questions for this week’s discussion!
I have some thoughts from Tracy’s talk, but I want to hear from you all first!
Misc. thoughts:
I probably should have known this but really appreciated her breakdown of the different hacker “hats”. I knew there were different types (by intention and such) but not the different terms, and that they are so clearly defined.
The idea of cyberinsurance being like a broom, not a shield reminds me of April Glaser’s comment about how you can’t clean up a data spill - both are really succinct, easy-to-impart ways of explaining the concepts. (That said, don’t some homeowner/rental insurance policies protect against some forms of data/digital fraud like credit card numbers being stolen online?)
I could see incorporating some of her suggested links about keeping up to date on breaches into a basic online safety class. I also would definitely include the sites she showed us for checking on links’ safety (I’m happy to know about those for myself). And this isn’t a well-formed idea by any means, but I could possibly see structuring a digital safety series around the CIA triad - so, the confidentiality session could talk about phishing, strong passwords and two factor authentication; the integrity session about physical safety and encryption; and the availability session on viruses, software updates and patches. (That said, I’m a little unclear on the difference between availability and integrity, so maybe some of those should be shifted.)
Cybersecurity at my library: we have separate public and staff wifi networks, though the staff one often doesn’t connect properly to the iPads we sometimes use so many people use the public one instead. We aren’t supposed to put public USB drives in staff computers, which makes a lot of sense. The loaner flash drives are wiped clean on a computer that’s not connected to the staff network. I have no idea how often software is updated or what sort of malware/antivirus protection is installed on either the staff or the public computers.
She shared so much great info and so many useful links! (Also her story/how she got into infosec is awesome.)
Here are my thoughts:
I really, really appreciated Tracy’s breakdown of terminology–most of it was familiar, but I appreciated the way she described things.
I took a photo of her slide about how to to check the links in emails and her suggested URLs for testing them. There have been A LOT of phishing emails lately getting through whatever filters my work sets up, and I’m really interested now to check out where the links in some of them are directing people.
We typically check the the computers in the library throughout the day to make sure that people have logged out of everything and that they haven’t left USB drives or other peripherals (which they do all the time), but I don’t think any of us have thought to/known to check for things like that malicious USB extender thing she showed on the “integrity” slide, or wi-fi pineapples. I’m planning to work with one of our student tech assistants to make a small primer on things like that to look for, and what to do if they’re found.
Cybersecurity at my library… is pretty lousy. I’m going to follow up with staff and IT about the things @sjbrown mentioned. We don’t currently have a policy against putting patron USBs in staff computers, but we totally should–it is not uncommon that one of us will put a student’s USB into one of our computers to print a document. We also have loaner flash drives that we’re not wiping in any secure way, and our WI-FI network is not segmented. I have a meeting scheduled with our CIO in a couple of weeks and the list of things on my agenda to talk with her about keeps growing and growing.
Great idea! And integrity and availability are closely linked imo. I think of integrity more like “is this data able to be tampered with?” and availability as “can I use this website or software properly?”
That sounds like a strange problem!
I bet your IT staff can answer this.
I agree! It’s super helpful even if you already know this vocab, because she talked about it in ways that could be shared easily with patrons.
Avoiding phishing could be an entire class for patrons (or staff) all by itself.
Sorry about that 
Kade Crockford said “abuse if guaranteed.” On a Venn diagram, sometimes privacy and security overlap. Sometimes they don’t. Everyone has a right meaningful labor. If you don’t trust the institution you work for/with, you pay a high psychological toll. Edward Snowden said “privacy is the right to a self.” These are the things I am muttering to myself as a stumble between cars in the Undergraduate Philosophy Parking Lot.
Recently, all Metro departments were asked to complete a “Cyber Risk Insurance” survey to help determine the value of each departments data assets. A big part of this is how much PII do you handle and store. The end goal here is help determine if departments, individually, need or want to buy cyber insurance. My coworkers’ hunch is that this is in response to the Atlanta ransomware attack. One of things that came up was if “name alone” counts as PII. Apparently, the answer is no:
For the purpose of responding the questions below “personally Identifiable Information” (PII) is defined as information which can be used to distinguish or trace an individual’s identity, such as their name, Social Security number, or biometric records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, home address, username/email address with password, state identification numbers, medical insurance information, etc.
NIST Special Publication 800-122 (https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf) and Government Accountability Office (GAO) Report 08-343 (https://www.gao.gov/new.items/d08343.pdf) both state that the name alone (Name, such as full name, maiden name, mother’s maiden name, or alias) does constitute PII. However, we have been instructed by AJG to only count as PII names in combination with other personal or identifying information. So, for the purpose of the Data Assessment section, please use the following revised definition:
For the purpose of responding the questions below “personally Identifiable Information” (PII) is defined as information which can be used to distinguish or trace an individual’s identity, such as their Social Security number, or biometric records, alone, or name when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, home address, username/email address with password, state identification numbers, medical insurance information, etc.
Rando: in the chat during the lecture @alison mentioned Jeremy Hammond. The password he used for everything was “Chewy123.” He paid a high price for this lapse. I slightly misquoted the last words of his sentencing statement. I should have wrote, “Stay strong and keep struggling.” Personally, I have found his sentencing statement motivating. This is not to lionize Mr. Hammond. I don’t know him personally and he might be a total jerk.
Yeah you’re right, Tracy said “fluffy123” but his was “chewy123”, the name of his cat. even high profile hackers make bad passwords. I’ve never met him but we know a lot of people in common and he does seem like a decent person. definitely not deserving of prison that’s for sure.
To address this question directly: there are monthly cybersecurity newsletters sent to all Metro employees. Each one will have tip like, “delete cookies sometimes” or “have a good password” and talk about how. If you combined two years of them you’d have LFP’s Online Privacy Basics course. The info is good but sparse, and I’m not sure how many employees pay attention to what is more or less spam from the city’s central IT department.
Via Metro Human Resources there is an annual “Securing the Human” online training. Do any of your employers utilize “Securing the Human?” This is an online course about how every staff member is a security vulnerability, and every staff member has responsibility to keep work networks and their data safe. The content of this training is excellent, and has been echoed throughout our LFI curriculum, but it is a webinar that suffers from robo-voice and 90s Lawnmower Man graphics. Its aesthetics, and the fact it is mandatory, cause it to be brutally mocked and ignored by staff.
Most other policies are dictated by Metro’s central IT department. They are security-minded not privacy-minded. They are a Microsoft house. In a very complicated relationship, the library also has a separate IT staff. They answer to central IT and library administration. They mostly handle Microsoft stuff and network infrastructure. They are security-minded. Library specific applications are administered by Shared Systems. This is the team I transferred to shortly before LFI began. We work closely with the library IT department, we have a positive relationship with library IT staff, but Shared Systems is all librarians and are privacy-minded. Though not librarians, library IT enjoy their independence from central IT and will usually work with us on new projects.
How could this be improved? Perhaps this is self-serving, but I think the security trainings could be delivered to library staff by library staff. Maybe library staff would take them more seriously if the were delivered in a more personal way by peers. Cold emails and laughable webinars are a hard sell.
Hmm…some rhetoric would put security and privacy at odds with each other. Many an anti-privacy argument has been framed within protecting us from ourselves, each other, and the other!
As far as incorporating this into classes, in the immediate future I’m thinking about a a two hour “Shop Online with Confidence” class we teach before the holidays. Last year, we discussed phishing emails, but I’m going to add in the information she gave on checking links in an email. I’m also going to talk about recent breeches and show the pwned website. (BTW, I had been pwned in a Ticketfly breach, so thanks for that Tracy!) I think that’s a good way to demonstrate why it’s important to have unique passwords on different sites without being too fearmongering. Harm reduction! (I think for people who can’t drive anymore or walk/stand for long periods of time, online shopping is the best thing since sliced bread.)
The pwned site really is amazing. I’ve been pwned 3 times. Two I already knew about (LinkedIn and Ticketfly), the other is from some site I’ve never had an account with at all. So I’m thinking that’s a double pwn. Someone used my email address to set up an account, perhaps? Changing all passwords on everything now.
I was struggling a bit when Tracy first started talking about reading e-mails as part of security even though I understood what she was saying. I like the way you phrased it @Sarah_in_Oregon. Since we’ve lost so much privacy in the name of making us more secure this logic wasn’t really making sense to me at first. And while I believed that Tracy doesn’t care what’s in the e-mails, someone else might.
That said, I’m embarrassed to say I hadn’t really thought about all the ways in which we, as employees, (as well as patrons) can threaten our systems with outdated devices and software that hasn’t been updated. I also appreciated the links to virustotal.com and urlscan.io and will share these with staff.
I’d be interested in hearing feedback from employees to see if anyone actually pays attention to those emails! I suspect you’re right that they treat it as spam.
oh my goshhhhhhhhhhh lol. as if we needed further proof that aesthetics and presentation style matters so much. especially when it’s a passive setting like an online course or email.
definitely. it’s like what we learned from Mallory about making workshops relevant and engaging and also meeting people where they’re at and recognizing what they already know. otherwise you lose them before they even begin.
When Tracy said the thing about looking at emails for security reasons I was like, omg everyone in this class rn is like DO WHAT NOW lol
I’m surprised you weren’t in the hack that every librarian and library patron is generally in, the Adobe breach!!!
Yes exactly! And I don’t really buy the idea that there isn’t some better (and privacy preserving) way of getting users to stop clicking on malicious links etc. It actually seems like a big security flaw to have multiple people accessing private emails.
I really think that one of the worst ways developers screwed up was by putting updates in the hands of the user. People don’t understand how important updates are, and updates break things, so people don’t update.
Yesss, this! When Tracy said that privacy people and security people sometimes divide themselves up, I was like, um, I know which side I’m on.
That said, @Rebekah, what you said really resonates for me. I’ll confess, a few months ago I had to go to our campus IT to get my OS updated because it was so old that they stopped updating all the things…which I also wasn’t updating, because, I don’t know, I’m bad? (Another one of those terrible habits that is hard to break, I guess.) Anyway, all of this is a reminder to me to get my act together – and that there can be a broader impact than just on me if I let things languish. Community motivation!