A vulnerability is a weak spot in your network that might be exploited by a security threat. Risks are the potential consequences and impacts of unaddressed vulnerabilities. In other words, failing to do Windows Updates on your Web server is a vulnerability. Some of the risks associated with that vulnerability include loss of data, hours or days of site downtime and the staff time needed to rebuild a server after it’s been compromised.
Before you start searching around for weak spots in your network, we suggest you first review our Where and How to Find Vulnerabilities tool.
- Understand common attacks. Attacks on and within your network come in many different varieties. Many times the attackers do not even know who they are attacking, but there are instances of networks or organizations that are specifically targeted. Learning the different methods used to compromise computers and networks will give you the necessary perspective to proceed.
- Inventory your vulnerabilities. Establish a full list of potential vulnerabilities. Take special care to identify anything unknown about your network. For example, a library new to network security might think they have a “firewall” while they might just have a router provided by their ISP. For more on this topic, read 10 Steps to Creating Your Own IT Security Audit.
- Use vulnerability scanning tools. Many tools exist to check the existing security state of your network. These tools check for open ports, unpatched software and other weaknesses. Some of these programs focus on a specific machine, while others can scan your entire network. Microsoft offers one such tool, the Microsoft Baseline Security Analyzer. This tool checks for updates and common configuration errors for Microsoft products. Nmap is another popular, free scanning program. For more about Nmap and other vulnerability scanning tools, see Further Resources.
- Assess the risks. The various vulnerabilities on your network represent potential costs — time, money and assets — to your library. These costs, along with the chance someone will exploit these vulnerabilities, help determine the level of risk involved. Risk assessment is a combination of both quantifying (the cost of the threat) and qualifying (the odds of the attack). Each library will have to determine its own tolerance for risk depending on the situation. Some examples are provided here.
- Patron information: Having your patron data compromised is unacceptable for any library. You would need to design your network and implement security to minimize this risk. While you can almost never remove risk completely, you can reduce risk to very low levels.
- Slow Internet connection: A library shares an Internet connection between public networks and staff networks. Since the cost of adding another Internet connection, increasing the speed of the current connection or purchasing complex network monitoring equipment might be prohibitive, the library has a higher tolerance for a periodically slow Internet connection. Another library hosts its own Web site, online catalogue and email server, which require a more stable Internet connection, so a much lower tolerance for this risk exists.
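The risk-assessment step above combines a quantified cost with a qualified likelihood and then compares the result against a tolerance that each library sets for itself. The following is an added example, not part of the original article or any tool it names; the inventory entries, dollar figures and likelihoods are constructed for illustration, and the two tolerance tables stand in for the two libraries described in the slow-connection example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    annual_likelihood: float  # qualifying the threat: estimated odds of exploitation per year (0..1)
    cost_if_exploited: float  # quantifying the threat: dollars, including staff time and downtime

    def expected_annual_loss(self) -> float:
        # Risk = likelihood x cost; this is the figure ranked and compared against tolerance
        return round(self.annual_likelihood * self.cost_if_exploited, 2)


def assess_risks(vulns, tolerance, default_tolerance):
    """Rank vulnerabilities by expected annual loss (highest first) and flag each one
    whose loss exceeds this library's tolerance, in dollars of expected loss per year."""
    ranked = sorted(vulns, key=lambda v: v.expected_annual_loss(), reverse=True)
    return [
        {
            "name": v.name,
            "expected_annual_loss": v.expected_annual_loss(),
            "above_tolerance": v.expected_annual_loss() > tolerance.get(v.name, default_tolerance),
        }
        for v in ranked
    ]


# Constructed inventory with illustrative estimates only (not real figures)
INVENTORY = [
    Vulnerability("unpatched Web server", 0.50, 4000),            # rebuild time plus site downtime
    Vulnerability("patron data exposure", 0.05, 50000),           # notification, legal, lost trust
    Vulnerability("slow shared Internet connection", 0.90, 500),  # staff productivity loss
]

# Constructed tolerances: a branch that shares a connection and hosts nothing,
# and a library that hosts its own Web site, catalogue and email server.
BRANCH_TOLERANCE = {"patron data exposure": 100, "slow shared Internet connection": 1000}
HOSTING_TOLERANCE = {"patron data exposure": 100, "slow shared Internet connection": 200}


def branch_assessment():
    return assess_risks(INVENTORY, BRANCH_TOLERANCE, default_tolerance=1500)


def hosting_assessment():
    return assess_risks(INVENTORY, HOSTING_TOLERANCE, default_tolerance=1500)


if __name__ == "__main__":
    for label, report in (("branch", branch_assessment()), ("hosting", hosting_assessment())):
        print(label)
        for row in report:
            flag = "ABOVE tolerance" if row["above_tolerance"] else "acceptable"
            print(f"  {row['name']:<32} ${row['expected_annual_loss']:>8.2f}  {flag}")
```

The same slow-connection entry comes out as acceptable for the branch and above tolerance for the hosting library, which is the point of setting tolerance per library rather than per vulnerability.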
Stories from the Field
The issue we have is that we have the public accessing the Internet on a network that needs to be secured due to the nature of some of the county businesses. We don't know that we've had any security breaches, but the potential is there. So the manager of our county IS Department has requested that our public computers be moved off of the county network. So we are in the process of moving to a cable modem system. Both our wireless and our public computers will be operating directly through Comcast.
Claire Stafford
Madelyn Helling Library, CA
I can see a lot of reasons for having an Active Directory, but the chief one is authentication, and our staff is really very reluctant to do things like change passwords. For instance, our integrated library system, we would be able to have each clerk log on with a personal password. And then, when that person left our employment, you could get rid of the password. It would be a lot more secure.
Bob Bjornson
Jefferson-Madison Regional Library, VA
To learn more about network security vulnerability threats, check out the Further Resources section.