Computer Security Issues in Libraries

1. Computer Security Issues in Libraries By: Daniel Fidel Ferrer* Head of Library Systems Central Michigan University Libraries Mary Mead Programmer/Analyst Central Michigan University Libraries Ryan Laus Programmer/Analyst Central Michigan University Libraries

2. Library Policies • Interpretation of the Library Bill of Rights • http://www.ala.org/alaorg/oif.electacc.html • Michigan State University Policies • http://www.msu.edu/dig/aup/msuaup.html • Anonymous Access (Survey of various Libraries) • http://bones.med.ohio-state.edu/eric/authentication.html • MichNet Policies • http://www.merit.edu/michnet/policies/acceptable.use.policy.html • University of Michigan Policies • http://www.umich.edu/~policies/acceptable-use-policy

3. Common Ways to Protect Your Computer/Server • Lock workstation before leaving for extended periods of time • Microsoft Updates Current • Virus protection • Personal firewall • File Protection • Sign-on security • Server Security

4. Most Common Viruses • BackDoor Virus • Can copy/delete files on host system, change registry, and allow programs to be ran by attacker • HapTime Virus • Can Delete vital .DLL files on infected system • Nimda Virus • Creates a hidden share on infected computer, e-mails virus to any person in Outlook address book

5. McAfee Virus Updates via SMS • DAT files are updated via SMS “push” • What is SMS? • SMS stand for Systems Management Server • Small client piece installed on each workstation • Centralized database containing information on each machine (HD size, memory, OS, processor speed) • Allows software to be updated automatically, with no user intervention

6. What is ZoneAlarm? • ZoneAlarm is a personal firewall for each machine • “Hides” your machine from other machines on the network • Makes machines harder for hackers to break into • Allows you to monitor any programs from your machine that try to access the Internet

7. Why Encrypt Your Files? • If your operating system is Windows 2000, and your file system is NTFS, you can use the Windows 2000 Encryption File System(EFS) • EFS will secure data on the hard drive using a decryption key • If the hard drive is accessed by an intruder, the files are unreadable without the decryption key • Only the user who encrypted the file can access it

8. How to Encrypt Files • Right click on the file or folder and select properties • On the General tab, click Advanced • Add a check mark to the box “Encrypt Contents to Secure Data” • Click OK • You will be asked whether to encrypt the file or the folder and its contents • Only the user who encrypted the file/folder can decrypt it

9. Clear Text vs. Secure Sign on • Clear text passwords are vulnerable since password information is not encrypted • Clear text passwords are often transmitted through telnet and FTP sessions, which make them vulnerable to packet sniffers (a program which can read data transmitted over a network) • Secure Sign in programs will encrypt password information before transmitting • CMU Libraries is currently using an encryption schema known as 3DES to transmit encrypted data between clients and servers • SSH, SCP

10. Why Hack Our Servers? • Server contains SSN data for ID theft • Servers can be taken over and used to attack other web sites • Servers can be used to send out thousands of bad e-mails, crippling the network • This happened to CMU Libraries and resulted in a down time of 3 days

11. Future Issues With Server Security • If you use your server for credit card information • Use SSL (Secure Socket Layer) for encryption • Do not use clear text for passwords • Protect your backups and use encryption • Inventory your backups and have then locked at all times • Limit who has Ids on the system. Only allow Static IP addresses • Ongoing operations • Costly • Updating Software because of security problems • Be prepared for problems