BY MONIQUE SENDZE

A reprint from COMPUTERS IN LIBRARIES, JANUARY 2006 » http://www.infotoday.com


Securing public access workstations should be a significant part of any library’s network and information-security strategy because of the sensitive information patrons enter on these workstations.

As the IT manager for the Johnson County Library in Kansas City, Kan., I am challenged to make sure our thousands of patrons get the access they need on our 365 public computers while at the same time ensuring the integrity of our system.

The Johnson County Library is located in metropolitan Kansas City. With a central library and 12 branches, we serve a diverse population of 366,200 people. We have a collection of 1.5 million items with an annual circulation of about 5.8 million. In 2004, we recorded an outstanding 2.5 million patron visits. As we continued to see more and more patrons come into our library needing to use computers, it inspired our director, Mona Carmack. She wanted patrons to have equal access to resources from any library computer; she really wanted us to get away from having designated computers for designated resources.

The Plethora of Security Issues and Enemies

The three main computer security issues I deal with on a daily basis are confidentiality and the integrity and availability of the workstations and the network. This grouping of issues is sometimes referred to as “CIA.” I’ll briefly discuss the three pieces of CIA, then I’ll share our battle plan.

Confidentiality: Like many public libraries, JCL has a formal policy that lets our patrons know that the library is not responsible for any liability that may occur as a result of the disclosure of any personal information over its public computers and network. The purpose of this kind of a policy, in my mind, is to make our users aware that public computers are not secure media and that third parties may be able to obtain information regarding their activities. It is not news that, every day in public libraries around the country, patrons engage in online shopping, file their taxes, complete job applications, carry out online banking transactions, pay their bills, and so on using our public access computers. If they need staff assistance while doing these tasks, we don’t deny it to them.

Here is where the real dilemma lies: Patrons expect that if we are going to assist them in getting adept at doing these things, then by the same token we are going to ensure that their privacy is maintained by keeping our workstations secure. Patrons will not remember that there is a policy that says the library has no responsibility for any liabilities that may arise. (How many of our patrons really read the Internet use agreement before using a library computer?) This is a real concern for public service staff at my library who would like to make sure that the IT folks are securing the workstations, because they need to be able to reassure their patrons.

Integrity and Availability: Software and hardware vendors often distribute their products with default configurations because they are focused more on features and functionality than on security. It is important to note that I can avoid many of my security problems if the workstations and network are appropriately configured. Since vendors are not aware of my organization’s security needs, I must configure new workstations to reflect my requirements and then reconfigure them as my requirements change.

The operating system used on all of our workstations at the Johnson County Library is Windows XP. According to the SANS Institute, the average unprotected PC running Windows XP, once it’s connected to the Internet, will last about 20 minutes before it is compromised. Twelve months prior to the most recent study, this “safe” window was about twice as long. For IT professionals like myself, the implication is that if users even hope to have a chance at starting with a clean slate, all desktop security measures must be implemented immediately upon connecting new machines, if not before. [1]

Spyware, viruses, worms, and Trojans are very serious IT security and support issues. Industry estimates indicate that anywhere from 7 percent to 20 percent of all IT support calls are spyware-related. [2] A further blow to IT productivity has to do with how many times IT folks have had to re-create systems in order to fully purge spyware infections and other threats. Viruses, worms, and Trojans cost global companies (including libraries around the nation) between $169 billion and $204 billion in 2004, according to digital risk management firm mi2g. So as you can see, the challenges are enormous.


IT’S HARD TO FIGHT ENEMIES YOU CAN’T SEE, SO WE’VE SET UP PERIMETERS TO KEEP THEM OUT.


feature: secure our public access computers


Our Battle Plan: How We Balance Access and Security

Enforcing desktop policies is probably the part of my job that is the most important because if I don’t implement diligent desktop control measures, I’ll find myself dealing with one headache after another. Instead of wasting time recovering corrupted data, reconfiguring computers, and clearing memory-sucking downloads, creating preventative rules and guidelines to minimize problems by using public access computer (PAC) management tools seemed like a better option to pursue.

I recognized that my organization had made a significant investment in information technology and that it was my job to ensure that its resources were being used properly, and to increase user productivity. Therefore, when my staff and I set out to implement security for our PACs, we were looking for products that would address the challenges of confidentiality, integrity, availability, and access by ensuring that these goals would be satisfied:

• Computers that demand little maintenance will be available for anyone who wants to use them when the library is open.

• Patrons won’t be able to delete, alter, or add applications and system files that might cause a computer to suddenly malfunction.

• Computers will be protected against viruses spread by patron diskettes or by Internet-borne viruses and Trojans that can damage not only local computers but also servers.

• Patrons can be confident that their documents will not be infected by viruses, Trojan horses, or other malicious code.

• Patrons can expect that applications and other software will function properly.

• Patrons can feel confident that their privacy is being protected in that others can’t view their documents, access their e-mail, or view records of their Internet searches and transactions.

• Staff members can feel confident that their documents, applications, and data won’t be accessed inappropriately by patrons.

• All network users can have a reasonable assumption of privacy. This privacy cannot be disturbed by adware, spyware, or network intruders using hacker tools.

• Our networks will be protected against denial-of-service attacks that slow Internet access to a crawl or, worse, deny it completely.

• Our library will be able to protect its resources and comply with federal laws by making sure that patrons will only use computers, applications, or data for which they have been granted access.

• Because we comply with CIPA (Children’s Internet Protection Act), children will not be allowed to browse the unfiltered Internet.

Securing any computer in a library must be achieved without any compromise to the basic concepts of public service and user privacy. Library PACs and networks must be available for long hours without interruption of service and with very little need for support from library computer technicians. So my staff and I need to ensure data integrity and availability because we provide these computers to our patrons as a public service. Polls taken of some libraries showed that the No. 1 reason why patrons came to the library was to access the Internet. Therefore, if a patron’s experience using a computer is frustrating, his or her perception of the library is negatively affected. Today it is more important than ever that the patron’s experience with computers is a positive one.


Realizing that good security requires a great deal of planning, my IT staff started on our PAC battle plan by doing a number of things:

1. Creating policies and procedures—A team of IT members and administrative staff put together an acceptable use policy as well as an Internet use agreement. We put both documents together into a bitmap image that we use as our default Windows desktop background on all of our public access computers. Patrons have to click on an “I agree” button to get past this screen to gain access to the resources on the computer. This allows us to make our patrons aware of the security measures in place and of any restrictions and liabilities involved with using our system.

2. Ensuring adequate funding—Implementing any good security system requires money for software, hardware, and other tools. What we did to make sure we had a PAC security budget was to compile a risk assessment of the threats and vulnerabilities facing the library’s computers and networks. We took this a step further by also showing what it would mean if our network was compromised. By doing this, we got buy-in from the library’s administration.

3. Training and educating staff—We realized that, for us to be successful at this, we needed the support of our library’s frontline staff. It was essential that they understand the importance of security. We trained them on the security procedures so they’d know what to do when they saw a patron breaking the rules. They have been our allies on this and would always call us whenever they spotted something outside the norm. This relationship between the IT staff and the public service staff has yielded very positive results as we have been able to avert very dangerous situations. There is nothing as valuable as having an alert and knowledgeable librarian on our very busy floors who can spot irregularities and report them promptly to the IT department.

To make sure the frontline workers stay current with the PC procedures, they often invited me to their meetings and in-service days to give a technology update. We also gave them the data on the standard PAC configuration so if they see anything out of the ordinary, they’ll know it is a rogue application.

4. Following the whole security life cycle—Assume security is a never-ending process. At the Johnson County Library, we have a process for considering product purchases. We take into account the product’s known vulnerabilities and incorporate our security requirements into the product specifications. Once systems are in operation, we routinely and continuously monitor and update them to keep them secure from new exploits that did not exist when they were deployed.

We recently started a process of random audits. We got one of our younger patrons (16–18 years old), sat him down at one of our public access computers, and asked him to look for back doors and to see what he could gain access to. This was a 15-minute exercise and we were amazed at what he found and how he got to the places he gained access to. This was a very rewarding exercise for us because we were able to observe the user’s behaviors and as a result we were better able to secure our library’s valuables. Frequent checks and audits should be an important step in any security implementation process. Attackers never sit still, and therefore the people who are charged with protecting a library’s information assets should never sit still either.

Purchasing the Proper Software and Defense Tools

With our goals spelled out, the risk assessments done, policies and procedures in place, staff awareness taken care of, and the funding secured, the next step was to establish a solid and viable process to guide us in selecting the right software to meet our specific needs. We put together a list to guide us:

1. Assess needs. We had to decide between two strategies. We could adopt and integrate separate niche solutions designed for specialized processes as each need arose, or we could invest in an integrated, enterprisewide solution that could be scaled over time.

2. Check vendors’ representation in the library industry. We looked for vendors that really knew our field.

3. Ensure vendor viability. While some specific solutions were tempting because they offered exactly what we were looking for, many very small companies have long-term viability challenges.

4. Look at pricing. While specific solutions are generally less costly, some vendors, like Faronics Corp. and Centurion Technologies, scaled their product for price parity. This means you can get what you need at the moment without sacrificing scalability in the future.

5. Choose functionality. We opted for a solution that would allow us to incorporate other software over time and would reduce the probability of software silos.

Next, we assigned weights to the different areas that we felt were important for software evaluation. We looked at what other libraries were doing, read articles in library journals about securing PACs, talked with some vendors, looked at what others had to say on the Internet, and finally narrowed our list to three vendors—Faronics Corp.; Centurion Technologies, Inc.; and Fortres Grand Corp. We downloaded trial versions of their software and went through the table below assigning points.


After we went through this process (nearly 5 years ago), the vendor we selected was Faronics Corp. We initially purchased two of its products, Deep Freeze and WINSelect. Faronics’ solutions have empowered my IT staff as well as our reference staff to easily preserve and protect workstations so patrons can enjoy the benefits of enhanced privacy while having computers available whenever they need them.

One of the more frustrating aspects of my job had been tracking down and troubleshooting configuration changes that end users made to a client system—a time-consuming task multiplied by the number of systems on the network. We didn’t want to develop policies that would stifle the patrons’ use of computers. But users are often quite persistent when it comes to changing system settings, so we had to do something.

Faronics has approached workstation protection through a nonrestrictive, reboot-to-restore concept with a product called Deep Freeze. It literally freezes the configuration of a computer. Once installed, any changes to the computer—such as files added, files deleted, and configuration changes—are restored to their original state upon rebooting. Now we can reboot the library’s computers on a daily basis to flush out any user data. We can also set a threshold for inactivity, which means that, once a computer is idle for a set number of minutes, Deep Freeze automatically reboots it.

WINSelect gave us the ability to turn a computer into a kiosk-style workstation by locking down browser functions and Windows application settings, allowing access to only the most commonly used features and functions. Sysadmins can selectively control third-party programs and Windows operating systems tasks such as not allowing encrypted pages to be saved to a disk or directing the system to empty temporary Internet files each time the browser is closed. It greatly benefits our library because it does away with all the settings and customizations that Microsoft IE offers and gives a plain interface for general public use, with customizations only available to systems administrators.

More Enemies Attacked

When it came to spyware, viruses, worms, and Trojans, the grim reality was that we were dealing with these problems as they arose and were only able to apply temporary fixes instead of proactively implementing a real solution before the onslaught came. While there were a number of useful tools to deal with these threats, they all had the same problem: They stayed resident on the machines and required lists of definitions to combat security threats. If our definitions weren’t current, we’d get hit and were left cleaning up the mess.

A Faronics product that came out in spring 2005, Anti-Executable, solves this problem for us because it prevents the launch or installation of any type of unauthorized or unwanted executable. Using a unique whitelist technology, Anti-Executable protects us against those viruses and spyware enemies that have not yet been developed. Here’s how it works: Upon installation, Anti-Executable performs a deep scan of the computer and authorizes every executable on it. From that point on, any other executable program is deemed unauthorized and will not run or install. That means I do not need to scramble to wait for virus definition files because they are only available after the virus is out. Now I am able to provide proactive support as opposed to reactionary support to my patrons, and they like this.

CRITERIA | WHAT IT MEANS | WEIGHT
Product Functionality | What the product actually does in terms of functions and processes | 25 percent
Product Technology | Architecture and environment in which the product can run | 15 percent
Product Cost | Both initial acquisition and longer-term total cost of ownership | 10 percent
Corporate Service and Support | Ability to provide implementation services and ongoing support | 20 percent
Corporate Viability | Financial and management strength of the vendor | 20 percent
Corporate Strategy | Timeline plan of how the vendor will develop, sell, and support the product | 10 percent

Following this structured process for selecting the security software products helped reduce political agendas, enhanced internal credibility, reduced the time and cost of the selection, and increased the accuracy and overall satisfaction with the final decision.

TO CONTACT THE COMPANIES

Centurion Technologies, Inc.
512 Rudder Rd.
Fenton, MO 63026
(800) 224-7977
http://www.centurionguard.com

Faronics Technologies USA, Inc.
2411 Old Crow Canyon Rd.
Suite 170
San Ramon, CA 94583
(800) 943-6422
http://www.faronics.com

Fortres Grand Corp.
P.O. Box 888
Plymouth, IN 46563
(800) 331-0372
http://www.fortres.com

Sometimes a Good Offense Is the Best Defense

These are challenging times for anyone who needs to secure public computers. From my experience, I believe librarians should use Deep Freeze or similar technology extensively because it doesn’t restrict patrons from accessing the library computers and it saves IT administrators from doing so much painful rebuilding of damaged workstations. For an extra level of protection, I recommend that librarians should push their IT/network support people to monitor the network for viruses and other security threats (but in a way that absolutely does not invade individual privacy).

My boss, Tim Rogers (M.L.S., Indiana University), who is JCL’s associate director for operations, is also pleased with the results of this work. “We have been able to achieve our vision of easy and safe all-in-one computer access for our patrons,” he says, adding that this security suite has enabled efficient use of IT staff resources. Rogers had been director of several small libraries before coming to Johnson County in 1997, so he’s seen what can happen without adequate protection. He tells me that our setup has “allowed us to focus on what is truly important—answering peoples’ questions; inspiring their next questions; interacting with staff, library partners, and each other to build understanding; and offering opportunities for engagement that change and improve peoples’ lives.”

Here in Johnson County, I receive numerous questions from library patrons about what steps we have taken to ensure their privacy. With these tools in place, I can say with 100 percent confidence to the patron, “If you have any doubts, reboot the machine and everything you did will be gone permanently.” Members of the reference staff also feel confident because they know they will not be faced by an angry parent saying their daughter sat down at a library computer and was faced with pop-up screens of inappropriate material. They like the fact that patrons cannot download any unauthorized software or application on the computers. I also have peace of mind that my computers will not become virus and spyware magnets as long as I use my maintenance windows in Deep Freeze and Anti-Executable to push out my virus updates and security patches. And that’s a secure feeling.
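The scan-then-default-deny model described for Anti-Executable earlier in the article, together with the maintenance-window patching mentioned in the paragraph above, as an added Python sketch (not from the article and not Faronics' code). It assumes authorization is keyed on a SHA-256 of file contents and that executables are recognized by extension; all file names and contents are constructed.

```python
import hashlib
import os
import tempfile

# Assumption for this sketch: executables are recognized by extension.
EXEC_EXTS = {".exe", ".dll", ".com", ".bat", ".scr"}


def sha256_of(path):
    """Hash file contents in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Install-time scan: authorize every executable currently under root."""
    allowed = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                allowed.add(sha256_of(os.path.join(dirpath, name)))
    return allowed


def may_run(path, allowed):
    """Launch-time decision: default deny, allow only content seen in the scan."""
    try:
        return sha256_of(path) in allowed
    except OSError:
        return False  # missing or unreadable file: fail closed


def demo():
    """Evaluate launch attempts against a constructed workstation image."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            return path
        browser = write("Program Files/browser.exe", b"MZ constructed browser v1")
        allowed = build_baseline(root)  # taken before patrons use the machine
        # Constructed patron-session events after the baseline:
        new_tool = write("Documents/toolbar_setup.exe", b"MZ never seen before")
        renamed = write("Documents/notes.exe", b"MZ constructed browser v1")
        results = {
            "authorized": may_run(browser, allowed),
            "new_download": may_run(new_tool, allowed),
            "renamed_copy_of_authorized": may_run(renamed, allowed),
            "missing_file": may_run(os.path.join(root, "gone.exe"), allowed),
        }
        # Maintenance window: a patch changes the bytes, so the old baseline
        # rejects it exactly as it would reject tampering.
        write("Program Files/browser.exe", b"MZ constructed browser v2 patched")
        results["patched_old_baseline"] = may_run(browser, allowed)
        os.remove(new_tool)  # rescan only a clean image, or leftovers get authorized
        os.remove(renamed)
        allowed = build_baseline(root)
        results["patched_new_baseline"] = may_run(browser, allowed)
        return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} {'RUN' if ok else 'BLOCK'}")
```

The renamed copy runs because the decision follows file content rather than name or location, and the patched binary stays blocked until the baseline is rebuilt on a clean image.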

Monique Sendze is IT manager at the Johnson County Library in Kansas City, Kan., where she has been working in different IT roles for the last 6 years. She has an M.A. in teacher education and an M.S. in management information technology. Her e-mail address is [email protected].

References

1. Granneman, Scott (Aug. 19, 2004). Infected in 20 Minutes. The Register. http://www.theregister.co.uk/2004/08/19/infected_in20_minutes

2. Jaques, Robert (Feb. 1, 2005). Cost of malware soars to $166bn in 2004: Viruses, worms and Trojans taking their toll. http://www.vnunet.com/vnunet/news/2126635/cost-malware-soars-166bn-2004

3. CNET News.com Staff (Feb. 11, 2005). Study: Anti-spyware market to boom in 2005: This may be a good year to be an anti-spyware vendor. http://news.com.com/Study+Antispyware+market+to+boom+in+2005/2100-7350_3-5572950.html


This article is reprinted in its entirety from the January 2006 issue of CIL, with the permission of Information Today, Inc., 143 Old Marlton Pike, Medford, NJ 08055, 609/654-6266, Web site: http://www.infotoday.com. Information Today, Inc. does not authorize the downloading and/or printing of this article. If you require a copy of the article, contact the Copyright Clearance Center, 508-750-8400.
