SURVIVING A SERVER HACK: LESSONS LEARNED & WAYS TO SECURE YOUR SYSTEM. Lou Balek, Information Security Specialist; Marie Martino, Systems and Catalog Services Librarian. WILIUG SPRING CONFERENCE 2015


Page 1

SURVIVING A SERVER HACK: LESSONS LEARNED & WAYS TO SECURE YOUR SYSTEM

Lou Balek, Information Security Specialist

Marie Martino, Systems and Catalog Services Librarian

WILIUG SPRING CONFERENCE 2015

Page 2

MORAINE VALLEY COMMUNITY COLLEGE

• 2-year public community college in the SW suburbs just outside Chicago

• Spring 2015

  • FTE: 9,066

  • Headcount: 15,293

• Collection:

  • 111,000+ items

• Recently moved from Turnkey to Software Only Site

• Millennium, 2011

Page 3

SysLib’s Log: Stardate 68421.4 (December 15, 2014)

3:31pm – call from IT about excessive traffic on server / iii contacted

4:51pm – Millennium is reported down / iii contacted again

6:55pm – iii contacted with request to follow up

Page 4

H A C K E D!

Page 5

SysLib’s Log: Stardate 68421.4 (December 15, 2014)

7:53pm – sent email to key staff with iii update; early morning meeting scheduled

8:55pm – strategic communication approved and sent out to public about the system being down

Page 6

REBUILDING PROCESS

iii disables Millennium and the ability to restart it

IT takes server offline

IT wipes server

IT reinstalls OS & iii reinstalls Millennium

iii restores the DB

IT brings server back online

All of us test

All of us (re)configure

All of us deal with lingering/hidden issues

Page 7

DB RESTORATION

Bumpy start to the process seemed to set the tone for the remainder

System was completely down about 43.5 hours

Core public services were fully restored first* (catalog, WAM)

Millennium back end was partially operational after additional 12 hours (early post-reconfig, testing, and fresh backup)

Some components needed to be pieced back together

Took a full month to recover

*Well, mostly, if you don’t count Encore, more on that later . . .

Page 8

CHALLENGES

Timing Issues

Never a good time for a hack . . .

Finals Week

Just before our winter break (closed for 2 weeks), but also lowest usage time

Encore server hardware failure, in the same week!

Page 9

CHALLENGES

Preparation

Didn’t have a “disaster” plan

Library had a new relationship with IT Dept and iii after recent Millennium server migration

Hindsight is 20/20

Page 10

CHALLENGES

Restoration is not immediate, nor is it without consequence

Technical hiccups & glitches & snafus (oh my!) happen and slow down the process

Possibility of data loss

May have to reconfigure a number of system settings, like starting from scratch

Page 11

BROKEN “STUFF”

Transactional data loss

Reset all system passwords

Thousands of locked records

Broken OCLC connections

ILL problems:

  Requests lost and broken

  WEBPAC forms failed/locking

  ILL/OCLC connection broken

  illoptions form reconfig (for mapping to the OCLC form)

Route statements for Encore had to be restored

Diacritics missing

Reconnecting web services (patron sync)

Ongoing issue with backups/enterprise API

WebBridge settings lost

Page 12

CHALLENGES

Communication/Coordination

Lots of hands working in different places/different time zones

Logistical issues cropped up during initial restore and beyond

Project hand-offs were not always smooth

Page 13

CHALLENGES

Communication/Coordination (cont.)

Needed a PM on the iii side! At least flag our account in the system!

Ultimately increased the amount of time needed to fully recover the system

Defining expectations (urgency/priority)

Emotions running high at all levels, across the organization

Page 14

CHALLENGES

Users

Managing communication with the public

Depending on the data you keep about patrons, you may have to address the stolen-data issue

Patron trust?

Page 15

LESSONS LEARNED

Complacency is your worst enemy—have a plan in place!

Communication/coordination with ALL stakeholders is key—state needs/expectations explicitly.

Advocate for your system, doggedly, if expectations are not being met, and reach out to those who can help.

Remember, the restoration process takes time. Be prepared for “bumps in the road,” possible data loss, and configuration issues.

Prioritize services--users first!

Yes, it can get worse before it gets better (but it will get better).

Document the process – learn from previous incidents.

Get to know your Security Specialist!

Page 16

MILLENNIUM/SIERRA SECURITY TIPS

http://innovativeusers.org/past-iug-conferences.html

IUG 2012 A03: Security 101 for System Administrators, presented by Daniel Ferrer from Central Michigan U and Doug Randall, iii

http://csdirect.iii.com/documentation/presentation_archive.php

IUG 2014 D09: Security 101 for System Administrators, presented by Chris Pettibon and Doug Randall, iii

Page 17

ATTACKS ON WEEK

42 Bash OS Vulnerability attack

Over 15 different countries

Page 18

TOOLS OF THE TRADE

Firewall

Vulnerability scanner

OS / software patches

Logging events

IP blocking

Page 19

NEXT-GENERATION FIREWALLS

Next-generation firewalls combine application awareness and deep packet inspection to give companies more control over applications while also detecting and blocking malicious threats.

Page 20

NESSUS

Vulnerability scanner for auditors and security analysts.

Patch Auditing

Risk Assessment

Page 21

OS / SOFTWARE PATCHES

OS updates include new features and bug fixes

Page 22

LOGGING EVENTS

When an event happens, write it to the log file

Login events

Process events

Page 23

IP BLOCKING

Blacklist

By event type

By country
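The login-event logging on the previous slide and the blocklist-by-event-type and by-country idea on this one, put together as an added Python example (not code from the presentation, nor from any tool it names). It assumes sshd-style auth log lines; the sample lines, the IP ranges, the allowlisted admin address and the GEO_TABLE stand-in for a real GeoIP database are all constructed.

```python
"""Turn login events from a syslog-style auth log into an IP blocklist.

Added example, not from the presentation. Assumes sshd-style log lines;
the sample lines, IP ranges and country table below are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One sshd login line looks like:
#   ... sshd[PID]: Failed password for [invalid user ]NAME from IP port N ssh2
#   ... sshd[PID]: Accepted publickey for NAME from IP port N ssh2
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Dec 15 15:20:01 ils sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4011 ssh2
Dec 15 15:20:03 ils sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4012 ssh2
Dec 15 15:20:05 ils sshd[2101]: Failed password for root from 203.0.113.7 port 4013 ssh2
Dec 15 15:20:07 ils sshd[2101]: Failed password for root from 203.0.113.7 port 4014 ssh2
Dec 15 15:20:09 ils sshd[2101]: Failed password for root from 203.0.113.7 port 4015 ssh2
Dec 15 15:21:00 ils sshd[2105]: Accepted publickey for syslib from 192.0.2.10 port 5000 ssh2
Dec 15 15:22:00 ils sshd[2110]: Failed password for syslib from 192.0.2.10 port 5001 ssh2
Dec 15 15:23:00 ils sshd[2115]: Failed password for root from 198.51.100.9 port 6000 ssh2
"""

# Constructed stand-in for a GeoIP database: network -> country label.
# In practice this lookup comes from a maintained GeoIP database.
GEO_TABLE = {
    ip_network("192.0.2.0/24"): "HOME",
    ip_network("203.0.113.0/24"): "COUNTRY_A",
    ip_network("198.51.100.0/24"): "COUNTRY_B",
}


def parse_login_events(text):
    """Return one dict per login line: outcome, method, user, ip."""
    events = []
    for line in text.splitlines():
        match = LOGIN_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def failed_logins_per_ip(events):
    """Count failed login events per source IP (blocking 'by event type')."""
    return Counter(e["ip"] for e in events if e["outcome"] == "Failed")


def country_of(ip, table=GEO_TABLE):
    """Map an IP to a country label using the (constructed) table."""
    addr = ip_address(ip)
    for net, country in table.items():
        if addr in net:
            return country
    return "UNKNOWN"


def build_blocklist(events, threshold=5, blocked_countries=(), allow=()):
    """Block by event type (>= threshold failed logins) and by country.

    Returns {ip: reason}. Addresses in `allow` (e.g. the admin network)
    are never blocked, so a typo'd admin password cannot lock staff out.
    """
    blocklist = {}
    for ip, count in failed_logins_per_ip(events).items():
        if count >= threshold and ip not in allow:
            blocklist[ip] = f"{count} failed logins (>= {threshold})"
    for ip in {e["ip"] for e in events}:
        if ip in blocklist or ip in allow:
            continue
        country = country_of(ip)
        if country in blocked_countries:
            blocklist[ip] = f"country policy ({country})"
    return blocklist


if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    decisions = build_blocklist(
        events, blocked_countries={"COUNTRY_B"}, allow={"192.0.2.10"}
    )
    for ip, reason in decisions.items():
        print(f"block {ip}: {reason}")
```

The output of this script is the input to whatever actually enforces the block (a firewall rule or a host deny list); keeping the decision logic separate from enforcement makes the threshold and the country policy easy to review and to tune from the logs themselves.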

Page 24

OPEN-SOURCE SOFTWARE

OSS is computer software with its source code made available under a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose.

Page 25

OPEN-SOURCE TOOLS

OpenVAS - vulnerability scanner

Snort - lightweight network intrusion detection system

OSSEC - open-source host-based intrusion detection system

Graylog2 - log analyzer for searching through log errors

Page 26

ANY QUESTIONS?

Page 27

THANKS!

Lou Balek

[email protected]

Marie Martino

[email protected]