{"id":1415,"date":"2023-10-27T11:30:39","date_gmt":"2023-10-27T15:30:39","guid":{"rendered":"https:\/\/mblc.state.ma.us\/mblc_blog\/?p=1415"},"modified":"2023-10-27T11:58:55","modified_gmt":"2023-10-27T15:58:55","slug":"cybersecurity-grants","status":"publish","type":"post","link":"https:\/\/mblc.state.ma.us\/mblc_blog\/2023\/10\/27\/cybersecurity-grants\/","title":{"rendered":"Networks Tackle Cybersecurity with MBLC State Grants"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"724\" src=\"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-content\/uploads\/2023\/10\/lookandlearn.com-YW025766V-1024x724.jpg\" alt=\"\" class=\"wp-image-1420\" srcset=\"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-content\/uploads\/2023\/10\/lookandlearn.com-YW025766V-1024x724.jpg 1024w, https:\/\/mblc.state.ma.us\/mblc_blog\/wp-content\/uploads\/2023\/10\/lookandlearn.com-YW025766V-300x212.jpg 300w, https:\/\/mblc.state.ma.us\/mblc_blog\/wp-content\/uploads\/2023\/10\/lookandlearn.com-YW025766V-768x543.jpg 768w, https:\/\/mblc.state.ma.us\/mblc_blog\/wp-content\/uploads\/2023\/10\/lookandlearn.com-YW025766V-1536x1087.jpg 1536w, https:\/\/mblc.state.ma.us\/mblc_blog\/wp-content\/uploads\/2023\/10\/lookandlearn.com-YW025766V-2048x1449.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Identity theft, ransomware attacks, phishing and other types of cyber-risks are dangers that have become part of our daily existence, both as library workers and digital citizens. &nbsp;In response, the websites we use now require multi-step logins, also known as multi-factor authentication or MFA.&nbsp; Changes are even more striking in the workplace. Many of us log into staff applications via a VPN, or virtual private network, involving multiple steps and a dedicated phone. 
While our systems providers try to streamline our workflows, our computers and work phones are locked down, requiring more work simply to begin work. &nbsp;Simple, shared passwords are a thing of the past. Data backup and recovery strategies are important for anyone using the internet, even casual home users.<\/p>\n\n\n\n<p>Two years ago, news of large-scale cyberattacks exploded in the national media. The <a href=\"https:\/\/www.energy.gov\/ceser\/colonial-pipeline-cyber-incident\">Colonial Pipeline<\/a> attack in May of 2021 stood out in particular.\u00a0 In July of 2021, I was made aware of some new guidance generated by New York State on ransomware attack prevention and response.\u00a0 I myself had just become a victim of a ransomware attack at home, through a security hole in my backup software; the irony did not escape me. My music files were locked up and held for ransom.\u00a0 At that time, I asked the <a href=\"https:\/\/mblc.state.ma.us\/programs-and-support\/library-networks\/index.php\">nine automated resource sharing networks<\/a> whether they were prepared. Were they confident with their cybersecurity posture? Were they on top of protecting core library services and patron data? 
Did they have the ability to quickly recover should they experience an attack?\u00a0 Should all the networks, possibly with help from the MBLC, work individually or together to improve network resilience in the face of seemingly inevitable cyberattacks?<\/p>\n\n\n\n<p>Three weeks later, on August 25<sup>th<\/sup>, 2021, the Boston Public Library (BPL) was hit by a <a href=\"https:\/\/www.bostonglobe.com\/2021\/08\/27\/metro\/bpl-hit-by-ransomware-attack-shutting-down-most-its-computer-network\/\">ransomware attack<\/a> which brought the BPL and Metro Boston Library Network systems down for a <a href=\"https:\/\/www.bpl.org\/news\/statement-technical-outage\/\">full week<\/a>.&nbsp; David Leonard, the President of the BPL, was kind enough to meet with network administrators a few weeks later to share lessons learned &#8212; to describe what had happened, how it might have happened, how the BPL had recovered, and what steps the library was taking to protect itself in future.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MBLC Awards State Cybersecurity Grants<\/h2>\n\n\n\n<p>The BPL attack showed how broadly disruptive a cyberattack can be on library services.\u00a0 Networks provide the mission-critical, core business functions on which every library operates. 
\u00a0When an attack occurs, patron records, the catalog and circulation system all become unavailable.\u00a0 Ancillary systems, email, websites, access to electronic resources may all be affected.<\/p>\n\n\n\n<p>The MBLC decided to offer a cybersecurity grant opportunity of up to $25,000 per network using state funds from account 7000-9506, Library Technology and Resource Sharing.&nbsp; In total, we awarded $181,093 to eight networks.&nbsp;&nbsp; The program ran from May 2022 through June 2023.<\/p>\n\n\n\n<p>Each network used grant funds to address its own priorities as each was in a different place in its thinking, planning and overall preparedness.&nbsp; To provide an overall framework, MBLC asked networks to categorize their activities according to the four goals laid out in the<a href=\"https:\/\/masscybercenter.org\/cyber-resilient-massachusetts\/minimum-baseline-cybersecurity-municipalities\"> Minimum Baseline of Cybersecurity for Municipalities<\/a> from <a href=\"https:\/\/masscybercenter.org\/\">MassCyberCenter<\/a>. 
Though designed for cities and towns, the framework proved equally well suited for a common perspective on network grant activities.<\/p>\n\n\n\n<p>The four goals are:<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<ol class=\"wp-block-list\" type=\"1\">\n<li><a href=\"https:\/\/masscybercenter.org\/goal-1-trained-and-cyber-secure-employees\">Trained and Cyber-Secure Employees<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/masscybercenter.org\/goal-2-improved-threat-sharing\">Improved Threat Sharing<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/masscybercenter.org\/goal-3-cyber-incident-response-planning\">Cyber Incident Response Planning<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/masscybercenter.org\/goal-4-secure-technology-environment-and-best-practices\">Secure Technology Environment and Best Practices<\/a><\/li>\n<\/ol>\n<\/div>\n\n\n\n<p>Not surprisingly, all eight participating networks addressed Goal 4. Providing technology is a network\u2019s bread and butter. Four networks also identified staff training, and one network focused on response planning.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>Minimum Baseline Goals<\/strong><\/td><td><strong>Network<\/strong><\/td><\/tr><tr><td>Trained and Cyber-Secure Employees<\/td><td>CW MARS, FLO, MVLC, SAILS<\/td><\/tr><tr><td>Improved Threat Sharing<\/td><td>&nbsp;<\/td><\/tr><tr><td>Cyber Incident Response Planning<\/td><td>SAILS<\/td><\/tr><tr><td>Secure Technology Environment and Best Practices<\/td><td>CLAMS, CW MARS, FLO, MBLN, MVLC, NOBLE, OCLN, SAILS<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/masscybercenter.org\/goal-1-trained-and-cyber-secure-employees\">Staff Training<\/a><\/h2>\n\n\n\n<p>It\u2019s almost a truism that human beings are the weakest link in the cybersecurity chain. Therefore, thorough training is essential. 
Besides a series of instructional sessions or webinars, training often includes a series of phishing tests. A security vendor will send out phishing emails or smishing texts (phishing via SMS) to see whether staff recognize the malicious messages or instead, open the message or message attachment, actions that might in the real world have led to a damaging security breach.&nbsp; FLO reports that their \u201cphish-prone percentage\u201d came down to 7.8% from a 50% mark (half of FLO staff) at the beginning of the program, and that since January 2023 no FLO staff member has clicked on a phishing email at all, easily surpassing FLO\u2019s objective of 5% originally set out in their grant application.<\/p>\n\n\n\n<p>MVLC experimented with a suite of free security training tools to gauge their effectiveness. Having obtained encouraging results in participation, they will consider making this part of their annual training regime in future.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/masscybercenter.org\/goal-3-cyber-incident-response-planning\">Cyber Incident Response Planning<\/a><\/h2>\n\n\n\n<p>SAILS undertook formal planning as part of the grant.&nbsp; SAILS\u2019 incident response plan, when complete, will cover the steps to be taken should there be a security breach. It will include who will be notified: the network attorney, the system vendor(s), the cybersecurity insurance provider, telecommunications support provider, the network internet service provider, and, of course, member libraries.<\/p>\n\n\n\n<p>The plan will address the following six phases:&nbsp;&nbsp; preparation, identification, containment, eradication, recovery, and lessons learned.<\/p>\n\n\n\n<p>SAILS recognizes the importance of sharing the plan with member libraries. 
An incident can start at the library.<\/p>\n\n\n\n<p>The Boston Public Library\/MBLN network, which had suffered that significant cybersecurity attack in 2021, hired a consultant to develop a security roadmap to improve its overall security posture. Preliminary direction will be guided by vulnerability scanning and penetration testing. BPL also intends to hire a full-time Cybersecurity Analyst.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/masscybercenter.org\/goal-2-improved-threat-sharing\">Improved Threat Sharing<\/a><\/h2>\n\n\n\n<p>No network explicitly identified threat sharing as a grant goal. &nbsp;However, as part of incident response planning, networks recognize that registering with regional and national threat resource centers, such as <a href=\"https:\/\/www.cisecurity.org\/ms-isac\">MS-ISAC<\/a>, the Multi-State Information Sharing and Analysis Center, and the <a href=\"https:\/\/www.cisa.gov\/about\/regions\/region-1\">New England regional office of CISA<\/a>, the Cybersecurity &amp; Infrastructure Security Agency, is critical. &nbsp;Networks will proactively hear about threats that might affect them and will know whom to inform should an attack happen to them. &nbsp;Networks will be better prepared to share threat information with each other in a timely fashion.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/masscybercenter.org\/goal-4-secure-technology-environment-and-best-practices\">Secure Technology Environment and Best Practices<\/a><\/h2>\n\n\n\n<p>The majority of grant-related work focused on ensuring that networks\u2019 core systems and backups were secure, and that shared work environments being accessed by both central site staff and library staff were controlled by technologies, policies and procedures to minimize risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Library System Hosting Environment<\/h3>\n\n\n\n<p>Two networks, CW MARS and NOBLE, had locally hosted library system servers. 
Recently, either as part of this grant, or slightly before, both networks had moved their servers into a Google Cloud environment under the management of <a href=\"https:\/\/mobiusconsortium.org\/moss\">Mobius Open-Source Solutions<\/a> (MOSS).\u00a0 Large-scale cloud hosts such as those provided by Google and Mobius bring assurances of a much more secure environment than any local installation could manage.\u00a0 This includes physical security, system and software patching, vulnerability testing, standards, access controls, authentication, and backup and restore options.<\/p>\n\n\n\n<p>Through a consultant, NOBLE audited the security of their servers\u2019 new home, and especially the cloud-hosted data backups.&nbsp; NOBLE\u2019s consultant provided a series of recommendations back to Mobius that should benefit not only NOBLE and CW MARS, but other similarly situated library systems as well. NOBLE also now takes more frequent system backups, housing them in a separate location, a more secure approach.<\/p>\n\n\n\n<p>CLAMS took a hard look at the hosting environment for their new Koha\/Aspen Discovery library system from Bywater Systems. Bywater has tested incident response and business continuity plans.&nbsp; Bywater had several recommendations for CLAMS, including the use of a reverse proxy server, regular vulnerability scans, an intrusion detection and prevention system, and IP access control for all Koha admin interfaces.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Equipment Replacement<\/h3>\n\n\n\n<p>OCLN and NOBLE replaced older routers in member libraries with state-of-the-art advanced firewalls that included intrusion prevention features. 
Intrusion prevention systems proactively check for real-time threats or attacks and take action to stop the activity.\u00a0 The new routers will better protect not only the network, but also local library LANs, attached equipment and data.<\/p>\n\n\n\n<p>The change to remote or hybrid work environments that we\u2019ve seen over the last three years means that staff are no longer necessarily accessing the library system through library-owned computers on library-managed LANs.\u00a0 As part of the grant, networks focused on ensuring that secure VPN connections are always used by both central site and library staff.\u00a0 The newly purchased firewalls have made possible simplified VPN sessions for staff working remotely, and a much more manageable overall VPN environment for central site. As an example, OCLN reports that it now has single-sign-on capabilities through Google, so that staff can sign onto the VPN via a regular browser and using the same credentials that they use for Google Workspace.\u00a0 And no more shared passwords among library staff!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Staff Applications: Google Workspace and Microsoft 365<\/h3>\n\n\n\n<p>Central site and numerous library staff use shared applications.\u00a0 Several audits found that access to Google Workspace and Microsoft 365 needed better access controls. 
A clear, near-term goal is to enforce multi-factor authentication for administrative users and, if possible, extend the requirement to all library staff.\u00a0 CLAMS purchased MFA \u201csecurity keys,\u201d small USB devices, for all staff to use when working remotely.\u00a0 Security keys obviate the need for passwords and thereby avoid the danger of phishing attacks designed to capture passwords.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span style=\"mso-fareast-font-family: 'Times New Roman';\">Password Strengthening and Management<\/span><\/h3>\n\n\n\n<p>CW MARS obtained a business class password management platform which enabled password strength to be audited.&nbsp; By the end of the grant period, they reported that for central site staff, \u201cOur average password strength was 94%. 0% of staff had a weak master password. 0% of staff had a reused password.\u201d&nbsp; Based on its security audit, MVLC intends to pursue a similar solution.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Email<\/h3>\n\n\n\n<p>Tighter network email attachment policies, better email verification via mailing system standards &#8212;<a href=\"https:\/\/en.wikipedia.org\/wiki\/DomainKeys_Identified_Mail\">DKIM<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/DMARC\">DMARC<\/a> in particular&#8211; have been identified as ways to improve trust in email messages both coming into libraries and going out.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Penetration Testing and review by 3<sup>rd<\/sup> party<\/h3>\n\n\n\n<p>FLO was one of several networks that did vulnerability testing. FLO really dug into this issue, using Open Source Intelligence (OSINT) techniques to see whether there was information on potentially harmful attack vectors \u201cout there\u201d on the internet that might impact FLO\u2019s systems. 
As a result, among other actions, they decommissioned an outdated server running an old operating system.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Not Just the Central Site &#8211; Including Member Libraries<\/h3>\n\n\n\n<p>Though some projects focused exclusively on central site systems and staff, others had broader reach. For example, MVLC\u2019s security audit included 28 of its member libraries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Next Steps<\/h2>\n\n\n\n<p>Every year, the MBLC provides <a href=\"https:\/\/mblc.state.ma.us\/programs-and-support\/library-networks\/grants-to-networks.php\">network infrastructure grants<\/a> from account 9506.\u00a0 For FY24, the total grant round was increased by 33% to $400,000.\u00a0 Cybersecurity investments are now allowable expenditures under this grant.\u00a0\u00a0 The initial MBLC cybersecurity grant round kicked off an ongoing process. Networks will take what they learned and, at the very least, invest in training, planning, plugging holes, updating policies, communicating cybersecurity roles and responsibilities to member libraries, and working together with their peers across the state to make Massachusetts libraries, resources, and library patron information safer and more secure.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Main Image: <a href=\"https:\/\/www.lookandlearn.com\/history-images\/YW025766V\/Lightning-striking-a-rural-building-during-a-storm-onlookers-react-in-terror\" data-type=\"link\" data-id=\"https:\/\/www.lookandlearn.com\/history-images\/YW025766V\/Lightning-striking-a-rural-building-during-a-storm-onlookers-react-in-terror\">Lightning striking a rural building during a storm: onlookers react in terror. Engraving, 16 \u2013. Weather. Lightning. 
Work ID: hfz9n5qe<\/a> : under <a href=\"https:\/\/creativecommons.org\/licenses\/by\/4.0\/\">CC BY 4.0<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Identity theft, ransomware attacks, phishing and other types of cyber-risks are dangers that have become part of our daily existence, both as library workers and digital citizens. &nbsp;In response, the websites we use now require multi-step logins, also known as multi-factor authentication or MFA.&nbsp; Changes are even more striking in the workplace. Many of us [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[195,175],"tags":[],"class_list":["post-1415","post","type-post","status-publish","format-standard","hentry","category-grant-opportunity","category-networks"],"_links":{"self":[{"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/posts\/1415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/comments?post=1415"}],"version-history":[{"count":18,"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/posts\/1415\/revisions"}],"predecessor-version":[{"id":1435,"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/posts\/1415\/revisions\/1435"}],"wp:attachment":[{"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/media?parent=1415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mblc.s
tate.ma.us\/mblc_blog\/wp-json\/wp\/v2\/categories?post=1415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mblc.state.ma.us\/mblc_blog\/wp-json\/wp\/v2\/tags?post=1415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}