LFI.2: Week 7 discussion: cybersecurity in libraries

#1
  • How do privacy and security overlap? How do they differ?
  • How might you incorporate cybersecurity competencies into privacy classes?
  • How is your library already practicing cybersecurity? How could it improve?

I would love to hear people’s ideas for incorporating the 5 P’s of cybersecurity (can anyone remember the ones Tracy used, I am finding a different list when I search – we can also check the video which I am uploading now).

Also, just to gently push back on Tracy’s idea of not letting people use library wifi in the parking lot, here is EFF’s take on that: https://www.eff.org/issues/open-wireless

0 Likes

#2

I was a little taken aback by the not-having-wifi-when-closed. I’ve spent enough time wardriving to know how important it is to have a network people can use. Especially students who may not have access at home. Doubly so since some libraries are closed on Sundays or have limited hours.

I like the article and I think we should be doing all we can with our bandwidth to serve our communities. If we’re paying for that bandwidth it should absolutely be accessible all of the time.

Some people are concerned about loitering, but I’d rather have someone loiter in our parking lot finishing their homework than not being able to do so. Students are just one example of many that come to mind.

6 Likes

#3

Yeah, I visited Savannah GA summer before last (went to art school there in the early 90s) and, as usual on a trip, visited a few branches of the local Live Oak library system. It was a Sunday and all the branches but Main were closed. At the WW Law branch I visited there were dudes in the parking lot with their car doors open, one had a TV tray with his laptop on the side of the car. Just sitting and using the WiFi. Hardly condemnable. I had to look up wardriving, ha.

3 Likes

#4

5P’s from my notes: Passwords, Patching, Precaution, Preservation and Privilege

This is a hard one. I’d maybe say that privacy refers to the imperative that a particular space, time or object necessarily precludes intrusions and divulgences based on a set of negotiated circumstances. For instance that imperative might be enacted in a home or flat or room, in a car, or consist of the contents of my devices or tote bag, or to my papers, mail and account info, or when I’m on the phone or speaking to or being with a particular person. I think privacy is something that is constantly negotiated at all levels of interaction, from community to personal.

So I’d say that cybersecurity is the set of practices, tools and habits that we employ against the threats to our privacy in the digital sphere (and which may also be extensible into ‘meat space’).

The 5Ps would work well set after the threat modeling questions in a training - they’re actionable!

City of Boston just implemented 2FA for our employee accounts which is great, but the library isn’t as proactive with addressing cybersecurity practices. I think it comes down to resources and staffing, honestly. A few things:

  • Public staff workstations are updated fairly often, but there is a shared login floating around. There’s also a shared login for copiers and scanners. Who knows how many people have it?

  • A prominent administrator’s email got hacked and a bunch of staff received a spoofed email from his account.

  • There are no trainings for staff on some of the actions Tracy laid out (backups, strong passwords, id’ing malicious mail/content) that we can do to be resilient and better respond to and resist threats. To be fair, IT did send out an email earlier this year with instructions to send malicious materials to a special account, but there weren’t a lot of details about what malicious looks like.

So as far as the 5P’s, we need to work as an institution on privilege (too many credential sets out there!) and passwords first.

1 Like

#5
  1. Privacy vs. Security
    I think of privacy as a state or way of using different technologies in ways that can either further protect or erode your privacy. In terms of digital technologies, privacy isn’t a static state you can achieve, but rather a state/way of using tech to match your level of comfort with how your information is being used and collected. Security overlaps with privacy in the ways that people adapt certain techniques, technologies, or mindsets to achieve greater levels of privacy. Security and privacy overlap in one clear way to me: security is the act you take in order to achieve a higher level of privacy.

  2. Incorporating cybersecurity competencies into class:
    I think there were a lot of examples that Tracy gave about types of cybersecurity threats or attacks that can be easily woven into threat modelling approaches. Social engineering/spoofing emails/et cetera are concrete examples of how digital privacy can be compromised sometimes for criminal purposes.

  3. I work at two different libraries in higher ed. One library doesn’t allow students to plug USB drives into staff computers. Another doesn’t wipe clean the laptops we rent out / a few publicly available computers (where I’ve found people were logged into their Chrome accounts for god knows how long). I think that it could probably improve if there was more direct communication between library staff/faculty and IT. Tracy had some pretty good pointers about how to get that relationship going, but I think in order to get the ball rolling, someone within the library should probably be appointed to be in contact with IT so it is more centralized/direct communication and solid grounding for a continuous relationship.

-> Wifi & public library parking lots: I also was uncomfortable with this suggestion. Of course there are many ways that libraries can be compromised, but it feels like a waste to deny the public access to wifi. Also, in New York it just drives people to connect to LinkNYC, which is partially owned and controlled by Alphabet, Inc.

1 Like

#6

Thanks for that EFF link. Counting the number of students who sit outside the library and log in to the WiFi was a successful data point that some of our local community colleges used to convince administration to allocate more money for longer library hours. I agree that you have to be thoughtful about how you serve up your open WiFi, and it can be done in a way that is both secure for the library and the patrons.

The idea of having a non-networked computer sounds really cool. We were having a similar conversation in our NY Census working group about having a secure, non-networked computer for patrons to fill out their 2020 forms online. My take is that it should officially be known as the “Battlestar Galactica” computer.

5 Likes

#7
  • How do privacy and security overlap? How do they differ?
    Cybersecurity refers to protecting secure, critical and sensitive data and preventing it from falling into the hands of malicious third parties. Privacy generally relates to citizens’ personal information and their ability to fully understand their rights regarding how data about them is collected, used and shared.

  • How might you incorporate cybersecurity competencies into privacy classes?
    Don’t assume the role of a cybersecurity expert. Collaborate/partner with IT department. Ask what they would recommend for teaching people to make smarter security decisions.

  • How is your library already practicing cybersecurity? How could it improve?
    My library invested in a third party security awareness training and simulated phishing platform called KnowBe4. I know of at least one upper management staff member that fell for a simulated phishing attack, so I do think it has had at least some effect. How to improve? We could require two-factor authentication on email for all staff members. Be better about deleting unused accounts. Enforce stronger password rules.

0 Likes

#8

I think the best way to incorporate the 5 P’s of cybersecurity is to provide training and resources to library staff. For example, in order for patching and preservation to happen, organizations need proper IT staffing or designated people in library staff to make sure that this happens. This could mean advocating for staffing or resources, but in a large institution like mine, it can be difficult when departments all over the college are vying for more faculty or staff positions. In my case, I’ve gotten myself onto the college’s IT Advisory Committee, which can have some sway in the process.

In terms of precaution, my college could do some more work in the areas of training staff on better cybersecurity practices. One of our administrators recently fell for a phishing scam. I don’t know what that type of training or scam alerts could look like. I think the current method of alerting faculty and staff via email doesn’t seem to be working though. However, even training on basic strategies such as hovering over a link url, as Tracy mentions, could help to educate our staff.

As for passwords and privilege, I agree that limiting the number of people with passwords is a good strategy, as well as changing passwords periodically. We have people that retire or move on and off committees all the time. I’d like to bring this info back to our librarians and staff that update all of our social media sites, for instance. I’d also like to bring up the issue of using password managers on public stations. I recently logged onto one of our reference desk stations and saw that one of our librarians was still logged into their password manager. I had access to his email, QuestionPoint chat, etc. I logged him out and sent him an email reminding him to log out, but I think a training session for all library staff can help us all exercise more precaution. It can also provide a way for us all to perhaps even brainstorm some other ideas or inform on other areas where we need to be more secure.

0 Likes

#9
  1. How do privacy and security overlap? How do they differ?
    On a very broad level, privacy is an individual’s right to disclose and share information in the way and/or at the time in which the individual chooses (if they choose to do so at all). Privacy is achieved through taking steps to protect and through the ongoing acts of maintaining and securing data. These ideas are linked because they work in tandem to achieve a goal (protection) but differ in that security is a practice whereas privacy is the data and values that one wishes to protect.

  2. How might you incorporate cybersecurity competencies into privacy classes?
    I have observed that people find a lot of value in learning about technology through concrete examples. Cybersecurity and privacy can be difficult to conceptualize, so approaching these topics in a way that is personal and/or visible is important. As an idea, demo’ing a phishing email might be a valuable experience for people in a class.

  3. How is your library already practicing cybersecurity? How could it improve?
    Earlier this year, I moved library jobs. At my former place of employment, we were completely apart from our City’s IT Department and had direct control over all of our IT decisions – though, our library network was responsible for the internet. I, along with the Tech Services Supervisor, was the technology lead and worked together to ensure routine machine maintenance & upgrades, and I made sure that our library staff user account passwords would have to reset after a certain period of time. Generally, the use of widely shared common emails and/or passwords across staff was not permitted (or even considered) and each staff member had their own account for the tools that they needed an account for.
    In my new library, one area that strikes me as a large vulnerability is the use of a few master passwords for shared non-individual specific accounts that everyone has access to. I have been working on moving the organization away from this practice – predictable, commonly shared usernames and passwords are a strong invitation to disaster! I have been exploring password managers more and will be working towards shifting my library towards these tools as I break up what is happening with widely held account & password sharing across the institution. Also – the reliance on saving passwords in the web browser is another risky area; these tools can be hacked and house a wealth of valuable information.

0 Likes
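As an added illustration of the "hover over the link URL" tip from post #8 and the phishing-email demo idea from post #9 (example code written for this thread, not from any poster or the course), the script below parses a constructed HTML email and flags links whose visible text names one domain while the href actually points to another. The "registrable domain" comparison is a crude last-two-labels heuristic, an assumption rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The first link displays a library-looking
# URL but its href goes to a different domain; the second is consistent.
SAMPLE_EMAIL_HTML = """
<p>Your library account password expires today.</p>
<p>Renew here: <a href="http://login.library-verify.example/reset">
https://www.library.example/account</a></p>
<p>Or read our policy: <a href="https://www.library.example/policy">
library policy page</a></p>
"""

# Visible text that looks like a URL or bare hostname (assumed heuristic).
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible_text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels domain (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return (visible_text, href) for links whose displayed URL/hostname
    belongs to a different domain than the href the user would actually open.
    Links whose text is ordinary words are skipped: nothing to compare."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        match = HOST_RE.match(text)
        if not match:
            continue
        shown_host = match.group(1)
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: shows {text!r} but opens {href!r}")
```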

#10

I like the basic stripped-down definition of privacy, that is being selective about the information you share. Security in this context is what you do to uphold your privacy. I think there’s also maintaining the balance of value between privacy and convenience, which factors into security. I read or heard somewhere that the most private computer is one that isn’t connecting into the network, which I feel is an extreme form of security. It is secure and private, but it’s also disconnected from the rest of the world, for better or worse. However, this also reminds me of what Tracy had mentioned about isolating a workstation specifically just to look at USB drives. I think the difference between the two is negotiating this balance.

Another example is our college WiFi password. It is over 26 letters long, uses alternating caps, and is publicly available. I find this extremely unappealing for tablet/phone users as they have to type this in. After they type it in, they then must authenticate with the system, where they download a piece of software that scans their system to make sure it is up to date with virus definitions. I personally do not use this WiFi because I have a lack of trust of what data is collected when I connect to this network; this is extremely secure, but is it private?

I think going through the 5 P’s would be a good way to gauge cybersecurity in a privacy class. Simple questions like: do you use strong passwords? Do you patch systems? What precautions do you take to protect the system? How often do you preserve the data? Can you restore data? Who has access, and what levels of access (privilege) do persons have to the system?

There are many improvements to our library’s security. We use HTTPS, most everything has strong passwords, and we have an added level of security dictated by campus IT which is both a blessing and a curse, in the sense that we can’t do certain things and if we do want to do them, it takes months for them to happen. We could definitely improve just through staff training and using stronger passwords.

1 Like

#11

Like others have mentioned, I see cybersecurity as one of a number of tools that can be used to protect an individual’s and a group’s privacy. And I think the P of Precaution is a technique that can lend itself well to teaching in a variety of different settings. In my library instruction sessions I cover quick ways to evaluate a resource students may find online: who is producing this information (is the site a .gov, .edu, etc.), who and where are they linking to, and other tips. Precaution seems to go hand in hand with critically evaluating a source, a link, or an email. I don’t teach (right now at least) privacy classes for patrons, but reminding the students in my instruction session that evaluation is a transferable skill could be a good way to teach privacy-protecting skills in this setting.

The biggest push around cybersecurity at my library right now is looking at moving our electronic resources behind multifactor authentication. I have a number of feelings about this, most of which aren’t good. At least as it is set up now, our MFA calls you on your office number or a cell phone before you get access to whatever you are trying to get to. For our students that’s assuming that they will have cell service, and given the amount of concrete on this campus that can sometimes be a problem, and that also doesn’t consider our students and researchers who are off campus and sometimes in areas with poor or no cell reception. My other concern is that this push to MFA is arising from the fact that some of the vendor’s content was being improperly downloaded (by accounts from across the globe). And instead of shoring up their security measures, the burden of their content security is falling to libraries. And the methods for securing their content create significant friction for our users. What could have been a partnership on how both parties could be better at security becomes “libraries do this or you lose all access.” This seems to be one of these moments when a corporation has greater opportunity to set the boundaries for protecting their content (their privacy) than is afforded to our users who use their content.

1 Like

#12

Agree. My library doesn’t have a parking lot, but we have patrons sitting up against the exterior walls before opening and after closing to access the wifi. It would be unfortunate to see that go away, especially in areas with large tech disparities.

0 Likes

#13

My library is part of the larger county system, and retains all sorts of private info – not just library patron accounts, but court records, property tax info, social services, etc. We had a breach in our cybersecurity last summer, which, fortunately, did not have dire consequences. A happy outcome is that it is kind of a pain to set up the system to check work e-mail from home, which means many people do not.

0 Likes

#14

I have been listening to this podcast “Intelligence Matters” for a year now. I think it would be beneficial to all of you to listen to. Based on today’s session, the episode with Chris Krebs, Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), will be beneficial to you and the knowledge we are all trying to acquire.

Have a great day!
Grace

0 Likes

#15

The best current example I can think of where privacy and security overlap was when Lynda.com was purchased by LinkedIn. Libraries offered Lynda.com to patrons. Patrons registered to use it because they thought it would be secure and their private information would be kept. As it turned out, not so much when the library decided to end their contract with Lynda.com. Their patrons received a number of solicitations via email.

In my system, we started offering cybersecurity classes to library staff a few years back. It was interesting to find out that we need to offer basic technology and software information first and then get into the cybersecurity piece. I do think we need to do more education.
We are always talking about making staff change their password often but never get around to doing it.

0 Likes

#16

I think there are definitely improvements that could be made with regards to cybersecurity at my library. As a part of the city, we are required to complete periodic cybersecurity training. But as with most city-wide training, most people just click through aimlessly & learn just enough to pass the modules. Our IT department sent out a phishing test email last year & it was reported that quite a few people at the library clicked on links in the email (I can’t remember the exact numbers or find the email right now!), which was quite depressing for me to hear… but also not surprising.

Our system usually uses very basic passwords & reuses passwords for nearly everything we have to login to, which is horrible. We are also given passwords when we start for our email & we are told to NEVER change them… again, terrible. At my old branch, my former boss created a bunch of accounts (social media & some other websites) using his work email & password. He typed his password into multiple documents & didn’t think anything of it until he was training me & he was suddenly like, “Oh my… this is MY email password, I probably shouldn’t have that printed & all over the workspaces.” :exploding_head:

Another odd thing about my system is that every branch has a staff wifi network, but pre-2018 no one at branches had access to the staff wifi. I asked about why this was the case, but I’ve never gotten a straight answer from IT. Every time a staff member would request to use the staff wifi for a library-related reason they would just give them the run-around & not end up giving them access. Thankfully staff can now use their city login information to get on the staff wifi for things like using the ILS on the branch iPad. I definitely plan on keeping a log of IT requests that this course has brought up for me & making suggestions once I have my massive list compiled. :nerd_face:

+1 supporter of 24/7 open wifi over here. We have 24/7 wifi at all our branches & I’ve never heard of it being an issue with loitering. My previous branch did end up reducing the wifi range since many of the people in (literal) million dollar condos across the street decided that they’d just use the library wifi instead of paying for service themselves & they were slowing the network down drastically. I do think that’s a fair case of reining in the range a bit! :slight_smile:

0 Likes

#17

O M G

0 Likes

#18

I loved Michelle’s explanation here. So… yeah, what she said. :wink:

Re: wifi after hours, I agree with many of you who say they’d rather people loiter in a relatively safe parking lot to use wifi than go to Starbucks or the local hospital waiting room. (Not a lot of options in Rockwall county.) But not many people do, probably because the county courthouse is directly next door, with the jail just down the street.

The entire county’s currently undergoing a series of Cybersecurity Awareness Training Courses offered through the Texas Association of Counties. It covers issues on passwords, phishing, using mystery devices (plugging in a USB drive left by someone to determine its owner), etc. I’d like to see something like this offered for our patrons, who, like many of y’all’s, use the library for their main internet access. So that’s in the works.

1 Like

#19

Although my county in Georgia is classified as suburban rather than rural, we still have a lot of patrons who still don’t have internet access at home. They have devices so they come to the library. My wireless use has tripled in the last two years, and yes, we offer 24 hour access. Until a few months ago, I lived down the street from my library, and I would see people in the parking lot whenever I drove by. Fortunately, we do have two wireless accounts – the public wifi one and one for staff that our payment iPad and other staff devices are set up on.

0 Likes

#20

I am not completely clear on the argument to turn off wifi when the library is closed in terms of cybersecurity. What was the benefit? So that fewer people will put their devices on our wifi, thereby decreasing risk by numbers?

Our public network is completely separate from our staff network, so that helps with security. No staff devices are allowed to connect to the public wifi. So that is a layer of protection.

I don’t know a lot about what ways my library practices cybersecurity. We have a Chief Security Officer in IT whose job is cybersecurity. We aren’t allowed to use USBs ever and every device purchased has to be personally approved by the Head of IT. No one is allowed to download anything onto any device except for IT. Security wise, I guess that helps protect the library.

I remember Tracy saying something about everyone on staff at a library having a Twitter password, and her suggesting that is completely unnecessary, and I agree and understand her point, but that leads me to another quirk? “security measure”? of my workplace. The library is not allowed to have any social media at all. Everyone in the whole city has to share one account, and in 2017, the password was shared with 3 additional people in the city to post. As a FB hater, I am completely fine with the library not having one, but security is often mentioned as one of the reasons.

0 Likes