Tuesday, November 4, 2014

#LibSec: An Open Letter to Public Libraries

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks.

This week I'm going to talk about NIST's SP 800-116. Well, sort of...

In that document the authors specifically addressing the use of "Personal Identification Verification" (PIV) credentials for physical access control systems (PACS), which doesn't apply 100% to #LibSec but at the same time it's a great run-through of all the reasons why ID cards, like a library card, offer very minimal security. To put it bluntly: "most bar code, magnetic stripe, and proximity cards can be copied easily. The technologies used in these systems may offer little or no authentication assurance"—a direct quote from the executive summary.

Sure, from an IT operations / security standpoint there's little reason to worry about someone borrowing a book under the wrong patron's account and accruing exorbitant late fees. It has undoubtedly happened at some point in human history but no systems librarian is losing sleep over the idea. I've said this before but I'll say it again: it's not about that, it's about ensuring you know who is accessing the library network (internally and externally) with a relative degree of certainty. Quasi-anonymous ID cards and low-threshold passwords do very little to fix this.

As a solution, I propose more libraries universally add 2-factor authentication, at a minimum. It's actually not that difficult to implement and Google even has a fancy new USB key system that doesn't require a smartphone app to use. This SANS.edu community forum post doesn't give a complete rundown of how to do this but definitely offers a starting point on how to add 2-factor on the cheap too.

In the grand scheme of things, and taking into consideration all of the potential cyber security threats a public library might face, this change I'm suggesting may seem largely symbolic. That being said, I would argue it's not only a learning opportunity for patrons (does the general public understand how 2-factor works and why? I think not) but a great marketing opportunity as well.

I want to live in a world where a person can walk down to the public library and have guaranteed privacy. A version of the web without targeted ads and with total intellectual freedom. If the public library could truly promise that, I think that would do a lot in terms of gaining public support against budget cuts. A "win-win" situation for the public and the institution.

Public libraries: I love you, but please change.

No comments: