Identity theft, ransomware attacks, phishing and other types of cyber-risks are dangers that have become part of our daily existence, both as library workers and digital citizens. In response, the websites we use now require multi-step logins, also known as multi-factor authentication or MFA. Changes are even more striking in the workplace. Many of us log into staff applications via a VPN, or virtual private network, involving multiple steps and a dedicated phone. While our systems providers try to streamline our workflows, our computers and work phones are locked down, requiring more work simply to begin work. Simple, shared passwords are a thing of the past. Data backup and recovery strategies are important for anyone using the internet, even casual home users.
Two years ago, news of large-scale cyberattacks exploded in the national media. The Colonial Pipeline attack in May of 2021 stood out in particular. In July of 2021, I was made aware of some new guidance generated by New York State on ransomware attack prevention and response. I myself had just become a victim of a ransomware attack at home, through a security hole in my backup software; the irony did not escape me. My music files were locked up and held for ransom. At that time, I asked the nine automated resource sharing networks whether they were prepared. Were they confident with their cybersecurity posture? Were they on top of protecting core library services and patron data? Did they have the ability to quickly recover should they experience an attack? Should all the networks, possibly with help from the MBLC, work individually or together to improve network resilience in the face of seemingly inevitable cyberattacks?
Three weeks later, on August 25th, 2021, the Boston Public Library (BPL) was hit by a ransomware attack which brought the BPL and Metro Boston Library Network systems down for a full week. David Leonard, the President of the BPL, was kind enough to meet with network administrators a few weeks later to share lessons learned — to describe what had happened, how it might have happened, how the BPL had recovered, and what steps the library was taking to protect itself in future.
MBLC Awards State Cybersecurity Grants
The BPL attack showed how broadly disruptive a cyberattack can be on library services. Networks provide the mission critical, core business functions on which every library operates. When an attack occurs, patron records, the catalog and circulation system all become unavailable. Ancillary systems, email, websites, access to electronic resources may all be affected.
The MBLC decided to offer a cybersecurity grant opportunity of up to $25,000 per network using state funds from account 7000-9506, Library Technology and Resource Sharing. In total, we awarded $181,093 to eight networks. The program ran from May 2022 through June 2023.
Each network used grant funds to address its own priorities as each was in a different place in its thinking, planning and overall preparedness. To provide an overall framework, MBLC asked networks to categorize their activities according to the four goals laid out in the Minimum Baseline of Cybersecurity for Municipalities from MassCyberCenter. Though designed for cities and towns, the framework proved equally well suited for a common perspective on network grant activities.
The four goals are:
Not surprisingly, all eight participating networks addressed Goal 4. Providing technology is a network’s bread and butter. Four networks also identified staff training, and one network focused on response planning.
| Minimum Baseline Goals | Network |
|---|---|
| Trained and Cyber-Secure Employees | CW MARS, FLO, MVLC, SAILS |
| Improved Threat Sharing | |
| Cyber Incident Response Planning | SAILS |
| Secure Technology Environment and Best Practices | CLAMS, CW MARS, FLO, MBLN, MVLC, NOBLE, OCLN, SAILS |
It’s almost a truism that human beings are the weakest link in the cybersecurity chain. Therefore, thorough training is essential. Besides a series of instructional sessions or webinars, training often includes a series of phishing tests. A security vendor will send out phishing emails or smishing texts (phishing via SMS) to see whether staff recognize the malicious messages or instead open the message or message attachment, actions that might in the real world have led to a damaging security breach. FLO reports that their “phish-prone percentage” came down to 7.8% from a 50% mark (half of FLO staff) at the beginning of the program, and that since January 2023 no FLO staff member has clicked on a phishing email at all, easily surpassing FLO’s objective of 5% originally set out in their grant application.
MVLC experimented with a suite of free security training tools to gauge their effectiveness. Having obtained encouraging results in participation, they will consider making this part of their annual training regime in future.
SAILS undertook formal planning as part of the grant. SAILS’ incident response plan, when complete, will cover the steps to be taken should there be a security breach. It will include who will be notified: the network attorney, the system vendor(s), the cybersecurity insurance provider, telecommunications support provider, the network internet service provider, and, of course, member libraries.
The plan will address the following six phases: preparation, identification, containment, eradication, recovery, and lessons learned.
SAILS recognizes the importance of sharing the plan with member libraries. An incident can start at the library.
The Boston Public Library/MBLN network, which had suffered that significant cybersecurity attack in 2021, hired a consultant to develop a security roadmap to improve its overall security posture. Preliminary direction will have been guided by vulnerability scans and penetration testing. BPL also intends to hire a full-time Cybersecurity Analyst.
No network explicitly identified threat sharing as a grant goal. However, as part of incident response planning, networks recognize that registering with regional and national threat resource centers, such as MS-ISAC, the Multi-State Information Sharing and Analysis Center, and the New England regional office of CISA, the Cybersecurity & Infrastructure Security Agency, is critical. Networks will proactively hear about threats that might affect them and will know whom to inform should an attack happen to them. Networks will be better prepared to share threat information with each other in a timely fashion.
The majority of grant-related work focused on ensuring that networks’ core systems and backups were secure, and that shared work environments accessed by both central site staff and library staff were controlled by technologies, policies and procedures to minimize risk.
The Library System Hosting Environment
Two networks, CW MARS and NOBLE, had locally hosted library system servers. Recently, either as part of this grant or slightly before, both networks had moved their servers into a Google Cloud environment under the management of Mobius Open-Source Solutions (MOSS). Large-scale cloud hosts, such as those provided by Google and Mobius, bring assurances of a much more secure environment than any local installation could manage. This includes physical security, system and software patching, vulnerability testing, standards, access controls, authentication, and backup and restore options.
Through a consultant, NOBLE audited the security of their servers’ new home, and especially the cloud-hosted data backups. NOBLE’s consultant provided a series of recommendations back to Mobius that should benefit not only NOBLE and CW MARS, but other similarly situated library systems as well. NOBLE also now takes more frequent system backups, housing them in a separate location, a more secure approach.
CLAMS took a hard look at the hosting environment for their new Koha/Aspen Discovery library system from Bywater Systems. Bywater has tested incident response and business continuity plans. Bywater had several recommendations for CLAMS, including the use of a reverse proxy server, regular vulnerability scans, an intrusion detection and prevention system, and IP access control for all Koha admin interfaces.
OCLN and NOBLE replaced older routers in member libraries with state-of-the-art advanced firewalls that included intrusion prevention features. Intrusion prevention systems proactively check for real-time threats or attacks and take action to stop the activity. The new routers will better protect not only the network, but also local library LANs, attached equipment and data.
The change to remote or hybrid work environments that we’ve seen over the last three years means that staff are no longer necessarily accessing the library system through library-owned computers on library-managed LANs. As part of the grant, networks focused on ensuring that secure VPN connections are always used by both central site and library staff. The newly purchased firewalls have made possible simplified VPN sessions for staff working remotely, and a much more manageable overall VPN environment for central site. As an example, OCLN reports that it now has single-sign-on capabilities through Google, so that staff can sign onto the VPN via a regular browser and using the same credentials that they use for Google Workspace. And no more shared passwords among library staff!
Staff Applications: Google Workspace and Microsoft 365
Central site and numerous library staff use shared applications. Several audits found that access to Google Workspace and Microsoft 365 needed better access controls. A clear, near-term goal is to enforce multi-factor authentication for administrative users, and if possible, extend the requirement to all library staff. CLAMS purchased MFA “security keys”, small USB devices, for all staff to use when working remotely. Security keys obviate the need for passwords and thereby avoid the danger of phishing attacks designed to capture passwords.
Password Strengthening and Management
CW MARS obtained a business class password management platform which enabled password strength to be audited. By the end of the grant period, they reported that for central site staff, “Our average password strength was 94%. 0% of staff had a weak master password. 0% of staff had a reused password.” Based on its security audit, MVLC intends to pursue a similar solution.
Tighter network email attachment policies and better email verification via mailing system standards, DKIM and DMARC in particular, have been identified as ways to improve trust in email messages both coming into libraries and going out.
Penetration Testing and review by 3rd party
FLO was one of several networks that did vulnerability testing. FLO really dug into this issue, using Open Source Intelligence (OSINT) techniques to see whether there was information on potentially harmful attack vectors “out there” on the internet that might impact FLO’s systems. As a result, they decommissioned an outdated server using an old operating system, among other actions.
Not Just the Central Site – Including Member Libraries
Though some projects focused exclusively on central site systems and staff, others had broader reach. For example, MVLC’s security audit included 28 of its member libraries.
Every year, the MBLC provides network infrastructure grants from account 9506. For FY24, the total grant round was increased by 33% to $400,000. Cybersecurity investments are now allowable expenditures under this grant. The initial MBLC cybersecurity grant round kicked off an ongoing process. Networks will take what they learned, and at the very least, invest in training, planning, plugging holes, updating policies, communicating cybersecurity roles and responsibilities to member libraries, and working together with their peers across the state to make Massachusetts libraries, resources, and library patron information safer and more secure.