Critical to your library's Security Policy are your protection strategies. These are the specific techniques your security team will use and the procedures they will follow to ensure the outcomes spelled out in the Security Policy. They should include the following strategies:
- Never assume a default software installation is secure
- Always require strong authentication
- Always perform and verify backups
- Close all unused ports
- Protect your network boundary
- Use anti-virus software
- Use desktop security software
- Always monitor logs
- Keep software patched
Recently, the SANS Institute began releasing a list of the top internet security vulnerabilities. Created by SANS and CERT working with security experts, software vendors, and university security programs, it was intended to be a guide to the vulnerabilities that exist in most networks so that network and systems administrators would know where to start first to improve security in their networks. It was so popular that the list has become a yearly fixture. The most recent version can be found at The Twenty Most Critical Internet Security Vulnerabilities (Updated). This list includes seven vulnerabilities that apply to all systems and networks, and then it addresses vulnerabilities specific to Windows and Unix systems. It also includes a list of common vulnerable ports. The strategies explained below are based upon this SANS Institute top twenty list.
Never Assume a Default Software Installation Is Secure
Software vendors make their installation programs as generic as possible, focusing on ease of use rather than good security practices. There are four separate vulnerabilities you should be aware of when installing an operating system or application.
- Default services installed (mainly applies to operating systems; however, you should always check what services are installed with applications, as well)
- Flaws in code
- Sample scripts and templates
- Default accounts and passwords
Default Services (Windows NT/2000/XP) Installed
Most operating system installation programs and even applications will install a fair number of services by default. A service in the Windows family of operating systems is software that, once started, runs without interaction from users and performs a variety of tasks, from maintaining network communications to managing printers to performing URL and IP address translations. Services are sometimes designed to open certain channels of communication called ports. Once a service that opens a port is installed and started, it maintains an open window of communication and waits to be contacted. It also uses memory and processor resources. For instance, the Windows 2000 installation defaults install Internet services which open up ports that wait for web and FTP activity. Both of these services should be uninstalled if they are not going to be used. Leaving them open allows an unnecessary open window through which someone can possibly exploit vulnerabilities in the service. In order to mitigate against this vulnerability in operating systems, always be sure to uninstall (or, better yet, never install in the first place) unneeded services. Doing this will save memory and processor resources, as well as secure the computer. For more on vulnerable ports and services, see Basic Firewall Configuration.
Flaws in Code
Another problem with installing any software or operating system is related to the fact that they are, by nature, complex. By the time software is released to the general public (perhaps prematurely because of market pressures), it inevitably has flaws—sections of code that could conceivably be exploited by attackers or just cause functionality problems. These flaws are called bugs. The only solution is to always be sure to immediately install patches or service packs for the operating system or application after their installation.
Sample Scripts and Templates
A third problem is that vendors sometimes include sample scripts and templates to help the end user with common administrative functions. The most commonly known sample scripts are those provided with a default installation of Microsoft's Internet services. Because everyone knows what these samples do and exactly where they are installed, hackers can exploit these sample scripts and do anything from causing damage on a computer to gaining full control of the computer. Always uninstall sample scripts, databases, etc. before releasing an application or operating system into production.
Default Accounts and Passwords
Finally, in the interest of making a product easy to use, vendors often set up generic user accounts and passwords as part of a default installation. Like sample scripts and templates, operating systems often provide generic accounts and passwords by default. Unless you change the defaults, an attacker will find it relatively easy to hack into a server simply by logging in as a user with the generic password! To protect against this all too easy attack, always change the administrative account password. Microsoft always forces you to create a unique administrative password; however, a guest account is often created that uses no password. In addition, consider renaming the account. If a hacker doesn't know what the account names are, s/he won't be able to perform a "brute force" attack by trying all possible password combinations for a particular user. Disable guest accounts whenever possible, and if using a Windows operating system, restrict the "Everyone" account on as many directories as you can.
Always Require Strong Authentication
The goal of an authentication system is to verify who a user is, which then determines what data is available to that user (see User-Level Security). A user can be authenticated because of:
Strong authentication demands at least two of these methods used together to verify a user. For instance, a user could be authenticated first by their library card (something s/he has) followed by a PIN, Personal Identification Number (something s/he knows).
It is important to educate users about how to create a good password, because weak ones can be fairly easy to figure out with the right tools and knowledge. As soon as a password is compromised, especially one that belongs to a user with administrative access or extensive rights, the entire security system falls apart. For more on how to create good passwords, see Using Passwords Effectively.
Always Perform and Verify Backups
In an emergency where one or more of your servers has gone down and must be restored, having reliable backups of your data is critical, especially if you can't afford to be down for very long. If backups are not made daily, or at an interval acceptable to your library, you won't be able to quickly recover (or recover at all) from data loss. You should create backup procedures that state what data must be backed up, when backups must be made, how they must be tested, where the backup media is stored, and how restores are performed.
It is important to establish an off-site storage location for backup media. When determining an off-site storage location, it is important to consider ease and frequency of delivery of backup media, safety from fire and other disasters specific to the area, and security depending on how sensitive the data is. It may also be a good idea to maintain a set of installation media for the backup software as well as some kind of backup hardware, should the production environment fail. This way, it is possible to at least restore data and access it. Test the integrity of your backups, as well. An easy method is to back up and restore a test file. Try to also test databases, websites, com objects and other features that may need further configuration beyond just a simple file restore.
Close All Unused Ports
|As described above (Windows Services), ports are open windows to a computer that wait for a particular kind of communication. Ports have identification numbers which are included with every TCP or UDP packet. Services that are running on a machine are programmed to be on the alert to "listen" for packets that arrive from other computers that have the same port number as they do.|
The more ports your servers have open, the easier it is for attackers to connect to that server. Just as bad, the types of ports your server has open can give away a lot of information about it. One of the first things a hacker will do is monitor your network traffic to try to see which ports are in use. An important security implementation is to restrict what traffic is allowed into your network by only allowing traffic through certain ports on your firewall. For more on closing ports, see Basic Firewall Configuration.
Periodically scan computers on your network to see what ports are open. This gives you a clearer idea of what open ports and traffic exist on your network, and over time it should enable you to spot attacks because you will notice additional ports open that were once closed. The best way to do this is to run a port scan on each individual server, and then run a network-wide port scan. Then you should compare the two lists. If they differ you should find out why and close any ports that have no reason to be open. For more on port scanning, see SANS' The Twenty Most Critical Internet Security Vulnerabilities, section G-4. Remember, access to open ports on servers inside your network is limited to the ports that are allowed through your firewall. If it isn't allowed through the firewall, then it won't get to the server inside.
Protect Your Network Boundary
The boundary between your library's network and the Internet (or the rest of your organization if you use their Internet connection) is an important one. It is one of the most vulnerable points in your network because it is the point through which all incoming and outgoing traffic must pass. It is therefore extremely important to protect it with some sort of device such as a firewall (or at the very least a router with access lists) that looks at network traffic in two ways: traffic that originates on the inside, and traffic that originates on the outside. Thus a boundary is created; it establishes what is acceptable incoming and outgoing traffic and what should be turned away.
If you have servers that need to be accessed from the outside, such as a bibliographic database server, a web server or an email server, consider establishing a perimeter network (also called a DMZ) that allows these servers to be accessed while still protecting the rest of your network. For more on firewalls and how to configure them, see Firewalls and Basic Firewall Configuration.
Use Anti-Virus Software
Using anti-virus software is a necessity nowadays. Back in the days when viruses primarily spread through infected floppy disks, a library could get away with disabling floppy drives and be done with it. With the advent of the Internet-borne virus, those days are over. Viruses and worms now spread with terrible swiftness and can cause amazing damage. The Code Red virus infected over 250,000 systems in 9 hours on July 19, 2001; NIMDA and Code Red worms cost business 3-6 billion dollars.
Not only must anti-virus software be installed on all servers and workstations, virus definition files (DATs) must be constantly updated. If your library is large enough, consider purchasing anti-virus software that has a management component that allows automatic DAT updates and virus scans over the network. In addition, your library should prevent the acquisition of boot sector viruses by changing the boot sequence of all computers. For more on anti-virus software see Anti-Virus Software.
Use Desktop Security Software
The security features that come with operating systems are sometimes not enough to meet the needs of a library. This is especially true with public access workstations. For that reason, desktop security software should be added when the operating system cannot provide enough security.
Certain operating systems are less vulnerable than others and may have less of a need for desktop security software. For instance, Microsoft has taken great pains to add many new security features to its newer operating systems Windows 2000 and Windows XP. For those library public access computer administrators who still use Windows 95 or Windows 98, using desktop lockdown software is strongly advised.
Always Monitor Logs
Keeping a close eye on a server's logs is one of the best ways to know when your network is under attack. Logs can show what ports are being opened, what files are being accessed, and what services are being run. Even more important, logs can show when someone has tried to log in with an incorrect password or access a resource. If your server or network is attacked, your log files are a good place to start investigating. Archive your logs on a regular basis so that the log files cannot be overwritten or erased by attackers who want to cover their tracks. If possible, configure your logs to automatically alert an IT staffer if an attack is detected, either by sending an email or generating a page.
Keep Software Patched
Finally, all software must be kept patched. As mentioned above, software code is complex; it is a given that once a new operating system is released, it will have bugs. In fact, there is a vulnerability life cycle:
- Software release
- Vulnerabilities discovered
- Vulnerabilities published
- Patches released
- Software hardened
- New vulnerability discovered, etc.
Server and network administrators must constantly be on the alert for software vulnerabilities, and they must evaluate and install patches as soon as they are released. However, not all patches are necessary; administrators must first be sure that their systems need the patches. Also, some patches can cause more trouble than they are worth. If possible, test patches on a minor system before installing on critical servers. In order to keep up with bugs and vulnerabilities, check the web pages of your software vendors for postings or see Vendor Patches and Security Updates.
Next: User Security