Tuesday, September 23, 2014

Wait, what do you mean by #LibSec?

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks. 

I want to take a moment to clarify why libraries, and especially public libraries, are a worthy topic of study in the realm of cyber security risk and threat management. I've presented this idea to a number of my peers in the MSIT program at Clark University and some seem quick to dismiss the idea.

No, the online catalog of books, DVDs and online journal subscriptions that most people interact with in a library is not what I'm talking about. Although one could make an argument that data leaking from these systems might enable some form of identity theft or user profiling, that seems very unlikely. Not only that, but most if not all commercially available library systems obfuscate patron lending history for this very reason (privacy is, after all, a major tenet in the ALA code of ethics), and unless a patron's username and password info was already compromised, there's very little ROI for such an attack.

Instead, I want to point out the fact that most modern libraries offer at least a dozen or so computer stations connected to the internet for general use, in addition to free public wifi, and a quasi-anonymous environment such as this enables any number of cyber security attacks to take place. The perfect vector. To make the situation even worse, many library patrons use this equipment because they do not have a home computer or ISP; if library staff members do not take cyber security seriously, these patrons then become the most vulnerable computer users in our society because they have no control over the computer systems they're using to access the internet.

So please understand, #LibSec is about cyber security risk and threat management as it relates to state-funded public access IT infrastructure in your local community. Hardware that, in the wrong hands, could be used to perform attacks in a variety of ways. And I'm not alone: check out the Sec4Lib listserv for more info. I'll be crawling the archives for the next couple of weeks!
