Wednesday, April 10, 2013

Computers in Libraries 2013 - Day 2 - Hacking 101 : Protecting Your Site & Visitors

Blake Carver from LISHost presented this first session on Tuesday, which was a nice overview of good security practice.  There wasn't a whole lot that was new to me in this session, but it's always good to have a bit of a refresher and to see what others are doing and recommending.


Blake introduced the subject by emphasizing that everyone is a target, bad things are going to happen, and the best you can do in computer security is to try to get better, even though the security problems seem to be getting worse faster than we get better.

He then looked at several categories of vulnerability and examined what simple steps you can take to make yourself a less attractive target.

For desktop computer security he emphasized that staying safe takes more than just a firewall & antivirus.  Some actions that you can take for security are:

  • Quickly patch / update everything
  • If you carry it, put a password on it
  • Don't Trust Nothin' and Nobody
  • Backup your stuff
  • Use a second form of authentication (Google Authenticator, YubiKey)
  • Do Good Passphrases - the bad grammar is intentional here.  A passphrase like lIbrariansIsTehBestestPeeple$EyeN0 is much harder to crack than LibrariansAreTheBestPeopleIKnow, since its made-up words don't appear in the wordlists crackers feed their tools.  A passphrase (like either of these) beats a password because it is easy to make one that is long and still memorable.  “The time it takes to crack a password is the only true measure of its worth.”

Also on passwords, Blake suggested testing your own passwords by trying to crack them (as a strength test, not for evil purposes) with oclHashcat.  He argued that a better policy than "Your password must be at least 8 characters long, contain one number, one special character, and both upper and lower case" is simply "All passwords must be at least 20 characters."  Assume that someone, somewhere will eventually steal a password you use, so never reuse a password across sites.
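To make "time to crack" concrete, here is an added Python example (mine, not code from Blake's talk or from LISHost) that scores a password under both policies and estimates brute-force time.  The guess rate, the common-password list and the dictionary size are constructed assumptions; real cracking with oclHashcat uses wordlists, rules and masks before brute force, so treat the brute-force figure as an upper bound, not a guarantee:

```python
import string

# Constructed assumptions for this example, not figures from the talk:
# a single-GPU oclHashcat rig guessing fast, unsalted hashes (MD5/NTLM)
# at roughly 1e10 guesses per second, and a tiny stand-in for the
# wordlists a cracker loads before trying brute force at all.
GUESSES_PER_SECOND = 10_000_000_000
COMMON_PASSWORDS = {"password", "p@ssw0rd", "letmein", "qwerty123", "welcome1!"}
DICTIONARY_WORDS = 10_000  # assumed size of a cracker's common-word list


def meets_complexity_policy(pw):
    """The classic rule: 8+ chars, a digit, a special, upper and lower case."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c in string.punctuation for c in pw))


def meets_length_policy(pw, minimum=20):
    """Blake's alternative: only a minimum length, no composition rules."""
    return len(pw) >= minimum


def charset_size(pw):
    """Size of the alphabet a brute-forcer must cover to reach pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust every string of pw's length and alphabet.

    Returns 0 when pw is on the common list: a wordlist run finds it before
    brute force even starts, whatever the composition rules say.
    """
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    return charset_size(pw) ** len(pw) / rate


def passphrase_seconds(n_words, rate=GUESSES_PER_SECOND, dictionary=DICTIONARY_WORDS):
    """Seconds to exhaust every n_words-word phrase built from a dictionary of
    the assumed size: the attack that matters for correctly spelled passphrases.
    Invented words (Teh, Bestest, Peeple) are not in that dictionary, which is
    why the talk's deliberately bad grammar helps."""
    return dictionary ** n_words / rate


def human_time(seconds):
    """Render seconds as a rough human-readable duration."""
    year = 365 * 24 * 3600
    if seconds == 0:
        return "instant (on a wordlist)"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.2e} years"


def assess(pw):
    """Summarise both policies and the crack-time estimate for one password."""
    return {
        "complexity_policy": meets_complexity_policy(pw),
        "length_20_policy": meets_length_policy(pw),
        "brute_force": human_time(brute_force_seconds(pw)),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd",
                      "Library2013!",  # word+year+symbol: rules find this fast
                      "LibrariansAreTheBestPeopleIKnow",
                      "lIbrariansIsTehBestestPeeple$EyeN0"):
        print(f"{candidate!r}: {assess(candidate)}")
    # A seven-word, correctly spelled phrase under the 10,000-word model:
    print("7 dictionary words:", human_time(passphrase_seconds(7)))
```

Run it and "P@ssw0rd" passes the complexity policy yet cracks instantly, while the 31-character sentence fails the complexity policy (no digit or symbol) and still has an enormous keyspace.  "Library2013!" shows the model's limit: it passes complexity and looks strong to brute force, but a word plus year plus symbol is exactly the pattern hashcat rules try first.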

With web browsers it's not about which is most secure, it's about which is most widely used (and therefore most targeted).  Attackers go after Java, Flash and Adobe Reader far more than the browsers themselves, so if you can use alternatives to those products you will be safer.  Studies have also shown that users are most likely to run across malicious code via content delivery networks and ads, which unfortunately means any site that uses CDNs and ads, i.e. most of them.

Some actions to take:

  • Use Two (or more) Updated Browsers
  • Know Your Settings
  • Plugins / Add-ons / Whatevs:
    • Something to limit JavaScript
    • Ditch Java, Flash & Acrobat
    • Something to Force HTTPS
    • Something to Block Ads

Web servers are useful to attackers for the same reasons desktop computers are, but they are more valuable targets because they tend to have a lot of resources and are always on.

If you're a sysadmin:

  • Always encrypt (properly: salt and hash) stored passwords
  • Don't limit passwords (length or allowed characters)
  • Keep everything updated
  • Educate the entire library staff
  • Watch file/directory permissions
  • Lock down as many programs as possible
  • Lock down PHP as much as possible


If you need to secure WordPress (and the like):

  • Keep it updated
  • Use good passwords
  • Make the admin login something other than "admin"
  • Watch file permissions
  • Use security and backup plugins/modules
  • Run ModSecurity (a web application firewall)
  • Watch your logs
  • External monitoring
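"Watch file/directory permissions" from the sysadmin list and "file permissions" here both come down to the same audit, so here is one added Python example (mine, not from the talk or from WordPress) that walks a web root and flags the three findings I would look for first.  The sample web root, its file names and its modes are constructed for the example; wp-config.php and the uploads directory are real WordPress conventions.

```python
import os
import stat
import tempfile


def audit_permissions(root, secrets=("wp-config.php",), upload_dirs=("uploads",)):
    """Walk a web root and return sorted (relative_path, problem, mode) tuples for:
    - anything world-writable (any foothold lets an attacker drop a backdoor there),
    - secret-bearing files readable by group or other (wp-config.php holds the
      database password),
    - .php files under an uploads directory (uploads should hold data, not code;
      a PHP file there is the classic webshell location).
    Symlinks are skipped so a link cannot drag the walk outside the root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", oct(mode)))
            if name in secrets and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "secret readable by group/other", oct(mode)))
            if (stat.S_ISREG(st.st_mode) and name.lower().endswith(".php")
                    and any(part in upload_dirs for part in rel.split("/")[:-1])):
                findings.append((rel, "php in uploads", oct(mode)))
    return sorted(findings)


def build_demo_root():
    """Constructed sample web root for this example (a temporary directory)
    with the three problems above planted deliberately."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        "index.php": 0o644,                     # fine
        "wp-config.php": 0o644,                 # secrets readable by everyone
        "wp-content/uploads/shell.php": 0o644,  # code in the uploads tree
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
    # Set directory modes explicitly so the result does not depend on umask.
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # world-writable
    return root


if __name__ == "__main__":
    for rel, problem, mode in audit_permissions(build_demo_root()):
        print(f"{mode} {rel}: {problem}")
```

On a real install, point audit_permissions at the document root and run it from cron alongside the backups; a world-writable directory that was not there yesterday is exactly the kind of change "watch your logs" is meant to catch.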


It's important to make your library defensible (invulnerable just isn't possible).  Some things to do to help library security are:

  • Automate patching, backups, scans
  • Use a Password Manager
  • Train
  • Secure PACs (public access computers): remove Java & Acrobat Reader
  • Microsoft's Enhanced Mitigation Experience Toolkit (EMET) on Windows machines


Your security measures are seatbelts, not force fields.

Blake suggested Kali Linux and/or the Pwn Pad (from Pwnie Express) for testing your network.

His final thoughts on the topic are:

  • Do good pass phrases
  • Be Paranoid
  • Keep Everything Updated
  • Do something to make the bad guys' job harder
