ICT security in libraries
By Peachy Limpin
Still on the issue of ICT in libraries, Prof. Edgardo Quiros, a faculty member of the University of the Philippines, discussed security issues in libraries at the ASLP seminar on ICT in libraries.
Prof. Quiros enumerated some security issues affecting libraries: students often use the library to launch attacks; libraries are the most insecure systems; pornography and other undesirable materials; the proliferation of viruses; spam; data or information theft; vandalism, etc. There are a lot of horror stories of breaches in security in libraries because most libraries in the country do not have a full-time IT technician assigned to them. Lucky is the library that has one.
He identified the components of a library’s computer system that need to be secured: the hardware, software, communication, data and information, and people. The last component, people, reminded me of an article I read recently that the biggest security risk in a company’s IT infrastructure is its employees. Hmmm, seems I have to go look for that story again.
Quiros further identified basic threats to and vulnerabilities of library systems. First on the list of threats are probes and scans whereby hackers attempt to gain access to remote computers. Second is the discovery of user accounts and their passwords. There is also packet sniffing, that is, capturing data across a network that might contain sensitive information like passwords. Hackers may also flood a network with requests, overwhelm it, and eventually crash the computer. Malicious code like worms and viruses is a threat too, as is spoofing. All these have been discussed by TechNews writers before.
As for vulnerabilities, libraries are at risk from installed software, especially from unknown sources; the ineffective use of authentication; non-application of patches; too many open ports and services running; not analyzing incoming packets; non-maintenance and non-verification of backups, which are crucial especially for library databases; and lack of protection against malicious code.
Since he was addressing librarians, he offered solutions that they can handle in the absence of an IT expert. To address problems posed by the user, he suggested strong identification, authentication, and authorization procedures. In terms of software security, he suggested OS hardening, that is, modifying and locking down a standard default installation of an operating system; installation of anti-virus software; updates and patches; and, for Windows, management of the registry. I’m not really sure though if librarians can actually manage the registry, much less be able to locate it, but this is a good start to practice their IT fluency.
For securing the hardware, he recommended protecting the BIOS aside from locating the computers in a secured room or in containers. You won’t believe the stories of stolen computer parts with all the internal components missing and only the computer case remaining. There are also missing cables, mice, etc. I guess the next best thing to do to protect hardware is to chain the PC to the table. But before resorting to this, he proposed using RFID (radio frequency identification) for each component. On the other hand, if you think RFID is pretty expensive, well then by all means chain your PCs to the table.
To secure communication, he urged using a firewall, monitoring system logs, securing both wireless and remote access, and adopting a redundant connection to ensure that when one connection goes down another one will take up the task.
On the level of data and information security, he encouraged the application of digital rights management technology at the document level, offline backup and archiving, and fault tolerance implementation.
Towards the end of his lecture he mentioned something about Wake-on-LAN, which he compared to a TV on standby. Using a remote control, one can easily turn on the TV set. According to Quiros, this can be done with computers. So he recommended that computers be completely shut down instead of being kept on standby.
I suddenly remembered that controversial column I wrote a few months back where I got the flak for arriving at a crazy conclusion. Oh well, at least I got redeemed.