Securing & Safeguarding Your Library Setup.pptx

  1. Securing & Safeguarding Your Library Setup Brian Pichman Twitter: @Bpichman
  2. Agenda • Understanding Anonymity, Privacy, and Everything in Between • Protecting Yourself • Getting Hacked • Best Security Tool: A Policy That Is Followed • Tools for Protecting Your Network
  3. Cloak of Invisibility Anonymous Browsing tools like the Tor Project
  4. Cloak of Invisibility Top reasons why people want to hide their IP address: 1. Hide their geographical location 2. Prevent Web tracking 3. Avoid leaving a digital footprint 4. Bypass any bans or blacklisting of their IP address 5. Perform illegal acts without being detected
  5. Onion Routing, Tor Browsing • A technique for anonymous communication over a network. Encryption is applied in three layers, one for each hop: • Entry Node • Relay Node • Exit Node • Tor is made up of volunteers running relay servers. No single router knows the entire path (only where its traffic came from and where it goes next). • Tor can bypass internet content filtering and restricted government networks (like China), or allow people to be anonymous whistleblowers. • Tor allows you to gain access to “.onion” websites that are not accessible via a normal web browser. • Communication on the Dark Web happens via Web, Telnet, IRC, and other means of communication being developed daily.
  6. Cloak of Invisibility How do you Hide an 800 lb Gorilla? • Use Free WiFi (to hide your location) • Use a Secure Web Browser • Use a Private VPN • Go back to Dial-up • Set up RF Data Transfer over CB Radio Waves • Use Kali Linux to hack someone else’s WiFi Encryption. • Set up long-range Wireless Antennas
  7. Cloak of Invisibility • How to hide yourself? • Private VPN • You want a TOTALLY anonymous service. • Look for one that keeps no log history (Verify via reviews) • Look at Bandwidth & Available Servers • Recommendations: • Private Internet Access (PIA) • TorGuard VPN • Pure VPN • Opera Web Browser • Avast AntiVirus (SecureLine) • Worst Case: Free WIFI
  8. Cloak of Invisibility • How Tor anonymizes “You”. • How a VPN keeps “You” protected.
  9. Dial Up? • Use an ISP like NetZero that can be registered with fictitious personal information, and to which you can connect with caller ID disabled • Makes it a bit more difficult to identify “you”
  10. Free WiFi • Sometimes a good alternative if you need to do something anonymously • Nothing is ever 100% anonymous • Some public wifi does track websites you access, what you do, etc. • Make sure your computer name you are using doesn’t include your actual name
  11. Hacked WiFi – Cain and Abel
  12. Best Tips and Practices Do • Use a device that you’ve never signed into anything “personal” on. • Pro Tip: buy a computer from a Pawn Shop or Garage Sale Don’t • While on a VPN or any other anonymous tool, don’t sign into personal accounts (banks, social media, etc). • If posting, don’t use anything that could be associated with you
  13. Easy Wins for Privacy • 10 Minute Email • https://10minutemail.com/ • Temporarily get an email box that’s anonymous and disappears after 10 minutes • Dr Cleaner (Mac) or Eraser (Win) can overwrite files on your computer with “blank” data to make file recovery near impossible. • Tools like Recuva are free software that allow you to restore deleted files.
  14. What People Pay For Your Data • https://www.fortinet.com/blog/industry-trends/the-true-value-of-data.html • Credit Card Numbers: 50 cents to $2.50 per card. • Bank Account Information (logins/information): $1.00 to $70 • Medical Records: $10-$20
  15. Protecting Yourself
  16. Google Isn’t Always Your Friend
  17. Tools For Use • Sites to protect yourself all the time (not free) • IdentityGuard.com • LifeLock.com • Sites to monitor when breached data gets released (this is free) • Haveibeenpwned.com • Password Management Sites (like lastpass.com) • Don’t have the same password for all your sites. • Don’t write your passwords down on a post-it note and leave it at your desk
  18. Dual Factor Authentication • After logging in, verify the login via Email, SMS, or an app with a code.
  19. Credit Card Tools for Online Shopping • Check out Privacy.Com • https://privacy.com/join/473XB shameless plug
  20. Basic Tips • Accept only people you know on personal and professional accounts • Never click on links from people you don’t know. • Especially if they are using a URL shortener: bit.ly, tinyurl.com, etc • https://www.urlvoid.com/ - test the website to see if it’s safe • https://snapito.com/ gets a screenshot of what will load on the site • https://www.site-shot.com/ gets a screenshot of what will load on the site • If there are people claiming to be you on social media, it’s best to get your account “verified” on those social media platforms • This lets users distinguish that you’re the actual official account • Dual factor authenticate all of your social media logins
  21. Checking Your Accounts / Name Online • Use this site to check your usernames: https://namechk.com/ • The next is a tool that searches through your email for things you may have signed up for (I've paid for their premium service as well, not really worth it, the free does just fine) https://brandyourself.com/privacy-overview. • This tool: https://email-lookup.online/index.php searches public sources to see what links. It’s similar to https://www.spokeo.com/email-search.
  22. Myths • I’m / my library isn’t worth attacking. • Hackers won’t guess my password. • I/we have anti-virus software. • I’ll/we’ll know if I’ve/we’ve been compromised.
  23. Understanding Breaches and Hacks • A hack involves a person or group gaining unauthorized access to a protected computer or network • A breach typically indicates a release of confidential data (including those done by accident) • Each requires a different response when a breach or hack occurs.
  24. The Costs Of Breaches • This year’s study found the average consolidated total cost of a data breach is 3.9 million dollars, and in the US the average is actually higher at 8.19 million. [IBM 2019 http://www-03.ibm.com/security/data-breach/] • Data Breached Companies Experience… • People lose faith in your brand • Loss of patrons • Financial Costs • Government Requirements, Penalties, Fees, etc. • Sending of Notifications • Payment of Identity Protection or repercussions. https://betanews.com/2016/02/10/the-economic-cost-of-being-hacked/
  25. Top Hacker Tools • #1 Metasploit • #2 Nmap • #3 Acunetix WVS • #4 Wireshark • #5 oclHashcat • #6 Nessus Vulnerability Scanner • #7 Maltego • #8 Social-Engineer Toolkit
  26. BackTrack can get you a lot • BackTrack was a security-focused Linux distribution, based on the Knoppix Linux distribution, aimed at digital forensics and penetration testing use. In March 2013, the Offensive Security team rebuilt BackTrack around the Debian distribution and released it under the name Kali Linux. https://en.wikipedia.org/wiki/BackTrack
  27. Why have a policy? Starring Will Ferrell ….
  28. Increases Efficiency • Having a security policy allows you to be consistent in your approach to issues and how processes should work. • It should outline how and what to do, and be repeatable across your organization. • Everyone is doing XYZ the same way and on the same page.
  29. Accountability, Discipline, and Penalties • Think of it as a contract – for legal purposes – that you have taken the steps needed to secure your organization. • Need to define penalties when violations occur. People need to know what the consequences are for failure to comply – from a legal and HR standpoint, or even access permissions. • Policies and procedures provide what the expectation is and how to achieve that expectation. They should define what the consequences are for failure to adhere.
  30. Education For Employees • Reading these policies (and signing them) helps give your employees (and users) a sense of ownership for assets and data. • Everything from advice on choosing proper passwords, to providing guidelines for file transfers and data storage, internet access and rules, will help to increase employees’ overall awareness of security and how it can be strengthened.
  31. Addresses Threats and Risks • A good policy should address all threats, strategies to decrease the vulnerabilities behind those threats, and how to recover if those threats become actionable. • This makes “what do we do if someone hacks our network” an already defined process: who to call and what to do to mitigate further damage.
  32. Access Definitions and Permissions • A good policy would outline who accesses what and why. This makes reporting a security violation easier and streamlined. • Policies are like bouncers at a night club • It states who has access to the VIP section of the club, why, and any reasons to allow entry. • Without these rules, VIP wouldn’t be really VIP.
  33. Protecting Your Library [slide graphic: “you”, “threats”, “delicious library data”]
  34. Why do People Attack? • Financial Gain • Stocks • Getting Paid • Selling of information • Data Theft • For a single person • For a bundle of people • Just Because • Malicious
  35. How to navigate and prevent wrong turns • Who are the people we’re trying to avoid? Hacker Groups • Lizard Squad • Anonymous • LulzSec • Syrian Electronic Army • Chaos Computer Club (CCC) • Iran's Tarh Andishan • The Level Seven Crew • globalHell
  36. So what Do You Need to Protect? • Website(s) • ILS • Staff Computers • And what they do on them • Patron Computers • And what they do on them • Network • And what people do on them • Stored Data, Files, etc. • Business Assets • Personal Assets • ….anything and everything that is plugged in…
  37. [network diagram] Outside: Modem, Router, Firewall, Switches • Servers • End User: Phones, Computers, Laptops
  38. Outer Defenses (Routers/Firewalls) • Site to Site Protection (Router to Router or Firewall to Firewall) • Encrypted over a VPN Connection • Protection With: • IDS • IPS • Web filtering • Antivirus at Web Level • Protecting INBOUND and OUTBOUND
  39. Unified Threat Management • Single Device Security • All traffic is routed through a unified threat management device.
  40. Areas of Attack On Outer Defense • External Facing Applications: • Anything with an “External IP” • NAT, ONE to ONE, etc. • Website • EZProxy Connection • Custom Built Web Applications or Services • Internal Applications: • File Shares • Active Directory (usernames / passwords) • Patron Records • DNS Routing • Outbound Network Traffic • Who is going where
  41. Attacks • Man in the Middle • Sitting between a conversation and either listening or altering the data as it’s sent across. • DNS Spoofing (https://null-byte.wonderhowto.com/how-to/hack-like-pro-spoof-dns-lan-redirect-traffic-your-fake-website-0151620/) set up a fake website and let people log in to it. • D/DoS Attack (Distributed/Denial of Service Attack) • Directing a large amount of traffic to disrupt service to a particular box or an entire network. • Could be done via sending bad traffic or data • That device can be brought down to an unrecoverable state to disrupt business operations. • Sniffing Attacks • Monitoring of data and traffic to determine what people are doing.
  42. Inner Defenses (Switches/Server Configs) • Protecting Internal Traffic, Outbound Traffic, and Inbound Traffic • Internal Traffic = device to device • Servers • Printers • Computers • Protected By: • Software Configurations • Group Policy • Password Policy • Hardware Configurations • Routing Rules
  43. Updates, Patches, Firmware • Keeping your system updated is important. • Being on the latest and greatest [software/update/firmware] isn’t always good. • Need to test and vet all updates before implementation • If you can – build a dev environment to test and validate.
  44. Casper Suite / JAMF - https://www.jamf.com/products/jamf-pro/
  45. SCCM tools
  46. Protecting End Devices • Protecting Assets • Business Assets • Thefts • Hacking • Personal Devices • Security Risk • Usually pose an INBOUND threat to your network
  47. Passwords • Let’s talk about Passwords • Length of Password • Complexity of password requirements • DO NOT USE POST IT NOTES • A person’s “every day account” should never have admin rights to machines. • That includes your IT Folks!
  48. Your Security is as Strong As the Weakest Link
  49. Tools To Train • Knowbe4
  50. Pulling Everything Together • Do A Risk Assessment • Develop Policies • Training Plans For Staff • Implement tools to help protect
  51. IT Admin Tricks for Security • Administrative Accounts are easy to figure out if they are something like “administrator”, “root” or “power users”. At the same time, no employee should have their account as a full admin. • Instead, give them their own username for admin access (like brian.admin) • Change the default “login” pages for sites to something that’s not www.mysitename.com/login. Bots look for this and attack. • My Drupal Site login page is www.evolveproject.org/catpower • User Awareness is key to any secure organization. Teach users how to identify potential threats and how to respond quickly. • Avoid shared accounts. One account should only be used by one person.
  52. “Cool” Hardware https://krebsonsecurity.com/2016/08/road-warriors-beware-of-video-jacking/ Be careful when plugging your device into a public USB outlet… It can either read the data on your device OR record your screen ->
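The slide’s point that “bots look for” default login pages can be turned into a detection. The following added example (not from the deck) scans web-server access-log lines for clients that probe well-known default login/admin paths; the log lines and the address values are constructed for illustration, and the threshold is an assumption you would tune.

```python
import re
from collections import defaultdict

# Default login/admin paths that automated scanners commonly probe. Moving the real
# login page off these defaults (as the slide suggests) makes such probing unproductive.
DEFAULT_LOGIN_PATHS = {"/login", "/admin", "/user/login", "/wp-login.php", "/administrator"}

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.22"
203.0.113.7 - - [10/Oct/2019:13:55:02 +0000] "GET /administrator HTTP/1.1" 404 162 "-" "python-requests/2.22"
203.0.113.7 - - [10/Oct/2019:13:55:02 +0000] "POST /user/login HTTP/1.1" 403 0 "-" "python-requests/2.22"
203.0.113.7 - - [10/Oct/2019:13:55:03 +0000] "POST /user/login?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.22"
198.51.100.20 - - [10/Oct/2019:13:57:10 +0000] "GET /catalog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2019:13:58:44 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_login_probers(log_text, min_hits=3):
    """Return {ip: {"hits": n, "paths": [...]}} for clients that touched a default
    login path at least min_hits times or probed two or more distinct ones.
    A single staff member logging in once does not trip either condition."""
    stats = defaultdict(lambda: {"hits": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        # Normalise: drop the query string and a trailing slash before matching.
        path = m.group("path").split("?", 1)[0].rstrip("/") or "/"
        if path in DEFAULT_LOGIN_PATHS:
            stats[m.group("ip")]["hits"] += 1
            stats[m.group("ip")]["paths"].add(path)
    return {ip: {"hits": s["hits"], "paths": sorted(s["paths"])}
            for ip, s in stats.items()
            if s["hits"] >= min_hits or len(s["paths"]) >= 2}


if __name__ == "__main__":
    for ip, info in find_login_probers(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} hits on {', '.join(info['paths'])}")
```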
  53. Credit Card Skimmers
  54. Some Recommended Security Tools
  55. ESET Products https://www.eset.com/us/home-store/
  56. Sophos Home https://home.sophos.com/en-us/free-anti-virus-windows.aspx
  57. Proactive Scanning • Malwarebytes (Free): https://www.malwarebytes.com/
  58. Proactive Cleaning • CCleaner (https://www.ccleaner.com/ ) • CleanMyMac (https://macpaw.com/cleanmymac )
  59. How About Your Network?
  60. Web Security – No Installs Needed https://www.opendns.com/
  61. Parental Controls
  62. Email for Kids • There are service providers that can help manage kid’s emails and help protect them. • Google has an option where you can manage a Google Account for your child: https://support.google.com/families/answer/7103338?hl=en
  63. Apple iOS Parental Controls • https://support.apple.com/en-us/HT201304 • https://www.apple.com/families/
  64. Microsoft Families • https://account.microsoft.com/family/about
  65. Google Families • https://support.google.com/families#topic=7327495 • https://families.google.com/familylink/
  66. App Based Monitoring
  67. • Evolve Project • https://www.linkedin.com/in/bpichman • Twitter: @bpichman • Email: bpichman@evolveproject.org Brian Pichman Questions?

Speaker notes

  1. http://www.pcmag.com/article2/0,2817,2403388,00.asp
  2. https://en.wikipedia.org/wiki/BackTrack
  3. These are also the people that use TorBrowser as well to hide themselves
  4. Infrastructure: Network (Switches, Routers, Firewalls, Modem); WiFi Network; VPN Connections; Servers (File Storage, Active Directory, Application Servers); Phone System, Security System, Website, etc. End Clients: End User PCs and other Peripherals; Copiers, Scanners, Printers; Software