against attack include technical approaches and efforts to address how individuals behave when using email and other applications on the library's network.
The library's technology infrastructure must be designed and administered to enforce strong security. Most libraries work within networks administered by their parent institution (such as local government, an academic campus, or a corporate or nonprofit organization). In my experience, these institutional networks implement very high standards of security protection. Libraries often find that the security measures enforced by their IT departments are overly restrictive. But given the increasing threat levels, institutional networks must implement strong defensive measures.
Institutional networks will almost always include a firewall that protects its perimeter, scanning all incoming and outgoing traffic to detect and trap any identifiable malware. These firewalls can be extremely effective against malware introduced via email, shared files, or other pathways into the institutional network. Network-based malware protection provides an important layer of defense from malware attacks and other security incursions. Workstation-based malware detection must also be implemented. Both Microsoft Windows and Apple OSs have integrated malware protection that works quite well, provided their automated update features are enabled.
One of the most important defenses against malware involves using the most current version of all software applications and OSs. Software vendors continually apply updates to address any known security issues. Libraries leave themselves unnecessarily vulnerable if they delay installing available updates. It is especially important to keep the OSs on all library computing devices on the current versions, including desktops based on Windows and Apple OSs, as well as any tablets or other mobile devices. Web browsers must be continually updated to current versions, not only to enable security improvements but also to ensure proper display of websites.
Keeping OSs and applications current offers strong protection against almost all malware attacks, except for the dreaded zero-day attacks. These attacks exploit some vulnerability in an application that has not yet been identified by its developer or had a fix created to defeat it. Fortunately, zero-day attacks are relatively rare.
Libraries must pay careful attention to security in the CMSs they use for their websites. Platforms such as WordPress may have vulnerabilities if they are not carefully deployed and updated with security patches. Intruders can easily detect the signature of obsolete or unpatched versions. Permissions and passwords for access to the site must be carefully managed.
Assuring Cloud Security
Cloud computing changes many aspects of how libraries and other organizations manage security and privacy. Libraries have steadily moved toward gaining access to their applications as cloud-based services rather than software that runs on local computers or servers. Applications deployed through cloud services or other vendor-hosted arrangements have no software operating on local computers or servers.
Hosted application will usually reside in large-scale data centers with sophisticated monitoring systems for security events, as well as hardware or security faults. In most cases, hosted services will be more secure than those hosted locally. This generalization must not be taken for granted, and libraries must remain vigilant that their providers implement strict security practices for the applications on which they rely.
Libraries using cloud services depend on the providers to implement proper security precautions and to implement practices that protect privacy. The technical operation of these systems is performed by the vendors, as is full responsibility for ensuring comprehensive security. Although the library may not have a direct role in implementing security measures, it must take a proactive role in monitoring and oversight. It should ensure, for example, that security protections are stipulated in any contract for a hosted service. In addition to standard disaster planning and recovery procedures, contracts should stipulate that all components of the application provided be continuously updated with security patches.
When selecting new technology applications, libraries should require vendors to provide a comprehensive description of the security measures they have implemented. Also consider vendors that have achieved ISO certifications in relevant areas (such as ISO/IEC 27017, which documents conformance to security controls for cloud services). Libraries should also regularly review vendor security practices, privacy policies, and other relevant documentation. Vendors should be asked to disclose any known security breaches related to the products the library has implemented.
When implementing cloud-based services, libraires must also follow good security practices in administering their accounts. Any accounts associated with these services should be secured with strong passwords or other authentication mechanisms. Most services support or require two-factor authentication, which makes it almost impossible for intruders to gain unauthorized access.
Libraries must also ensure that the web browsers used to access cloud services are fully updated and that all sessions are encrypted through HTTPS. Connections that use HTTP are not encrypted and are vulnerable to network eavesdropping, which is a security concern and also compromises the privacy of any information viewed during the session. Not enforcing HTTPS encryption for a web-based services is a red flag that it is insecure and warrants immediate attention.
Libraries must remain ever vigilant. Security and privacy must be a priority when implementing technology systems and not an afterthought. Although the threat levels may be more formidable than ever, effective defensive tools are readily available. With adequate precautions in place, libraries should not be hampered in using technology to support their work and deliver innovative services to their communities.
System Security: Due Diligence Takeaways
The likelihood of a security incursion has never been greater. Follow these tips to keep ahead of bad actors.
Design your library's digital infrastructure around strong security measures.
- Make sure you are using the most current versions of all software.
- Be mindful of your web CMS's vulnerability issues.
- For cloud-based systems, take a proactive role in monitoring and oversight.
- Require vendors to provide a comprehensive description of their security measures.
- Follow good security practices for admin accounts, including strong passwords.
- Assure that web browsers are fully updated.
- Encrypt all web sessions with HTTPS.
- Remain vigilant.