It's such a cozy, comfy kind of word. One would think that it's something you either have or don't have, but just like the rainbow after a spring shower, it's elusive. Try to find the pot of gold at the end and you will find yourself traveling for ages. bThere seems to be no end to be no end to our search for the end of the rainbow and the treasures it holds.It's the same with computer and network security. As we use the word in this guide, security is non-attainable. Thomas Wadlow writes in his book The Process of Security, "Security is a direction you can travel in, but you'll never actually arrive at the destination. What you can do. . . is [manage] your level of acceptable risk." (1)
"So why spend our time on it?" one might ask. Isn't that the real question? Why spend time on an ideal that can't be achieved?
The possible effects of a security breach are loss of data, loss of services, loss of time, or loss of face and goodwill. In public libraries and other small community organizations, our time is especially precious, where we already have 800 other things we need to be doing. We can't afford the time it takes to recreate data (if it's even possible to be recreated) nor to get our systems cleaned up and operational again. For us security is the process of achieving a balance among our time, the risk associated with loss of our data or service, and the cost of implementing and maintaining adequate security.
Therefore, this is the direction in which we'll go once you turn the next few pages. We must identify the major areas of security, possible threats to resources, and the cost of securing systems.
Who is This Manual For?
When you wade into the waters of network security, you will not be wading into a tranquil pond to feed the duckies. One step into these waters and you are immersed in a whitewater rush of jargon, alerts, technical descriptions, and long, maybe incomprehensible, documents. The challenge is simply to stay afloat. For someone new to the topic, it's rough water indeed.
This manual is intended to provide a softer entry into the world of network security for non-technical managers of small libraries. Managers of other small nonprofit or community organizations will also benefit from it. It's a beginner's introduction.
We hope to teach you some basic principles to help you keep your kayak afloat and get to your campsite somewhere down river, a place where you will be ready to work with a vendor to discuss, plan, and implement your library's specific security strategy.
For the organization that uses network-based access to the Internet, network security is no longer an optional component of its technological infrastructure. Access has become an integral part of the business structure. Doing without Internet access for a long period of time will negatively impact services offered and normal business practice. So securing access against loss is imperative. We hope to show you why in the following pages.
Because few administrators of small libraries have technical support staff available, many are forced to learn at least the major facets of network security so that they can hire an outside entity to implement and maintain security for them. The goal of this manual is to provide a free resource where a non-technical person can go to learn essential security concepts without adding further to the burden already placed on what training funds the organization may have available.
For some of you, hiring an outside consultant or vendor will also not be an option. So I couldn't just leave this as a conceptual guide. For those who are interested, a companion online training module is being developed as well. The training module will help tech volunteers-or staff if the library is fortunate to have technically proficient employees-learn many of the primary procedures required in securing a Windows NT network and in working with general perimeter network equipment (routers, firewalls, and proxy servers).
A web-based version of this guide is available on the training site, with appropriate links to step-by-step tutorials, allowing the user to configure her/his organization's network servers, workstations, and other network equipment more safely. A virtual classroom component allows the user to participate in real-time class sessions using chat and whiteboard software, providing a forum to discuss problems, ask questions, and clarify understanding of security topics, just as one would in an in-person seminar.
The subject of network security is complex. This guide seeks to provide basic information about network security, but the information contained herein is not intended to take the place of consultation with a security professional prior to the implementation of security measures within an organization. There are many variables regarding network connectivity, and proper security configuration is incumbent on many of them.
Therefore, to minimize the risk of breaches, data loss, or other mischief or damage, we caution the reader to use the material to become familiar with concepts related to network security in order to contract with a security practitioner to plan the best security implementation possible.
I hope you find the guide helpful in your quest to understand network security. After you've read or looked through the guide, do feel free to send comments and suggestions by e-mail to firstname.lastname@example.org.