News from the SWANpond
How SWAN protects library networks and
servers from security threats
In light of recent ransomware attacks around the world, Steven Schlewitt, the SWAN IT Manager, took some time to answer questions about library security and the methods employed by SWAN to prevent attacks and maintain a secure library network.
What are the biggest security issues facing SWAN’s servers and network today?
If you were to ask just about any IT folks in the library industry, I think they’d agree that we’re unfortunately dealing with software that was not designed with security in mind 10 or 15 years ago when it was originally conceived. The way that the Integrated Library System (ILS) clients and associated interfaces interact with our server are surprisingly outdated. So while ILS vendors like SirsiDynix continue to develop new products that incorporate modern standards of security and encryption, the fact of the matter is, the core of our services – the ILS – is still working from this decade-old security architecture, which forces us to seek alternate methods to secure everything around that architecture. In that way, I think we’re always pursuing new, sustainable methods to avoid threats, and to defend a somewhat antiquated system (from a security standpoint). That’s certainly a huge challenge for us, just to top off the security issues we face just like any typical organization – from login security, to permissions management and desktop viruses.
What standards does SWAN incorporate to secure their servers and networks?
For one thing, I’d say SWAN libraries are really at an advantage, as they’ve all been required to maintain a network firewall with Virtual Private Network (VPN) tunnels to SWAN, which I’ve been told is a rare practice with library consortia (one would assume out of convenience). That’s a standard throughout our libraries though, and it certainly helps to make our jobs easier, in that the communications between the libraries and the ILS server are at least secured from the prying eyes of the internet. We also secure traffic down to individual server ports, and assign those specific ports to libraries so that we can track specific traffic that could be questionable. Along those same lines, we’ve also been encouraging third party vendors to use alternate methods to authenticate patrons against the ILS. For example, we’ve been doing quite a bit over Symphony Web Services these days, which employs Secure Sockets Layer (SSL) encryption. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. Additionally, OpenAthens is shaping up to be a great proxy solution for our database authentication, which is not only SSL, but maintains some additional distance between patron data and the database vendor by just handing off a simple true or false authentication. Much like other server/system providers, we also incorporate standards like a regular server patch cycle, a regularly audited firewall rules list, and several layers of transaction and login monitoring. We’ve been working to refine some of our intrusion detection tools as well.
What are the biggest security issues that our libraries face today?
We have a wide spectrum of technology at our libraries, from automated material handlers, to labs full of desktop computers. Some libraries even loan tablets and laptops now. Each piece of technology should be carefully considered with regard to security. I would urge libraries to work closely with their IT staff and contractors on new projects and tech acquisitions to avoid ending up with products having obsolete security standards that could put a library at risk. This even includes something like an HVAC or security camera system – these are absolutely susceptible to attacks, and should be considered no more secure than any typical desktop computer (even less-so). Additionally, any business offering public WIFI is always more susceptible to attacks, so libraries always need to keep this in mind when securing their network and the devices on that network.
Libraries interact with sensitive patron data every day, which could be highly desirable to attackers. Even though we generally don’t handle credit card data or something as sensitive as Social Security information, we should never underestimate the need for security in our libraries.
What can a library do to better secure its data and networks?
Well, once again, the network firewall is certainly a good start in that it’ll appropriately route traffic and block intrusions. For that reason, libraries absolutely need to maintain supported network firewall hardware (and the most updated firmware on those devices, when applicable). Libraries should also make certain that their patron and staff network traffic are separated appropriately through VLANs and/or firewall rules. We also hear of a lot of libraries with Windows XP and Vista computers that are providing difficult to retire. I can’t stress this enough – those computers have to go! Windows XP has not been receiving updates from Microsoft for over three years now, and Vista is several months off support now, meaning they both present a massive vulnerability to your library’s network.
Here are just a few best practices we’d recommend to any library:
- Make sure to apply all of the latest security patches and upgrades to all of your devices and software on a regular schedule. This includes that HVAC computer or the Android tablet that may act as an OPAC station. Supporting the latest operating system with the most up-to-date patches is generally the easiest way to maintain a decent level of security. If the hardware doesn’t support the latest patches or operating system, it’s time to budget for new hardware.
- Maintain an anti-malware/antivirus utility on any Windows workstation, and make sure they’re scanning on a regular basis. On public computers and labs, it may be a good idea to use an image restoration tool like DeepFreeze to bring a computer back to the original state after a patron is done using it.
- Keep your passwords secure using a password manager like LastPass or KeePass. Post-It notes do not count as a secure password manager.
- Always maintain your computer policies and permissions. No one should be logging in as an “administrator” user unless they have something to install.
- Keep your IT person in-the-loop. Even if they’re very busy now, overcommunication with IT is better than having than giving them more work later with unreliable/unsecure equipment. They’ll ultimately appreciate having been incorporated in the decision making process.
|
|
Upcoming Events
SWANstravaganza Annual Summer User Event
Friday, August 11 (9:30 a.m. - 4:30 p.m.) at Moraine Valley Community College
Join us for a full day of training, speakers, panel discussions, and more. This year's keynote speaker is George Christian, Executive Director of Library Connection Inc. Christian will share his perspective on defending libraries and their users in 2017.
Our keynote speaker will begin at 9:30 a.m. and there will be 45-minute sessions throughout the day. You can attend as many as you are able to. Seats are on a first-come, first-served basis. Boxed lunches and beverages are served at noon, and there will be snacks and beverages set out in the afternoon. We'll conclude at 4:30 p.m. after prizes, giveaways, and an update from the Illinois Library Association on current legislation and advocacy initiatives.
Tickets cost $28 each, and there is a $2.53 surcharge. You can buy as many tickets for your staff as you want. After tickets are purchased, Susan Ricker will follow up with you about your preferred lunch orders and answer any questions you may have.
Register and view session information at https://sx17.eventbrite.com.
|
|
Fake Library Stat
|
|
|
|
|
