Ransomware and Data breaches in public libraries

What is Ransomware A specific type of malware that targets a computer or network with the intent of holding it hostage for payment. The infection can be caused by an intentional (such as a hacker) or an accidental (clicking on a phishing email) source The once the malware is in the system it encrypts the data until the release code is entered. Some strains of ransomware also send key types of data back to the hacker. First ransomware attack occurred in 1989 (Aids Cyborg)

What is a Data Breach A data breach is the unintentional or malicious release of sensitive information Depending on the information (and the industry) this can have financial or legal repercussions. Data breaches can be caused by electronic or paper means in the state of Wisconsin

Results in a Nutshell part 1 Library Data Breaches are not reported in a central location Ransomware is considered “big news” and tends to get more press in technical journals Library records had not been assigned a quantitative value for risk assessment purposes

Results in a nutshell part 2 Based on the publicized ransomware attacks, the financial loss for libraries from a data breach could catastrophic St Louis Public Library: (859,000 * 167.50) = 145,907,290.00 Spartanburg: (269,291 * $167.50) = $45,106,242.50 Brownsburg: (40,256 * $225.00) = $9,057,600 Some libraries (.14%) have documentable information security policies Wealthy libraries and systems have invested in cyber insurance but a levels that would not cover a full breach.

What are Library Records worth? Value does not refer to Dark web market value (average total records packe value $30) Value refers to total cost of recovering from a data breach per record This cost includes: Legal fees Network repair Notification of affected parties Penalties Loss of income due to loss of customers/clients/patrons

Library records values part 2 Because of reciprocal borrowing, this value differs from state to state The more liberal the reciprocal borrowing polices the higher the records value No reciprocal borrowing $110.00 (public service level Ponemon institute) Partial reciprocal borrowing $167.50 Full reciprocal borrowing $225.00 (average value of a data record in the United States. This is due to churn or potential patron turnover Wisconsin's’ records are valued at $225.00 To put that number in perspective had L.E. Phelps Memorial Library had a true data breach the estimated cost would have been $19,061,775

So what does that mean for us?

Information Security is essential to your library

Policy Procedure Training Response

Setting up an Information Security Policy is essential What should the policy contain? What are we protecting? What are the objectives (aka how secure are we going to be?) Who does what and who has ACCESS to what. Reference legislation (aka what statutes we need to follow based on our industry Source: Infosec Institute: Key Elements of an Information Security Policy; https://resources.infosecinstitute.com/key-elements-information-security-policy/#gref

What can a policy contain Security Policy part 2 What can a policy contain Data Movement criteria (What mediums are allowed or disallowed) Backup Criteria (frequency, storage criteria, access to backups etc) Network security strategies (antivirus, firewalls, etc.) Source: Infosec Institute: Key Elements of an Information Security Policy; https://resources.infosecinstitute.com/key-elements-information-security-policy/#gref

What legislation effects us? Wisconsin Statute 134.98 (Data breach Statute) Graham-Leach-Bliley Act Red Flags Law https://docs.legis.wisconsin.gov/statutes/statutes/134/97/4/b

Service Level Agreement (SLA) Used to define who is responsible for what in an IT service contract Is your provider going to do your backups? What documentation will they provide? Will they do your patching (aka system updates) what documentation will be provided In the event of a data breach/malware incident what will be their role? https://www.givainc.com/blog/index.cfm/2017/8/23/6-Key-Components-of-a-Service-Level-Agreement-SLA https://www.cio.com.au/article/268177/service-level_agreements_101_an_executive_guide_service-level_agreements_slas_/https://www.cio.com.au/article/268177/service-level_agreements_101_an_executive_guide_service-level_agreements_slas_/

Procedure Policy is what you will do Procedure is how you will do it. Procedures that would bolster library security Authentication aka password procedure Access Rights (including physical) Onboarding/offboarding procedures

Training – “knowing is half the battle” Policy training – make sure the information security policy is reviewed on a regular basis Procedure training aka “if someone asks us….” Incident response training aka “if this happens what do I do”

Training tools https://securityiq.infosecinstitute.com/ https://irtsectraining.nih.gov/publicUser.aspx https://iase.disa.mil/eta/Pages/online-catalog.aspx

Incident response – aka what to do when the worst happens Isolate the threat Who needs to be contacted? Who cleans up the infections? Examples and more resources https://www.sans.org/summit-archives/file/summit-archive-1506371074.pdf http://www.csirt.org/sample_policies/index.html https://www.incidentresponse.com/resources/policies-plans/ https://www.alvaka.net/steps-for-an-effective-cybersecurity-incident-response-plan/ After you have your IRP in place make sure you practice – just like a Fire Drill

Remember, You can do everything right and you will still be compromised

That being said you can still protect your self and your patrons Less is more – think long and hard about the data you keep in your online system At the Library System Level consider a coding system for birthdays/ages Make sure you have a paper records disposal policy Know what happens to your photocopier – they are actually a form of computer at this point.

Questions?