Defining Risk

Mrs. Winkle stared at the e-mail message in disbelief.

"We have traced the source of a denial-of-service attack against our Internet connection to several dozen hosts on the Internet. Two are part of your network. We would appreciate your assistance in removing this source of attack against our resources.

"Please scan the two workstations (IP addresses listed below) for viruses and have the offending software removed. Also, have your firewall configuration updated to minimize the possibility of similar attacks occurring in the future."

It was signed by the Security Manager of a company in Ohio she'd never heard of.

"Oh, my," she murmured. "I'd better call Tony."

She picked up the phone and pressed speed-dial 8 as they had decided in the response plan.

The process of securing your library network begins with realizing what the library stands to lose if security is not pursued. Network security is not just "another thing to do." Its importance lies in protecting the library's network resources.

Network resources? What does this conjure up in your mind? Maybe we need to start at the beginning.

In this chapter I hope to accomplish three things:

  • define some of the concepts involved in the world of network security
  • provide you with an understanding of the "treasure" present in your library's network
  • help you see the possible dangers to this treasure

In the next chapter I will suggest a strategy you can use in beginning to defend your library's treasure. For now, let's proceed to some definitions and some basic questions about security. Are you ready?

Definitions

Listed below are eight terms I will use throughout the remainder of the manual. Learn them well, be able to use them in the correct context, and everyone will begin to think you're a security expert!

Network Resources — the equipment, software, and data that make up a networking system, including the user data that is shared over the network. In terms of network communication, this includes the servers, workstations, hubs, switches, routers, firewalls, and telecommunications links that make up a network. In terms of usage, this includes shared printers, database systems, shared software, user accounts, the shared or user-specific files stored on a central server, and the keystrokes and form information that travel across the network.

Backup — a term I use throughout this manual in a general sense to mean any preferred method of making a copy of the software and data installed on a computer's hard drive. Along with traditional backup hardware and software, many entities now use "ghosting" software to make image copies of a hard drive's contents.

Attacker — a person (or inanimate force, such as a fire, torrential rain, or thunderstorm) willfully seeking to access in an unauthorized manner, damage, alter, corrupt, misuse, steal, or otherwise deny access to any network resource. Likewise, an attack is an event during which a network resource is accessed for any of these purposes.

Weakness — a characteristic of hardware or software (especially of an operating system) making a network resource susceptible to attack.

Vulnerability — an unprotected weakness by which an attacker can attack a network resource.

Exploit — (use, take advantage of) a process or procedure by which an attack is launched.

Intrusion, Infiltration — a successful break-in, where a user breaks through the security implementation and gains unauthorized access to network resources. Likewise, an intruder is someone who has gained unauthorized access to network resources.

Threat — an avenue by which a vulnerability can be exploited to attack a network resource (e.g., a flood or a lightning strike is a physical threat to network resources—a local user or an Internet "hacker" is a personal threat).

Risk — the likelihood that a particular vulnerability will be exploited.

These are all terms commonly used in documents and conversations related to security. But they don't cover the full range of events that might occur in a library, or any other business environment. What do you call it when a patron out of curiosity looks around a workstation's web browser files to see what he can discover about previous users' Internet use, or when someone installs personal software on a public workstation? What is it called when a patron changes the desktop wallpaper to something he likes better? Are these really attackers?

This sounds a little strong, doesn't it? So I've coined a different term: mischievous user. Nevertheless, even though their actions may be mischievous rather than malicious, the effect may be the same: loss of staff time because of the maintenance required to restore the system, or even the loss of a service itself for a period of time.

Why Would Anyone "Attack" a Library?

If we rule out that casual mischief we have all seen to some extent, are there really people who would try to break into the library network? Maybe not in every community, but many communities will experience such break-ins. Before we discuss users in your local community, though, let's look at the people on the Internet who work in security circles, either as attackers or as defenders. The likelihood of these guys breaking into your system is a lot less than someone messing with your network locally. On the other hand, local attackers may get their knowledge from them.

Black Hats

If you've seen "westerns," you already know these guys. They are the bad guys who learn the various ways to steal, mutilate, or view your information resources. They come with all types of personalities and levels of experience:

  • the "hacker" (really more appropriately called a "cracker") who searches across the Internet for likely targets and then begins the process of breaking in.

These guys get the publicity, but they're hardly the most common threat to networked resources. True crackers write software that enables them to take advantage of vulnerabilities in network equipment and operating systems. A less knowledgeable, and generally less capable, group called script kiddies may simply obtain software created by crackers and wreak havoc on networks. Either group can be dangerous.

Some crackers specialize in breaking into web servers and defacing web pages. Unfortunately, this can be done quite easily, and detailed exploits are available on the web. For this reason it is very important to maintain security on your web server. This can be done to a large extent simply by applying security updates to your web server software on a regular basis.

  • creators of viruses, Trojan horses, and Bots—while these programmers may never visit your network personally, their work can and very likely may be used against it.

These are malicious software components, generally designed to attack your network resources, provide information about your network to a cracker, or use your computers to launch an attack against another organization's network. While these bad germs are mindless and attack any system they're exposed to, their creators are not. See the section Bragging Rights below to learn some of their motivations.

  • an inside "predator;" in public libraries this may also be a local cracker or a staff member with a bad attitude.

Public libraries inherently provide more fertile ground for "inside" security violations. Public libraries are one of the few environments where total strangers can walk in and use computer resources. This means workstation security is much more important in public libraries than it might be in another organization.

Strangers and teenagers with too much time on their hands are just two groups representing internal threats in public libraries. Disgruntled employees are another, and they account for a high percentage of security breaches in most organizations. Therefore, some public libraries can expect to see similar activity. If there is sufficient motive, employees can be a serious threat to network security.

  • a staff member or volunteer with a big curiosity.

Maybe I'm stretching things a bit here. Most employees don't want to impair the network or use it to attack other systems. But some may search for information that is none of their business—what other employees or patrons are looking at on the Internet, for example. These are still breaches of security.

  • a former employee who was fired and is holding a grudge; also a current employee who feels he has been mistreated and is preparing to move to another job.

I'm not exaggerating. Someone with a little knowledge of the library network (e.g., the Administrator password) may take that with them and use it, trade it, or give it away. I wouldn't expect this to happen in libraries nearly as much as it happens in the business environment. It's a real threat nonetheless. A good program of security will take this into account and minimize the associated risk.

  • other mindless, purposeless causes: natural disasters and simple accidents

Accidents happen. Someone may spill liquid onto a workstation and short it out. A storm may damage one or more systems. For these events there may be no recourse but replacement. In this case, good security requires a disaster recovery plan and financial planning.

Grey Hats

Normal human beings don't see these guys often. Usually they are very knowledgeable network users. Some are "hackers" in the true sense of the term, curious about the details of operating systems, but with an interest in how they can be made to do what normally cannot be done. They do so "for the good of the networking world."

Their distinguishing characteristic is that when they find a vulnerability, they typically notify the software manufacturer to reveal the security weakness. Sometimes they make their discoveries public, trying to force recalcitrant manufacturers to take measures to fix the problem. While this may seem good, it also has the negative effect that it may lead to exploitation by the black hats.

White Hats

You've probably seen these guys in the westerns as well. The good guys. They lead the fight for truth, justice, and the American way. (Okay, I do get a little carried away, but they do lead the fight to defend the network frontier.) These are security experts and practitioners charged with defending large organizations from attack. They may also help other organizations learn about vulnerabilities and develop measures promoting sound security practice.

These, too, may be hackers in the pure sense. They test the strength of operating systems and network software to see if they can find vulnerabilities before the Black Hats do. When they find vulnerabilities, they may develop procedures, create software patches, and post security alerts so the rest of us can protect ourselves from the insecurities they've discovered.

In many cases, White Hats are available to consult on security matters, perform security audits, speak at conferences, conduct workshops, and generally help the computer and network industry protect itself against attack.

Personality

What this demonstrates is that there are many, many personalities out there. Some are just curious. Some are benevolent. Some are greedy. And some are just downright mean. When a break-in occurs, if the attacker is a curious person, he may just look at your data. A greedy person may steal a copy. A vindictive person may cut off your access to it. One wants it for himself. The other wants to make sure no one else has access to it. The effect may be the same, but the motivation is totally different.

Unfortunately, it's just not possible to forecast which personalities may come into contact with your network today—whether Internet-based or within your library. It's just as impossible to determine whether local attackers will be complete strangers or patrons using your workstations for the fortieth time, but it is possible to guess why they are trying to break in.

Treasure: The Pot of Gold

Obviously, anyone breaking into a network is looking for something. Thieves are treasure hunters. They want the gold.

If an attacker breaks into a bank's network, you can imagine what the treasure might be. Maybe he could take money from one account and put it into his own, or into another account over which he has control. Or maybe he could simply disrupt the network so that no transactions could be processed. Maybe he could try to steal credit card numbers, along with the name and address information used to confirm credit transactions on the web. There is a boatload of treasure waiting in a bank.

If the attacker was a teenage student breaking into a school network, you could just as easily guess what his treasure might be. The ability to change a grade or two—or ten or twenty; this is a lot of skill and power to be sold to other students. Lots of treasure there.

What treasure awaits the thief attacking a library network? (It certainly doesn't have anything to do with the fine money!) The ability to spy on someone's reading habits? Man, that sounds pretty boring! It would be easier just to stand behind a person in line at the checkout desk and look over her shoulder. There is probably not even any driver's license information stored online. So there is no gold in library networks, right?

I'd better give you a moment to think on this one. . . . On second thought, it might be time for a coffee break. So take a break and think on it a moment. Why would anyone want to break into a library network? Or, take the flip side. What is so valuable that it's worth a public library's time and money to secure?

What is the pot of gold we're protecting?

Okay, go get that coffee.

Okay. Break time is over. Here it is, my list of three treasures: budget, opportunity, and real estate.

Technological Support Costs

Budget. I'll bet you weren't expecting this! Think about it. If an attacker is mean-spirited, he may attack the network out of sheer spite. Just to deprive someone else of the resource, he may choose to deliver mayhem to your network configuration. Maybe he's just trying to install his own stuff. Either way, it usually takes staff time, or a volunteer's time, or a paid tech support person's time to recover from the attack. Two of these result in lost time for doing other, probably more important, library activities. The third results in finding real money in our already strapped budgets to recover. Neither is an acceptable alternative. How many times will the library have to repeat this during the year?

In this case the gold is not what the attacker sees, but what we see as a result of the attack. Our time is valuable!

However, causing financial pain and suffering is not the only treasure on the network. The following two sections describe treasure much more likely to be of interest to an attacker.

Bragging Rights

Opportunity. In the scheme of things, small public library networks ought to be the last ever tampered with by attackers and malicious users, but library computers and networks do get tampered with, and on a regular basis! Most attacks are only mischievous, and many of the remainder are simple acts of ignorance. Some are purposeful, malicious acts. Why are library networks hit?

Because they are usually unsecured! Here are a few common reasons why unsecured networks are attractive targets:

  • bragging rights; young "script kiddies" can break into a library network and then tell their teenage computer buddies all about it.
  • learning opportunities; open networks allow inexperienced hackers to practice tradecraft; in this case, the library may never know it's been attacked because the normal intent of this type of attack is not destructive.
  • mischief; some attackers are joyriders who just want to have "fun" and know the library network is one where the repercussions of their joyriding are minimal.
  • meanness; what can I say—some people are just mean-spirited; they attack just to break something or to keep others from using it; for this reason, almost any network is at risk.

Strategic Bases

Real Estate. Besides bragging rights, computers on library networks also provide two other benefits to an attacker, sometimes together:

  • Anonymity

Few public libraries assign specific user accounts to patrons accessing network resources. Almost all assign some generic account for public users: Public, Patron, or some other class name.

While this makes network administration easier, it also makes use of the network totally anonymous. There may not be any way to know who sent the latest death threat to the President of the United States from the public computer. Likewise, there may not be any way to trace the source of harassing e-mail sent to members of the community. It gets worse. There may be no way to know who used a public workstation to chat with a teenage runaway in another city or state, or who used a public workstation to break into computers at the Pentagon, Los Alamos, or the local bank. But all these activities can be traced to the library computer used for such activity.

  • Nest building

Some attackers will break into a library network just to build a "nest." If they can succeed in gaining administrator rights on a library computer connected to the Internet, they can store software tools on its hard drive. From this computer they can launch more aggressive attacks against other computers and networks on the Internet. Generally, these attackers also store tools allowing them to cover their tracks. Any subsequent investigation dead-ends at the nest—your library's computer.

Are These Threats Real?

In short, yes—to all of the above. One library suffered an attack resulting in the loss of its bibliographic database, with the system being down for two weeks while the database was rebuilt. Another library reported having a computer impounded because of purchases made online with a stolen credit card. Yet another incident involved a teenager using a library computer and an Internet-based chat room to arrange a face-to-face meeting with a man she had met there. And one librarian reported having e-mail sent from a library computer to a community member with whom she was having a personal conflict—signed as if she had sent it! Bots (software robots) have been developed that, when activated, make the victim computer participate in a distributed denial of service attack against another site on the Internet.

The threats are real.

The question is how likely are they to occur? Below I present a list of threats with particular activities listed below them. Each is rated—on a scale ranging from very rare to very likely—with my best guess of its likelihood to occur in your library. The more likely a threat is to materialise, the greater the risk of problems if the network is left unsecured.

  • Lack of Discipline or Knowledge
      • no data backups (common)
      • no Windows registry backups (very likely)
      • no protection or poor protection of passwords for network resources (likely)
      • Library staff fails to obtain password information that a vendor has used to secure a network device (common)
  • Accidents (including operator error)
      • Fire (rare)
      • Breakage or Damage to Equipment (very rare)
      • Spills (rare)
      • Faulty Wiring or Electrical Equipment (rare)
  • Natural Disasters
      • Flood (depends on location; not uncommon)
      • Electrical Storm (not uncommon)
      • Tornado (very rare)
  • Human Attackers
      • Theft of equipment (not uncommon)
      • Web server defacement (common)
      • Password guessing (common)
      • Internet probing (very likely)
      • Infiltration and nest building (common; likely in a poorly secured web server)
      • Workstation configuration alteration (very likely)
      • Installation of personal software (common)
      • Illegal activities (not uncommon)
      • Destructive activities (reformatting hard drive or deleting files—rare)
      • Viruses on unprotected workstations (common)
      • Unauthorized access to patron data (rare)

Consequences of Not Securing the Library Network

In many libraries Internet access has been offered for two or three years without any major problems. Installation of basic workstation security measures alleviates many, many headaches and eliminates a lot of wasted staff time. So, what are the consequences of just letting the network configuration roll on as it is?

It is tempting to let things continue as they are when there have been no demonstrable problems. The problem with leaving a network unsecured is that past performance is no predictor of future events. Leave your server poorly secured and one day you may find yourself unable to log in as Administrator to add another user, or change some system setting. Then you will be left with the option of trying to crack the current Administrator password yourself or reinstalling the system from scratch. It's almost totally unpredictable what may happen. Here are some possible consequences of doing nothing:

  • Nothing bad will happen; the network will continue operating as it always has (consider yourself fortunate)
  • A workstation or two will have to be reconfigured occasionally; if we could predict this, we'd just invest our security money in tech support
  • The library will suffer the embarrassment of having one of its workstations or servers participate in an Internet attack or of having its web server's pages defaced
  • The library will suffer the loss of a workstation or server as evidence due to its being used to conduct illegal cracking attempts over the Internet (the attacks could originate from a user inside the library or across the Internet)
  • The library will lose a key component of the network—a switch or the router or firewall—due to storm or theft. The entire network will be down until a replacement is installed and configured.

Just looking at this range of possibilities shows the cost of inadequate security varies from practically nothing to almost catastrophic. If the library has no disaster budget and no means of replacing equipment, it may lose network access completely: no Internet access and no catalog (if the library is automated). If the library is providing access to its library catalog over the Internet, what will be the perceived loss when patrons can no longer access the catalog from home?

What Attacks are Most Commonly Experienced?

Thankfully, the most common attacks experienced in public libraries are more mischievous than damaging. These are workstation configuration messes: adding or removing icons, changing the wallpaper, changing the screensaver, installing personal games and browser plug-ins required to play Web-based games, and others. Occasionally a patron will try to break into the Administrator account on the network, just to see if he can.

Theft always remains a very real possibility. If your library just got a $30,000 grant to expand access to the Internet and provide access to your library catalog over the Internet, it will not be a secret. Everyone in the community will know about it. Even the bad guys. $30,000 worth of computer equipment will still fetch a handsome price on the black market. Not only that, but with 24-hour-a-day access to the Internet, your web server will become more of a target for Internet-based attackers.

These aren't the most significant problems. Libraries aren't like the normal business world where business-critical security simply must be implemented. Libraries exist in a very different economic and political environment and, therefore, have a much broader set of concerns. The list below demonstrates this in item one: money. Because of its cost, network security may be easily overlooked by policymakers in local communities. Yet, sustainability of grant projects, including increased funding for maintaining current levels of technology, is of primary importance. In most small communities, the threat of losing service due to inadequate funding cannot be overstated.

With that said, Table 1 below presents the top ten threats to network security I see in most small libraries, listed first in order of probable occurrence. In column three I've also listed the order in which I believe most small libraries are able to implement security measures to defend against them, from least expensive (in time and funds required) to the most expensive.

Table 1. Top Ten Network Security Threats

| Order by Likelihood | Threat | Order by Expense |
|---|---|---|
| 1 | Inadequate funding to operate, maintain, and replace network equipment | 10 |
| 2 | Local patron tampering with workstation desktop and hardware settings | 4 |
| 3 | Unauthorized access to workstation file systems, including installation of personal software and other activities | 5 |
| 4 | Defacement of library web pages if hosted on library-based web server | 8 |
| 5 | Theft of equipment | 9 |
| 6 | Damage to equipment or data due to electrical anomaly; for example, lightning strike, surges, or inadequate power | 2 |
| 7 | Local users cracking of passwords, especially for the Administrator account | 1 |
| 8 | Internet-based attacks of internal network resources | 3 |
| 9 | Unauthorized access to server file systems | 6 |
| 10 | Tampering with local network infrastructure: network devices, network wiring, etc. | 7 |

Beyond the threats listed above, one commonly overlooked item when networks are first configured in libraries is obtaining copies of passwords. Some vendors have not provided to their library customers the passwords used to secure switch, router, or firewall configurations. Not having the passwords can cause expensive delays when the devices must be reconfigured in the future. Be sure you obtain the passwords from your vendor.

A Self-Assessment

Having noted some threats that are present in every library environment, it's time for a test. How has your library prepared for the common maladies that plague networks? Look at the questions below and check the ones you've already addressed in your library.

  • Is the backup of your library automation server current (performed within the last week)?
  • Is the backup of your primary administrative workstation current (performed within the last week or two)?
  • Do you have workstation security software installed or Windows NT/2000 Workstation securely configured to minimize mischief on your public access workstations?
  • Are the virus definitions for your anti-virus software up-to-date (new signatures downloaded within the past week)?
  • Do you have the BIOS supervisor password set on all your public access workstations?
  • Have you changed the default Administrator password on your Windows NT/2000 Server and your Local Administrator password on your Windows NT/2000 workstations?
  • Does the library have a simple, written, disaster recovery plan (e.g., do you have procedures in place to help you recover if your server is stolen over the weekend, or if the library roof develops a leak and pours rainwater on top of your server and network equipment)?
  • If someone breaks into your network, do you have a mechanism in place by which you might discover it (you get bonus points if your network is configured to alert you immediately that certain attacks are happening right now)?

Okay, now for the assessment part. If you checked fewer than five items, you need to do a lot of work, just like most small organizations! If you checked fewer than seven items, you still have some work to do. If you checked all eight, you have reason to celebrate! Your library has already done a lot of work. You may still have a couple of corners to clean up, but your network is secure from a lot of the bugaboos likely to attack it.

If your library is like most, you've discovered some threats that need to be addressed. To help you get started, I will present some principles to use in assessing and managing risk and security in your library in the following chapter.

Summary

  • We defined nine key terms used in discussing network security: network resources, backup, attacker, weakness, vulnerability, exploit, intrusion, and risk.
  • We described three types of personalities involved in network security:
      • Black hats: the bad guys who seek to control or misuse others' network resources
      • Grey hats: the in-between guys who work at discovering vulnerabilities and getting vendors to fix them, but who sometimes publish their findings, making it easy for black hats to break into networks.
      • White hats: the good guys who seek to discover vulnerabilities and educate the network community about them.
  • We described three aspects of the treasure incorporated into your network:
      • Budget: time and expense incurred in recovering from attacks
      • Opportunity: the bragging rights and learning opportunities represented by weakly secured library networks
      • Real estate: servers or workstations attackers can use to run their own software, typically used to attack other networks
  • We categorized the likelihood of particular threats materializing and the consequences of not securing your library's network.
  • We listed the top ten threats to network resources in small public libraries.

 

Page last modified: March 2, 2011