Networks Tackle Cybersecurity with MBLC State Grants

Identity theft, ransomware attacks, phishing and other types of cyber-risks are dangers that have become part of our daily existence, both as library workers and digital citizens.  In response, the websites we use now require multi-step logins, also known as multi-factor authentication or MFA.  Changes are even more striking in the workplace. Many of us log into staff applications via a VPN, or virtual private network, involving multiple steps and a dedicated phone. While our systems providers try to streamline our workflows, our computers and work phones are locked down, requiring more work simply to begin work.  Simple, shared passwords are a thing of the past. Data backup and recovery strategies are important for anyone using the internet, even casual home users.

Two years ago, news of large-scale cyberattacks exploded in the national media. The Colonial Pipeline attack in May of 2021 stood out in particular.  In July of 2021, I was made aware of some new guidance generated by New York State on ransomware attack prevention and response.  I myself had just become a victim of a ransomware attack at home, through a security hole in my backup software; the irony did not escape me. My music files were locked up and held for ransom.  At that time, I asked the nine automated resource sharing networks whether they were prepared. Were they confident with their cybersecurity posture? Were they on top of protecting core library services and patron data? Did they have the ability to quickly recover should they experience an attack?  Should all the networks, possibly with help from the MBLC, work individually or together to improve network resilience in the face of seemingly inevitable cyberattacks?

Three weeks later, on August 25th, 2021, the Boston Public Library (BPL) was hit by a ransomware attack which brought the BPL and Metro Boston Library Network systems down for a full week.  David Leonard, the President of the BPL, was kind enough to meet with network administrators a few weeks later to share lessons learned — to describe what had happened, how it might have happened, how the BPL had recovered, and what steps the library was taking to protect itself in future.

MBLC Awards State Cybersecurity Grants

The BPL attack showed how broadly disruptive a cyberattack can be on library services.  Networks provide the mission critical, core business functions on which every library operates.  When an attack occurs, patron records, the catalog and circulation system all become unavailable.  Ancillary systems, email, websites, access to electronic resources may all be affected.

The MBLC decided to offer a cybersecurity grant opportunity of up to $25,000 per network using state funds from account 7000-9506, Library Technology and Resource Sharing.  In total, we awarded $181,093 to eight networks.   The program ran from May 2022 through June 2023.

Each network used grant funds to address its own priorities as each was in a different place in its thinking, planning and overall preparedness.  To provide an overall framework, MBLC asked networks to categorize their activities according to the four goals laid out in the Minimum Baseline of Cybersecurity for Municipalities from MassCyberCenter. Though designed for cities and towns, the framework proved equally well suited for a common perspective on network grant activities.

The four goals are: Trained and Cyber-Secure Employees; Improved Threat Sharing; Cyber Incident Response Planning; and Secure Technology Environment and Best Practices.

Not surprisingly, all eight participating networks addressed Goal 4. Providing technology is a network’s bread and butter. Four networks also identified staff training, and one network focused on response planning.

Minimum Baseline Goals and the networks that addressed them:

Trained and Cyber-Secure Employees: CW MARS, FLO, MVLC, SAILS
Improved Threat Sharing: (none)
Cyber Incident Response Planning: SAILS
Secure Technology Environment and Best Practices: CLAMS, CW MARS, FLO, MBLN, MVLC, NOBLE, OCLN, SAILS

Staff Training

It’s almost a truism that human beings are the weakest link in the cybersecurity chain. Therefore, thorough training is essential. Besides a series of instructional sessions or webinars, training often includes a series of phishing tests. A security vendor will send out phishing emails or smishing texts (phishing via SMS) to see whether staff recognize the malicious messages or instead open the message or its attachment, actions that in the real world might have led to a damaging security breach.  FLO reports that their “phish-prone percentage” came down to 7.8% from a 50% mark (half of FLO staff) at the beginning of the program, and that since January 2023 no FLO staff member has clicked on a phishing email at all, easily surpassing the 5% objective FLO originally set out in its grant application.

MVLC experimented with a suite of free security training tools to gauge their effectiveness. Having obtained encouraging results in participation, they will consider making this part of their annual training regime in future.

Cyber Incident Response Planning

SAILS undertook formal planning as part of the grant.  SAILS’ incident response plan, when complete, will cover the steps to be taken should there be a security breach. It will include who will be notified: the network attorney, the system vendor(s), the cybersecurity insurance provider, telecommunications support provider, the network internet service provider, and, of course, member libraries.

The plan will address the following six phases:   preparation, identification, containment, eradication, recovery, and lessons learned.

SAILS recognizes the importance of sharing the plan with member libraries. An incident can start at the library.

The Boston Public Library/MBLN network, which had suffered that significant cybersecurity attack in 2021, hired a consultant to develop a security roadmap to improve its overall security posture. Preliminary direction is to be guided by vulnerability scanning and penetration testing. BPL also intends to hire a full-time Cybersecurity Analyst.

Improved Threat Sharing

No network explicitly identified threat sharing as a grant goal.  However, as part of incident response planning, networks recognize that registering with regional and national threat resource centers, such as MS-ISAC, the Multi-State Information Sharing and Analysis Center, and the New England regional office of CISA, the Cybersecurity & Infrastructure Security Agency, is critical.  Networks will proactively hear about threats that might affect them and will know whom to inform should an attack happen to them.  Networks will be better prepared to share threat information with each other in a timely fashion.

Secure Technology Environment and Best Practices

The majority of grant-related work focused on ensuring that networks’ core systems and backups were secure, and that shared work environments accessed by both central site staff and library staff were controlled by technologies, policies and procedures that minimize risk.

The Library System Hosting Environment

Two networks, CW MARS and NOBLE, had locally hosted library system servers. Recently, either as part of this grant or slightly before, both networks moved their servers into a Google Cloud environment under the management of Mobius Open-Source Solutions (MOSS).  Large-scale cloud hosts, such as those provided by Google and Mobius, bring assurances of a much more secure environment than any local installation could manage.  This includes physical security, system and software patching, vulnerability testing, standards, access controls, authentication, and backup and restore options.

Through a consultant, NOBLE audited the security of their servers’ new home, and especially the cloud-hosted data backups.  NOBLE’s consultant provided a series of recommendations back to Mobius that should benefit not only NOBLE and CW MARS, but other similarly situated library systems as well. NOBLE also now takes more frequent system backups, housing them in a separate location, a more secure approach.

CLAMS took a hard look at the hosting environment for their new Koha/Aspen Discovery library system from Bywater Systems. Bywater has tested incident response and business continuity plans.  Bywater had several recommendations for CLAMS, including the use of a reverse proxy server, regular vulnerability scans, an intrusion detection and prevention system, and IP access control for all Koha admin interfaces.

Equipment Replacement

OCLN and NOBLE replaced older routers in member libraries with state-of-the-art firewalls that include intrusion prevention features. Intrusion prevention systems proactively check for threats or attacks in real time and take action to stop the activity.  The new routers will better protect not only the network, but also local library LANs, attached equipment and data.

The change to remote or hybrid work environments that we’ve seen over the last three years means that staff are no longer necessarily accessing the library system through library-owned computers on library-managed LANs.  As part of the grant, networks focused on ensuring that secure VPN connections are always used by both central site and library staff.  The newly purchased firewalls have made possible simplified VPN sessions for staff working remotely, and a much more manageable overall VPN environment for central site. As an example, OCLN reports that it now has single-sign-on capabilities through Google, so that staff can sign onto the VPN via a regular browser and using the same credentials that they use for Google Workspace.  And no more shared passwords among library staff!

Staff Applications: Google Workspace and Microsoft 365

Central site and numerous library staff use shared applications.  Several audits found that access to Google Workspace and Microsoft 365 needed better access controls. A clear, near-term goal is to enforce multi-factor authentication for administrative users and, if possible, extend the requirement to all library staff.  CLAMS purchased MFA “security keys”, small USB devices, for all staff to use when working remotely.  Security keys obviate the need for passwords and thereby avoid the danger of phishing attacks designed to capture passwords.

Password Strengthening and Management

CW MARS obtained a business class password management platform which enabled password strength to be audited.  By the end of the grant period, they reported that for central site staff, “Our average password strength was 94%. 0% of staff had a weak master password. 0% of staff had a reused password.”  Based on its security audit, MVLC intends to pursue a similar solution.

Email

Tighter network email attachment policies and better email verification via mailing system standards (DKIM and DMARC in particular) have been identified as ways to improve trust in email messages both coming into libraries and going out.

Penetration Testing and Review by a Third Party

FLO was one of several networks that did vulnerability testing. FLO really dug into this issue, using Open Source Intelligence (OSINT) techniques to see whether there was information on potentially harmful attack vectors “out there” on the internet that might impact FLO’s systems. As a result, they decommissioned an outdated server running an old operating system, among other actions.

Not Just the Central Site – Including Member Libraries

Though some projects focused exclusively on central site systems and staff, others had broader reach. For example, MVLC’s security audit included 28 of its member libraries.

Next Steps

Every year, the MBLC provides network infrastructure grants from account 9506.  For FY24, the total grant round was increased by 33% to $400,000.  Cybersecurity investments are now allowable expenditures under this grant.   The initial MBLC cybersecurity grant round kicked off an ongoing process. Networks will take what they learned, and at the very least, invest in training, planning, plugging holes, updating policies, communicating cybersecurity roles and responsibilities to member libraries, and working together with their peers across the state to make Massachusetts libraries, resources, and library patron information safer and more secure.


Main Image: Lightning striking a rural building during a storm: onlookers react in terror. Engraving, 16 –. Weather. Lightning. Work ID: hfz9n5qe, under CC BY 4.0.

OCLN is letting residents know that they’re Wired to Reach You

Residents love their libraries. And thanks to the Old Colony Library Network’s (OCLN) Wired to Reach You campaign, residents will be able to share what they love about their network, too.
“Statewide awareness and advocacy campaigns are reaching librarians and trustees,” said Dave Slater, Executive Director at OCLN. “We want to reach residents.”

OCLN’s small but mighty four-member legislative committee worked with MBLC staff to develop Wired to Reach You, a campaign that helps residents understand that many of the library services they love are made possible by OCLN. Residents can go to http://links.ocln.org/wired and say what they love about OCLN and their comments will be shared with state legislators.

Funding to networks and library technology (state budget line 7000-9506, Library Technology and Resource Sharing) is a priority in the FY2020 Legislative Agenda, so the more information legislators have about how much residents value their networks, the better.  Technology has changed a lot in the past twenty years, but what hasn’t changed is state funding to support library technology and library networks. In fact, this funding is 36% lower than it was in 2001.

OCLN will launch the campaign during the week of January 14 and it will run for a month.

Wired to Reach You materials are available on the MBLC Awarehouse (link). Please contact Celeste Bruno or Matt Perry for more information.