An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet, on computers, and on any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more.
An Introduction To IT Security And Privacy for Librarians and Libraries
1. IT Security For Librarians
Blake Carver
LYRASIS Systems Administrator
2. Week One: Intro
Who and How and What
Privacy & Security in general
Why this is all important
5 Basic Things
Week Two: Outrunning The Bear
Privacy
Passwords
Securing Devices
Web Browsers
Email
Staying Safe On-line (General Tips)
Week Three: Outrunning The Bear @ Your Library
Training: Thinking & Behavior
Threat modeling
Hardware and networks
Week Four: Websites & Everything Else!
Web Servers and Networks
Backups
Drupal and Wordpress and Joomla
Servers in general
3. Everything You Need To Know
• Use Good Passwords
• Stay Paranoid & Vigilant
• Use Routine Backups
• Keep Everything Patched / Updated
• Think Before You Share Or Connect
Intro
4. Other Things
• Install Updates NOW
• Passwords Are Key
• ALL Software Has Flaws
• Security Is Complicated
• Everyone Plays A Part
5. Common Security Myths
• You have nothing worth stealing
• Patches and updates make things worse and break them
• You can look at a website and know it's safe
• No one will guess this password
• Social Media Sites Are Safe
• I’m safe! I use Anti-virus / firewall
• There’s only malware on Desktops not phones
• If I'm compromised I will know it
• I'm too smart to get infected
6. Common Security Excuses
• But nobody would do that [Exploit Method/Thing]
• I can't remember all these passwords.
• Firewalls / AV / Security just gets in the way
• They won't be able to see that; it's hidden.
• It's safe because you have to log in first.
7. So What Are We Talking About
9. But the state argued that because cell phones constantly reveal their locations to carriers by pinging nearby cell towers, Andrews "voluntarily shared this information with third parties," including the police, merely by keeping his phone on.

In other words, if you don't shut off your phone, you're asking to be tracked.

"While cell phones are ubiquitous, they all come with 'off' switches," the state responded in the brief. "Because Andrews chose to keep his cell phone on, he was voluntarily sharing the location of his cell phone with third parties."

"The government has indeed repeatedly argued that there is no [reasonable expectation of privacy] in cell phone location information, in court and out," Nathan Wessler, a staff attorney with the ACLU's speech, privacy and technology project, told Motherboard in an email. "In cases involving historical cell site location information, the government has danced around this argument, arguing that phone users give up their expectation of privacy in their location information merely by making and receiving calls."

State of MD v. Kerron Andrews
23. Why does this keep happening?
The Internet was built for openness and speed
More Things Online – More Targets
Old, out-of-date systems and budget shortfalls
New poorly designed systems
Surveillance is the business of the Internet
28. Not much of this crime is new
Automation
Distance
"Technique Propagation"
(“Only the first attacker has to be skilled; everyone else can use his software.”)
29. The technology of the internet makes the bad guys vastly more efficient.
30. It's Safe Behind The Keyboard
Hacking is a comparatively safe crime when measured against other real-life crime.
40. What's It Worth?
Credit cards: $5-$30
• Basic or "random": $5-$8
• With bank ID#: $15
• With date of birth: $15
• With "Fullzinfo" (a full identity package): $30
Payment service accounts: $20-$300
• Accounts containing US$400 to $1,000: $20-$50
• Accounts containing $5,000 to $8,000: $200-$300
Bank login credentials: $190-$500
• A $2,200-balance account selling for $190
• $500 for a $6,000 account balance, up to $1,200 for a $20,000 account balance
Online premium content services: $0.55-$15
• Online video streaming: $0.25-$1
• Premium cable channel streaming services: $7.50
• Premium comic book services: $0.55
• Professional sports streaming: $15
Loyalty and community accounts: $20-$1,400
• A major hotel brand loyalty account with 100,000 points for sale for $20
• An online auction community account with high reputation marks priced at $1,400
Source: "The Hidden Data Economy" study by McAfee, October 2015
51. Everything You Need To Know
Use Great Passwords
Strong (Long, Complex)
Unique
Stay Paranoid & Vigilant
Never Trust Anything or Anyone
Always Double Check
53. Everything You Need To Know
Use Great Passwords
Strong (Long, Complex)
Unique
Stay Paranoid & Vigilant
Never Trust Anything or Anyone
Always Double Check
Think Before You Click
Use Routine Backups
Keep Everything Patched / Updated
Think Before You Share
54. Avoid The Worstest Things
• Moving slowly on updates
• Thoughtless surfing/clicking/following/sharing
• Over Sharing
• Reusing Weak Passwords
• Not Backing Up
• Thinking It Can’t Happen To You
55. Week One: Intro
Who and How and What
Privacy & Security in general
Why this is all important
5 Basic Things
Week Two: Outrunning The Bear
Passwords
Securing Devices
Browsers & Tor
Email
Staying Safe On-line (General Tips)
Week Three: Outrunning The Bear @ Your Library
Training: Thinking & Behavior
Threat modeling
Hardware and networks
Week Four: Websites & Everything Else
Web Servers and Networks
Backups
Drupal and Wordpress and Joomla
Servers in general
56. IT Security For Librarians
Blake Carver
LYRASIS Systems Administrator
Editor's Notes
The following slides outline what I mean here.
Things *should* be better.
This news article on privacy tried to load a RIDICULOUS number of trackers.
IF the NSA comes after you, they’ll get you. Ain’t nobody got time for that kind of defense.
WHEN a bot finds your open ports / not-updated WordPress site, then you're dead.
The NSA isn’t very likely.
The bot WILL happen.
I like to use bad guys.
Bad guys or good guys?
Bad guys! The bears we want to out run. Bots and other things that are crawling IP address 24/7
Evidence of bots looking for insecure phpMyAdmin installs
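The bots described in the notes above (and on the "bot WILL happen" note) leave a recognizable trail in ordinary web-server access logs: bursts of requests for phpMyAdmin and WordPress paths that usually do not exist on the server. The following is an added example, not code from the talk or from LYRASIS, showing how to spot those probes in Apache/nginx "combined"-format log lines. The log lines are constructed for the example, and the probe-path list is an assumption about what commodity scanners look for, not a list from the presentation.

```python
import re
from collections import defaultdict

# Constructed sample of Apache/nginx "combined" access-log lines (not from the talk).
# 203.0.113.7 is probing for phpMyAdmin, 192.0.2.99 is hammering WordPress login
# endpoints, and 198.51.100.23 is an ordinary visitor browsing the catalog.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2015:14:02:01 +0000] "GET /catalog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2015:14:02:05 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2015:14:10:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3072 "-" "python-requests/2.7"
192.0.2.99 - - [10/Oct/2015:14:10:11 +0000] "POST /wp-login.php?redirect_to=/ HTTP/1.1" 200 3072 "-" "python-requests/2.7"
192.0.2.99 - - [10/Oct/2015:14:10:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "python-requests/2.7"
"""

# Fields of the "combined" log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed probe paths: directories scanners try for phpMyAdmin, plus the
# WordPress login and XML-RPC endpoints used for password guessing.
PROBE_PATTERNS = (
    re.compile(r'/(phpmyadmin|pma|myadmin|mysqladmin)(/|$)', re.I),
    re.compile(r'/wp-login\.php$', re.I),
    re.compile(r'/xmlrpc\.php$', re.I),
    re.compile(r'/wp-admin/', re.I),
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the request path (query string ignored) looks like a scanner probe."""
    path = path.split('?', 1)[0]
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_scanners(log_text, threshold=2):
    """Return {ip: [probe paths]} for sources that hit at least `threshold` probe paths.

    The threshold avoids flagging a single mistyped URL from a real visitor;
    a commodity bot walks a list of paths, so it trips several in a row.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in some other format rather than crash
        if is_probe(rec['path']):
            hits[rec['ip']].append(rec['path'])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} probe requests, e.g. {paths[0]}")
```

On a real server you would feed `find_scanners` the contents of the access log (or tail it) and hand the resulting IPs to a blocklist or fail2ban-style tool; the 404 status on the phpMyAdmin requests is itself the tell, because the bot is asking for software that is not installed.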
I like IT Security
Let’s make it a part of Information Literacy!
Things aren’t SECURE or NOT
It’s not all black and white.
The link is there, a really interesting read as it applies to privacy.
Read that previous link.
Professionals, who are good at what they do, and smart and talented.
But then everyone else follows what they do.
Good guys? All these “good guys” are doing their best to track our every move.
Would you rather risk going out and robbing people in real life, or sit behind a keyboard?
Got this from
http://www.verizonenterprise.com/DBIR/resources/2013/
An example of being careful. That “Click Here” link had a really scary link in it.
Turns out it’s just a constantcontact link, nothing bad, but holy cow it looks scary.