- WEBVTT
- 1
- 00:02:38.430 --> 00:02:39.090
- Nick Fowler: You're on mute.
- 2
- 00:02:40.620 --> 00:02:41.130
- Nick Fowler: Or unmute.
- 3
- 00:02:50.400 --> 00:02:50.700
- All right.
- 4
- 00:02:53.040 --> 00:03:10.770
- Okere, Kelechi N. (ELS-NYC): Hello, everyone. Thank you. Thank you for joining us. Welcome to the SNSI Security Summit. My name is Kelechi Okere. I am the Global Director of Elsevier's SeamlessAccess initiative and the co-moderator of this event, along with my colleague Daniel Ascher from Springer Nature.
- 5
- 00:03:12.270 --> 00:03:18.840
- Okere, Kelechi N. (ELS-NYC): Before introducing the speaker for our opening remarks, I'd like to go over some program logistics.
- 6
- 00:03:19.830 --> 00:03:34.950
- Okere, Kelechi N. (ELS-NYC): The theme of today's event is "Cybersecurity Landscape: Protecting the Scholarly Infrastructure." Speaker bios are available on the SNSI website; you can scan the QR code that you see on your screen to get to the website.
- 7
- 00:03:36.120 --> 00:03:40.890
- Okere, Kelechi N. (ELS-NYC): You can also access the website by clicking on the link in the chat box.
- 8
- 00:03:43.080 --> 00:04:00.090
- Okere, Kelechi N. (ELS-NYC): The program today will run from 11am Eastern Standard Time until 3:30pm Eastern Standard Time, and the hashtag for this event is SNSI Security 2020, so please do engage on social media with the hashtag.
- 9
- 00:04:04.500 --> 00:04:24.510
- Okere, Kelechi N. (ELS-NYC): Again, the purpose of this virtual Security Summit by the Scholarly Networks Security Initiative, SNSI for short, is to discuss security threats to the research ecosystem, with the aim of engendering closer collaboration between publishers and academics in dealing with the threats.
- 10
- 00:04:25.680 --> 00:04:37.140
- Okere, Kelechi N. (ELS-NYC): So just to go over the program today: we've assembled a list of fantastic experts on this subject to speak to you, and we hope you'll enjoy their presentations.
- 11
- 00:04:37.920 --> 00:04:50.430
- Okere, Kelechi N. (ELS-NYC): We'll start with opening remarks by Nick Fowler, who is the Chief Academic Officer at Elsevier. He will be followed by Corey Roach, who is the CISO at the University of Utah.
- 12
- 00:04:52.050 --> 00:05:03.210
- Okere, Kelechi N. (ELS-NYC): Corey will then be followed by Crane Hassold, who's a former FBI agent and currently the Senior Director of Threat Research at Agari, and he'll talk to us about
- 13
- 00:05:03.810 --> 00:05:17.790
- Okere, Kelechi N. (ELS-NYC): Sci-Hub and other state-sponsored or individual bad actors. Then we'll break for lunch. Well, lunch for those of us in the US, and a break for those of you abroad.
- 14
- 00:05:18.510 --> 00:05:28.710
- Okere, Kelechi N. (ELS-NYC): When we come back, we'll hear from Linda Van Keuren, who's the Assistant Dean for Resources and Access Management at the Dahlgren Memorial Library, Georgetown University Medical Center.
- 15
- 00:05:29.700 --> 00:05:38.670
- Okere, Kelechi N. (ELS-NYC): She'll talk to us about library patron security and why it's important. Then we'll hear from Joe DeMarco, who is a partner at DeVore & DeMarco LLP,
- 16
- 00:05:39.180 --> 00:05:47.850
- Okere, Kelechi N. (ELS-NYC): about foreign interference in academia. We'll have a break, and after the break we'll hear from Tim Lloyd, CEO of LibLynx,
- 17
- 00:05:48.360 --> 00:06:02.100
- Okere, Kelechi N. (ELS-NYC): who will talk to us about federated authentication and how that helps with security. Then, to round things out, we'll have a roundtable discussion moderated by Rick Anderson, University Librarian at Brigham Young University.
- 18
- 00:06:03.300 --> 00:06:15.630
- Okere, Kelechi N. (ELS-NYC): Then we'll have the closing remarks and other logistics. The closing remarks will be given by Steven Inchcoombe, who is the Chief Publishing and Solutions Officer at Springer Nature.
- 19
- 00:06:17.490 --> 00:06:33.960
- Okere, Kelechi N. (ELS-NYC): I want to thank my colleagues at Elsevier, Springer Nature, Taylor & Francis, Brigham Young University and HP just associates who contributed to putting this program together. I also want to thank our speakers for the generosity of their time and expertise.
- 20
- 00:06:35.490 --> 00:06:47.250
- Okere, Kelechi N. (ELS-NYC): Just to get started: in the days of in-person conferences, you always got a feel of the room by just looking around and seeing who's in there and talking to people.
- 21
- 00:06:47.730 --> 00:06:58.290
- Okere, Kelechi N. (ELS-NYC): So today, in terms of registrations, we'll have about 16 countries represented, about 56 universities, 16 publishers and 13 other types of
- 22
- 00:06:58.740 --> 00:07:10.290
- Okere, Kelechi N. (ELS-NYC): organizations in total. And we got some last-minute registrations, which has brought us to about 165, so hopefully all of those people showed up.
- 23
- 00:07:11.730 --> 00:07:21.630
- Okere, Kelechi N. (ELS-NYC): Just some housekeeping tips. Again, we thank you for joining. Everyone is on mute; the webcast audio will be broadcast through your computer speakers.
- 24
- 00:07:22.500 --> 00:07:33.300
- Okere, Kelechi N. (ELS-NYC): We ask you to check your volume and mute function if you cannot hear the webcast. The recording will be available on the SNSI website, and you'll receive a link to it after the event.
- 25
- 00:07:35.130 --> 00:07:47.160
- Okere, Kelechi N. (ELS-NYC): Please use the Q&A box to post questions for panelists. Except for two presenters, questions will be addressed during the roundtable; panelists will also answer some questions as we go.
- 26
- 00:07:48.900 --> 00:07:58.260
- Okere, Kelechi N. (ELS-NYC): And also use the chat box for comments and general conversation. Again, try not to pose questions in the chat box, because questions can tend to get lost there.
- 27
- 00:08:00.030 --> 00:08:10.110
- Okere, Kelechi N. (ELS-NYC): Now for the opening remarks, I'd like to introduce you to Nick Fowler, who is the Chief Academic Officer at Elsevier and also the co-chair of SNSI. Thank you.
- 28
- 00:08:12.030 --> 00:08:23.250
- Nick Fowler: Thank you. And thank you all for joining us today. It's a real pleasure to be here, but I'll take just a couple of minutes to kick us off, so we can get into the substance of today's sessions.
- 29
- 00:08:24.240 --> 00:08:40.470
- Nick Fowler: We're here today because each one of us is a stakeholder in the scholarly ecosystem, and IT security is important to all of us. During the pandemic, we've seen news articles on hackers targeting universities, especially in the US, Canada and UK,
- 30
- 00:08:41.550 --> 00:08:49.320
- Nick Fowler: trying to steal COVID-19 vaccine research and other assets. Sadly, this is no surprise. Education is the
- 31
- 00:08:50.370 --> 00:09:04.830
- Nick Fowler: largest sector targeted by cyber attacks, putting our industry ahead of the retail sector. University systems, for example, routinely store a tremendous amount of personal data, making them dangerously attractive targets.
- 32
- 00:09:06.300 --> 00:09:14.370
- Nick Fowler: The UK's National Cyber Security Centre last year published its first report on cyber threats to UK universities.
- 33
- 00:09:14.970 --> 00:09:33.270
- Nick Fowler: The report noted that some of the effects of state-sponsored espionage include damage to the value of research, notably in STEM subjects, a fall in investment by the public or private sector in affected universities, and damage to the UK's knowledge advantage.
- 34
- 00:09:34.470 --> 00:09:54.180
- Nick Fowler: Earlier this year, the White House's Office of Science and Technology Policy, or OSTP, gave a presentation on foreign interference. Among the key takeaways was that hidden diversions of intellectual property weaken the US innovation base and threaten our security and economic competitiveness.
- 35
- 00:09:55.770 --> 00:10:02.700
- Nick Fowler: This is why the Scholarly Networks Security Initiative, or SNSI for short, was formed:
- 36
- 00:10:03.870 --> 00:10:15.960
- Nick Fowler: to bring together librarians, academic technology and security experts, publishers large and small, learned societies and anyone with an interest in the scholarly ecosystem.
- 37
- 00:10:16.860 --> 00:10:27.000
- Nick Fowler: Together, we aim to solve the cyber challenges threatening the integrity of the scientific record, of scholarly systems and the safety of personal data.
- 38
- 00:10:28.560 --> 00:10:43.470
- Nick Fowler: So we thank you for your time today. We hope what we hear today will inspire and foster greater collaboration between all of us, so we can make progress against these very serious challenges. I'd like to hand back to Kelechi to introduce our first speaker. Thank you.
- 39
- 00:10:45.960 --> 00:10:47.220
- Okere, Kelechi N. (ELS-NYC): All right. Thank you, Nick.
- 40
- 00:10:49.590 --> 00:10:53.400
- Okere, Kelechi N. (ELS-NYC): Before we introduce our first speaker, I'd like to just
- 41
- 00:10:55.080 --> 00:10:56.820
- Okere, Kelechi N. (ELS-NYC): present you with a poll.
- 42
- 00:10:57.900 --> 00:11:00.840
- Okere, Kelechi N. (ELS-NYC): So you should just see the poll on your screen.
- 43
- 00:11:02.100 --> 00:11:06.420
- Okere, Kelechi N. (ELS-NYC): And I'll give it a couple of minutes. I encourage everyone to
- 44
- 00:11:08.130 --> 00:11:15.390
- Okere, Kelechi N. (ELS-NYC): participate in the poll. We'd just like to get an idea of where people are on this topic.
- 45
- 00:11:27.510 --> 00:11:36.690
- Nick Fowler: Let me, for some reason I'm getting a note saying hosts and panelists cannot vote. So I'm not sure if something needs to be activated, or if we've been intercepted already.
- 46
- 00:11:38.190 --> 00:11:39.540
- Okere, Kelechi N. (ELS-NYC): Yeah, no, I
- 47
- 00:11:41.460 --> 00:11:43.380
- Okere, Kelechi N. (ELS-NYC): think that's intentional, that
- 48
- 00:11:44.430 --> 00:11:45.990
- Okere, Kelechi N. (ELS-NYC): the panelists can participate.
- 49
- 00:11:48.420 --> 00:11:48.840
- Nick Fowler: Okay.
- 50
- 00:11:48.900 --> 00:11:49.530
- Good, yeah.
- 51
- 00:11:50.790 --> 00:11:53.790
- Nick Fowler: I'm glad you kept me honest here. Thank you.
- 52
- 00:11:54.240 --> 00:11:54.690
- Yeah.
- 53
- 00:12:03.930 --> 00:12:07.920
- Okere, Kelechi N. (ELS-NYC): Alright, 69% of everyone has voted.
- 54
- 00:12:09.060 --> 00:12:16.920
- Okere, Kelechi N. (ELS-NYC): I just want to leave it open for a few more seconds, just encouraging everyone else to vote.
- 55
- 00:12:18.840 --> 00:12:19.980
- Okere, Kelechi N. (ELS-NYC): See if we can get
- 56
- 00:12:22.080 --> 00:12:24.570
- Okere, Kelechi N. (ELS-NYC): it above 70% participation.
- 57
- 00:12:34.470 --> 00:12:40.080
- Okere, Kelechi N. (ELS-NYC): Awesome. So we're now up to 74%. A few more if you want, please.
- 58
- 00:12:45.120 --> 00:12:47.940
- Okere, Kelechi N. (ELS-NYC): And then I'll show you the results as well.
- 59
- 00:12:49.620 --> 00:12:55.980
- Okere, Kelechi N. (ELS-NYC): Alright, so just a few more seconds here and then I'll close the poll and show you the results.
- 60
- 00:13:00.630 --> 00:13:01.110
- Okere, Kelechi N. (ELS-NYC): Alright.
- 61
- 00:13:07.770 --> 00:13:08.670
- Okere, Kelechi N. (ELS-NYC): Alright, so
- 62
- 00:13:11.100 --> 00:13:23.910
- Okere, Kelechi N. (ELS-NYC): The question: how concerned are you that cybersecurity is a threat to the scholarly infrastructure? And by infrastructure we mean how peer-reviewed literature, low prices content, is shared, funded and trusted.
- 63
- 00:13:25.320 --> 00:13:32.430
- Okere, Kelechi N. (ELS-NYC): 60% of you said "I think about this issue a lot." So this is really good to see, that, you know,
- 64
- 00:13:34.230 --> 00:13:40.530
- Okere, Kelechi N. (ELS-NYC): yeah, you know, the majority of people here are thinking about this a lot, so
- 65
- 00:13:42.510 --> 00:13:47.010
- Okere, Kelechi N. (ELS-NYC): with this, we can then get started and I'll
- 66
- 00:13:48.090 --> 00:13:52.650
- Okere, Kelechi N. (ELS-NYC): call upon my colleague Daniel Ascher to introduce our speaker.
- 67
- 00:13:54.570 --> 00:14:05.970
- Daniel Ascher: Thank you, Kelechi and Nick. So for our keynote speaker, we will now be starting with Corey Roach, the Chief Information Security Officer from the University of Utah. Take it away.
- 68
- 00:14:10.710 --> 00:14:15.120
- Corey Roach: Good morning everyone, or afternoon for our friends in Europe.
- 69
- 00:14:16.410 --> 00:14:18.420
- Corey Roach: Let's see if we can get this up on the screen.
- 70
- 00:14:21.630 --> 00:14:22.320
- Right.
- 71
- 00:14:27.240 --> 00:14:32.400
- Corey Roach: So as Daniel mentioned, I am Corey Roach, the Chief Information Security Officer for the University of Utah.
- 72
- 00:14:32.850 --> 00:14:42.390
- Corey Roach: I joined the University of Utah about 22 years ago. I kind of came up through the technical ranks, and I've focused on information security for much of that time.
- 73
- 00:14:43.290 --> 00:14:50.820
- Corey Roach: When I started with the university, there were basically three of us in the information security office for the entire University of Utah.
- 74
- 00:14:51.300 --> 00:14:59.700
- Corey Roach: Now we have 34 employees, plus a handful of student interns. I give you a little bit of that background just because I wanted you to understand that,
- 75
- 00:15:00.090 --> 00:15:06.900
- Corey Roach: while I'm not a librarian or a researcher or a publisher, and therefore I don't know everything that is going on in this field,
- 76
- 00:15:07.440 --> 00:15:17.040
- Corey Roach: I do know a lot about the threats that you are up against, and I can tell you that, as the saying goes, the chain is only as strong as the weakest link.
- 77
- 00:15:17.790 --> 00:15:27.420
- Corey Roach: Unfortunately, in the chain of authors, publishers and researchers, the information security around libraries providing access to that research is a pretty weak link.
- 78
- 00:15:28.860 --> 00:15:41.760
- Corey Roach: So hopefully, by the end of this presentation, someone will tell me that maybe they're way ahead of me. Or maybe they like what we've brought up here and it's something they want to work along the lines of, or maybe it'll just get you thinking and you'll have an idea that's even better.
- 79
- 00:15:43.950 --> 00:15:53.820
- Corey Roach: So when I was asked to talk about this topic, actually, I thought it probably wasn't a terribly interesting one, to be honest. But as I researched it, it kind of became more and more
- 80
- 00:15:54.360 --> 00:16:11.790
- Corey Roach: intriguing as I got into the details of it. And just to restate part of the problem, as Nick mentioned, we're concerned partly about the theft of data and the reduction of its value, and disrupting that publishing model, which has a lot of knock-on and downstream effects.
- 81
- 00:16:12.810 --> 00:16:23.580
- Corey Roach: It's an interesting problem, partly because there are unique privacy requirements here. There are lots of industries requiring privacy for one aspect or another, but not very many where the
- 82
- 00:16:25.380 --> 00:16:31.020
- Corey Roach: consumer is kind of anonymized from the provider, where they don't actually see all of their customers.
- 83
- 00:16:32.100 --> 00:16:39.960
- Corey Roach: The assets involved can be fragile. The rate of devaluation of those assets is interesting; you know, having lost one probably doesn't
- 84
- 00:16:40.530 --> 00:16:58.680
- Corey Roach: always reduce it to no value, but the more that is lost, the more the value reduces. There are limited resources involved; you know, libraries are not known for being terribly well funded. Even at universities or parent organizations that are well funded, oftentimes people like myself
- 85
- 00:16:59.700 --> 00:17:09.510
- Corey Roach: will direct those resources toward areas where there is risk to the organization rather than our partners, and oftentimes that's not the library.
- 86
- 00:17:10.620 --> 00:17:20.340
- Corey Roach: There's also limited legal support. In my experience, there's been practically no direct interest at a local level, and very little at a federal or international level.
- 87
- 00:17:21.240 --> 00:17:32.580
- Corey Roach: And although that might increase as some of the awareness around state-sponsored threats comes up, it's not likely to rise soon to the level of prominence of things like child exploitation or extortion and those types of things. So
- 88
- 00:17:33.000 --> 00:17:37.920
- Corey Roach: it's pretty unlikely that law enforcement is going to take a strong hand in this in the short run.
- 89
- 00:17:40.140 --> 00:17:46.110
- Corey Roach: So as we talk about threats, I mean, one of the things that's important to start with is the threat vector. So how is this happening?
- 90
- 00:17:46.530 --> 00:17:55.860
- Corey Roach: Most of this, it seems, is happening with bots or scripts that are using valid credentials in order to scrape information off of publishers,
- 91
- 00:17:56.520 --> 00:18:00.540
- Corey Roach: and it's important to look at how those credentials are obtained.
- 92
- 00:18:01.020 --> 00:18:15.840
- Corey Roach: So the first two on that list, phishing and social engineering, are actually very similar in that it is typically an attacker getting a user to unwittingly give up their credentials, oftentimes without the user even realizing that they have done it.
- 93
- 00:18:16.950 --> 00:18:23.670
- Corey Roach: Credential reuse there is when a user uses the same username and password, often their email address,
- 94
- 00:18:24.360 --> 00:18:38.820
- Corey Roach: for more than one location. And if a less secure site is compromised, then those credentials can be used at other locations, and if you know that name happens to end in a .edu, it's pretty obvious where to try those credentials.
- 95
- 00:18:40.320 --> 00:18:48.390
- Corey Roach: The last one on the list is activism, and there's a lot of aspects to that. But in this case, we're talking about people giving up their credentials
- 96
- 00:18:49.020 --> 00:18:58.020
- Corey Roach: for something they believe in, whether that's patriotism for their country or some kind of ethical objection. They know they're not supposed to give away their credentials, but they do it anyway.
- 97
- 00:19:01.200 --> 00:19:11.760
- Corey Roach: But any way we look at it, we can safely say that this is primarily a people problem, and technology alone is not going to solve that problem. Technology can help us take reasonable precautions,
- 98
- 00:19:12.330 --> 00:19:19.230
- Corey Roach: but we kind of risk creating an arms race, which we don't want to do. And so long as the business model involves
- 99
- 00:19:19.950 --> 00:19:25.980
- Corey Roach: allowing access to the data that we're providing, and also trying to protect that same data, we're unlikely to stop theft entirely.
- 100
- 00:19:26.520 --> 00:19:38.160
- Corey Roach: So fortunately, this industry is not the first to face this type of a challenge. The first couple that come to mind for me are the Motion Picture Association and the recording industry.
- 101
- 00:19:39.690 --> 00:19:48.060
- Corey Roach: Today, most of us happily stream music from a subscription service, and music piracy has almost dropped off the map.
- 102
- 00:19:48.540 --> 00:19:56.370
- Corey Roach: On the other hand, people are frustrated with having to subscribe to multiple services and have a cable bill to access most movies,
- 103
- 00:19:56.880 --> 00:20:09.780
- Corey Roach: and they still often don't get the blockbuster movies until they come out on DVD. As a result, movie piracy is still pretty rampant. I know my organization fields DMCA complaints almost every day.
- 104
- 00:20:10.590 --> 00:20:19.950
- Corey Roach: So I'm not saying either one of those models necessarily solves this problem, but I think there are certainly some takeaways and lessons that we can have from their
- 105
- 00:20:20.700 --> 00:20:28.050
- Corey Roach: experience. One would be to be adaptable, because technology is always evolving, and if you don't innovate, you'll be left behind by those that do.
- 106
- 00:20:29.070 --> 00:20:38.160
- Corey Roach: One is to kind of show value. If I get more value from the locations that are doing piracy, then why would I go the legitimate route?
- 107
- 00:20:39.360 --> 00:20:47.370
- Corey Roach: We don't want to put up any unnecessary barriers. You know, people often, like water, follow the path of least resistance, and we want that to lead to our product.
- 108
- 00:20:48.090 --> 00:20:54.480
- Corey Roach: And then lastly, and this one seems kind of obvious to me, but we don't want to be attacking our customers, either.
- 109
- 00:20:54.930 --> 00:21:06.060
- Corey Roach: We live in a social media world, and word does get around. It seems like the recording industry has learned this one a lot faster than the Motion Picture Association, but
- 110
- 00:21:06.990 --> 00:21:17.250
- Corey Roach: keeping those in mind, and keeping in mind that technology is not necessarily a panacea, what I want to propose today is a better way for defending that material, I think.
- 111
- 00:21:19.440 --> 00:21:25.080
- Corey Roach: Before we get started, I want to also kind of go over the technologies that I'm going to talk about, just so we have some common vocabulary.
- 112
- 00:21:26.700 --> 00:21:33.060
- Corey Roach: First off is a web server. Obviously that serves up content; we're all used to interacting with those.
- 113
- 00:21:33.660 --> 00:21:40.980
- Corey Roach: There's an automation server. This allows various technologies to work with each other and create an automated response.
- 114
- 00:21:41.580 --> 00:21:49.050
- Corey Roach: There are analysis engines that monitor things like logs and other contextual information to look for bad activity.
- 115
- 00:21:49.980 --> 00:22:04.740
- Corey Roach: Multifactor devices are something most of us have interacted with now. It could be an app on your phone, it could be an SMS message, it could even be a token. You may have used it at your employer or bank, or even some of the online games use them now.
- 116
- 00:22:06.360 --> 00:22:13.080
- Corey Roach: Then we have an identity store which, at minimum, is going to be a username and password. Preferably, it has more context than that.
- 117
- 00:22:14.490 --> 00:22:24.990
- Corey Roach: And then we also have log storage, which does just that: it stores logs. Our customer, in this case, is likely to be a student, researcher or medical professional, etc.
- 118
- 00:22:25.650 --> 00:22:33.690
- Corey Roach: We have a web proxy, which downloads data on the user's behalf, and it might be there to protect the user, or it might be, in this case, to anonymize their access.
- 119
- 00:22:34.200 --> 00:22:45.330
- Corey Roach: And lastly, we have a web application firewall, which is similar to a normal network firewall, but it's intended specifically to protect a web application and often has additional features to do that.
- 120
- 00:22:47.010 --> 00:22:55.530
- Corey Roach: So at a typical library, this is kind of the layout for how access to those resources happens. And I'll kind of walk you through it.
- 121
- 00:22:55.860 --> 00:23:07.890
- Corey Roach: So the arrows on this diagram: the green ones are the internet, the orange is the back-end network, blue is library logging and purple is publisher logging. But you don't actually need to really remember that; just bear in mind that they're separate processes.
- 122
- 00:23:09.120 --> 00:23:13.860
- Corey Roach: So in this design, primarily the focus is privacy, not security. So
- 123
- 00:23:14.400 --> 00:23:20.820
- Corey Roach: a user will request a resource. The first thing that will happen is they'll be asked to authenticate, which usually is just a username and a password.
- 124
- 00:23:21.240 --> 00:23:36.090
- Corey Roach: Once that's done, they can then send their request through and receive the materials back. Each time something happens on the library side, that gets logged back to the library server; something that happens on the publisher side gets logged to theirs. So what does that leave us with?
- 125
- 00:23:37.440 --> 00:23:45.690
- Corey Roach: Typically it kind of looks like this. And in essence, the library has some limited info and the publishers tend to have even less.
- 126
- 00:23:46.530 --> 00:23:59.880
- Corey Roach: It does what it was intended to do. It's great for privacy but not so great for security. So understanding that, let's kind of see what happens when this turns into this.
- 127
- 00:24:01.230 --> 00:24:08.070
- Corey Roach: Now that we have a bot involved in there, we have bad activity. Typically, in my experience, the process has been that
- 128
- 00:24:08.430 --> 00:24:14.310
- Corey Roach: the publisher is the first to notice the anomaly. Usually that seems like it's manual; some of them may be automated.
- 129
- 00:24:14.700 --> 00:24:24.450
- Corey Roach: But they send a manual notice over to the university, and the library staff then will comb through their logs and then usually manually contact IT and try and get an account turned off.
- 130
- 00:24:25.410 --> 00:24:32.130
- Corey Roach: Oftentimes, this can take hours or weeks, which is way too slow when we're talking about an automated process like a bot.
- 131
- 00:24:34.500 --> 00:24:45.150
- Corey Roach: In addition to that, the publishers often only really have one recourse, and it's the sledgehammer of turning off access for everyone that's using that proxy. So that's a pretty broad stroke.
- 132
- 00:24:47.640 --> 00:24:54.360
- Corey Roach: So let's step back, though, and kind of look at how a typical web application works in comparison.
- 133
- 00:24:54.900 --> 00:25:03.630
- Corey Roach: So in a web application, usually that user will request a resource, and again, they'll be asked to authenticate. But we're going to add two-factor authentication into this mix.
- 134
- 00:25:03.990 --> 00:25:18.450
- Corey Roach: So we get some additional information from the device that they're authenticating with, and it makes it so that we're pretty sure that the person we're talking to is the account holder. It's not bulletproof, but it's a lot better than just a username and a password.
- 135
- 00:25:19.590 --> 00:25:24.900
- Corey Roach: Once they're done with that, again, they can just kind of request whatever the resources are that they're trying to access.
- 136
- 00:25:25.350 --> 00:25:37.470
- Corey Roach: And again, all those back-end systems log back to a log server. But now we're introducing that analysis engine, and it is looking at those logs and it's using context from other sources like the identity store
- 137
- 00:25:38.550 --> 00:25:55.320
- Corey Roach: to look for suspicious behavior. If it finds something that it doesn't like, it can then use the automation server to send out messages to other parts of the network and say things like: stop talking to this person, or ask for additional authentication, or slow this process down. So
- 138
- 00:25:57.900 --> 00:26:08.250
- Corey Roach: this is more what is resulting on the back end from that type of a setup, and there's a lot more data. And I'll kind of talk a little bit about what we can do with that data.
- 139
- 00:26:09.000 --> 00:26:21.240
- Corey Roach: But the key feature here is that it provides that automated and rapid response. However, on the downside, it can be terribly intrusive and provides basically zero privacy.
- 140
- 00:26:22.560 --> 00:26:28.500
- Corey Roach: And I believe Linda is going to be talking on a similar subject later in the day, so I'll be interested to hear her take on it, but
- 141
- 00:26:28.890 --> 00:26:39.420
- Corey Roach: in this scenario, that seems to be one of the most important parts. So let's kind of look at what we could do if we combine some of that modern web app design with the library layout.
- 142
- 00:26:40.290 --> 00:26:49.410
- Corey Roach: So if we put everything back together and we put our proxy back in there, what happens again is the user requests the resource, they get authenticated, they get that second factor.
- 143
- 00:26:50.520 --> 00:26:53.250
- Corey Roach: They're then able to get their resources passed through again.
- 144
- 00:26:54.000 --> 00:27:01.470
- Corey Roach: And then the logging still happens, only this time we're going to log the library resources back to that server and the publisher resources back to their server again.
- 145
- 00:27:02.130 --> 00:27:06.600
- Corey Roach: And then the monitoring and analysis can happen, and the automated response is going to happen.
- 146
- 00:27:07.440 --> 00:27:17.130
- Corey Roach: The result is we get something that looks more like this, which is there's rich data on the library side and anonymized data still landing on the publisher side.
- 147
- 00:27:17.940 --> 00:27:26.220
- Corey Roach: So I'd like to kind of go over what some of this data is and what we can do with it. So timestamps are pretty obvious. We get a lot more information from the browser in this scenario.
- 148
- 00:27:27.240 --> 00:27:37.470
- Corey Roach: We get, of course, the username and account information, but hopefully here, with an identity store, we have a lot more than just their username and password. It might be information about them as a student or an employee.
- 149
- 00:27:38.430 --> 00:27:43.920
- Corey Roach: We get the customer IP address of where they're coming from, and the URLs for the material they've requested.
- 150
- 00:27:44.400 --> 00:27:52.140
- Corey Roach: And then we also get information from that two-factor device. So we can use those in combination to kind of compare what the two-factor device says
- 151
- 00:27:52.380 --> 00:28:00.480
- Corey Roach: and what the browser and the IP address from the client side say, and make sure that those all match up, giving us things like geographic location.
- 152
- 00:28:01.590 --> 00:28:11.580
- Corey Roach: We also then get things that are considered user behavior. So that would be stuff like: what material are they downloading, how do they navigate the site, how quickly are they accessing material.
- 153
- 00:28:12.210 --> 00:28:19.800
- Corey Roach: We get biometric data, or we can get biometric data, which can be things like how quickly do they type, how do they move their mouse, how random is it.
- 154
- 00:28:21.120 --> 00:28:29.490
- Corey Roach: And then we can add to that some contextual information, either from that identity store or from other places, that gives us attributes about the user.
- 155
- 00:28:30.030 --> 00:28:40.500
- Corey Roach: But it can also give us attributes about threats, so we can learn things like: what are the latest attributes of bots that are being used, what are the IP addresses that attackers are using lately,
- 156
- 00:28:41.250 --> 00:28:49.680
- Corey Roach: have we seen this account be compromised recently. Adding all of that together, then we can start asking some interesting questions. We can say things like, you know,
- 157
- 00:28:50.130 --> 00:28:55.080
- Corey Roach: we commonly see this user coming in from the US, and today it's coming in from Botswana.
- 158
- 00:28:55.860 --> 00:29:08.940
- Corey Roach: You know, has there been enough time that they could have traveled from the US to Botswana and actually be there? Have they ever accessed resources from that country before? Is there a residence on record in that country?
- 159
- 00:29:10.020 --> 00:29:17.280
- Corey Roach: You can also move over to behavioral stuff. So it could be, you know, why is a pharmacy major suddenly looking up a lot of material on astrophysics, or
- 160
- 00:29:18.300 --> 00:29:27.000
- Corey Roach: why is a medical professional in a hospital suddenly interested in internal combustion? Things that just don't line up, and we can identify fishy behavior.
- 161
- 00:29:28.140 --> 00:29:35.280
- Corey Roach: We then have a much broader spectrum of how we can respond to that also, so we can do things like send another
- 162
- 00:29:36.780 --> 00:29:43.740
- Corey Roach: authentication request, or what's known as a CAPTCHA request, where you get those little pictures or some type of interaction that tries to tell if you're human.
- 163
- 00:29:44.610 --> 00:29:55.980
- Corey Roach: We can throttle the user, and with this type of material we can actually throttle the user way down if we wanted to. You know, allowing them one paper per minute is still useful, but it's much slower for something like a bot.
- 164
- 00:29:56.940 --> 00:30:02.280
- Corey Roach: We can lock them out temporarily, or we can even lock them out permanently. But again,
- 165
- 00:30:03.000 --> 00:30:16.650
- Corey Roach: It breaks those logs into two locations and gives us all of this much more useful information. But then on the publisher side, they're still seeing anonymized information, and it's not detracting from what they have today, and they still have their controls on that site as well. So
- 166
- 00:30:17.790 --> 00:30:28.350
- Corey Roach: Looking at that, you know, that is all great, but what would be the obstacles in putting something like this into play? So the first one on that, obviously, is privacy.
- 167
- 00:30:30.120 --> 00:30:39.780
- Corey Roach: Fortunately, most of this information these institutions like universities already have. We already have that information about our students or about our faculty, and we are already stewards of that information.
- 168
- 00:30:40.770 --> 00:30:46.530
- Corey Roach: The data that we create or new data that we synthesize at that point would be in control of the library, and
- 169
- 00:30:46.980 --> 00:31:00.060
- Corey Roach: Within the limits of the law or their organizational policy, they can kind of set parameters around what they want to do with that data. Do we share with our other peers? How long do we keep it? Do we want to anonymize or tokenize any of that data?
- 170
- 00:31:01.770 --> 00:31:10.950
- Corey Roach: Fortunately, also, most of that data is analyzed by an algorithm, not by a person, so there's far less bias, although we do have to be careful about not building bias into the algorithms.
- 171
- 00:31:11.400 --> 00:31:17.850
- Corey Roach: Particularly with things like machine learning or artificial intelligence, we have to be careful about not building bias into the system.
- 172
- 00:31:19.770 --> 00:31:29.040
- Corey Roach: The second kind of obstacle there is expertise, and although we have a lot of talented library technical staff, most of the time they are not security experts.
- 173
- 00:31:29.700 --> 00:31:45.930
- Corey Roach: And security experts oftentimes make extremely high salaries, and again we go back to funding, where libraries are not always super well funded, so paying those salaries becomes pretty tough. On top of that, the security industry right now is going through a pretty severe
- 174
- 00:31:47.850 --> 00:31:54.300
- Corey Roach: shortage of qualified professionals. There's more coming into the market, but it is kind of hard to hire security professionals right now.
- 175
- 00:31:55.890 --> 00:32:03.780
- Corey Roach: In some cases, libraries may have access to expertise in their parent organization, as with my university, or sometimes they may not.
- 176
- 00:32:06.090 --> 00:32:17.790
- Corey Roach: And circling back around to that same issue is costs. So libraries are not generally well known for being well funded, and they're certainly not known for having excessive technology budgets.
- 177
- 00:32:18.660 --> 00:32:28.290
- Corey Roach: Security programs like mine: as a CISO, as I say, I'm probably likely to put those resources somewhere where I feel the risk is more acute for my organization.
- 178
- 00:32:29.430 --> 00:32:44.640
- Corey Roach: Commercial tools to do these types of things can be very expensive, even with discounts given to things like government or education, and unfortunately free or open source tools that do these kinds of things are really not up to snuff. They're not sophisticated or specialized enough.
- 179
- 00:32:45.810 --> 00:32:55.230
- Corey Roach: So how can we kind of overcome some of these obstacles? And that is where, you know, publishers and SNSI or groups like this can come in to help.
- 180
- 00:32:57.120 --> 00:33:04.470
- Corey Roach: One of the first things we can do is develop or subsidize a low cost proxy or a plugin to existing proxies. So,
- 181
- 00:33:05.190 --> 00:33:24.660
- Corey Roach: To speak plainly, the most commonly used proxy right now is EZproxy, and I'd recommend either creating a proxy that is some type of drop in turnkey replacement or some type of application or plugin that can enhance EZproxy. So,
- 182
- 00:33:25.740 --> 00:33:37.320
- Corey Roach: Since that can potentially threaten the business model of OCLC, the company that owns EZproxy, I would also propose that they might be a good organization to approach as being,
- 183
- 00:33:38.070 --> 00:33:45.420
- Corey Roach: Potentially, a member of SNSI and contributing to these types of efforts. So, other things that we can do:
- 184
- 00:33:46.230 --> 00:33:51.420
- Corey Roach: As an organization, you can facilitate threat sharing information between the members.
- 185
- 00:33:52.260 --> 00:34:04.020
- Corey Roach: This can be things like mailing lists or message boards, automated mechanisms, but a lot of that, again, is being done within the security industry. So we don't have to reinvent the wheel, but we could have it specialized to this industry.
- 186
- 00:34:05.130 --> 00:34:19.170
- Corey Roach: We could provide training to those library IT professionals and help upskill them in the area of security. It doesn't do us any good to have these tools if we don't have anybody that knows how to run them.
- 187
- 00:34:20.280 --> 00:34:33.780
- Corey Roach: We could also promote community around this effort, whether it be the proxy or just in general. It's possible that if this proxy or tools like this were to be open source, the community may even end up supporting them in the long run.
- 188
- 00:34:34.830 --> 00:34:50.130
- Corey Roach: And then last is that publishers could provide pricing incentives to share the risk. As I've mentioned, as a CISO, most of the risk in this endeavor is not mine, it's the publishers'. But if we were to enter into an agreement where things like
- 189
- 00:34:51.810 --> 00:35:01.710
- Corey Roach: Knocking some amount off the price if there were no security compromises within a period of time would incentivize the organization to share in those risks.
- 190
- 00:35:02.160 --> 00:35:08.310
- Corey Roach: And honestly, it really wouldn't have to be that big of an incentive to get organizations like a university or a library to buy in.
- 191
- 00:35:09.360 --> 00:35:12.390
- Corey Roach: But at least it would create kind of a shared interest.
- 192
- 00:35:13.680 --> 00:35:28.050
- Corey Roach: There are other opportunities that this leads to that are worth mentioning, and many of these collaborations are things that could be useful even on their own, but with the more modern scenario where libraries have the capability to act, they become even more useful.
- 193
- 00:35:29.280 --> 00:35:34.560
- Corey Roach: We could as an organization foster security advocates and help provide materials for them or training.
- 194
- 00:35:35.820 --> 00:35:40.020
- Corey Roach: Just building allies within the consumer side of this equation.
- 195
- 00:35:40.680 --> 00:35:49.260
- Corey Roach: We can educate leaders, whether that be in a parent organization or in a library or other consumers, about the shared risks. Honestly, as I say,
- 196
- 00:35:49.590 --> 00:35:58.320
- Corey Roach: When I started out with this, I didn't see much shared risk for me as a CISO at all. But as I got more educated on it, I can see that there are things
- 197
- 00:35:58.890 --> 00:36:06.810
- Corey Roach: Like the exposure of those credentials, which might affect my organization, probably not enough for me to completely realign my security program,
- 198
- 00:36:07.110 --> 00:36:14.970
- Corey Roach: But certainly enough to make me want to collaborate and take a closer look at it. We can educate our users on the personal risk they're exposing themselves to.
- 199
- 00:36:15.450 --> 00:36:23.400
- Corey Roach: I don't think you want to go so far as to take the Motion Picture Association route and do a, you know, "you don't want to download a car" approach, but
- 200
- 00:36:23.730 --> 00:36:28.800
- Corey Roach: We could remind users that, you know, by giving away their credentials or not being cautious about phishing,
- 201
- 00:36:29.100 --> 00:36:37.680
- Corey Roach: They may be exposing more than just their access to these types of resources. Oftentimes those credentials are things that allow access to your student or your employee record.
- 202
- 00:36:38.640 --> 00:36:48.270
- Corey Roach: And then last, one of the things that I thought was an interesting finding during my research is that I think there needs to be more effort around promoting the value of this process and these publishers
- 203
- 00:36:48.660 --> 00:37:07.650
- Corey Roach: To the customers of that information. It was interesting to me how few of the people that I spoke with could actually explain the value of the publishing process, and so that's why some of their perceptions of consuming the pirated information seemed a little out of balance.
- 204
- 00:37:10.020 --> 00:37:20.490
- Corey Roach: So I hope the presentation may have sparked some ideas or interest in how we might collaborate in the future. I appreciate your time and attention.
- 205
- 00:37:21.060 --> 00:37:33.360
- Corey Roach: I will be coming back for the roundtable this afternoon. If I don't happen to catch you there and you have a question, feel free to reach out, and I hope all of you enjoy the rest of the webinar. Thank you.
- 206
- 00:37:36.900 --> 00:37:37.770
- Thank you, Corey.
- 207
- 00:37:44.490 --> 00:37:55.170
- Daniel Ascher: And with that we will be moving to our next speaker, who is Crane Hassold, the Senior Director of Threat Research at Agari Data Incorporated.
- 208
- 00:37:57.480 --> 00:37:58.140
- Daniel Ascher: Take it away, Crane.
- 209
- 00:37:58.650 --> 00:37:59.850
- Crane Hassold: Thank you very much.
- 210
- 00:38:01.110 --> 00:38:02.400
- Crane Hassold: Share my screen here.
- 211
- 00:38:13.470 --> 00:38:17.790
- Crane Hassold: Alright, and just making sure you're seeing the right view here, not all of my fancy notes.
- 212
- 00:38:19.680 --> 00:38:20.760
- Daniel Ascher: Yes, we can just see here.
- 213
- 00:38:20.820 --> 00:38:22.110
- Crane Hassold: All right, fantastic.
- 214
- 00:38:22.800 --> 00:38:36.750
- Crane Hassold: Alright, thanks for having me on. I'm really excited to actually talk about a topic that I haven't really talked about much in the past couple of years. We're looking at sort of a group within this; it segues very nicely to the previous presentation.
- 215
- 00:38:37.920 --> 00:38:52.230
- Crane Hassold: I'm looking at Silent Librarian, a threat group coming out of Iran; Sci-Hub, an issue that I know a lot of folks on this webinar are probably interested in; and, you know, the role of state sponsored actors in
- 216
- 00:38:52.830 --> 00:39:01.890
- Crane Hassold: Threats targeting academic institutions. Before we get started, I just want to give everyone a little background about myself.
- 217
- 00:39:02.310 --> 00:39:12.870
- Crane Hassold: So I'm currently the Senior Director of Research at a company called Agari, where we focus on identity deception email based attacks.
- 218
- 00:39:13.200 --> 00:39:22.830
- Crane Hassold: Business email compromise is a really big focus of ours right now, which is, you know, one of the predominant threats that is impacting all institutions all over the world right now.
- 219
- 00:39:23.550 --> 00:39:35.670
- Crane Hassold: I've been in the private sector for about five years now. Prior to coming to Agari about two years ago, I was with another company, and I've had a role in building out two
- 220
- 00:39:36.120 --> 00:39:43.650
- Crane Hassold: Phishing threat intelligence teams, really from the ground up, which has been, you know, really fun and enjoyable.
- 221
- 00:39:44.250 --> 00:39:53.400
- Crane Hassold: Prior to that, I was with the FBI for 11 years, and most of my time in the FBI I was in the Behavioral Analysis Units based out of Quantico, Virginia,
- 222
- 00:39:54.180 --> 00:40:04.740
- Crane Hassold: Where for six years I did violent crime behavioral analysis, so looking at serial killers, other types of violent criminals, you know, the traditional profiling
- 223
- 00:40:06.240 --> 00:40:11.370
- Crane Hassold: Type of work. Did that for six years, and then myself and a few other folks
- 224
- 00:40:12.690 --> 00:40:27.540
- Crane Hassold: Built the FBI Cyber Behavioral Analysis Center, which has taken those concepts that have been used for decades in the violent crime profiling world and applied those to cyber threat actors as a new way to better understand how these actors
- 225
- 00:40:28.290 --> 00:40:38.550
- Crane Hassold: Are working, how they're motivated, and how we can use their behavioral characteristics to better understand, you know, the threats they pose, and just try to help mitigate some of those threats as well.
- 226
- 00:40:39.930 --> 00:40:53.730
- Crane Hassold: So that's just a little bit about my background, where I'm coming from. I'll start off here with Silent Librarian. So Silent Librarian is a group that I started tracking back in late 2017,
- 227
- 00:40:54.780 --> 00:41:04.620
- Crane Hassold: And I was the one who actually named the group. I got to give them a nice little fancy name. I know if there's anyone on the call who knows anything about APT groups,
- 228
- 00:41:05.430 --> 00:41:17.700
- Crane Hassold: That a lot of those names don't make a lot of sense. I always try to make our names mean something, so obviously from the Silent Librarian name you can tell that there is some library connotation to this.
- 229
- 00:41:18.420 --> 00:41:27.900
- Crane Hassold: So when we were looking at Silent Librarian, one of the really interesting aspects of their attacks is, you know, we see
- 230
- 00:41:28.410 --> 00:41:38.280
- Crane Hassold: We see a lot of cyber criminals, other types of cyber threat actors, targeting universities and colleges all over the world. But what was really unique about
- 231
- 00:41:38.610 --> 00:41:45.120
- Crane Hassold: Silent Librarian is that the phishing pages they were setting up were specifically targeting
- 232
- 00:41:45.810 --> 00:41:53.400
- Crane Hassold: Libraries and library credentials, which is something we had never seen before. And when you looked at some of the patterns and how they were setting these up,
- 233
- 00:41:54.210 --> 00:42:03.990
- Crane Hassold: It was very unique and clearly all centered around the same group of actors. So based on our analysis, we were able to track them and find attacks
- 234
- 00:42:04.500 --> 00:42:14.070
- Crane Hassold: Linked to Silent Librarian all the way back to 2013. So this is a group that's been around, at this point now, going on seven, eight years.
- 235
- 00:42:14.910 --> 00:42:22.140
- Crane Hassold: We were able to link them to Iran pretty early on in our investigation, based on some analysis of the
- 236
- 00:42:22.710 --> 00:42:29.310
- Crane Hassold: Phishing kits they were using, as well as open source intelligence that we were able to link to some of the actors. And at the time
- 237
- 00:42:30.300 --> 00:42:38.100
- Crane Hassold: Of our initial report, we were able to see that they were targeting more than 300 schools in 22 different countries all around the world.
- 238
- 00:42:38.490 --> 00:42:50.190
- Crane Hassold: And when you looked at a lot of those schools, one of the things that you can see is that, you know, there was clearly some sort of targeting that was happening there. They were targeting some schools
- 239
- 00:42:50.910 --> 00:42:59.550
- Crane Hassold: Multiple times, over and over and over again. There's one university out of Australia that at this point they've targeted, I think, more than two dozen times.
- 240
- 00:43:00.060 --> 00:43:16.050
- Crane Hassold: And when you look at the schools that they were going after, a lot of them were research universities that would have access to information that would be of interest to, especially, something like a state sponsored actor.
- 241
- 00:43:17.850 --> 00:43:27.480
- Crane Hassold: As I mentioned, you know, the phishing pages mimicked library login pages. You can see on the screen here: this is actually a phishing page set up by Silent Librarian this morning.
- 242
- 00:43:27.960 --> 00:43:42.630
- Crane Hassold: So that's how fresh this is. This is for Durham University out of the UK, and you can see it looks identical to the actual login page that someone, a normal student or faculty member, would see if they're trying to log in
- 243
- 00:43:43.320 --> 00:43:54.990
- Crane Hassold: To this library login page. And essentially what they're doing is they're simply scraping the HTML code from the legitimate websites,
- 244
- 00:43:55.710 --> 00:44:01.350
- Crane Hassold: From a website, and hosting it on another location, so that's the phishing kits they use,
- 245
- 00:44:01.950 --> 00:44:13.530
- Crane Hassold: Which is a very similar tactic that, you know, a lot of actors use out there, whether it's, you know, a university login page or an Apple login page or a Wells Fargo login page. Very similar tactic that a lot of these actors use.
- 246
- 00:44:14.190 --> 00:44:24.960
- Crane Hassold: And at the end of the day, the purpose here is to compromise student and faculty credentials. For the most part, this is going to be to get access to library resources,
- 247
- 00:44:25.620 --> 00:44:34.260
- Crane Hassold: Journal articles. We know that, you know, based on some work that we've done with some other partners, that, you know,
- 248
- 00:44:34.740 --> 00:44:44.880
- Crane Hassold: The big motivation is to access and take down and scrape journal articles that they wouldn't otherwise have access to.
- 249
- 00:44:45.510 --> 00:44:52.290
- Crane Hassold: Now what's really interesting is this goes back to sort of the profile of the universities they're going after. When you look at those,
- 250
- 00:44:52.590 --> 00:44:58.650
- Crane Hassold: While there hasn't been any specific evidence of this that I've seen, at least,
- 251
- 00:44:59.220 --> 00:45:06.060
- Crane Hassold: I think that there's certainly another motivation behind this, and this sort of goes to the state sponsored side of things, is that there's
- 252
- 00:45:06.510 --> 00:45:17.250
- Crane Hassold: Always the potential of theft of other sensitive research that faculty may be working on at one of these universities that may be of interest to a state sponsored actor.
- 253
- 00:45:18.600 --> 00:45:40.290
- Crane Hassold: So that's a brief overview of Silent Librarian. Looking at their attacks, one of the really interesting aspects of this group is that since the beginning, since 2013 to present day, so we're talking about seven, eight years, their tactics have barely changed.
- 254
- 00:45:41.370 --> 00:45:59.100
- Crane Hassold: Their lure emails are always coming from the quote unquote library. The messaging that they're using in their emails in some cases has only been updated to correct very basic spelling errors. Other than that, they're exactly the same.
- 255
- 00:46:00.750 --> 00:46:13.710
- Crane Hassold: One of the things that they do is, you know, based on what we do at Agari, well, part of what we do is looking at DMARC, so, you know, being able to protect an organization's domains against direct spoofing.
- 256
- 00:46:14.190 --> 00:46:23.040
- Crane Hassold: And we know that for universities and academic institutions all over the world, DMARC adoption is not something that has been
- 257
- 00:46:23.730 --> 00:46:30.900
- Crane Hassold: Taken up to a significant percentage. And so one of the things that Silent Librarian does is that they will just directly spoof
- 258
- 00:46:31.410 --> 00:46:42.930
- Crane Hassold: University email addresses that look like they're coming from the library. So if a recipient receives one of these emails, it's going to look like it's coming from, you know, the actual library
- 259
- 00:46:43.950 --> 00:46:47.880
- Crane Hassold: That they're pretending to send it from.
- 260
- 00:46:49.050 --> 00:46:59.280
- Crane Hassold: One of the other things that they do here is, in some cases the phishing URLs are so similar that they'll actually embed the actual phishing URL in the email.
- 261
- 00:47:00.060 --> 00:47:06.510
- Crane Hassold: But that's, you know, a small percentage of the time. Usually what they're doing is something like you see here,
- 262
- 00:47:06.810 --> 00:47:18.990
- Crane Hassold: Where they'll have a link that looks like it's going to, in this case, the Carleton University Library. But when you actually look at where that link is going, it's either going to a shortened URL
- 263
- 00:47:19.440 --> 00:47:31.980
- Crane Hassold: That could be a freely available service, or it could be a university sponsored URL shortener. We know that one of the things that this group is doing
- 264
- 00:47:32.550 --> 00:47:43.320
- Crane Hassold: Is also compromising accounts to set up those shortened URLs as well. Or it could be just another look alike URL that they embed in there that's going directly to the phishing site.
- 265
- 00:47:44.250 --> 00:47:53.160
- Crane Hassold: And you would see at the bottom of the screen here that the phishing URLs they're using are extremely similar and look almost exactly the same as the legitimate URLs.
- 266
- 00:47:53.580 --> 00:48:13.980
- Crane Hassold: In this case, there are three sets here. One is for McGill University up in Canada, and you can see it's shibboleth.mcgill.ca, whereas the actual phishing URL is shibboleth.mcgill.ca dot ifta TK. Same thing with this University of North Texas
- 267
- 00:48:15.030 --> 00:48:25.230
- Crane Hassold: URL, just appending live.me to the end of that. And then the same thing with the Victoria University in Australia URL down at the bottom.
- 268
- 00:48:25.890 --> 00:48:34.680
- Crane Hassold: And you'll notice that one of the other things that they're doing is, you know, for the most part, while they switch around some of the top level domains,
- 269
- 00:48:35.250 --> 00:48:39.900
- Crane Hassold: Like the .me's, the .info's, sometimes they'll even host
- 270
- 00:48:40.710 --> 00:49:01.200
- Crane Hassold: Their phishing sites on .ir domains, but for the most part they're using freely available Freenom domains. So there's .tk, .cf, .ml, that can be obtained for no price. A lot of what they're doing is hosting their phishing pages on those free domains.
- 271
- 00:49:03.270 --> 00:49:11.040
- Crane Hassold: Now that was a look over at the attacks themselves. So one of the really interesting things that happened, and this is really where
- 272
- 00:49:11.310 --> 00:49:23.700
- Crane Hassold: Everything sort of came out in the open about what this group is doing, is in March of 2018 the US Department of Justice indicted nine Iranian individuals connected to a group called the Mabna Institute.
- 273
- 00:49:24.090 --> 00:49:29.550
- Crane Hassold: And you can think of the Mabna Institute as very similar to a contractor that we might have here in the States,
- 274
- 00:49:29.820 --> 00:49:39.600
- Crane Hassold: Where, you know, they aren't directly affiliated with or working directly for a state government, but they're contracted by a government, which in this case is the Iranian government.
- 275
- 00:49:40.530 --> 00:49:49.200
- Crane Hassold: One of the really interesting aspects of this is the week before this indictment, I was actually giving a talk on Silent Librarian at a conference.
- 276
- 00:49:49.590 --> 00:49:57.270
- Crane Hassold: And the day this indictment came out, I got a message from one of the people who was at my talk, and
- 277
- 00:49:57.600 --> 00:50:03.780
- Crane Hassold: Said, the guys that you just gave a presentation on last week are getting indicted right now. And I was like, what?
- 278
- 00:50:04.110 --> 00:50:16.080
- Crane Hassold: Because we've been working with, we've been passing information to the FBI about what we had found, but we didn't actually know this was coming. So this was really a shock to us, and then we were able to actually talk about it publicly.
- 279
- 00:50:17.580 --> 00:50:30.810
- Crane Hassold: But some of the interesting aspects of that indictment, to show you how much of an impact this group has had, is, you know, $3.4 billion of intellectual property has been lost, based on the assessment from the indictment.
- 280
- 00:50:31.530 --> 00:50:42.150
- Crane Hassold: More than 31 terabytes of academic data was stolen by this group. They compromised almost 8000 university accounts, almost 4000 in the States alone.
- 281
- 00:50:42.570 --> 00:50:48.210
- Crane Hassold: And one of the other interesting aspects of this, and this is, I think, not surprising when you look at, you know,
- 282
- 00:50:48.600 --> 00:50:56.880
- Crane Hassold: Who the group is working for, is they also targeted other government agencies, private companies and international non government organizations
- 283
- 00:50:57.330 --> 00:51:00.030
- Crane Hassold: With some of their attacks, also credential phishing attacks.
- 284
- 00:51:00.750 --> 00:51:07.530
- Crane Hassold: And as this came out, we were able to directly link Silent Librarian to the Mabna Institute
- 285
- 00:51:07.800 --> 00:51:25.500
- Crane Hassold: Based on one of the actors. You can see on this sort of wanted poster here, one of the actors on the far right, Mostafa Sadeghi; we were able to link him to one of the websites that Silent Librarian had set up to distribute some of these credentials for financial gain.
- 286
- 00:51:29.430 --> 00:51:38.070
- Crane Hassold: So after the indictment came out, one of the things that we continued to do is work with REN-ISAC. So the ISAC, you know, that runs,
- 287
- 00:51:38.700 --> 00:51:45.990
- Crane Hassold: That partners with academic institutions, we worked with them to mitigate phishing sites. We had set up a
- 288
- 00:51:46.620 --> 00:51:59.460
- Crane Hassold: We had set up an automated tracker for when this group had created new phishing sites, which, based on the fact that, you know, one of the ways that we did this was by setting up SSL certificate
- 289
- 00:51:59.940 --> 00:52:22.050
- Crane Hassold: Monitoring, which is, you know, publicly available to anyone. And because their URLs were, and still are today, so unique and constructed with the same similar patterns, we were able to create a tracker that notified us every single time a new host was set up by Silent Librarian.
- 290
- 00:52:23.430 --> 00:52:33.660
- Crane Hassold: In April 2018 I testified at a House committee that was looking at foreign threats to US research and academic institutions. This was a very interesting experience.
- 291
- 00:52:34.410 --> 00:52:45.180
- Crane Hassold: Primarily, one of the big takeaways I had from this panel, and there were four witnesses that were called to testify, I was one of them,
- 292
- 00:52:45.600 --> 00:52:56.580
- Crane Hassold: And all of the three other witnesses looked at, you know, Chinese threats and Russian threats, and what was really interesting is all of them focused on physical threats
- 293
- 00:52:56.940 --> 00:53:14.910
- Crane Hassold: To universities. None of them looked at the cyber threats to universities. And most of the questioning that was coming from the House Committee members was actually still asking about physical threats. And so one of the big takeaways I had from that,
- 294
- 00:53:16.500 --> 00:53:29.670
- Crane Hassold: From testifying at that committee, was that there's still this big focus on physical threats, whereas the cyber threats, which by and large are the biggest threats to most institutions today,
- 295
- 00:53:30.690 --> 00:53:37.740
- Crane Hassold: Are still not, you know, getting that much attention. And I think one of the biggest things, and I think we've seen this a lot with
- 296
- 00:53:38.520 --> 00:53:53.790
- Crane Hassold: With a lot of the state sponsored indictments, regardless of whether it's Iran or North Korea or China or Russia, is that the indictments at the end of the day had absolutely no impact on deterring future attacks.
- 297
- 00:53:54.750 --> 00:54:10.860
- Crane Hassold: Silent Librarian is still as active today as they were two and a half years ago when the indictments came out, and really, as we get into here in a couple of slides, that really comes down to motivation. We know what the purpose of these attacks is.
- 298
- 00:54:13.080 --> 00:54:19.860
- Crane Hassold: So that's a little bit of an overview on Silent Librarian. I'll come back to them in just a few slides. But, you know, I briefly also want to talk about Sci-Hub.
- 299
- 00:54:20.100 --> 00:54:30.810
- Crane Hassold: So as I mentioned, I'm sure most of the folks on this webinar are aware of what Sci-Hub is. You know, it was launched in 2011 by a student out of Kazakhstan
- 300
- 00:54:31.560 --> 00:54:42.330
- Crane Hassold: Who had, you know, in her mind, realized that there was a barrier to entry into the distribution of, you know, academic knowledge,
- 301
- 00:54:42.840 --> 00:54:51.630
- Crane Hassold: Based on the paywalls that have been set up by academic journals. And when you look at this, this is data from, I believe it was, April of this year.
- 302
- 00:54:52.530 --> 00:55:08.430
- Crane Hassold: Sci-Hub currently contains more than 81 million journal articles, and I think I even saw an analysis that was done recently, it was something like 95% of Elsevier journal articles are available on Sci-Hub.
- 303
- 00:55:09.060 --> 00:55:20.550
- Crane Hassold: When you look at who's using Sci-Hub, the top countries using it, based on some research that was done, are India, China, the US, Brazil and Iran.
- 304
- 00:55:21.570 --> 00:55:25.800
- Crane Hassold : And so that Iranian aspect really comes back to something we'll talk about here in just a second.
- 305
- 00:55:26.490 --> 00:55:31.950
- Crane Hassold: Which, you know, goes into the motivation. We'll talk about motivation here on the next few slides.
- 306
- 00:55:32.340 --> 00:55:41.250
- Crane Hassold: But how do they get these articles? You know, they'll say that the articles are donated, that they get donated credentials from students or other supporters.
- 307
- 00:55:41.850 --> 00:55:51.630
- Crane Hassold: There's been a lot of talk that some of these credentials that are used to collect all of these
- 308
- 00:55:52.080 --> 00:56:04.380
- Crane Hassold : All of these journal articles are collected through phishing attacks, which I think is certainly possible. And then one of the really interesting aspects is because Iran has such a connection to Sci-Hub.
- 309
- 00:56:05.010 --> 00:56:11.490
- Crane Hassold : That there's a potential link here between Sci-Hub and Silent Librarian and and I don't think that that link has been
- 310
- 00:56:12.120 --> 00:56:21.990
- Crane Hassold : Has a hard link by any means. Now there's some work that I did with that I did when I was researching Silent Librarian a little bit more closely than I am now.
- 311
- 00:56:22.710 --> 00:56:29.010
- Crane Hassold : That sort of provided some some good insight into better understanding that link, so there there has been so
- 312
- 00:56:29.190 --> 00:56:44.190
- Crane Hassold : When you look at some Silent Librarian campaigns. It was shortly after that some of the credentials that are compromised in those campaigns are then used to pull down information. So there is a potential link there. Even though I don't think that is a new a hard and fast link.
- 313
- 00:56:45.990 --> 00:56:54.570
- Crane Hassold : So that's an overview of Sci-Hub. If we look at sort of now want to pivot, a little bit into understanding motivations for cyber attacks. I think this
- 314
- 00:56:54.840 --> 00:57:06.120
- Crane Hassold : No really, this will give more clarification into know why Sci-Hub, you know exists, why Silent Librarian does what it does. And really when you look at a lot of other
- 315
- 00:57:06.870 --> 00:57:17.700
- Crane Hassold : state sponsored actors and other cyber criminals. You know why they do what they do. And there are three main buckets of motivations that you can link, you know, most cyber attacks to
- 316
- 00:57:18.180 --> 00:57:29.310
- Crane Hassold : One is economic that is by far the number one motivation for for cyber attacks and that is going to be most of the cyber criminals out there, regardless of whether it's business email compromise.
- 317
- 00:57:29.520 --> 00:57:41.460
- Crane Hassold : ransomware extortion other types of malware campaigns, almost all of those are going to be done for financial gain. And that is the number one incentive and motivation for for cyber attacks.
- 318
- 00:57:42.180 --> 00:57:48.000
- Crane Hassold : So there's the second motivation is political. And these are going to be where a lot of the state sponsored actors are going to be sitting
- 319
- 00:57:48.660 --> 00:57:53.490
- Crane Hassold : In the middle of economic and political is where you have those state affiliated contractors
- 320
- 00:57:53.760 --> 00:58:03.060
- Crane Hassold : And so that is someone like the Mabna Institute, who isn't directly working for a government institution, but they are being contracted on their behalf.
- 321
- 00:58:03.480 --> 00:58:09.240
- Crane Hassold : In the US, this could be like a Booz Allen Lockheed Martin those big contractors that I'm sure most people know
- 322
- 00:58:09.870 --> 00:58:19.740
- Crane Hassold : It's the same deal there where they are, they're getting paid by a government to do work for them on their behalf, but they don't work directly for the government.
- 323
- 00:58:20.640 --> 00:58:33.150
- Crane Hassold : And then the last bucket of motivations. Here is social and this is social justice. A lot of the activism that we've seen that we've seen being done is done for for social motivations.
- 324
- 00:58:34.530 --> 00:58:44.010
- Crane Hassold : So let's look at you know where Sci-Hub and Silent Librarian fit in these motivations, because it's really interesting, as for most attacks.
- 325
- 00:58:44.370 --> 00:58:52.740
- Crane Hassold : You can really just bucket attacks into one of these three classifications. But what's interesting about Silent Librarian and Sci-Hub is that
- 326
- 00:58:53.070 --> 00:59:01.680
- Crane Hassold : They actually touch each one of these. There's a motivation linked to each one of these buckets. So let's look at each one of them. So on the economic side.
- 327
- 00:59:02.220 --> 00:59:12.450
- Crane Hassold : You know, as, as I mentioned, the reason that was given for setting up Sci-Hub back in 2011 was to was in response to high paywalls
- 328
- 00:59:12.990 --> 00:59:25.470
- Crane Hassold : By by academic journals, you know, if you are a student at a university other academic institution. Most likely you're going to be able to have access to, to, to journal articles through the school.
- 329
- 00:59:25.770 --> 00:59:38.370
- Crane Hassold : But what if you're not. What if you aren't a student at a school. How do you get access. Then, and that's where this economic burden comes in is that there is a, you know, depending on where you're coming from.
- 330
- 00:59:38.880 --> 00:59:47.670
- Crane Hassold : The amount of money that needs to be paid for a single article for access to a single article has been high in the past, and I very much equate this
- 331
- 00:59:48.120 --> 00:59:56.730
- Crane Hassold : Sci-Hub is essentially the Napster for journal articles. Right. So Napster came about in the late 90s around 2000
- 332
- 00:59:57.180 --> 01:00:06.120
- Crane Hassold : As a way because paying for, you know, $15 for a CD, even though you only want to listen to one or two songs was no
- 333
- 01:00:06.600 --> 01:00:16.890
- Crane Hassold : didn't make any economic sense. So Napster came out as a peer to peer as a peer to peer application that allows anyone to download music from anywhere, anytime they want for free.
- 334
- 01:00:17.430 --> 01:00:21.810
- Crane Hassold : Now what happened after Napster came out, which I thought was very interesting.
- 335
- 01:00:22.530 --> 01:00:29.460
- Crane Hassold : Was that no of course there were lawsuits Napster was based in the US. So Napster was essentially eventually taken down.
- 336
- 01:00:29.850 --> 01:00:45.780
- Crane Hassold : But the economic model of music distribution completely changed it moved from physical CDs to iTunes right where you could then buy songs on demand, and now you have something like Spotify or Pandora.
- 337
- 01:00:46.230 --> 01:01:04.860
- Crane Hassold : Or Apple Music where you can now stream any music you want anytime and today. Today, something like Napster wouldn't be economically viable, there is no demand for something like Napster because so much has shifted in that in the music in the music landscape.
- 338
- 01:01:05.940 --> 01:01:16.740
- Crane Hassold : It's something very similar to what i think that you know what we would see in the academic journal landscape is if the subscription model was was adopted more widely.
- 339
- 01:01:17.370 --> 01:01:34.350
- Crane Hassold : There then you would probably see the same thing as the, the need for Sci-Hub really isn't there anymore from an economic perspective on the other side for Silent Librarian. It's very similar to to the reason why Sci-Hub exists is that because of international sanctions for
- 340
- 01:01:35.430 --> 01:01:51.540
- Crane Hassold : For academic journals to not allow be audited distribute within Iran, there's a need to get those articles from from different places. And so that's why you see this this demand for something like
- 341
- 01:01:52.080 --> 01:01:53.940
- Crane Hassold : Like a Sci-Hub or other
- 342
- 01:01:54.870 --> 01:02:05.610
- Crane Hassold : Or other avenues of distribution. One of the things that Silent Librarian did is they would actually sell while some of this, as we'll see here on the next slide was done at the direction of the Iranian government
- 343
- 01:02:05.970 --> 01:02:25.170
- Crane Hassold : These actors also sold access sold credentials on a variety of different Farsi language websites to specific to specific universities and specific journals. So they were making sort of that sort of direct financial gain with with Silent Librarian.
- 344
- 01:02:26.700 --> 01:02:32.790
- Crane Hassold : There's certainly a political aspect to both of these. Silent Librarian is a little bit more direct
- 345
- 01:02:33.420 --> 01:02:43.830
- Crane Hassold : Basically the indictment that came out from the Department of Justice. It was directly stated there that what the Mabna Institute was doing was acting at the behest of the Iranian government
- 346
- 01:02:44.190 --> 01:02:51.720
- Crane Hassold : And I think as I mentioned before, while there is, you know, I don't think there's been any public evidence for this yet. I think there's certainly potential
- 347
- 01:02:52.350 --> 01:03:01.170
- Crane Hassold : That some of this activity was done for for intelligence purposes to gather intelligence about academic research being done by some of these universities.
- 348
- 01:03:02.250 --> 01:03:07.380
- Crane Hassold : And then when you look at Sci-Hub, you know, this, again, I think there's something that is a little bit more indirect
- 349
- 01:03:07.830 --> 01:03:21.390
- Crane Hassold : But it's certainly been hinted at by a number of publications that I've seen is that there's potential backing within for for Sci-Hub by Russian government entities. So that would be a political
- 350
- 01:03:22.560 --> 01:03:37.290
- Crane Hassold : Aspect there. And then the last one here, social, as I mentioned, there's a community need in Iran for access to academic research due to sanctions that have been put into place and then those on the Sci-Hub side of things.
- 351
- 01:03:37.950 --> 01:03:48.240
- Crane Hassold : This is much more of a social justice, there's, you know, when we look when you look at the defenders of Sci-Hub. A lot of them embrace this open access and the global right to knowledge.
- 352
- 01:03:48.780 --> 01:04:01.920
- Crane Hassold : Terminology that everyone has access to knowledge, regardless of whether where it's published and how it's published and that is sort of their justification rationalization to why Sci-Hub exists right
- 353
- 01:04:04.830 --> 01:04:14.940
- Crane Hassold : So that into that looks the motivation here I'll close here at know a very brief look at no nation state actors state sponsored actors and some of the myths and some of the realities.
- 354
- 01:04:15.840 --> 01:04:24.270
- Crane Hassold : In there are, there's one big big big difference between cyber criminals and nation state actors, one is
- 355
- 01:04:24.660 --> 01:04:32.970
- Crane Hassold : The one side of it is cyber criminals are driven by profit, as I mentioned, economic incentives are what, you know, makes them go.
- 356
- 01:04:33.180 --> 01:04:41.490
- Crane Hassold : They're in it for financial gain. So if you can minimize their profits. If you can impact their profits, you can make it a little bit more difficult for them to
- 357
- 01:04:42.150 --> 01:04:52.350
- Crane Hassold : To attack a specific target, they will move on to something else, because as I've something that I've said for years is art, you know, criminals are inherently lazy.
- 358
- 01:04:52.590 --> 01:04:57.180
- Crane Hassold : They're going to want to do the least amount of work to make the most amount of money.
- 359
- 01:04:57.660 --> 01:05:04.410
- Crane Hassold : And if you can do that, then, then they will go somewhere else. They will, they will adapt and they will evolve their tactics.
- 360
- 01:05:04.980 --> 01:05:21.840
- Crane Hassold : nation state actors. On the other hand, are driven by mission. You could put up as many roadblocks in their way, as you could. That to increase the, the financial the financial necessities for them to have to attack a specific target, but that doesn't matter to
- 361
- 01:05:21.840 --> 01:05:22.140
- Robert Boissy: Them.
- 362
- 01:05:22.380 --> 01:05:25.260
- Crane Hassold : For the most part they're going to be going after.
- 363
- 01:05:25.680 --> 01:05:33.870
- Crane Hassold : specific targets for a specific purpose and they will not stop until that mission has been successful. So that is one of the biggest
- 364
- 01:05:34.590 --> 01:05:45.000
- Crane Hassold : The biggest threats to nation state actors is that it's much more difficult to stop them from fulfilling their mission because they they're just going to get it done.
- 365
- 01:05:46.380 --> 01:05:59.400
- Crane Hassold : That being said, not all, I think one of the biggest myths with state sponsored actors is not all nation states attacks are technically sophisticated know one of the more recent indictments that came out was for
- 366
- 01:06:00.150 --> 01:06:09.420
- Crane Hassold : It was for what's called Sandworm, or I forgot what the Panda name is for them but you know it's it's the Russian GRU
- 367
- 01:06:09.960 --> 01:06:23.970
- Crane Hassold : And these were for, these were indictments for things like NotPetya which was, you know, the massive ransomware attacks that happened last year, Olympic Destroyer, which was for the Pyongyang Olympics, BlackEnergy which is
- 368
- 01:06:24.330 --> 01:06:34.590
- Crane Hassold : Malware that's going after industrial control systems and electric system, the electric grid in the Ukraine, those are what I think most people think of when they think of
- 369
- 01:06:35.460 --> 01:06:43.740
- Crane Hassold : When they think of nation state attacks. But in reality, most nation state attacks are very non technically sophisticated
- 370
- 01:06:44.160 --> 01:06:53.580
- Crane Hassold : Take the DNC compromise back in 2016, for example, that which you can see on the right hand side of the screen. That was a basic Google accounts phishing campaign.
- 371
- 01:06:53.970 --> 01:07:03.540
- Crane Hassold : That was sending out a phishing email saying that someone has your password, you need to change it. You go to a scrape of a Google accounts page.
- 372
- 01:07:03.900 --> 01:07:10.650
- Crane Hassold : And their account was compromised at that time. Silent Librarian is a great example of that. There's nothing technically like like
- 373
- 01:07:11.640 --> 01:07:14.280
- Crane Hassold : Like overly technically sophisticated with those attacks.
- 374
- 01:07:14.910 --> 01:07:27.030
- Crane Hassold : And one of the best examples that just came out I think this morning was the, the, what's been attributed to Iran as well are these these Proud Boys email campaigns trying to influence
- 375
- 01:07:27.510 --> 01:07:37.050
- Crane Hassold : The election this year and those again those are essentially psychological manipulations. There's no links no malware. It's just trying to
- 376
- 01:07:37.500 --> 01:07:46.680
- Crane Hassold : To manipulate behavior and and and be more psychological and so when we look at nation state attacks. They're not always going to be technically sophisticated
- 377
- 01:07:47.430 --> 01:07:56.490
- Crane Hassold : Like most attacks today where a lot of actors are going. It's just pure basic social engineering. And the reason. The reason that's happening is one
- 378
- 01:07:56.940 --> 01:08:03.900
- Crane Hassold : A lot of technical, you know, historically, a lot of technical defenses that are put in place have actually gotten very good at detecting
- 379
- 01:08:04.290 --> 01:08:13.080
- Crane Hassold : technically sophisticated attacks and at the other than that at the end of the day, social engineering is relatively easy as long as human beings have been on this earth.
- 380
- 01:08:13.410 --> 01:08:24.570
- Crane Hassold : interacting with one another. We've been social engineering each other. The only differences now is we're using computers to social engineer each other rather than doing it face to face or through the mail or something like that.
- 381
- 01:08:26.910 --> 01:08:36.390
- Crane Hassold : And with that, I thanks for everyone for for sticking around for my presentation. And if there any questions, I'd be happy to take them. Or I will also be around for the for the panel later this afternoon.
- 382
- 01:08:39.510 --> 01:08:49.140
- Daniel Ascher: Thank you, Crane, that was very informative and interesting. So we are a couple of minutes ahead of schedule here. We're going to go to the lunch break a little bit early.
- 383
- 01:08:51.000 --> 01:08:58.950
- Daniel Ascher: It just as a reminder, we're gonna be putting out a timer. If you'd like to continue the conversation in the chat box as we're on the break, please do so.
- 384
- 01:39:11.190 --> 01:39:13.320
- Okere, Kelechi N. (ELS-NYC): Awesome. Welcome back everyone.
- 385
- 01:39:14.910 --> 01:39:23.160
- Okere, Kelechi N. (ELS-NYC): I hope you all had a good break for those of us in the US, hope you had a good lunch and for those in Europe and other places hope.
- 386
- 01:39:24.270 --> 01:39:27.060
- Okere, Kelechi N. (ELS-NYC): It was a nice time to just grab some dinner.
- 387
- 01:39:28.680 --> 01:39:31.500
- Okere, Kelechi N. (ELS-NYC): So thanks for joining us again.
- 388
- 01:39:32.970 --> 01:39:37.470
- Okere, Kelechi N. (ELS-NYC): To get us going. I like to run. Now, second poll
- 389
- 01:39:38.970 --> 01:39:40.920
- Okere, Kelechi N. (ELS-NYC): So I just want you to in a second.
- 390
- 01:39:47.250 --> 01:40:02.250
- Okere, Kelechi N. (ELS-NYC): And again, the, the, the poll just asks, how much do you know about the different kinds of security threats to the scholarly infrastructure by infrastructure we mean how peer reviewed literature and open access content is shared funded and trusted
- 391
- 01:40:43.770 --> 01:40:47.850
- Okere, Kelechi N. (ELS-NYC): Awesome. We have about 57 people have voted.
- 392
- 01:40:50.070 --> 01:40:53.010
- Okere, Kelechi N. (ELS-NYC): Maybe just a little bit more and then I'll end the poll
- 393
- 01:40:55.350 --> 01:40:57.300
- Okere, Kelechi N. (ELS-NYC): Want to give it a few more seconds.
- 394
- 01:41:05.280 --> 01:41:13.140
- Okere, Kelechi N. (ELS-NYC): Let's maybe match this mourners of 74% of participants haven't voted.
- 395
- 01:41:31.110 --> 01:41:35.310
- Okere, Kelechi N. (ELS-NYC): All right, 60% there we go 62%
- 396
- 01:41:40.440 --> 01:41:43.560
- Okere, Kelechi N. (ELS-NYC): All right one last chance to vote closer
- 397
- 01:41:46.230 --> 01:41:46.650
- Okere, Kelechi N. (ELS-NYC): Alright.
- 398
- 01:41:47.670 --> 01:41:48.450
- Okere, Kelechi N. (ELS-NYC): So,
- 399
- 01:41:50.700 --> 01:41:59.490
- Okere, Kelechi N. (ELS-NYC): On the question of how much do you know about the different kinds of cyber security 29% says have a thorough understanding of cyber security threats.
- 400
- 01:42:01.110 --> 01:42:05.640
- Okere, Kelechi N. (ELS-NYC): 53% the majority says have some information. But I might be
- 401
- 01:42:08.880 --> 01:42:10.230
- Okere, Kelechi N. (ELS-NYC): This is Cruyff here.
- 402
- 01:42:11.580 --> 01:42:26.940
- Okere, Kelechi N. (ELS-NYC): Think is. Yeah, but I am I might need more information and then we have a campus library task force our committee focus on these threats. So 3% and 16% says I let all this new administration worry about it.
- 403
- 01:42:28.080 --> 01:42:30.870
- Okere, Kelechi N. (ELS-NYC): Alright, so those are for our second poll
- 404
- 01:42:35.070 --> 01:42:37.470
- Okere, Kelechi N. (ELS-NYC): And I'll let Dan introduce our next speaker.
- 405
- 01:42:39.630 --> 01:42:49.830
- Daniel Ascher: Thank you, Kelechi. So our next two speakers will not be able to attend the roundtable later today, we will be doing Q and A's during their sessions.
- 406
- 01:42:50.220 --> 01:43:08.040
- Daniel Ascher: Our host, Kelechi, will be moderating the Q&A at the end of Linda and then next session. So now we have Linda Van Keuren, the assistant dean for resources and Access Management at the Dahlgren Memorial Library
- 407
- 01:43:09.090 --> 01:43:17.670
- Daniel Ascher: At Georgetown University Medical Center. So put those questions in the q&a box as soon as you have them and I will pass it to it.
- 408
- 01:43:18.330 --> 01:43:22.320
- Linda Van Keuren : Thank you very much. I'm going to share my screen here.
- 409
- 01:43:26.460 --> 01:43:33.600
- Linda Van Keuren : So thank you very much. So my name is Linda Van Keuren and I'll be taking a few moments today to talk about library patron security.
- 410
- 01:43:34.050 --> 01:43:39.600
- Linda Van Keuren : And why it's so important. So I'm the assistant dean for resources and Access Management
- 411
- 01:43:40.350 --> 01:43:44.130
- Linda Van Keuren : As Daniel said, at Dahlgren Memorial Library at Georgetown University Medical Center.
- 412
- 01:43:44.490 --> 01:43:54.870
- Linda Van Keuren : I've been at Georgetown about nine years in this position and prior to that, I was a systems librarian. So my general frame of reference is academic and health sciences libraries, but
- 413
- 01:43:55.140 --> 01:44:02.670
- Linda Van Keuren : Of course, the topic of library patron security is important to all libraries, public libraries, academic and so on.
- 414
- 01:44:03.570 --> 01:44:11.250
- Linda Van Keuren : As a prelude in the context of this presentation, I'm taking kind of a broad look at patron security and at times.
- 415
- 01:44:11.910 --> 01:44:17.940
- Linda Van Keuren : will touch upon privacy issues. So I realized, security is more about having the controls in place to reduce the risk of
- 416
- 01:44:18.300 --> 01:44:30.300
- Linda Van Keuren : Personal or institutional information from falling into the wrong hands and privacy, you know, relates more to the rights to read and research and learn without excessive scrutiny.
- 417
- 01:44:31.260 --> 01:44:47.820
- Linda Van Keuren : And since user specific details can also be used to secure private data. There's definitely this relationship and sometimes it's a tension between privacy and security for me, I consider most security measures to be a tool to help protect our patron privacy's
- 418
- 01:44:49.710 --> 01:44:59.040
- Linda Van Keuren : And that's why I think this summit and groups such as SNSI provide a really wonderful opportunity to discuss these topics and those tensions that might that might arise.
- 419
- 01:45:00.660 --> 01:45:12.810
- Linda Van Keuren : Patron information security isn't really a new concern to librarians. So, you know, for example, 20 years ago, many libraries many academic libraries in the US would have patron social security numbers as part of the patron records.
- 420
- 01:45:13.230 --> 01:45:20.640
- Linda Van Keuren : But as thinking about security of patron data evolved most libraries determined there was really no need to use the social security number.
- 421
- 01:45:20.910 --> 01:45:32.040
- Linda Van Keuren : And by storing it we were exposing patrons to potential fraudulent activity so many libraries have stopped using that number within the patron record.
- 422
- 01:45:32.910 --> 01:45:38.700
- Linda Van Keuren : Even more recently in my library we had the patron physical address within the patron record.
- 423
- 01:45:39.120 --> 01:45:50.100
- Linda Van Keuren : And again, comparing the added value that the data brought to us as far as service we provide to the students. It didn't really justify the security risk of us having that data in our system.
- 424
- 01:45:50.460 --> 01:45:57.090
- Linda Van Keuren : And so we just we stopped importing that data into the library system. So those are two very simple examples.
- 425
- 01:45:57.780 --> 01:46:10.110
- Linda Van Keuren : That reflects some of the concerns that libraries have about patron information security. And now, as many of us are in a virtual learning and research environment. Those concerns are even more profound
- 426
- 01:46:15.450 --> 01:46:28.650
- Linda Van Keuren : So as I said, I'm taking kind of a broad view patron security and why it's important in this slide just outline some of the areas of concern in regards to security within a library setting. I'm sure you can all think of others.
- 427
- 01:46:30.030 --> 01:46:39.120
- Linda Van Keuren : The first one is about keeping your credentials to use to log into online library resources secure. So for many of us in academia.
- 428
- 01:46:39.780 --> 01:46:46.530
- Linda Van Keuren : Or in health systems or corporate libraries library credentials are not just library credentials, their credentials that access
- 429
- 01:46:46.830 --> 01:46:57.720
- Linda Van Keuren : institutional resources and the libraries are just as one of those institutional resources. So the importance of keeping these credentials secure is to keep both library access
- 430
- 01:46:58.200 --> 01:47:14.970
- Linda Van Keuren : Secure and the institutional networks and services, secure, you know, we also have issues with patrons sharing their username password with a friend or colleague, because they might not realize the ramifications of doing so. Or they may do it intentionally or of course they may accidentally
- 431
- 01:47:16.950 --> 01:47:28.950
- Linda Van Keuren : reveal their credentials via phishing scam or something like that, you know, and so many, many institutions have moved to some form of two factor authentication as as one way to combat this issue.
- 432
- 01:47:29.370 --> 01:47:36.540
- Linda Van Keuren : And many librarians encourage patrons and us to utilize best practices and keep their credentials secure
- 433
- 01:47:37.650 --> 01:47:50.490
- Linda Van Keuren : So not only can the misuse of credentials introduce a problem into the institutional network but library public computers many libraries provide some computers that can be used either by non affiliates.
- 434
- 01:47:51.630 --> 01:48:00.960
- Linda Van Keuren : Or anyone that walks into the library and those those like those clever computers could potentially introduce ransomware viruses into an institutional network.
- 435
- 01:48:01.410 --> 01:48:08.130
- Linda Van Keuren : You know there are libraries that have been hit with ransomware attacks and their entire infrastructure was hijacked and
- 436
- 01:48:08.760 --> 01:48:16.140
- Linda Van Keuren : Their patrons couldn't access any of their resources and until a ransom was was paid and no librarian wants to navigate that.
- 437
- 01:48:16.860 --> 01:48:36.600
- Linda Van Keuren : Through resolution with IT security experts. Experts or law enforcement and so many libraries use things such as institutional kiosk images for public computers and other restrictive measures to try and minimize the security risk posed by publicly available computers.
- 438
- 01:48:38.160 --> 01:48:44.370
- Linda Van Keuren : The next item is personally identifiable information and confidentiality and this aspect of security is
- 439
- 01:48:44.940 --> 01:48:55.890
- Linda Van Keuren : Very important to library. And so the responsibility to keep patrons personally identifiable information such as name and phone number, as well as their library use information.
- 440
- 01:48:56.430 --> 01:49:13.350
- Linda Van Keuren : Confidential it deeply informs many library policies. So, you know, decisions about licensing and authentication and security almost always keep that in mind. So even if our patrons at times don't seem as concerned as the staff in regards to the protection of your data.
- 441
- 01:49:14.400 --> 01:49:17.400
- Linda Van Keuren : I think we think it's because they trust us to take care of it.
- 442
- 01:49:18.840 --> 01:49:25.530
- Linda Van Keuren : And have you know a form of this kind of responsibilities even built into the ethics of most library professional organizations.
- 443
- 01:49:26.010 --> 01:49:35.700
- Linda Van Keuren : And I feel that it's the security measures that we put into place that help maintain this patron data privacy in regards to online resource use
- 444
- 01:49:36.570 --> 01:49:47.130
- Linda Van Keuren : You know security measures can reduce who can take a look at what a patron is researching in the online environment and many times libraries make decisions, not even to to
- 445
- 01:49:48.720 --> 01:49:52.920
- Linda Van Keuren : To not save usage data because if it's not saved. It can't be exposed.
- 446
- 01:49:53.790 --> 01:49:59.340
- Linda Van Keuren : And of course it's not only professional ethics matter us libraries and institutions that are
- 447
- 01:49:59.730 --> 01:50:15.930
- Linda Van Keuren : Working within the educational field have to worry about regulations, such as FERPA for educational records and medical library is also need to sometimes also be concerned about HIPAA regulations that are concerned with medical records.
- 448
- 01:50:17.130 --> 01:50:24.600
- Linda Van Keuren : The security of the intellectual property is another important area to libraries so institutional data can be used.
- 449
- 01:50:25.050 --> 01:50:41.820
- Linda Van Keuren : You know, that was used for patent development or drug discovery may have significant monetary value to an organization and libraries often provide data management assistance to researchers and guide them on setting up a data organization plan that can consider
- 450
- 01:50:42.870 --> 01:50:54.420
- Linda Van Keuren : Good cyber security practices within that plan and you know it's not just the institutions intellectual property that librarians are concerned about as everyone is in this audience, I'm sure is aware
- 451
- 01:50:55.260 --> 01:51:08.010
- Linda Van Keuren : When librarians sign licenses for electronic resources part of those licenses often include an agreement to take reasonable efforts to protect the intellectual property of the publishers and, you know,
- 452
- 01:51:08.490 --> 01:51:16.650
- Linda Van Keuren : I understand that publishers also are implementing their own strategies to secure their intellectual property, but libraries can collaborate and helping these efforts.
- 453
- 01:51:17.010 --> 01:51:26.070
- Linda Van Keuren : You know, using secure login credentials and other security measures help combat the widespread sharing of licensed materials on sites such as Sci-Hub.
- 454
- 01:51:32.850 --> 01:51:43.530
- Linda Van Keuren : So I'm thinking about all these areas of concern. I want me to next discuss some things that libraries can do even if they're not directly responsible for their enterprises cyber security efforts.
- 455
- 01:51:44.430 --> 01:51:56.280
- Linda Van Keuren : This is true for many academic libraries, the libraries are partners in keeping the enterprise wide secure, but it usually is the responsibility lies with an IT department.
- 456
- 01:51:57.600 --> 01:52:04.590
- Linda Van Keuren : So the first thing that I think libraries can do and are doing now is they make it easy to access.
- 457
- 01:52:05.340 --> 01:52:17.940
- Linda Van Keuren : And use library resources in a secure way. So users that use sites such as Sci-Hub sometimes say that they that it's easier. It's the site, ease of access as the rationale for doing so.
- 458
- 01:52:18.420 --> 01:52:25.770
- Linda Van Keuren : And so at my library and others, we try to focus on solutions that make it easier for users to securely access subscribed resources.
- 459
- 01:52:26.370 --> 01:52:33.210
- Linda Van Keuren : And we handle this in many ways. So curated content list installing federated authentication, which I'll talk about in a minute.
- 460
- 01:52:33.810 --> 01:52:41.610
- Linda Van Keuren : We embrace the seamless access initiative. We also provide a browser browser plugin that streamlines resource access
- 461
- 01:52:42.420 --> 01:52:50.130
- Linda Van Keuren : We also curate and encourage high quality open access content in all our finding tools for the library resources.
- 462
- 01:52:50.400 --> 01:53:05.040
- Linda Van Keuren : And we have librarians that are truly integrated into the curricular and in my case, the clinical endeavors of the institution. And so we can see firsthand where the access pain points are. And then we look for solutions to to reduce those pain points.
- 463
- 01:53:06.690 --> 01:53:17.400
- Linda Van Keuren : The next item is collaborate, so nobody can do this alone and many libraries nowadays are facing staffing and other budget restrictions.
- 464
- 01:53:17.790 --> 01:53:28.020
- Linda Van Keuren : And that results in fewer people and fewer resources to monitor security matters. Even in non-COVID times, only the very largest of libraries will have staff dedicated to security.
- 465
- 01:53:28.380 --> 01:53:34.470
- Linda Van Keuren : You know, at best, most libraries might have a systems librarian, and that would be one of many, many job responsibilities.
- 466
- 01:53:34.710 --> 01:53:52.980
- Linda Van Keuren : So it's even more important now for libraries to seek out and partner with their IT departments, or whoever's responsible for cybersecurity on these matters. So, for example, if the IT department wishes to enable a security method such as two-factor authentication,
- 467
- 01:53:54.240 --> 01:54:09.210
- Linda Van Keuren : Libraries can partner with them on that and ensure that access to library resources uses two-factor authentication. So I don't think any library wants to be seen as the weak link in the enterprise security, so partnering and understanding
- 468
- 01:54:10.260 --> 01:54:14.130
- Linda Van Keuren : What is important to IT departments can really go far.
- 469
- 01:54:15.900 --> 01:54:24.840
- Linda Van Keuren : And collaborating with IT departments also can help when, if and when, that tension between protecting patron privacy,
- 470
- 01:54:26.190 --> 01:54:38.610
- Linda Van Keuren : Facilitating user experience and security risk mitigation comes up, you can have these conversations because you've already built a trusting collaboration with your IT department.
- 471
- 01:54:39.780 --> 01:54:43.020
- Linda Van Keuren : Libraries shouldn't just collaborate with IT. You should also collaborate with the
- 472
- 01:54:43.770 --> 01:54:52.740
- Linda Van Keuren : publishers that you're working with, and have a good understanding of what's important to them in regards to the security of their content. And of course, if librarians are
- 473
- 01:54:53.640 --> 01:55:11.790
- Linda Van Keuren : Going to partner with a vendor that might have patrons' personally identifiable information, they should do a security audit to make sure that both the vendor and you have the same standards in regards to security measures such as encryption, or whatever is important to your institution.
- 474
- 01:55:13.230 --> 01:55:25.800
- Linda Van Keuren : So education. Education is very integral to what librarians do. We spend a lot of time teaching patrons all aspects of utilizing information resources, and certainly cybersecurity can be sprinkled throughout
- 475
- 01:55:26.400 --> 01:55:37.170
- Linda Van Keuren : Those education sessions. So we can help patrons be careful about clicking links in emails and opening attached files from people they don't know,
- 476
- 01:55:38.010 --> 01:55:48.390
- Linda Van Keuren : And thereby reduce perhaps the possibility of some malware being introduced into the enterprise network. But we also can help them respect the intellectual property of others,
- 477
- 01:55:49.110 --> 01:56:04.560
- Linda Van Keuren : Helping them understand copyright, and that might also reduce the number of exposed institutional credentials or excessive download cases. It's not just the users, of course; library staff also need to have a good understanding of some basic cybersecurity principles.
- 478
- 01:56:06.420 --> 01:56:12.720
- Linda Van Keuren : And good policy. So having good policies that promote good cybersecurity; it shouldn't be an afterthought.
- 479
- 01:56:13.260 --> 01:56:28.950
- Linda Van Keuren : These can be policies about restricting downloads on public computers or a policy about timely installation of software patches. So you want to consider maybe also having a cybersecurity emergency policy alongside a natural disaster policy, so if
- 480
- 01:56:30.540 --> 01:56:34.770
- Linda Van Keuren : That unfortunately occurs, you would be more ready to handle it.
- 481
- 01:56:35.910 --> 01:56:45.840
- Linda Van Keuren : And also, then, I feel that moving to a federated authentication system for access can reduce the security risk
- 482
- 01:56:46.860 --> 01:56:49.410
- Linda Van Keuren : That library access may pose.
- 483
- 01:56:53.100 --> 01:57:00.930
- Linda Van Keuren : And to that last point, I'd like to share with you a case study about how my library moved to federated authentication for library resource access.
- 484
- 01:57:01.350 --> 01:57:09.330
- Linda Van Keuren : And we undertook this project about five years ago, and it helped us to become much more thoughtful and deliberate in regards to security and patron data.
- 485
- 01:57:09.720 --> 01:57:13.950
- Linda Van Keuren : And so for me to explain the project, I do need to give you a few details about the library. So
- 486
- 01:57:14.340 --> 01:57:21.510
- Linda Van Keuren : Dahlgren Memorial Library, or DML as we call ourselves, is the library for the medical center. So we serve a hospital, a cancer center,
- 487
- 01:57:21.870 --> 01:57:31.230
- Linda Van Keuren : And schools of medicine, nursing and biomedicine, and that is about 6,500 FTE of a larger university FTE of 20,000.
- 488
- 01:57:32.040 --> 01:57:39.960
- Linda Van Keuren : We are almost entirely online. So we say our collections are 99.9% online, and we have been for many, many years.
- 489
- 01:57:40.740 --> 01:57:50.550
- Linda Van Keuren : So the project we undertook, as I said, is we moved our resource access from IP-based authentication to a federated authentication system, and we used OpenAthens to do so.
- 490
- 01:57:51.090 --> 01:58:03.240
- Linda Van Keuren : This project ended up having numerous benefits to us and our patrons, and one of them was the implementation of a much more sophisticated identity management system and security measures.
- 491
- 01:58:07.860 --> 01:58:23.730
- Linda Van Keuren : So before this, we were using IP-based authentication for library resources. So we provided our affiliated IP numbers to vendors, and anyone within that range could access library-provided resources when they were on campus. Users didn't have to log in, and
- 492
- 01:58:25.710 --> 01:58:32.730
- Linda Van Keuren : That's not to say resource access was completely open. Most of the campus computers did require a login just to use the computer,
- 493
- 01:58:33.120 --> 01:58:43.440
- Linda Van Keuren : And the proxy server for off campus required a login, but it was a much more porous environment as it relates to access, and we wanted to tie access not to the location.
- 494
- 01:58:44.040 --> 01:58:53.910
- Linda Van Keuren : We wanted to tie it to the identity of users. And in doing so, we envisioned we would make better security decisions, better access decisions and acquisitions decisions.
- 495
- 01:58:54.150 --> 01:58:58.290
- Linda Van Keuren : So we partnered with our IT department; they're called University Information Systems.
- 496
- 01:58:58.680 --> 01:59:04.770
- Linda Van Keuren : On this project and they brought with them their vast experience in cyber security and identity management.
- 497
- 01:59:05.100 --> 01:59:15.900
- Linda Van Keuren : So they shared with us that they felt that IP-based authentication was a higher security risk than the federated authentication model. So they were incredibly interested
- 498
- 01:59:16.260 --> 01:59:27.870
- Linda Van Keuren : And pleased with our interest in this model for access. As I said, we also wanted to change our acquisitions model. So part of the change: we were purchasing resources for the entire community,
- 499
- 01:59:28.620 --> 01:59:38.160
- Linda Van Keuren : Which is the FTE of 20,000, rather than just the medical center community, even though all of our funding comes from the medical center community.
- 500
- 01:59:38.430 --> 01:59:50.370
- Linda Van Keuren : And so we needed to change that. So for clinical information resources, medical center users had priority access, and we could purchase and limit just to those relevant users.
- 501
- 01:59:51.510 --> 02:00:09.840
- Linda Van Keuren : We also only had minimal statistics using IP-based authentication, and we really wanted demographic-based usage statistics. And we wanted the statistics because we thought we'd be able to provide better service and also have better conversations about library funding.
- 502
- 02:00:11.370 --> 02:00:21.420
- Linda Van Keuren : And we wanted to provide more consistent access to our hospital patrons. So our hospital is part of a multi-hospital health system. We only serve
- 503
- 02:00:21.990 --> 02:00:29.760
- Linda Van Keuren : One hospital out of many, and their IT infrastructure is handled by the health system IT.
- 504
- 02:00:30.240 --> 02:00:36.990
- Linda Van Keuren : So changes would be made to their network infrastructure that would temporarily cut off IP access to that user population.
- 505
- 02:00:37.290 --> 02:00:47.640
- Linda Van Keuren : And that's a user population that really needs information quickly. It is critical to patient care. And so we really needed something that was much more stable for our users.
- 506
- 02:00:48.240 --> 02:00:57.330
- Linda Van Keuren : Around the same time, this hospital system unfortunately had a very public ransomware attack, and so cybersecurity was very much on everyone's mind
- 507
- 02:00:58.350 --> 02:01:01.170
- Linda Van Keuren : As we were undergoing this project.
- 508
- 02:01:04.830 --> 02:01:11.910
- Linda Van Keuren : So there are other speakers in this summit that will discuss federated authentication more in depth, so I will leave the details to them.
- 509
- 02:01:12.300 --> 02:01:27.120
- Linda Van Keuren : But this slide demonstrates the steps we had to take to undergo the switch to federated authentication. Our IT department vetted OpenAthens. They have a security risk
- 510
- 02:01:29.370 --> 02:01:39.840
- Linda Van Keuren : Checklist, and they also have an identity management checklist, and they were incredibly happy with the methods used to protect the security of our patron data and the amount of data that we could
- 511
- 02:01:40.470 --> 02:01:48.510
- Linda Van Keuren : Choose to release if we so desired. So once the decision was made, we worked with the identity management team and we
- 512
- 02:01:49.740 --> 02:02:00.930
- Linda Van Keuren : Developed the logic to identify our medical center users that would have access, and then that was tied to an attribute that lived within their institutional network credentials.
- 513
- 02:02:02.520 --> 02:02:15.180
- Linda Van Keuren : Once we added the attribute, we then had to configure the connection between the university system and the OpenAthens system so users could use their university credentials to log into our resources.
- 514
- 02:02:16.080 --> 02:02:23.070
- Linda Van Keuren : And then we had to configure the resources on the OpenAthens administration site and then inform our
- 515
- 02:02:23.580 --> 02:02:42.450
- Linda Van Keuren : Publisher partners that we were changing our authentication type to federated authentication wherever possible. And then the last step was to update the resource URLs. So this took three years. This was not a simple, quick thing to do, but it was
- 516
- 02:02:43.620 --> 02:02:51.810
- Linda Van Keuren : Really worthwhile. You know, for our patrons, access remained uninterrupted, except now they were asked to log in at all times, regardless of location.
- 517
- 02:02:52.020 --> 02:02:57.270
- Linda Van Keuren : So we definitely gave this a lot of thought and a lot of consideration, knowing that we were moving to a system
- 518
- 02:02:57.600 --> 02:03:04.710
- Linda Van Keuren : In which library access required the use of personal credentials, when in the past they could generally search anonymously.
- 519
- 02:03:05.160 --> 02:03:15.750
- Linda Van Keuren : However, federated authentication can be set up to have a system-generated ID number that is provided to the service providers to preserve patron privacy.
- 520
- 02:03:16.650 --> 02:03:25.290
- Linda Van Keuren : And administrators can also choose to release additional attributes to service providers on a provider-by-provider basis. So,
- 521
- 02:03:25.740 --> 02:03:46.920
- Linda Van Keuren : For example, we really wanted demographic-based usage statistics. We wanted to do analysis on our usage based on broad categories of individuals, and we chose not to release any of that information, and we handle that completely within the university on an anonymized, aggregated basis.
- 522
- 02:03:52.710 --> 02:04:02.040
- Linda Van Keuren : So as I said, it took about three years to completely transition all our resources over using this method, but once completed, we were able to reap the benefits of
- 523
- 02:04:02.430 --> 02:04:10.950
- Linda Van Keuren : A better acquisitions model that gave us more flexibility, anonymized demographic-based usage statistics that are used to improve services and
- 524
- 02:04:11.340 --> 02:04:19.050
- Linda Van Keuren : Have better funding discussions. But I really want to talk about the security benefits that we feel we reaped from this project. So the first is
- 525
- 02:04:19.470 --> 02:04:28.380
- Linda Van Keuren : Federated authentication for us utilizes both OpenAthens and the institutional security monitoring systems of the university,
- 526
- 02:04:28.890 --> 02:04:32.700
- Linda Van Keuren : Both of which are staffed by individuals with much more security
- 527
- 02:04:33.150 --> 02:04:45.390
- Linda Van Keuren : Expertise than lives in the library. So the library facilitates the security monitoring, but it's not directly responsible for it, and that frees us up to focus on other aspects of service.
- 528
- 02:04:46.260 --> 02:04:58.650
- Linda Van Keuren : Another benefit that was quickly apparent is we can have a precise response to misuse. So if there is, say, an excessive downloading issue, rather than having the whole IP address
- 529
- 02:04:59.370 --> 02:05:15.600
- Linda Van Keuren : Turned off while the matter is investigated, we can quickly identify a specific account that might be involved in the misuse and temporarily suspend it while it's being investigated, and the whole campus doesn't feel the impact of that misuse.
- 530
- 02:05:17.190 --> 02:05:21.630
- Linda Van Keuren : We also have much better identity management. So having the ability to provide
- 531
- 02:05:22.650 --> 02:05:27.990
- Linda Van Keuren : Resource access to the entire medical center or just a single department or single major
- 532
- 02:05:28.440 --> 02:05:35.940
- Linda Van Keuren : Allows the library to much more finely tune our acquisitions purchases, and we just see that as being good stewards of our institutional resources.
- 533
- 02:05:36.570 --> 02:05:43.830
- Linda Van Keuren : And it's easier for us to implement license terms. So, for example, because we're providing content to
- 534
- 02:05:44.550 --> 02:05:53.790
- Linda Van Keuren : A medical center, some of our very clinical resources, the content should really only be used by licensed professionals, and in the past we would deal with that by
- 535
- 02:05:54.750 --> 02:05:59.730
- Linda Van Keuren : Having the licensed professionals kind of jump through a few hoops before they could get to the content.
- 536
- 02:06:00.180 --> 02:06:08.370
- Linda Van Keuren : But now we handle that at the administrative level, and the path for licensed professionals is much more streamlined.
- 537
- 02:06:09.120 --> 02:06:18.840
- Linda Van Keuren : And then finally, we believe federated access brings library resources closer to the user workflow. They can log in from a publisher site if the publisher has enabled that,
- 538
- 02:06:19.260 --> 02:06:28.620
- Linda Van Keuren : And we hope it makes it easy for our patrons to make good decisions in regards to respecting the intellectual property of others and securing their credentials.
- 539
- 02:06:31.650 --> 02:06:39.510
- Linda Van Keuren : So thank you very much. I think there are a few minutes left, and I'm happy to answer any questions that may have come up.
- 540
- 02:06:41.340 --> 02:06:55.980
- Kathleen Neely : And we have a question around when Georgetown Medical Center moved to OpenAthens federated access: are there any vendors who could not accommodate OpenAthens federated access?
- 541
- 02:06:56.400 --> 02:07:02.130
- Linda Van Keuren : Yeah. So we did this five years ago, and federated authentication was still newer
- 542
- 02:07:02.640 --> 02:07:10.740
- Linda Van Keuren : At that time, especially in the US; OpenAthens was much more well known in Europe. And so there were times where we would be
- 543
- 02:07:11.430 --> 02:07:23.370
- Linda Van Keuren : Connecting the publisher and OpenAthens, so the publisher who wouldn't be familiar with it could talk to OpenAthens directly, and then they would get set up in that way.
- 544
- 02:07:26.370 --> 02:07:35.280
- Kathleen Neely : Okay, and I encourage the attendees: we still have some time left to answer questions, so if there's something else you'd like to know,
- 545
- 02:07:36.480 --> 02:07:37.710
- Kathleen Neely : Please don't be bashful.
- 546
- 02:07:42.360 --> 02:07:46.560
- Kathleen Neely : Linda, you mentioned some policies that you put in place,
- 547
- 02:07:47.700 --> 02:07:57.540
- Kathleen Neely : And I just wondered how your patrons reacted to those policies where you're trying to protect them, especially when it comes to HIPAA compliance.
- 548
- 02:07:57.750 --> 02:08:09.240
- Linda Van Keuren : Right. You know, in some ways I think it's easier for us to implement slightly more stringent security policies, because most of our users are working or will work in a clinical environment,
- 549
- 02:08:09.600 --> 02:08:19.380
- Linda Van Keuren : And they have incredibly strict security measures there. So for things such as being required to log in to library resources when they didn't have to,
- 550
- 02:08:19.800 --> 02:08:21.090
- Linda Van Keuren : Honestly, we didn't get
- 551
- 02:08:21.570 --> 02:08:31.470
- Linda Van Keuren : Many comments about it, because our users were used to working in the hospital, where they're used to logging in and recording everything. So in that sense, we're lucky.
- 552
- 02:08:32.970 --> 02:08:33.210
- Kathleen Neely : Okay.
- 553
- 02:08:40.200 --> 02:08:57.930
- Kathleen Neely : Okay, Linda. Can you speak to the issue of security for login credential access? Training Corey both spoke to the issue of phishing and other sophisticated password mining. Are there specific strategies DML used to address this concern?
- 554
- 02:08:59.220 --> 02:09:07.830
- Linda Van Keuren : So, you know, as I said super early on, library credentials are not library credentials; they're institutional credentials.
- 555
- 02:09:08.190 --> 02:09:22.230
- Linda Van Keuren : And so we are just one part of that big institutional access point. And so we look to and work with our IT department as far as all the strategies about keeping those credentials safe. And so
- 556
- 02:09:22.860 --> 02:09:32.880
- Linda Van Keuren : We do things like, as I said, we talk to patrons about respecting intellectual property; we talk to patrons about "don't share your credentials,
- 557
- 02:09:33.630 --> 02:09:43.080
- Linda Van Keuren : Even with your friends." And so we do things sort of on a user-by-user level, but we really take guidance from the experts in our institution, which is our IT department.
- 558
- 02:09:44.760 --> 02:09:45.000
- Okay.
- 559
- 02:09:47.610 --> 02:09:59.520
- Kathleen Neely : All right. Um, I don't think we have any other questions. We'll give it another moment to see if anybody has a last question, and if not, I will pass it back to Dan.
- 560
- 02:10:04.770 --> 02:10:07.470
- Kathleen Neely : Okay, Dan, I think we're back to you.
- 561
- 02:10:08.880 --> 02:10:09.330
- Daniel Ascher: Thank
- 562
- 02:10:10.380 --> 02:10:17.520
- Daniel Ascher: You very much for that great talk, Linda, and thank you, Kathy. So for our next presenter,
- 563
- 02:10:18.450 --> 02:10:36.690
- Daniel Ascher: We will have Joseph DeMarco, who is a partner at DeVore & DeMarco LLP, and similar to Linda, Joseph will be taking questions at the end of his talk. So if you have any questions throughout, please feel free to enter them into the Q&A box. And I will pass it to you. So
- 564
- 02:10:37.800 --> 02:10:43.230
- Joseph DeMarco : Thanks very much, and I really appreciate it. Um, so I don't have any slides, and I'm going to speak
- 565
- 02:10:43.740 --> 02:10:52.230
- Joseph DeMarco : For about 20 minutes, and then I obviously invite any questions that you might have. I'm also available to answer questions offline if people would prefer.
- 566
- 02:10:52.560 --> 02:11:00.210
- Joseph DeMarco : Um, let me just tell you, kind of, what I'm going to cover. First, I'll give you a little bit about my background and how I came to this particular event today.
- 567
- 02:11:01.020 --> 02:11:12.840
- Joseph DeMarco : Second, I'd like to talk about one aspect of the problem that we really haven't focused on yet, which is not just the theft of student credentials, but the theft of faculty credentials, because we've seen those as well.
- 568
- 02:11:14.010 --> 02:11:21.330
- Joseph DeMarco : And then, applying that and building off of that, I'd like to talk about the impact that
- 569
- 02:11:22.140 --> 02:11:35.490
- Joseph DeMarco : The enemies of publishing and of the institutions that are subscribers to various publishers' publications have, what their motivations are, and what we believe is going on, you know, kind of behind the scenes.
- 570
- 02:11:36.420 --> 02:11:41.970
- Joseph DeMarco : You know, there have been press reports out there which, you know, people I'm sure have found or could find on the problem.
- 571
- 02:11:42.240 --> 02:11:48.570
- Joseph DeMarco : But I think it really does bear, you know, kind of pulling everything together and trying to understand the problem holistically,
- 572
- 02:11:49.020 --> 02:12:02.010
- Joseph DeMarco : As to how it was and is that foreign actors might be leveraging the issues we're talking about today to benefit themselves beyond just the collection of pirated academic journals.
- 573
- 02:12:03.120 --> 02:12:09.210
- Joseph DeMarco : First, a little bit about myself. I'm a lawyer in private practice, and I've been working with and representing Elsevier
- 574
- 02:12:09.480 --> 02:12:16.920
- Joseph DeMarco : For several years now on its civil litigation against Elbakyan, Sci-Hub and the Library Genesis projects, as many of you know
- 575
- 02:12:17.160 --> 02:12:23.940
- Joseph DeMarco : On the call. That litigation resulted in the entry of permanent and preliminary injunctions against Elbakyan and Sci-Hub
- 576
- 02:12:24.300 --> 02:12:31.290
- Joseph DeMarco : Several years ago, and ultimately the entry of a default judgment for $15 million against her and the other defendants.
- 577
- 02:12:32.250 --> 02:12:45.960
- Joseph DeMarco : The problem, obviously, is quite pernicious. What she's doing is quite sophisticated, and we believe is, you know, part of a larger infrastructure and network that is targeting universities and publishers across the world.
- 578
- 02:12:47.340 --> 02:12:54.450
- Joseph DeMarco : Before starting my firm, for about a decade I was a federal prosecutor in New York, where I ran the cybercrime unit at the Department of Justice in New York.
- 579
- 02:12:54.750 --> 02:13:04.260
- Joseph DeMarco : And part of my job there was to focus on intellectual property theft, whether it was committed by companies against companies, faithless employees against their employers,
- 580
- 02:13:04.500 --> 02:13:09.720
- Joseph DeMarco : Or nation states directed against large producers of institutional intellectual property.
- 581
- 02:13:10.320 --> 02:13:19.650
- Joseph DeMarco : Um, obviously, this is the problem that, you know, academic publishers and IP producers have been grappling with for decades. And the problem is not going to go away, even if Elbakyan were
- 582
- 02:13:20.100 --> 02:13:27.990
- Joseph DeMarco : Suddenly to reform her ways and shut down Sci-Hub. Um, but I think the problem has become much more pernicious over the last few years.
- 583
- 02:13:28.620 --> 02:13:41.040
- Joseph DeMarco : And one particular area which I'd like to spend a little bit of time on and focus on is not just the problem that can arise when student credentials are compromised, but the problem that can arise when faculty credentials are compromised.
- 584
- 02:13:41.550 --> 02:13:50.220
- Joseph DeMarco : As prior speakers have noted today, the credentials that students, and also the credentials that faculty, use to log on to their systems
- 585
- 02:13:50.460 --> 02:14:00.210
- Joseph DeMarco : Provide access not only to the university libraries and systems, but also provide access to other parts of the computing environment of academic institutions.
- 586
- 02:14:01.020 --> 02:14:09.630
- Joseph DeMarco : I'm also, in addition to my practice as a lawyer, an adjunct professor of law at Columbia University School of Law,
- 587
- 02:14:10.020 --> 02:14:13.620
- Joseph DeMarco : Where I teach the internet crime seminar, and as a faculty member
- 588
- 02:14:14.220 --> 02:14:26.490
- Joseph DeMarco : You know, I'm aware of the types of data that are available to me that may not necessarily be available to students. I also, as you might imagine, do my very best to secure my credentials to the Columbia environment.
- 589
- 02:14:27.180 --> 02:14:35.100
- Joseph DeMarco : Um, in preparation for the talk today, I asked one of the analysts at our law firm, who was a student at an Ivy League school,
- 590
- 02:14:36.060 --> 02:14:46.680
- Joseph DeMarco : To just tell me what information he could access as a student, and I coupled that with my access permissions as a faculty member. And here's a list of information that
- 591
- 02:14:47.490 --> 02:14:54.960
- Joseph DeMarco : People who have access to a student's login credentials, which again are the same typical logon credentials to the university library
- 592
- 02:14:55.800 --> 02:15:04.290
- Joseph DeMarco : System as to the rest of the network in a non-federated, non-authenticated, you know, modality. Here's some of the information that's available
- 593
- 02:15:05.160 --> 02:15:12.360
- Joseph DeMarco : If you have those credentials. Well, obviously you have access, if you're a student, to student submissions and works.
- 594
- 02:15:13.200 --> 02:15:23.550
- Joseph DeMarco : If your access to the system is that of a faculty member, you also, of course, have access to faculty teaching files, class discussions, syllabi,
- 595
- 02:15:23.880 --> 02:15:32.970
- Joseph DeMarco : Class recordings. You know, in this world of COVID and remote teaching, a lot of lectures are being recorded. That includes the Q&A between the students and a teacher.
- 596
- 02:15:33.570 --> 02:15:47.220
- Joseph DeMarco : You have the ability to extract, upload and delete course files, give access to grades, academic records, student evaluations, reports of faculty misconduct.
- 597
- 02:15:47.610 --> 02:16:01.830
- Joseph DeMarco : You have access to contact information inside the university, past student lists, recommendations for students. You have the ability to access account and password settings within the university system.
- 598
- 02:16:03.330 --> 02:16:13.680
- Joseph DeMarco : You also, again, if you are able to obtain student and/or faculty credentials to the university platform, have access to faculty contact information:
- 599
- 02:16:14.160 --> 02:16:31.050
- Joseph DeMarco : Names, addresses, phone numbers, birthdays, email addresses, pictures and emergency contacts for faculty and students. Incredibly valuable information if you are engaged or want to be engaged in some type of identity theft or social engineering crime.
- 600
- 02:16:32.040 --> 02:16:37.560
- Joseph DeMarco : Obviously you have access to terabytes of intellectual property. We've spoken about the theft of that already with regard to the Iranian hacking group.
- 601
- 02:16:38.250 --> 02:16:45.900
- Joseph DeMarco : You also have the ability at the technical level to register network cards, to connect devices to the university networks to be authenticated devices.
- 602
- 02:16:46.620 --> 02:17:05.610
- Joseph DeMarco : You obviously have, in many cases, access to email systems, of course, the school-provided student and faculty email systems, which can contain a treasure trove of highly sensitive, highly personal and highly granular information, again all for the taking.
- 603
- 02:17:07.200 --> 02:17:14.100
- Joseph DeMarco : Obviously you have access to a great deal of financial information: paychecks, if you are a faculty member or staff of the university,
- 604
- 02:17:14.400 --> 02:17:21.030
- Joseph DeMarco : Or if you're a student who's working on campus, payroll records relating to your work on campus. That, of course, along with it
- 605
- 02:17:21.600 --> 02:17:35.100
- Joseph DeMarco : Involves bank information, W-2 information, loan information and, of course, a whole range of other HR information as well. Also included in that is health information related to the faculty and the student members.
- 606
- 02:17:36.120 --> 02:17:43.410
- Joseph DeMarco : Campus services information is also available: security alerts, events, maps, housing information,
- 607
- 02:17:44.160 --> 02:18:03.600
- Joseph DeMarco : And access to internal calendars and events information, all of which provide essentially a nearly complete picture of what's going on on a university campus and/or the life of that particular student or group of students or faculty or group of faculty members. Um,
- 608
- 02:18:04.800 --> 02:18:06.630
- Joseph DeMarco : In my experience as a prosecutor,
- 609
- 02:18:08.100 --> 02:18:15.690
- Joseph DeMarco : I never once encountered a criminal who was engaged in a theft of one particular item
- 610
- 02:18:16.140 --> 02:18:27.720
- Joseph DeMarco : Who knowingly and intentionally passed up the opportunity to steal a second item. You know, people who break into someone's house to steal jewelry,
- 611
- 02:18:28.200 --> 02:18:34.740
- Joseph DeMarco : If they see other valuable information that's out there, will steal the other valuable information.
- 612
- 02:18:35.250 --> 02:18:42.870
- Joseph DeMarco : Um, and I think what we've seen recently, in the last few years, in the area of intellectual property theft, hacking and cybercrime
- 613
- 02:18:43.590 --> 02:18:58.860
- Joseph DeMarco : Is that a confluence of events between criminal groups, organized crime, individual criminals, individual hackers and foreign state sponsors of economic crime and in some cases terrorism come together
- 614
- 02:18:59.250 --> 02:19:10.890
- Joseph DeMarco : In loose, or sometimes not so loose, affiliations of organizations that are operating online to hack into organizations' databases and create a range of crimes.
- 615
- 02:19:11.940 --> 02:19:22.080
- Joseph DeMarco : You know, there was a very good example of this. About three weeks ago, the United States Government brought a criminal indictment against members of APT41,
- 616
- 02:19:22.470 --> 02:19:25.200
- Joseph DeMarco : Which is a Chinese government-sponsored hacking group,
- 617
- 02:19:25.560 --> 02:19:35.490
- Joseph DeMarco : Which had broken into a number of computer networks of online service providers and used those break-ins to then further effectuate
- 618
- 02:19:35.730 --> 02:19:46.650
- Joseph DeMarco : downstream crimes against entities that had subscriptions at those online service providers and platforms, essentially the end-user customers, be they businesses or individuals,
- 619
- 02:19:46.920 --> 02:19:55.260
- Joseph DeMarco : of those platforms, to gain access to the platforms, and in gaining access to the platforms they gained access to the end-user customer accounts and information.
- 620
- 02:19:55.830 --> 02:20:08.760
- Joseph DeMarco : And what did the bad guys do? Well, the bad guys didn't just steal intellectual property belonging to the subscribers of those institutions, those platforms. They didn't just engage in
- 621
- 02:20:09.390 --> 02:20:23.460
- Joseph DeMarco : cryptocurrency mining, that is to say, using the computing power of those companies to solve the complex equations and algorithms that are necessary to be solved in order to mine new Bitcoin. They didn't just do that.
- 622
- 02:20:24.210 --> 02:20:34.350
- Joseph DeMarco : They didn't just steal password information, logon information and information that could be used in identity theft schemes. They didn't just do that.
- 623
- 02:20:35.040 --> 02:20:42.450
- Joseph DeMarco : They didn't just engage in fraud schemes, the theft of funds and the theft of other valuable information.
- 624
- 02:20:42.960 --> 02:20:51.990
- Joseph DeMarco : They engaged in all of those things, each and all of those things, at the same time, wherever they could, whenever they could,
- 625
- 02:20:52.380 --> 02:21:00.210
- Joseph DeMarco : opportunistically looking to make the most money in the shortest amount of time based on the access that they had.
- 626
- 02:21:00.870 --> 02:21:09.210
- Joseph DeMarco : Now what's interesting is if you go back and find that indictment. It's on the DOJ web pages. Google APT41 and, you know, DOJ hacking charges.
- 627
- 02:21:10.110 --> 02:21:16.470
- Joseph DeMarco : What you'll find is a number of the compromised organizations and entities happened to be universities.
- 628
- 02:21:17.160 --> 02:21:28.170
- Joseph DeMarco : Now, in the indictment that the DOJ brought down, the access credentials to those universities weren't necessarily obtained in the same way that Elbakyan and her confederates have obtained the
- 629
- 02:21:28.620 --> 02:21:42.330
- Joseph DeMarco : logon information that they use to perpetrate the Sci-Hub scheme. Those credentials were obtained in another way, but the example underscores, I think, the point that once the bad guys are in,
- 630
- 02:21:43.500 --> 02:21:55.110
- Joseph DeMarco : they're in, and once they're in the odds are quite high, in fact extraordinarily high, that they're going to use that access for a range of mayhem and misconduct.
- 631
- 02:21:55.680 --> 02:21:58.710
- Joseph DeMarco : And when we know from the prior indictments that have been brought
- 632
- 02:21:59.070 --> 02:22:07.110
- Joseph DeMarco : by the Department of Justice in the United States and other foreign law enforcement agencies against some of the groups that have been involved in this,
- 633
- 02:22:07.410 --> 02:22:16.140
- Joseph DeMarco : when we know that the information that they're taking not only relates to information that can be used, you know, for fraud purposes or piracy purposes,
- 634
- 02:22:16.710 --> 02:22:24.420
- Joseph DeMarco : when we know that all of that is going on, but in addition to that what's also going on is the theft of intellectual property,
- 635
- 02:22:24.690 --> 02:22:35.970
- Joseph DeMarco : the theft, for example, of COVID treatment information, therapeutics, vaccine information that we've seen recently, we have to ask ourselves what's really going on behind the scenes.
- 636
- 02:22:36.960 --> 02:22:49.680
- Joseph DeMarco : Look, when you put together that fact with the fact that some of the more sophisticated organizations, including but not limited to Sci-Hub, require a fair amount of internet and technical backbone,
- 637
- 02:22:50.250 --> 02:23:00.840
- Joseph DeMarco : I would submit that the evidence is very, very compelling that the people that are involved in piracy are not just stopping at piracy.
- 638
- 02:23:01.290 --> 02:23:09.630
- Joseph DeMarco : They're engaged in other crimes as well. Now, will they ever admit to that? No. Will they go to great lengths to hide that fact? Of course they will.
- 639
- 02:23:10.080 --> 02:23:24.870
- Joseph DeMarco : They can't do anything other than that, and it's important for them to hide that because if they don't hide it, what would otherwise be a simple issue of copyright law then becomes something much more severe.
- 640
- 02:23:25.470 --> 02:23:46.320
- Joseph DeMarco : But we know, for example, from, you know, Elbakyan's own interviews that she knows the credentials she's using are stolen. We have anecdotal evidence that when credentials are stolen as part of the Sci-Hub piracy scheme, they appear on the dark web for sale, barter or just to be given away.
- 641
- 02:23:47.760 --> 02:23:51.720
- Joseph DeMarco : We're dealing with a sophisticated audience here today. We're dealing with people that understand
- 642
- 02:23:52.380 --> 02:23:59.130
- Joseph DeMarco : What's going on with regards to the attacks upon their systems, the vulnerabilities that they face if they're not properly secured.
- 643
- 02:23:59.370 --> 02:24:09.420
- Joseph DeMarco : We have actual indictments that the Department of Justice has brought with incredibly detailed descriptions of what the wrongdoers are doing, what they're after.
- 644
- 02:24:09.810 --> 02:24:23.190
- Joseph DeMarco : And it hasn't stopped, and it hasn't stopped because intellectual property producers keep producing intellectual property, right? I mean, you know, earlier on today we've heard about how 95% of the contents of Elsevier's
- 645
- 02:24:24.030 --> 02:24:33.810
- Joseph DeMarco : ScienceDirect platform have been stolen. Well, it'll never get to, you know, 100% all in one moment, because new publications are being added all the time.
- 646
- 02:24:34.260 --> 02:24:49.860
- Joseph DeMarco : My guess is it will always hover between 95 and 99%, because as new publications are added the theft will go on, and the theft will go on, I believe, until, you know, participants in this discussion increase security, raise awareness.
- 647
- 02:24:50.880 --> 02:24:56.130
- Joseph DeMarco : You know, obviously things need to be done in the legal context as well to bring pressure to bear on the problem.
- 648
- 02:24:56.850 --> 02:25:04.920
- Joseph DeMarco : But I think that to simply confine the problem to the narrow box of copyright infringement or piracy, or open access,
- 649
- 02:25:05.190 --> 02:25:11.400
- Joseph DeMarco : or, you know, kind of the freedom of information, is, I think, to miss what really is the elephant in the room.
- 650
- 02:25:11.700 --> 02:25:19.050
- Joseph DeMarco : You know, the elephant in the room is that there's a lot more going on behind the scenes and that there are powerful forces in play.
- 651
- 02:25:19.320 --> 02:25:29.610
- Joseph DeMarco : designed to perpetrate this problem, to the detriment of academic institutions around the world, and universities and schools and other institutions around the world.
- 652
- 02:25:29.970 --> 02:25:40.080
- Joseph DeMarco : And I would just again point to the fact of, you know, what could result from faculty credentials being stolen, which we know they are being stolen, in addition to
- 653
- 02:25:40.590 --> 02:25:47.550
- Joseph DeMarco : student credentials. So let me pause there, see if there are any questions. I see a couple of comments in the chat.
- 654
- 02:25:50.100 --> 02:25:50.910
- Joseph DeMarco : And
- 655
- 02:25:52.140 --> 02:26:00.990
- Joseph DeMarco : One comment says, seems that no matter the approach, usernames and passwords are the vulnerable point. You know, I would agree with that.
- 656
- 02:26:01.470 --> 02:26:14.040
- Joseph DeMarco : I think that as long as we only have usernames and passwords that are the means of access, and absent, you know, the policing of those credentials, you know, complexity requirements,
- 657
- 02:26:14.520 --> 02:26:27.180
- Joseph DeMarco : you know, prohibitions against concurrent logins, geo-filtering and other kinds of behavior analytics that we've spoken about today, which are partial solutions, not complete solutions,
- 658
- 02:26:27.600 --> 02:26:37.530
- Joseph DeMarco : as long as we have kind of the username and password as the modality with nothing more, you know, with no other two-factor authentication, whatever format that authentication comes in,
- 659
- 02:26:38.400 --> 02:26:44.640
- Joseph DeMarco : the greater the vulnerability is going to be. I do think there is one reason for optimism,
- 660
- 02:26:45.570 --> 02:27:01.530
- Joseph DeMarco : and that is that I think increasingly just the user base of computers is beginning to use multi-factor authentication more seamlessly and with less resistance as time goes on.
- 661
- 02:27:02.040 --> 02:27:10.770
- Joseph DeMarco : You know, today, having an authenticator app downloaded onto your iPhone, it's not a, you know, weird, freakishly paranoid, you know, super-secure
- 662
- 02:27:11.640 --> 02:27:20.910
- Joseph DeMarco : thing to do. Many people have authenticator apps which will provide them with one-time codes to log on to a platform, same with, you know, receiving a text message
- 663
- 02:27:21.360 --> 02:27:31.140
- Joseph DeMarco : in connection with logging on. Those are not, you know, kind of unusual things, and I think as, you know, computer users generally become more attuned to that, they will be more
- 664
- 02:27:31.770 --> 02:27:41.070
- Joseph DeMarco : willing to do that, and there'll be less resistance to that, and hopefully, you know, that will be rolled out on a greater and greater basis.
- 665
- 02:27:42.000 --> 02:27:52.230
- Joseph DeMarco : We have to increase security, we have to raise awareness, we have to increase training. The problem is not going to go away. I think there will always be kind of this, you know, cat-and-mouse game
- 666
- 02:27:52.470 --> 02:28:11.550
- Joseph DeMarco : between the content producers and the content thieves. But understand, the content thieves are not just content thieves: either they are themselves, or they're working with, people, groups or states that are interested in far more than piracy of copyrighted academic journals.
- 667
- 02:28:14.640 --> 02:28:20.340
- Kathleen Neely : Let's encourage the attendees, if there's any other questions for Joe, to share.
- 668
- 02:28:22.830 --> 02:28:32.040
- Kathleen Neely : And I think you're right, the authentication means are getting much stronger and we're all getting used to those across the board in our day-to-day lives.
- 669
- 02:28:33.870 --> 02:28:47.760
- Kathleen Neely : We do have another comment: is it not so much about resistance and more to do with accessibility? Should a personal phone be a requirement to have access to work resources?
- 670
- 02:28:48.360 --> 02:28:58.650
- Joseph DeMarco : Look, it's a great question, and, you know, I'm not on the technical end or the business end. Um, so I would encourage that as a point of discussion.
- 671
- 02:28:59.760 --> 02:29:09.000
- Joseph DeMarco : But I totally take your point and get your point, and it is a valid point. I mean, we, I think, as an industry want to strive
- 672
- 02:29:09.300 --> 02:29:23.400
- Joseph DeMarco : to make our content as available and as seamlessly and easily viewable as humanly possible. And I think that is a noble goal, you know. I just think there's room for improvement, I guess is what I'm saying.
- 673
- 02:29:24.510 --> 02:29:24.840
- Kathleen Neely : Okay.
- 674
- 02:29:26.310 --> 02:29:35.610
- Kathleen Neely : All right, and we don't seem to have any other questions. We'll give it another moment, in case there's a last burning question from somebody.
- 675
- 02:29:36.630 --> 02:29:45.510
- Kathleen Neely : Joe, thank you so much for your presentation. It was fabulous. I've learned a lot myself. And Dan, I'll leave it to you to take us on.
- 676
- 02:29:46.470 --> 02:29:47.160
- Joseph DeMarco : Thank you for having me.
- 677
- 02:29:48.180 --> 02:29:50.250
- Daniel Ascher: Thank you very much, Joe. Thank you, Kathy.
- 678
- 02:29:51.540 --> 02:30:06.630
- Daniel Ascher: And so with the conclusion of Joe's presentation, we are now going into our 15-minute break here. And if you'd like to continue the conversation in the chat box while we're on break, please feel free to do so.
- 679
- 02:45:07.410 --> 02:45:24.450
- Daniel Ascher: Okay. Welcome back everyone, hope you had a good break there, and we enter the final portion of today's Security Summit. So for our final featured speaker before the round table, we will have Tim Lloyd, the CEO of LibLynx.
- 680
- 02:45:25.500 --> 02:45:27.750
- Daniel Ascher: And whenever you're ready, take it away.
- 681
- 02:45:38.280 --> 02:45:40.500
- Tim Lloyd : Hi. Can you see me, Daniel?
- 682
- 02:45:42.810 --> 02:45:43.530
- Daniel Ascher: Yes, perfect.
- 683
- 02:45:43.980 --> 02:45:44.790
- Tim Lloyd : Great. Okay.
- 684
- 02:46:01.410 --> 02:46:02.010
- Tim Lloyd : Okay, great.
- 685
- 02:46:04.110 --> 02:46:11.100
- Tim Lloyd : So hi, everyone. Hi. Good evening. Good afternoon, or good morning, depending on where you are. My name is Tim Lloyd.
- 686
- 02:46:11.940 --> 02:46:19.260
- Tim Lloyd : By way of a brief introduction, I've spent the last six years focusing on identity and access in relation to scholarly content.
- 687
- 02:46:19.920 --> 02:46:24.450
- Tim Lloyd : I previously worked in publishing, developing scholarly resources in collaboration with libraries.
- 688
- 02:46:25.230 --> 02:46:31.350
- Tim Lloyd : I'm a member of the governance committee of SeamlessAccess.org and a co-chair of the outreach committee; I'll talk a little bit about that later.
- 689
- 02:46:32.130 --> 02:46:39.090
- Tim Lloyd : And I've spent a lot of my life managing both sides of resource access, so this is a very comfortable subject area for me, and I'm delighted to be here.
- 690
- 02:46:40.860 --> 02:46:48.720
- Tim Lloyd : I'm going to talk about four topics today in my half hour. First, I'm going to review how federated authentication works using a simple analogy.
- 691
- 02:46:49.350 --> 02:46:55.710
- Tim Lloyd : Apologies if you've already seen me present this before, but it's just really hard to talk about federated authentication unless there's some
- 692
- 02:46:56.340 --> 02:47:01.020
- Tim Lloyd : base level of knowledge about how it actually works, and this is just the quickest and easiest way to do that.
- 693
- 02:47:01.740 --> 02:47:09.120
- Tim Lloyd : Second, I'm going to talk about the basics of how identity is managed in federated authentication, and so tie in to some of the comments that Linda made earlier.
- 694
- 02:47:10.050 --> 02:47:15.600
- Tim Lloyd : Third, I'll briefly talk about the SeamlessAccess project and how it relates to the security of federated authentication.
- 695
- 02:47:16.590 --> 02:47:25.560
- Tim Lloyd : And then finally, I'm going to compare the security of federated authentication to the most commonly used method to authenticate access to scholarly resources, which is IP authentication.
- 696
- 02:47:28.230 --> 02:47:38.430
- Tim Lloyd : So, federated authentication. A popular misconception about it is that this is really just the same as single sign-on when you're using it on your phone, and it's really not the same.
- 697
- 02:47:38.910 --> 02:47:45.540
- Tim Lloyd : It's an extension of single sign-on. It's designed to allow users to use their organizational credentials to authenticate access
- 698
- 02:47:46.110 --> 02:47:53.490
- Tim Lloyd : to a wide variety of online resources that are provided by third parties outside their organization. Sounds pretty similar; it's not, and you'll see why.
- 699
- 02:47:54.240 --> 02:48:06.360
- Tim Lloyd : If you're unfamiliar with the term federated authentication, you may recognize the name Shibboleth instead. Shibboleth is open source software commonly used to implement federated authentication in research and education institutions.
- 700
- 02:48:07.740 --> 02:48:08.040
- Tim Lloyd : So,
- 701
- 02:48:09.720 --> 02:48:27.930
- Tim Lloyd : the simple analogy is: Bob runs a conference booth. He provides books to anyone who studies at a subscribing institution. Amy comes up to the booth and says, Hi, I'd like a book. Bob asks her if she's at a subscribing institution. Amy says, yep, I'm a student at ABC College.
- 702
- 02:48:29.070 --> 02:48:41.670
- Tim Lloyd : However, Bob doesn't know Amy, so he needs to verify she's actually registered with ABC College. Luckily he has a phone book where he can look up someone who can help him. In the case of ABC College, the person to talk to is Carol.
- 703
- 02:48:42.900 --> 02:48:49.740
- Tim Lloyd : Bob calls Carol and asks if she can confirm the person at his booth is a student at ABC College.
- 704
- 02:48:51.270 --> 02:48:54.810
- Tim Lloyd : Carol asks Bob to put the student on so she can talk to her directly.
- 705
- 02:48:57.210 --> 02:49:01.650
- Tim Lloyd : Carol talks to Amy and is able to confirm that she's a valid student at ABC College.
- 706
- 02:49:02.790 --> 02:49:08.850
- Tim Lloyd : And then Amy passes the phone back to Bob so Carol can tell him directly: yep, the student in front of you is at ABC College.
- 707
- 02:49:10.500 --> 02:49:16.410
- Tim Lloyd : Now, Bob would ideally like to know the student's name so he can learn more about her interests and recommend other books in future.
- 708
- 02:49:18.090 --> 02:49:25.200
- Tim Lloyd : But ABC College's policy is not to release student names, and so Carol can't provide Bob with any additional information on the student.
- 709
- 02:49:27.270 --> 02:49:31.080
- Tim Lloyd : So, okay, Bob's verified that the student in front of him is at ABC College,
- 710
- 02:49:32.280 --> 02:49:45.660
- Tim Lloyd : gives her a book, and she also gets a very bright green badge to wear that says, I'm with ABC College, and when all the other booths see that badge, it'll save some time, so she won't need to tell every booth which institution she studies at.
- 711
- 02:49:47.340 --> 02:49:51.660
- Tim Lloyd : So this simple scenario is pretty close to how federated authentication works at a high level.
- 712
- 02:49:52.980 --> 02:50:03.930
- Tim Lloyd : So we've got Bob as a service provider, or sometimes SP as it's referred to, who needs to check a visitor's institutional affiliation before providing access to services.
- 713
- 02:50:05.730 --> 02:50:21.720
- Tim Lloyd : The phone book he consulted is an identity federation, a trusted list that details how to talk to a set of vetted institutions and vendors. So examples of identity federations in higher education include InCommon in the United States and the UK Access Management Federation.
- 714
- 02:50:23.430 --> 02:50:32.370
- Tim Lloyd : Carol is the identity provider, IdP. So it's the institution's federated authentication service that confirms a visitor's identity.
- 715
- 02:50:33.570 --> 02:50:45.630
- Tim Lloyd : And while, you know, in this simple analogy everyone's speaking English, in reality Bob, Carol and the federation are communicating using a language called Security Assertion Markup Language, or SAML for short.
- 716
- 02:50:48.120 --> 02:51:02.640
- Tim Lloyd : And that badge, the green badge, that is an improvement to federated authentication that enables Amy to avoid having to tell every service provider that she visits what institution she's from, and it's enabled by this new initiative called SeamlessAccess; I'll talk briefly about that later.
- 717
- 02:51:04.260 --> 02:51:13.590
- Tim Lloyd : So it's important to note that Carol, as the identity provider, was in control of Amy's identity. She opted not to share any information about Amy with Bob, such as her name.
- 718
- 02:51:14.280 --> 02:51:24.030
- Tim Lloyd : All Bob got was confirmation Amy's definitely affiliated with ABC College, and because Bob trusts the phone book, he trusts that Carol's the right person to confirm that.
- 719
- 02:51:24.780 --> 02:51:37.200
- Tim Lloyd : So in federated authentication, identity providers control user identities by deciding whether or not to share extra information, known as attributes, with the service provider. But in this example, no attributes were shared.
- 720
- 02:51:38.190 --> 02:51:47.100
- Tim Lloyd : So that's a very quick introduction to service providers, identity providers, federations and attributes, and I'm going to talk a bit more about attributes now.
- 721
- 02:51:52.110 --> 02:51:56.580
- Tim Lloyd : Attributes. So that's the term used to describe the data about an authenticated user,
- 722
- 02:51:57.120 --> 02:52:09.360
- Tim Lloyd : and attribute release is the process by which that data is shared by an identity provider, such as a research and education institution, with the service provider, say the publisher, as part of the authentication process.
- 723
- 02:52:10.260 --> 02:52:17.790
- Tim Lloyd : The form that it actually takes depends on the underlying technology. So, for example, SAML is the technology that underpins Shibboleth and OpenAthens,
- 724
- 02:52:18.270 --> 02:52:26.610
- Tim Lloyd : but there are other technologies that support federated authentication. So an example is OpenID Connect, which is used by consumer-facing services like Facebook and Google.
- 725
- 02:52:28.320 --> 02:52:35.400
- Tim Lloyd : So some key things to understand about attributes in federated authentication. Firstly, attribute release is not required.
- 726
- 02:52:36.060 --> 02:52:44.880
- Tim Lloyd : So an identity provider can simply assert that a user is an authorized member of their organization and do nothing more, just what happened in the simple analogy I showed earlier.
- 727
- 02:52:45.690 --> 02:52:50.310
- Tim Lloyd : So in this case the identity provider would just share an anonymous assertion identifier,
- 728
- 02:52:50.850 --> 02:53:05.490
- Tim Lloyd : the technical name, that'll be associated by the service provider with the authentication response, and you can see an example of one on that slide. It's uniquely generated for each authentication, contains no personally identifiable information, and so ensures that user privacy is preserved.
- 729
- 02:53:07.680 --> 02:53:12.630
- Tim Lloyd : So here's some examples of the types of attributes that can be passed as a result of a successful user authentication.
- 730
- 02:53:13.320 --> 02:53:28.410
- Tim Lloyd : So first off, we've got affiliation attributes. So this defines the organizational association between the user and their home institution. It could be through employment, membership, enrollment in an educational program; for example, the user's a faculty member.
- 731
- 02:53:29.820 --> 02:53:41.220
- Tim Lloyd : Next one is an entitlement attribute that confirms the user's right to access a given resource based on criteria previously agreed with a service provider. So that might be a URL for a licensing contract.
- 732
- 02:53:43.230 --> 02:53:49.350
- Tim Lloyd : A pseudonymous identifier can be shared. So that's unique to each person and for each service provider.
- 733
- 02:53:50.010 --> 02:54:00.000
- Tim Lloyd : So it masks the true identity, personally identifiable information; it's just a long alphanumeric string, but it does enable that user to be identified by the same service provider the next time they visit.
- 734
- 02:54:01.140 --> 02:54:13.830
- Tim Lloyd : But it can't be used to correlate patterns of usage across service providers. So this is the means to personalize a user's experience, and we'll come back to this later. And then there's obviously also personally identifiable attributes, such as name and email address.
- 735
- 02:54:16.440 --> 02:54:23.400
- Tim Lloyd : So attributes are really important, the whole crux of this, because they give both sides of this authentication transaction greater control.
- 736
- 02:54:24.180 --> 02:54:34.260
- Tim Lloyd : That control can be valuable in a variety of different ways. For example, access control. So an institution can choose to make a resource available only to users who are,
- 737
- 02:54:34.710 --> 02:54:42.000
- Tim Lloyd : say, full-time staff and students, and prevent, say, alumni or contractors from access. Attributes could be used to enable that.
- 738
- 02:54:42.510 --> 02:54:48.180
- Tim Lloyd : Or cost control. So a library could limit resource access to users with a certain role or from a certain department.
- 739
- 02:54:49.140 --> 02:55:00.720
- Tim Lloyd : And then risk control. So a pseudonymous ID allows users to benefit from personalization without exposing them to the risks and hassle of separately registering yet another username and password.
- 740
- 02:55:01.830 --> 02:55:13.410
- Tim Lloyd : A service provider can recognize a returning pseudonymous ID; they can personalize that user's experience accordingly. They don't receive personally identifiable information. They don't need to store an email address, they don't need to ask for a password.
- 741
- 02:55:16.950 --> 02:55:27.180
- Tim Lloyd : So how's it work? So attribute release only happens after a user's authenticated. A service provider, a publisher, can't pull the attributes; they only receive what the identity provider chooses to send.
- 742
- 02:55:28.410 --> 02:55:38.220
- Tim Lloyd : Attribute release is configured on an identity provider by the institution, typically by category of service provider, although they can do it for each individual service provider; it's just a lot more effort.
- 743
- 02:55:38.970 --> 02:55:45.810
- Tim Lloyd : And library access is just one of a number of valuable use cases for federated authentication. So other ones would be research collaborations,
- 744
- 02:55:46.290 --> 02:55:53.340
- Tim Lloyd : where you've got researchers collaborating across different institutions and might typically share more personal data, such as names and email addresses,
- 745
- 02:55:54.000 --> 02:56:09.930
- Tim Lloyd : or institutional workflows. So that might require users to confirm their institutional affiliation with a third party to access some sort of service. That might be, say, faculty authorizing the use of institutional funds to pay an open access article publishing charge.
- 746
- 02:56:11.460 --> 02:56:18.540
- Tim Lloyd : Because the identity provider's in control, any special needs for attributes must be agreed in advance so that the attribute release
- 747
- 02:56:18.930 --> 02:56:25.590
- Tim Lloyd : can be configured appropriately. A service provider or publisher can't just, you know, afterwards decide, you know what, I think we want email addresses. It's not going to happen.
- 748
- 02:56:28.650 --> 02:56:40.320
- Tim Lloyd : So let's look at how the use of attributes translates into the real world. So these are some example publishing use cases, just to ground those concepts in how that plays out in reality in terms of resource access.
- 749
- 02:56:40.950 --> 02:56:46.980
- Tim Lloyd : So in the first scenario, we've got users accessing full-text articles on a platform where there's no option for personalization.
- 750
- 02:56:47.580 --> 02:56:55.920
- Tim Lloyd : They just need to confirm they're members of their organization. So in this case, all the vendor needs is this anonymous token, the anonymous assertion identifier; that will be fine.
- 751
- 02:56:57.030 --> 02:57:02.460
- Tim Lloyd : In scenario two, users can get content recommendations in the user interface based on their prior search history.
- 752
- 02:57:02.880 --> 02:57:11.310
- Tim Lloyd : So to enable that, a vendor will need to recognize them when they return. So a pseudonymous identifier would do this, and again there's no personally identifiable information being transmitted.
- 753
- 02:57:12.630 --> 02:57:21.750
- Tim Lloyd : In scenario three, we've got a special feature that's only available to certain users. So in this case, the ability to tap into prepaid funds to buy, say, ebooks for a department.
- 754
- 02:57:22.560 --> 02:57:31.140
- Tim Lloyd : The library doesn't want everyone to be able to do this, especially students. So in this case, an attribute for a user's role could be used in addition to a pseudonymous ID.
- 755
- 02:57:32.580 --> 02:57:37.920
- Tim Lloyd : And finally, scenario four has clinicians doing online training, earning continuing education credits,
- 756
- 02:57:38.400 --> 02:57:49.860
- Tim Lloyd : and they need to receive a certificate by email and have the accreditation officially associated with them. So in this case, user consent would be sought to pass an email address, in addition to the pseudonymous ID.
- 757
- 02:57:53.190 --> 02:58:02.340
- Tim Lloyd : So we've talked a little bit about the basics of federated authentication, how identity is managed there. Let's briefly segue into SeamlessAccess.
- 758
- 02:58:03.240 --> 02:58:11.070
- Tim Lloyd : So SeamlessAccess grew out of a project some of you may have heard of called Resource Access in the 21st Century, or RA21 for short.
- 759
- 02:58:11.580 --> 02:58:21.810
- Tim Lloyd : It was initiated in 2016, initially to explore the challenge of remote access for users, with stakeholders from the publishing, library, software and identity communities.
- 760
- 02:58:22.440 --> 02:58:32.940
- Tim Lloyd : It took input from 60 organizations over three years, and it identified federated authentication as holding the most promise for a robust and scalable solution for remote access to scholarly content.
- 761
- 02:58:33.750 --> 02:58:45.300
- Tim Lloyd : It investigated barriers to take-up, developed some ideas of best practices, piloted typical approaches, and its conclusions were published as a NISO Recommended Practice in June 2019, last year.
- 762
- 02:58:46.140 --> 02:58:55.320
- Tim Lloyd : That then led to SeamlessAccess, which was created in July 2019 as a community-driven effort to enable seamless access to information resources,
- 763
- 02:58:55.770 --> 02:59:03.750
- Tim Lloyd : scholarly collaboration tools and shared research infrastructure. So the goal is broader than just library access, but I'm really focusing on that for this talk.
- 764
- 02:59:04.590 --> 02:59:12.360
- Tim Lloyd : It's a coalition of four organizations. So we've got the National Information Standards Organization, NISO, the International Association of STM Publishers,
- 765
- 02:59:12.990 --> 02:59:21.360
- Tim Lloyd : Internet2, which is the US research and education network. It also operates the US identity federation InCommon, amongst many other activities.
- 766
- 02:59:21.930 --> 02:59:33.570
- Tim Lloyd : And GÉANT, which is a European research and education network that operates a service called eduGAIN, some of you might have heard of that, that connects about 60 or so research and education identity federations around the world.
- 767
- 02:59:35.280 --> 02:59:43.980
- Tim Lloyd : So think of SeamlessAccess as the operational successor to the RA21 project, delivering an operational service plus best practices and standards.
- 768
- 02:59:45.540 --> 02:59:54.270
- Tim Lloyd : So why SeamlessAccess? Why do we need this? Simply because access friction deters usage. We've heard this from several speakers already; you know, we're all very aware
- 769
- 02:59:54.960 --> 03:00:03.120
- Tim Lloyd : that when you develop scholarly resources and you're trying to make them available to users, that ease of access is critical, and barriers in people's way send them to alternative places.
- 770
- 03:00:04.020 --> 03:00:11.190
- Tim Lloyd : And by access friction I mean the extra effort required to navigate the access barriers that we put in front of paywalled scholarly resources.
- 771
- 03:00:12.660 --> 03:00:21.810
- Tim Lloyd : So, you know, here are some examples. They're not intended to name and shame anyone; I mean, pretty much all publishers have had some. Interfaces are just very, very inconsistent.
- 772
- 03:00:22.530 --> 03:00:29.010
- Tim Lloyd : Federated authentication currently generates friction because of the need to identify a user's institutional affiliation.
- 773
- 03:00:29.610 --> 03:00:37.350
- Tim Lloyd : And traditionally that's been done by having them select their organization from a list. And the problem is that there's little to no consistency across the way publishers do this.
- 774
- 03:00:37.920 --> 03:00:44.430
- Tim Lloyd : So you have different visual signposts. Am I clicking on Login or Sign In or Access PDF or Access Full Text?
- 775
- 03:00:45.000 --> 03:00:50.940
- Tim Lloyd : There are different user journeys, different visual layouts to institutional access, and there's different terminology.
- 776
- 03:00:51.330 --> 03:01:02.430
- Tim Lloyd : You know, there's lots of jargon in this business: Shibboleth, federated authentication, OpenAthens, UK Access Management Federation, IdP, discovery service. Now, most of that means nothing to users.
- 777
- 03:01:03.330 --> 03:01:10.740
- Tim Lloyd : And then if you add back all the other authentication methods that publishers are allowing, you really can get, it's easy to get, a confusing array of choices for users.
- 778
- 03:01:11.970 --> 03:01:18.240
- Tim Lloyd : So SeamlessAccess addresses this in three ways. Firstly, it has a standard visual cue
- 779
- 03:01:18.690 --> 03:01:25.680
- Tim Lloyd : for how a user accesses resources requiring institutional affiliation, and these two screenshots both have the same
- 780
- 03:01:26.040 --> 03:01:40.680
- Tim Lloyd : SeamlessAccess button in them. So this button either displays the generic "Access through your institution" message to prompt you to select your institution, or a custom message listing your most recent institutional choice, where relevant, and users always have the option to change that.
- 781
- 03:01:41.880 --> 03:01:50.070
- Tim Lloyd : Secondly, SeamlessAccess offers a standard method for finding your institution. So if you think of the screenshots I showed, everyone's just coming up with different interface
- 782
- 03:01:50.940 --> 03:01:58.380
- Tim Lloyd : flows and looks and feels for doing this. So they offer a standard way that features best practice design, so dynamic search results as you type,
- 783
- 03:01:58.710 --> 03:02:08.460
- Tim Lloyd : tolerance of spellings and acronyms, institutional logos to simplify selection, and in technical terms this is called an identity provider discovery service; it's how you discover
- 784
- 03:02:08.940 --> 03:02:19.350
- Tim Lloyd : which organization you're signing in through. And thirdly, and most powerfully, SeamlessAccess stores your institutional choices on your computer in local browser storage.
- 785
- 03:02:20.310 --> 03:02:26.820
- Tim Lloyd : So this information can only be accessed by applications coming from the seamlessaccess.org domain. It's not stored remotely anywhere.
- 786
- 03:02:27.360 --> 03:02:39.270
- Tim Lloyd : You can opt out, which in practice just means you make your choice every single time. And there's nothing personally identifiable; it's just saying that the last time you logged in using federated authentication you logged in as, you know, as people say
- 787
- 03:02:42.930 --> 03:02:44.820
- Tim Lloyd : There's also a couple of other important things
- 788
- 03:02:45.870 --> 03:02:52.710
- Tim Lloyd : that SeamlessAccess is doing. One is working on some important best practices to simplify access to federated authentication.
- 789
- 03:02:53.010 --> 03:03:00.870
- Tim Lloyd : So the first is the development of standardized entity categories and associated attribute release bundles. It sounds like jargon,
- 790
- 03:03:01.290 --> 03:03:07.920
- Tim Lloyd : but you may recall a few slides ago I talked about the fact that libraries can configure attribute release, what data to share about users,
- 791
- 03:03:08.430 --> 03:03:17.910
- Tim Lloyd : at the category level, sort of like if you're managing your Outlook contacts: rather than going through each one, you can just say all of these are personal, all these are work, and treat them that way.
- 792
- 03:03:19.380 --> 03:03:21.750
- Tim Lloyd : But there's no standardization for what these categories are.
- 793
- 03:03:23.160 --> 03:03:30.720
- Tim Lloyd : So if you're a library, this makes it much more complex and more prone to error. So to address this, SeamlessAccess has developed three standard
- 794
- 03:03:31.320 --> 03:03:39.090
- Tim Lloyd : entity categories, with the help of a cross-industry working group. So those categories are, firstly, authentication only.
- 795
- 03:03:39.540 --> 03:03:49.530
- Tim Lloyd : So like that first scenario I talked about a few slides ago, this would be used by a service provider that doesn't need any user attributes at all, just confirmation of that organizational affiliation.
- 796
- 03:03:50.940 --> 03:04:03.990
- Tim Lloyd : The next one's called anonymous authorization. So this will be used when the service provider needs to filter access based on the user's affiliation or entitlements, so it will be an anonymous identifier plus something, so it might be "you're a faculty member".
- 797
- 03:04:05.130 --> 03:04:18.150
- Tim Lloyd : And then the pseudonymous authorization category will be used by a service provider that needs to personalize the service, and will also allow for additional entitlements or affiliation data, so you can provide more control over access.
- 798
- 03:04:19.620 --> 03:04:30.450
- Tim Lloyd : The second important development is contract language templates for library use based on these proposed entity categories. This gives libraries a mechanism to ensure attribute release compliance.
- 799
- 03:04:30.930 --> 03:04:42.180
- Tim Lloyd : And just to note, there's nothing here which stops libraries sharing more data. The key point is that that should be a conversation had between the library and the service provider, and it should be reflected in the conditions.
- 800
- 03:04:48.600 --> 03:04:58.860
- Tim Lloyd : So what about security and privacy? So SeamlessAccess has adopted the GÉANT Data Protection Code of Conduct. You might recall GÉANT was the European research and education network provider I mentioned earlier.
- 801
- 03:04:59.610 --> 03:05:06.840
- Tim Lloyd : So this code of conduct provides specific guidance to service providers on how they should handle personal data in the context of federated authentication.
- 802
- 03:05:07.470 --> 03:05:15.330
- Tim Lloyd : It covers four principles. I won't bother reading them out, but in a nutshell, in plain English, what this means is you should only use attributes that are necessary for access,
- 803
- 03:05:15.840 --> 03:05:22.320
- Tim Lloyd : you should use as little data as possible wherever possible, you should not do anything but provide access with this data,
- 804
- 03:05:22.860 --> 03:05:33.750
- Tim Lloyd : and you should delete or anonymize it when it's no longer needed. Um, it is a remarkably readable document; feel free to Google "GÉANT Data Protection Code of Conduct". It's a few pages and it's
- 805
- 03:05:34.500 --> 03:05:44.580
- Tim Lloyd : a joy to read when you're going through a lot of technical documents. It's a great one, and it also aligns very closely with the American Library Association library privacy guidelines that are found in the code of ethics.
- 806
- 03:05:46.020 --> 03:05:48.090
- Tim Lloyd : So I'm going to pivot. Now back to
- 807
- 03:05:49.260 --> 03:05:54.360
- Tim Lloyd : The aim of my presentation, which was to talk about security in the context of federated authentication.
- 808
- 03:05:55.980 --> 03:06:06.450
- Tim Lloyd : So as I said up front, I'm going to compare it to IP authentication, and I'm going to look at two aspects of security that are of particular concern, and we've touched on both of these today.
- 809
- 03:06:07.110 --> 03:06:14.160
- Tim Lloyd : So the first one is the security of access. How can we be sure that a person accessing a scholarly resource is properly authorized?
- 810
- 03:06:15.540 --> 03:06:21.450
- Tim Lloyd : The second is the security of identity. How can we be sure that the user's privacy is appropriately safeguarded?
- 811
- 03:06:22.470 --> 03:06:28.590
- Tim Lloyd : I'm not going to talk to the wealth of security issues that arise within applications after the user's authenticated.
- 812
- 03:06:30.750 --> 03:06:34.650
- Tim Lloyd : So let's start with security of access and IP authentication.
- 813
- 03:06:36.270 --> 03:06:39.060
- Tim Lloyd : So IP addresses are actually quite hard to fake
- 814
- 03:06:39.480 --> 03:06:50.460
- Tim Lloyd : That's built into the fabric of how the internet works, right, IP or Internet Protocol. So the complexity arises from the fact that users don't have IP addresses, obviously; it's the devices and networks that they use
- 815
- 03:06:50.850 --> 03:06:58.320
- Tim Lloyd : that provide the IP address that a publisher ultimately sees. So a simple analogy is the layers of an onion: the user sits at the core,
- 816
- 03:06:59.040 --> 03:07:04.620
- Tim Lloyd : but interacts with a variety of devices that each assign IP addresses, starting with the device they're using,
- 817
- 03:07:05.220 --> 03:07:08.040
- Tim Lloyd : then devices that manage access on their local or home network,
- 818
- 03:07:08.610 --> 03:07:17.730
- Tim Lloyd : and if they're accessing remotely, then they'll likely be using some form of proxy service that presents yet another IP address, whether it's a VPN or a web proxy service like EZproxy.
- 819
- 03:07:18.660 --> 03:07:23.370
- Tim Lloyd : So the first security concern is how easily can a user access via a registered IP address?
- 820
- 03:07:24.180 --> 03:07:37.680
- Tim Lloyd : Best practice would require all users to enter individual credentials before being given access to a registered on-campus IP address or to a registered proxy address, and as Linda mentioned earlier, that's exactly what they're doing in her institution.
- 821
- 03:07:39.240 --> 03:07:49.800
- Tim Lloyd : However, there are scenarios where users can access on-campus IP addresses simply through physical presence or with generic credentials, such as walk-in logins, and that creates loopholes that can be exploited.
- 822
- 03:07:51.480 --> 03:07:55.500
- Tim Lloyd : There's also the problem of compromised credentials, which speakers have spoken about a lot.
- 823
- 03:07:56.850 --> 03:08:01.500
- Tim Lloyd : Now, while this is equally shared across IP authentication and federated authentication,
- 824
- 03:08:02.010 --> 03:08:09.180
- Tim Lloyd : as Linda mentioned, the challenge is that publishers have very limited options to deal with fraudulent access under IP authentication.
- 825
- 03:08:09.780 --> 03:08:18.990
- Tim Lloyd : All users are anonymous, and so they either have to disable access to registered IP addresses, shutting out valid users as well, or ask the institutional customer to investigate.
- 826
- 03:08:20.400 --> 03:08:35.220
- Tim Lloyd : And as Corey said at the beginning of my presentation, I normally say days, he said from hours to two weeks, and it's true, it's painstaking analysis to trace the access back from an IP address through a proxy server to a physical computer and back to a specific login.
- 827
- 03:08:36.660 --> 03:08:41.580
- Tim Lloyd : The second security concern is the accuracy of the lists of registered IP addresses held by publishers,
- 828
- 03:08:42.330 --> 03:08:50.460
- Tim Lloyd : and I mean this whole system is open to human error. So PSI, the business that specializes in IP address audits, finds that on average 58%
- 829
- 03:08:51.180 --> 03:08:55.200
- Tim Lloyd : of IP ranges held by publishers to authenticate libraries are inaccurate.
- 830
- 03:08:55.920 --> 03:09:07.830
- Tim Lloyd : Having worked with a publisher, I can testify to the number of problems that arise when IP ranges are manually communicated, with myriad opportunities for error, and it's not surprising when you think of how many people touch this data.
- 831
- 03:09:08.910 --> 03:09:15.540
- Tim Lloyd : So, for example, it's not flagged by the library that old IP addresses are no longer being used when new ones are being added.
- 832
- 03:09:16.230 --> 03:09:26.370
- Tim Lloyd : The library fails to communicate those changes to a publisher. In some cases there's some sort of distributing intermediary in between, so it's through a purchasing agent or a purchasing consortium or a distributor.
- 833
- 03:09:27.000 --> 03:09:30.150
- Tim Lloyd : The service provider fails to record those changes in its records.
- 834
- 03:09:30.690 --> 03:09:39.360
- Tim Lloyd : And this process just means that stuff's passing through people's hands all the time, and at each step up the chain there's an opportunity to inaccurately transcribe addresses.
- 835
- 03:09:40.110 --> 03:09:46.950
- Tim Lloyd : Throw in IPv6 as a completely new format for these addresses and, you know, it's easy to see how complex this can get.
- 836
- 03:09:47.730 --> 03:09:57.450
- Tim Lloyd : And what makes it particularly pernicious is that the impact can often be really hidden. So users turned away because their IP address isn't recognized simply go elsewhere.
- 837
- 03:09:58.560 --> 03:10:04.200
- Tim Lloyd : They don't notify you, maybe because they're unaware the library actually provides access or because it's seen as too much effort.
- 838
- 03:10:04.740 --> 03:10:15.210
- Tim Lloyd : Unauthorized users can access when they shouldn't. Valid users have got access, but their usage is attributed to another library because the data is incorrect or due to overlapping IP ranges.
- 839
- 03:10:16.050 --> 03:10:23.850
- Tim Lloyd : So there are solutions that make this better. Online registries, such as The IP Registry, significantly reduce the level of accuracy.
- 840
- 03:10:24.990 --> 03:10:34.710
- Tim Lloyd : But the issue arises from the inherent need to actually communicate large volumes of dynamic information. So the system's ultimately only as good as the information put into it.
- 841
- 03:10:41.700 --> 03:10:44.520
- Tim Lloyd : So let's look at the security of access under federated authentication.
- 842
- 03:10:45.060 --> 03:10:52.890
- Tim Lloyd : So there's a very different authentication process going on, as we saw earlier. So rather than the publisher trusting a credential passed by the user's computer,
- 843
- 03:10:53.310 --> 03:11:02.340
- Tim Lloyd : such as an IP address, the publisher instead relies on the institutional customer to authenticate the user's individual credentials. So to recap from the analogy earlier:
- 844
- 03:11:02.790 --> 03:11:08.760
- Tim Lloyd : the user requests access to paid-for content, the publisher asks the user to confirm their institutional affiliation,
- 845
- 03:11:09.450 --> 03:11:24.960
- Tim Lloyd : the publisher looks up that institution via a trusted federation that tells them where to send the user to log in, the user logs in via the institutional identity service, and then that institution confirms back to the publisher whether the user has successfully authenticated or not.
- 846
- 03:11:26.340 --> 03:11:35.010
- Tim Lloyd : Each of the parties involved, the user, their institution, the publisher, knows that the counterparty they're dealing with is the right one and can trust their responses.
- 847
- 03:11:35.460 --> 03:11:41.550
- Tim Lloyd : So federated authentication has a concept called a trust fabric built into it, which is based around the role of the federation.
- 848
- 03:11:42.210 --> 03:11:49.860
- Tim Lloyd : So, as you'll recall from my earlier slide, the federation acts as a trusted phone book listing the names and contact details of the publishers and institutions involved.
- 849
- 03:11:50.700 --> 03:11:58.110
- Tim Lloyd : So when users share their institutional affiliation, the federation data confirms to the publisher: here's where you send them for the login.
- 850
- 03:11:58.710 --> 03:12:07.800
- Tim Lloyd : When an institution receives a request to authenticate the user, the federation data enables them to validate the digital signature presented by the publisher as part of that request.
- 851
- 03:12:08.730 --> 03:12:20.760
- Tim Lloyd : When a publisher receives an authentication response from an institution, again the federation data helps them validate the source of the response and tie it back to the original request. So someone just can't make up a request or a response.
- 852
- 03:12:21.810 --> 03:12:28.020
- Tim Lloyd : So unlike IP authentication, the identity of all the organizations involved is known and validated.
- 853
- 03:12:28.890 --> 03:12:36.810
- Tim Lloyd : So how about the user? How do we know we can trust their credentials? Well, the beauty of this method is the credentials only exist in one place,
- 854
- 03:12:37.290 --> 03:12:45.300
- Tim Lloyd : under the control of the organization that supplies them. So unlike IP addresses, which can change unpredictably and need to be propagated throughout the scholarly system,
- 855
- 03:12:45.840 --> 03:12:56.070
- Tim Lloyd : the user is always logged in by their own institution, and the institution controls those credentials and can easily update them as a user's situation changes, so onboarding and offboarding, changes in role.
- 856
- 03:12:57.030 --> 03:13:03.000
- Tim Lloyd : And, you know, if the credentials are incorrectly stored, it's a pretty easy thing to correct by the institution concerned.
- 857
- 03:13:04.200 --> 03:13:12.510
- Tim Lloyd : And what about stolen credentials? Well, again, the beauty of federated authentication is that the institution will always know the identity of the user logging in at their end
- 858
- 03:13:13.080 --> 03:13:22.740
- Tim Lloyd : and can delete or reset compromised credentials without impacting other users. And because every SAML authentication has that anonymous assertion identifier that was in the slide earlier,
- 859
- 03:13:23.340 --> 03:13:29.010
- Tim Lloyd : this is something that a publisher can quote back to institutions. They don't need to know the identity of the person, but they can say,
- 860
- 03:13:29.430 --> 03:13:37.800
- Tim Lloyd : this event, we're concerned about it, can you look into it? And so it's much easier for the institution to trace that back to a specific login and take whatever action's necessary.
- 861
- 03:13:39.540 --> 03:13:46.590
- Tim Lloyd : Now let's get back in and consider the security of the user's identity. So IP authentication: it's inherently anonymous, it's privacy protecting.
- 862
- 03:13:47.070 --> 03:13:53.490
- Tim Lloyd : Proxy servers make it more so because they obscure a patron's underlying IP address, which could identify them in certain situations.
- 863
- 03:13:54.000 --> 03:13:58.290
- Tim Lloyd : So if your policy is never to provide personal data under any circumstances, then this fits the bill.
- 864
- 03:13:59.130 --> 03:14:08.400
- Tim Lloyd : But, you know, I chose the words "appropriately safeguarded" deliberately in the slide because it can depend on your circumstances; it can vary by application, by user, by library. So
- 865
- 03:14:09.330 --> 03:14:19.590
- Tim Lloyd : based on the popularity of mobile devices, most users value some level of personalization, even if that's simply to remember the topics I'm interested in so I don't have to rediscover them every time I use your interface.
- 866
- 03:14:20.370 --> 03:14:26.280
- Tim Lloyd : There are also valid reasons why personal data needs to be shared for some resources, such as the example I gave earlier of accreditation.
- 867
- 03:14:27.480 --> 03:14:39.960
- Tim Lloyd : But by anonymizing access, IP authentication forces users wanting personalization to register directly with service providers, which may actually harm their privacy more than federated authentication.
- 868
- 03:14:40.920 --> 03:14:49.980
- Tim Lloyd : Their options are to reuse social login, further increasing exposure of their life to Facebook and Google, or store yet more usernames and passwords with third parties.
- 869
- 03:14:50.400 --> 03:15:00.720
- Tim Lloyd : We know from research that most users tend to reuse existing credentials, so this just exposes both their home and work passwords and increases the general security risks around it.
- 870
- 03:15:02.550 --> 03:15:10.710
- Tim Lloyd : In contrast, under federated authentication you have flexibility. It's one of the appeals of the process, the flexibility it offers libraries in managing privacy.
- 871
- 03:15:11.130 --> 03:15:19.860
- Tim Lloyd : So institutions are always in control of the information shared under federated authentication, and they effectively have a sliding scale of privacy they can apply. So at one end
- 872
- 03:15:20.400 --> 03:15:32.190
- Tim Lloyd : they can simply confirm a user's organizational affiliation, providing no user information, completely anonymous, or they can share that affiliation and entitlement information to allow more granular control over the experience.
- 873
- 03:15:33.300 --> 03:15:43.650
- Tim Lloyd : If personalization is needed, you can move the slider further and share those pseudonymous identifiers, and finally, in cases where it's really appropriate, you can choose to share personal data such as a name and email address.
- 874
- 03:15:45.330 --> 03:15:46.740
- Tim Lloyd : And that is it.
- 875
- 03:15:47.970 --> 03:15:48.720
- Tim Lloyd : Back to you. Thanks.
- 876
- 03:15:53.820 --> 03:16:03.510
- Daniel Ascher: Thank you very much, Tim. It was very informative. I liked your chart in the beginning; it was a nice, simplified way of explaining something that can get very complicated quickly.
- 877
- 03:16:07.320 --> 03:16:17.280
- Daniel Ascher: So now we are going to move on to the roundtable discussion moderated by Rick Anderson university librarian at Brigham Young University.
- 878
- 03:16:26.310 --> 03:16:29.790
- Rick Anderson : Everybody, I am not sure whether you can see me.
- 879
- 03:16:30.810 --> 03:16:31.620
- Tim Lloyd : Yep, I can see
- 880
- 03:16:32.040 --> 03:16:33.960
- Rick Anderson : I'm also not sure whether it matters.
- 881
- 03:16:35.370 --> 03:16:36.870
- Rick Anderson : Not being able to see me is not the
- 882
- 03:16:36.870 --> 03:16:38.490
- Rick Anderson : Worst problem in the world to have
- 883
- 03:16:39.120 --> 03:16:45.090
- Rick Anderson : So thanks so much to all of our presenters. This has been an incredibly interesting and informative
- 884
- 03:16:46.980 --> 03:16:48.240
- Rick Anderson : Morning or
- 885
- 03:16:49.380 --> 03:16:51.630
- Rick Anderson : afternoon, depending on where you are, or evening.
- 886
- 03:16:53.040 --> 03:16:58.410
- Rick Anderson : I have gathered some of the questions that people submitted
- 887
- 03:16:59.550 --> 03:17:07.740
- Rick Anderson : in the Q&A box, and I've also added a couple of my own, just in case they're needed.
- 888
- 03:17:08.550 --> 03:17:23.460
- Rick Anderson : I did want, and I'm not sure whether Corey Roach has been able to make it back. I know that he had a meeting that was supposed to end at about 12:30, so he may join us a couple of minutes late, but he privately sent me a note, a
- 889
- 03:17:24.480 --> 03:17:30.630
- Rick Anderson : comment that he wanted to make sure was communicated to everyone. So I'm going to go ahead and read it. He said:
- 890
- 03:17:31.230 --> 03:17:40.770
- Rick Anderson : I worry that the emphasis on federation and MFA/2FA in the sessions may leave attendees with the wrong impression.
- 891
- 03:17:41.490 --> 03:17:48.990
- Rick Anderson : Unfortunately, I have to drop off during the next session and the roundtable. I'd suggest that a discussion about the limits of those technologies might be a good topic.
- 892
- 03:17:49.710 --> 03:17:59.730
- Rick Anderson : In my view, federation and multi-factor authentication should be, quote unquote, table stakes to enter the game. They don't eliminate risk; they reduce it.
- 893
- 03:18:00.300 --> 03:18:07.650
- Rick Anderson : The security industry has used that tech on lots of other resources, and those resources still battle unauthorized access.
- 894
- 03:18:08.100 --> 03:18:20.670
- Rick Anderson : Exhibit A would be the report on the recent Twitter hack. There's an entire industry around identity and access management; the University of Utah's identity and access management team is a quarter of the total ISO staff.
- 895
- 03:18:22.620 --> 03:18:33.150
- Rick Anderson : So let's just throw that out there and see if our panelists have anything they'd like to add or say in response to that comment from Corey.
- 896
- 03:18:35.640 --> 03:18:48.060
- Tim Lloyd : No, I totally agree with that comment. It's a base level. And I think one of the threads that you can see throughout the whole of today's summit is, you know, the major weakness is credentials, and all these systems are reliant on credentials, and
- 897
- 03:18:49.170 --> 03:18:59.070
- Tim Lloyd : as I see people putting up barriers to that, like two-factor authentication, I see us as humans trying to get around those barriers: we don't always use it, we complain about it, it forces publishers to drop it.
- 898
- 03:19:00.450 --> 03:19:07.740
- Tim Lloyd : So yes, this isn't the be-all and end-all, but I think it is a scaling up of our abilities as an industry.
- 899
- 03:19:08.940 --> 03:19:10.590
- Tim Lloyd : I like the use of the phrase "table stakes".
- 900
- 03:19:11.700 --> 03:19:16.260
- Rick Anderson : Yeah, you've got to at least have MFA to get in the game.
- 901
- 03:19:18.420 --> 03:19:23.940
- Rick Anderson : Anybody else have additional comments on Corey's observation there?
- 902
- 03:19:28.170 --> 03:19:32.220
- Tim Lloyd : I've got a follow-up, just another comment he made in relation to that. He was talking about some of the obstacles,
- 903
- 03:19:32.760 --> 03:19:39.210
- Tim Lloyd : and there are some real obstacles here. One he mentioned is privacy, and I agree with him that in many cases institutions
- 904
- 03:19:39.510 --> 03:19:43.530
- Tim Lloyd : already either have the ability, or will have the ability, to log in anonymously, if that's what they want to do.
- 905
- 03:19:44.400 --> 03:19:54.900
- Tim Lloyd : But, you know, customer experience isn't trivial. You know, this is an upscaling of infrastructure, and, you know, I see this happening on both sides of the coin. Publishers are also
- 906
- 03:19:55.590 --> 03:20:04.140
- Tim Lloyd : struggling with upgrading systems that were built, you know, a decade ago, when people were really just relying on IP authentication and username/password.
- 907
- 03:20:04.770 --> 03:20:11.730
- Tim Lloyd : And now there's a multitude of different ways that users can authenticate, especially if you're a publisher who's selling to different channels.
- 908
- 03:20:12.240 --> 03:20:19.440
- Tim Lloyd : And it's not just academia you're trying to deal with; it's government, it might be medical and healthcare, it might be public libraries, and they all have different technologies. And so,
- 909
- 03:20:19.800 --> 03:20:29.010
- Tim Lloyd : you know, everyone involved in this needs to recognize that there's going to be investment required to up everyone's game, and it's not always obvious where that's going to come from.
- 910
- 03:20:31.020 --> 03:20:32.190
- Excellent. Thanks, Tim.
- 911
- 03:20:35.730 --> 03:20:42.540
- Rick Anderson : All right, let's move on to a question that was posed by one of the attendees.
- 912
- 03:20:45.720 --> 03:20:57.750
- Rick Anderson : How do publishers train their staff to not be tricked by strategies to compromise their staff accounts? I know what universities do, but how can publishers do this?
- 913
- 03:21:02.730 --> 03:21:10.440
- Kathleen Neely : Kathleen, I'm happy to jump in here and talk about that a little bit. So, from a security standpoint,
- 914
- 03:21:11.670 --> 03:21:24.720
- Kathleen Neely : I guess I should go on camera too here so everybody sees me, apologies. But from a security standpoint, I and the rest of the team go through, probably about every six months,
- 915
- 03:21:25.440 --> 03:21:37.740
- Kathleen Neely : security training, and it is not, you know, optional. Everybody has to do it and it needs to be done, and that goes through all the different types of ways that
- 916
- 03:21:39.030 --> 03:21:50.760
- Kathleen Neely : you could be potentially compromising your security, passwords, or just potentially compromising the business as a whole. So I hope that helps.
- 917
- 03:21:53.400 --> 03:21:55.440
- Okere, Kelechi N. (ELS-NYC): Yeah. I'll also add to that.
- 918
- 03:21:57.000 --> 03:22:10.320
- Okere, Kelechi N. (ELS-NYC): I know that, you know, at Elsevier we have these trainings that come up periodically, right. And these are very strict; you're sort of chased around, you're given a deadline, and if you don't
- 919
- 03:22:11.250 --> 03:22:23.520
- Okere, Kelechi N. (ELS-NYC): take them you're constantly chased, and if you keep ignoring them, then your boss's boss's boss's boss is alerted that you haven't taken them. And recently they started doing a very clever one on phishing.
- 920
- 03:22:24.570 --> 03:22:39.960
- Okere, Kelechi N. (ELS-NYC): And I admit I fell for it twice, right, where I got, you know, an email and it looked okay, you know, okay-ish, you know, and I just clicked on it.
- 921
- 03:22:40.680 --> 03:22:54.000
- Okere, Kelechi N. (ELS-NYC): And it said this was an intentional email, a test on phishing, you know, and then it says, you know, obviously you failed it and here's a link, you know, for training.
- 922
- 03:22:55.200 --> 03:23:03.990
- Okere, Kelechi N. (ELS-NYC): And then a week later, I mean, it was so clever, it was a different form of it; the same thing happened, I clicked on what I shouldn't have clicked on.
- 923
- 03:23:06.690 --> 03:23:14.550
- Okere, Kelechi N. (ELS-NYC): And then the same thing, and it says, you know, obviously you failed the test. And so then I went through a training.
- 924
- 03:23:15.750 --> 03:23:20.790
- Okere, Kelechi N. (ELS-NYC): And then, I think it was earlier this week, I got a third one. I said, haha,
- 925
- 03:23:21.720 --> 03:23:22.650
- Okere, Kelechi N. (ELS-NYC): Now you know
- 926
- 03:23:23.160 --> 03:23:24.780
- Okere, Kelechi N. (ELS-NYC): You're not going to catch me a third time.
- 927
- 03:23:25.980 --> 03:23:32.550
- Okere, Kelechi N. (ELS-NYC): So, I mean, I think this is something that, you know, with Elsevier happens, you know, continuously, right, about,
- 928
- 03:23:33.750 --> 03:23:48.120
- Okere, Kelechi N. (ELS-NYC): you know, these phishing attacks and also what to do with data of users or customers that you come in contact with on a routine basis of doing business. And also when GDPR was
- 929
- 03:23:48.690 --> 03:24:03.750
- Okere, Kelechi N. (ELS-NYC): being implemented back in 2018, there was extensive training on, you know, on GDPR and how you manage user data if you are a staff member who comes in contact with customer and also user data.
- 930
- 03:24:05.550 --> 03:24:11.220
- Rick Anderson : You know, Kelechi, yeah, I would suggest the fact that you failed that test twice is actually very encouraging,
- 931
- 03:24:11.730 --> 03:24:19.890
- Rick Anderson : because I think all of us, I mean, well, certainly I know I don't think I've ever encountered a corporate training module that was not a complete joke,
- 932
- 03:24:20.760 --> 03:24:28.650
- Rick Anderson : where, you know, you had any reasonable likelihood of failing the quiz at the end if you had paid even 20% attention.
- 933
- 03:24:29.010 --> 03:24:44.340
- Rick Anderson : And when we're talking about something as important and as impactful as network security, I'm glad to hear that your employer is actually creating challenging training experiences for the staff. So that's it.
- 934
- 03:24:44.340 --> 03:24:47.340
- Okere, Kelechi N. (ELS-NYC): It was very clever, very, very clever.
- 935
- 03:24:48.720 --> 03:24:51.300
- Kathleen Neely : Say, we've done the same thing to our staff.
- 936
- 03:24:51.660 --> 03:25:05.250
- Kathleen Neely : And I almost did the same thing as you, Kelechi, and I just happened to glance back one more time at the email address and thought, I think this is really right, and I sent it to
- 937
- 03:25:05.670 --> 03:25:15.180
- Kathleen Neely : One of our security guys. And he said, oh, this is a test to see if people fail. No. No. Okay. So yeah, we're using it as well.
- 938
- 03:25:17.010 --> 03:25:25.230
- Tim Lloyd : I think there's a more serious point though here, which is, you know, the examples here are all big global publishers, and I think there's a risk that
- 939
- 03:25:25.770 --> 03:25:28.710
- Tim Lloyd : There's a fracturing within the publishing industry as well as
- 940
- 03:25:29.370 --> 03:25:38.010
- Tim Lloyd : Our institutional partners, where you have organizations that have the ability to fund information security departments, and clearly Kelechi's organization has done a great job there.
- 941
- 03:25:38.640 --> 03:25:44.580
- Tim Lloyd : Linda's one sounds like it's doing a great job there. But there are a lot of organizations in our industry, both on the
- 942
- 03:25:45.240 --> 03:25:55.050
- Tim Lloyd : Vendor publisher side as well as on the institutional side, where they simply don't have anywhere near the money. And if you start looking outside of science, tech, you know, STM publishing, to other areas.
- 943
- 03:25:55.710 --> 03:26:03.690
- Tim Lloyd : Who's helping them? You know, they're a generation behind on some of the systems, and a number of the loopholes will be much harder to close.
- 944
- 03:26:05.700 --> 03:26:06.300
- Great points.
- 945
- 03:26:08.760 --> 03:26:12.030
- Rick Anderson : Any other comments on this particular issue before I move on?
- 946
- 03:26:14.850 --> 03:26:15.360
- Rick Anderson : Alright.
- 947
- 03:26:17.580 --> 03:26:24.810
- Rick Anderson : Here's another question or comment. I've worked at multiple academic institutions and for a major publisher.
- 948
- 03:26:25.350 --> 03:26:32.790
- Rick Anderson : And my question to the panel relates to the responsibility of researchers and librarians regarding cyber intrusions.
- 949
- 03:26:33.090 --> 03:26:44.490
- Rick Anderson : Computer security at virtually all universities I worked at was frankly abysmal, with sticky notes with usernames and passwords in plain view and rampant credential swapping.
- 950
- 03:26:44.850 --> 03:26:49.170
- Rick Anderson : For many years, there is either a naivety or indifference about these issues from many.
- 951
- 03:26:49.710 --> 03:27:04.680
- Rick Anderson : But what ethical obligations do researchers and librarians have to keep research data, generated mostly by government funding, and/or copyrighted material secure, given recent developments and more knowledge and sophistication around these matters?
- 952
- 03:27:06.930 --> 03:27:08.670
- Tim Lloyd : I think you should have stopped answering that one, Rick.
- 953
- 03:27:10.890 --> 03:27:23.190
- Rick Anderson : Well, yeah, I mean, I would certainly start by saying that as librarians, of course, you're asking very different questions when you talk about keeping research data
- 954
- 03:27:24.330 --> 03:27:27.090
- Rick Anderson : Secure and keeping copyrighted material secure
- 955
- 03:27:28.110 --> 03:27:37.560
- Rick Anderson : In libraries, access to online copyrighted material is typically governed by license agreements, which are contracts to which the library is a signatory,
- 956
- 03:27:37.950 --> 03:27:53.970
- Rick Anderson : And that creates a legal obligation on us to manage access to the content. And to the degree that we fail to do that, we're breaching the terms of our licenses. So just at the most, at the strictest, most
- 957
- 03:27:56.070 --> 03:28:00.960
- Rick Anderson : Sort of rabbinical level, you know, we need to abide by the terms of the contracts we've signed.
- 958
- 03:28:02.040 --> 03:28:13.290
- Rick Anderson : On a deeper ethical, moral level, we have to think about the degree to which we believe it's incumbent upon us to protect the legal rights of others.
- 959
- 03:28:13.830 --> 03:28:23.010
- Rick Anderson : This is the question that is much more controversial in the library world right now where the legal rights of copyright holders are
- 960
- 03:28:24.270 --> 03:28:27.570
- Rick Anderson : Not always top priority for us.
- 961
- 03:28:28.620 --> 03:28:36.810
- Rick Anderson : This is a departure from where we were, I'd say, 20, 25 years ago, when we used to say, oh, librarians are, you know, great champions of copyright. Now, I find that
- 962
- 03:28:37.230 --> 03:28:46.650
- Rick Anderson : My colleagues tend to be more great skeptics of copyright in the realm of scholarly information. That's a topic for a whole other conversation.
- 963
- 03:28:47.430 --> 03:28:59.130
- Rick Anderson : When we're talking about research data. Boy, that's where it gets, I, speaking as a librarian, our obligations with regard to keeping research data secure
- 964
- 03:28:59.730 --> 03:29:09.000
- Rick Anderson : Really vary from situation to situation. We are not always, in fact, we're not usually, stewards of research data, though in some cases we may be.
- 965
- 03:29:10.710 --> 03:29:17.850
- Rick Anderson : So I can't really speak very well to the ethical obligations of researchers to keep their data secure.
- 966
- 03:29:18.360 --> 03:29:31.140
- Rick Anderson : Another complicating factor is the fact that, in some cases, researchers may be under an ethical obligation to keep their research data publicly available. So it all depends on the terms under which they conducted the research and accepted the funding.
- 967
- 03:29:32.820 --> 03:29:36.060
- Rick Anderson : What are other people's thoughts on those questions?
- 968
- 03:29:39.540 --> 03:29:50.340
- Tim Lloyd : My experience has been that open access has somewhat muddied the waters, and this is a topic that is an endless conversation within our industry, I know, but the idea that people do not understand that open access is
- 969
- 03:29:50.790 --> 03:30:00.840
- Tim Lloyd : Publishing with a different model, but somehow is disintermediating the publishers, and view that, you know, if everything's going open access, why do we need to worry about controlling access to anything?
- 970
- 03:30:01.320 --> 03:30:08.940
- Tim Lloyd : And this is a very wide, I think, misunderstanding of what an open access publishing model actually means, by authors and publishers and users.
- 971
- 03:30:10.320 --> 03:30:15.180
- Rick Anderson : I know that that's a conversation I've had with colleagues on multiple occasions, where they said, look, the
- 972
- 03:30:15.390 --> 03:30:24.960
- Rick Anderson : The answer to all these network security problems is not to lock down the information more effectively. The answer is to make the information free and make Sci-Hub unnecessary.
- 973
- 03:30:25.770 --> 03:30:33.870
- Rick Anderson : Which is, okay, fine, to the degree that you're talking strictly about access to content, but it certainly doesn't address any of these network security issues themselves.
- 974
- 03:30:36.930 --> 03:30:39.180
- Rick Anderson : Any other thoughts from the panelists?
- 975
- 03:30:39.930 --> 03:30:43.560
- Crane Hassold : One thing that I'll say is, so you mentioned some examples of
- 976
- 03:30:44.160 --> 03:30:53.790
- Crane Hassold : You know, what types of security measures should be taking place and what type should not be taken. So I know one of the examples that was there is having sticky notes with passwords.
- 977
- 03:30:54.090 --> 03:30:59.910
- Crane Hassold : Now, that's available to libraries. I'll tell you what, I'm fine with that as a cyber security person.
- 978
- 03:31:00.210 --> 03:31:09.930
- Crane Hassold : That is totally fine in my book. I know that there are a lot of folks in, you know, information technology that look down on things like hard copy password books.
- 979
- 03:31:10.320 --> 03:31:18.780
- Crane Hassold : Those are great in my mind, because it allows, like, the general hygiene that's necessary, the, you know, having different passwords for different websites.
- 980
- 03:31:19.200 --> 03:31:33.240
- Crane Hassold : You can do that. And the primary threat to credentials is not someone coming to your desk and stealing your password. It's going to a malicious website and getting your credentials stolen there.
- 981
- 03:31:33.630 --> 03:31:38.130
- Rick Anderson : And so for an Iranian hacker to get into my physical notebook of passwords.
- 982
- 03:31:38.430 --> 03:31:46.980
- Crane Hassold : Yeah, exactly. Like, I love me, and especially when you think about the expectations of, you know, especially, you know, I'm not, I don't mean to stereotype librarians.
- 983
- 03:31:47.640 --> 03:31:53.280
- Crane Hassold : But they're probably not the types of people who are going to be knowledgeable in the cybersecurity realm anyway.
- 984
- 03:31:53.730 --> 03:32:02.670
- Crane Hassold : And so you need to at least set the expectations that we need to be doing enough, like a base level of, you know, protecting
- 985
- 03:32:03.000 --> 03:32:13.800
- Crane Hassold : Their data and everyone else's data they have access to, and not thinking that everyone should be locked down 100% all the time, because that's just going to end up in failure every single time.
- 986
- 03:32:17.400 --> 03:32:18.420
- Rick Anderson : Great, thank you, Crane.
- 987
- 03:32:21.300 --> 03:32:22.770
- Rick Anderson : Other thoughts or questions?
- 988
- 03:32:24.930 --> 03:32:25.200
- Rick Anderson : Okay.
- 989
- 03:32:26.640 --> 03:32:30.180
- Rick Anderson : Here's another longer question, and then I've got a handful of shorter ones.
- 990
- 03:32:32.430 --> 03:32:42.120
- Rick Anderson : One attendee says, I like Corey's reference to the chain and the weakest link problem. Let me, I'm not sure we've got Corey back yet. I don't think we do.
- 991
- 03:32:42.780 --> 03:32:49.920
- Rick Anderson : But others may be able to address this comment as well. I like Corey's reference to the chain and the weakest link problem.
- 992
- 03:32:50.490 --> 03:33:01.740
- Rick Anderson : Obviously, robust long term solutions to security threats, while important to pursue vigorously, are costly and time consuming to effectively implement on a global scale.
- 993
- 03:33:02.370 --> 03:33:12.600
- Rick Anderson : If major universities struggle to contend with economic priorities and scarcity of resources, what about the tens of thousands of libraries around the world for which this would be but a pipe dream?
- 994
- 03:33:13.020 --> 03:33:16.200
- Rick Anderson : This maybe goes to some of Tim's comments about smaller publishers too.
- 995
- 03:33:17.130 --> 03:33:22.620
- Rick Anderson : For publishers, as their content is distributed worldwide, that represents many, many weak links.
- 996
- 03:33:22.980 --> 03:33:39.210
- Rick Anderson : Can the panel discuss what can be done in the short term to address that immediate problem? For example, encouraging truly widespread adoption and participation in the development of known block lists, even if that sort of approach isn't perfect in and of itself.
- 997
- 03:33:40.560 --> 03:33:56.490
- Rick Anderson : So it sounds like this is kind of a question about, you know, sub-optimal solutions that are achievable in the short term, as opposed to optimal solutions that are unavailable to many organizations and maybe only practically available in the long term.
- 998
- 03:33:59.580 --> 03:34:02.640
- Tim Lloyd : I've got one thought, which is just to start building these into infrastructure.
- 999
- 03:34:03.180 --> 03:34:11.490
- Tim Lloyd : And one of the challenges, if you're a small publisher or a small institution, is that it's expensive and hard for you to make changes to your own infrastructure, especially upgrades.
- 1000
- 03:34:11.880 --> 03:34:24.210
- Tim Lloyd : But to the extent we use a shared infrastructure, building security into that is much easier. So things like the block list could be applied at an infrastructure level, and to the extent that we have shared infrastructure, that makes it easier.
- 1001
- 03:34:27.360 --> 03:34:30.180
- Rick Anderson : You're talking about industry, shared infrastructure within the industry?
- 1002
- 03:34:30.210 --> 03:34:30.630
- Yeah.
- 1003
- 03:34:33.600 --> 03:34:41.490
- Tim Lloyd : You know, either existing ones or potential new ones. I mean, I could imagine a scenario where, so Shibboleth is open source software.
- 1004
- 03:34:42.360 --> 03:34:50.190
- Tim Lloyd : What if there was a project to take Shibboleth and upgrade it, so that it featured much better security options that, you know, had
- 1005
- 03:34:50.760 --> 03:34:54.450
- Tim Lloyd : Can be turned on and off by different institutions, depending on their level of security need,
- 1006
- 03:34:54.870 --> 03:35:07.650
- Tim Lloyd : But then became available to the community. I mean, the problem with open source software is it's like puppies for Christmas. You still need to look after it, but it would at least solve the software problem and allow institutions to use open source software solutions like Shibboleth.
- 1007
- 03:35:09.990 --> 03:35:10.590
- Tim Lloyd : Now there's Corey.
- 1008
- 03:35:11.400 --> 03:35:13.980
- Rick Anderson : Corey, he came in just in time to miss that question.
- 1009
- 03:35:15.000 --> 03:35:16.500
- Corey Roach: Bad timing, sorry everyone.
- 1010
- 03:35:17.040 --> 03:35:25.710
- Rick Anderson : No, no worries. Um, let me just, since we do have some extra time, I'm going to go ahead and read it again really quick, because I think Corey will probably have some good thoughts.
- 1011
- 03:35:27.570 --> 03:35:37.350
- Rick Anderson : The question was, obviously robust long term solutions to security threats, while important to pursue vigorously, are costly and time consuming to effectively implement on a global scale.
- 1012
- 03:35:37.710 --> 03:35:47.220
- Rick Anderson : If major universities struggle to contend with economic priorities and scarcity of resources, what about the tens of thousands of libraries around the world for which this would be but a pipe dream?
- 1013
- 03:35:47.700 --> 03:35:52.680
- Rick Anderson : For publishers, as their content is distributed worldwide, that represents many, many weak links.
- 1014
- 03:35:53.010 --> 03:36:06.960
- Rick Anderson : Can the panel discuss what can be done in the short term to address that immediate problem? For example, encouraging truly widespread adoption and participation in the development of known block lists, even if that sort of approach isn't perfect in and of itself.
- 1015
- 03:36:08.550 --> 03:36:14.880
- Corey Roach: I caught the tail end of Tim's answer, and I think the question itself actually kind of leads into somewhat of an answer, and that is
- 1016
- 03:36:15.390 --> 03:36:31.440
- Corey Roach: It's not an all or nothing effort by any means. There are many different things we can do, some of which are very expensive and some of which are not. Block lists are an example of something that is fairly easy to implement, and it's something that we can do fairly inexpensively.
- 1017
- 03:36:32.460 --> 03:36:39.510
- Corey Roach: The efficacy of it is kind of the low hanging fruit. I mean, if it's someone who is sophisticated, they're going to get around that.
- 1018
- 03:36:39.960 --> 03:36:50.670
- Corey Roach: So it's, most security controls are that way. They are layered one on top of the other, because any one individual one doesn't really take care of the threat entirely by itself.
- 1019
- 03:36:52.470 --> 03:36:55.080
- Corey Roach: I, I agree. It's turning the Titanic.
- 1020
- 03:36:56.280 --> 03:37:01.050
- Corey Roach: But I think there are tools that are out there, and I mentioned in my talk that
- 1021
- 03:37:01.620 --> 03:37:11.160
- Corey Roach: Some of the open source tools are not up to par with commercial tools, but they are coming along, and, you know, even if they're not 100%, 30%, and
- 1022
- 03:37:11.460 --> 03:37:17.880
- Corey Roach: Tim's point about, you know, feeding a puppy is absolutely true. They are not free. If anybody tells you open source is free, it's not.
- 1023
- 03:37:18.300 --> 03:37:31.800
- Corey Roach: But it is less expensive. So I think there's kind of a graduated scale there. I also mentioned in the presentation about building community, and I think that is one of the biggest resources in my mind, would be
- 1024
- 03:37:33.000 --> 03:37:34.890
- Corey Roach: Really, making sure that
- 1025
- 03:37:36.000 --> 03:37:50.070
- Corey Roach: We can share that information between organizations, because the risk absolutely is shared between tens of thousands of organizations. So getting the word out, getting ideas out there that can be done relatively inexpensively, I think would be a big help.
- 1026
- 03:37:51.120 --> 03:38:02.190
- Rick Anderson : So Corey, in your response you've talked about building community, and in Tim's response he talked about shared infrastructure. Both of you are pointing at
- 1027
- 03:38:02.880 --> 03:38:25.560
- Rick Anderson : Community sorts of responses that would require collaboration and coordination between entities, some of whom are competitors. Do you guys or anybody else have any thoughts on what could we do to foster that kind of community action in a way that
- 1028
- 03:38:27.180 --> 03:38:42.750
- Rick Anderson : That sort of gets us around both the inertia, because inertia is always the biggest enemy of community action, and also that gets us around the sort of competitive complicating factors that we might encounter. Sure.
- 1029
- 03:38:43.860 --> 03:38:58.950
- Corey Roach: Um, so my first whack at that would be, although I think very much we need to build community for this group as well, I would also recommend looking around and making sure that we're not reinventing the wheel anywhere, particularly our
- 1030
- 03:38:58.980 --> 03:39:01.110
- Rick Anderson : Agent agent sites that already exists.
- 1031
- 03:39:01.140 --> 03:39:07.590
- Corey Roach: Right. And on the education side in particular, there's things like REN-ISAC. I think that was mentioned in another one of the presentations.
- 1032
- 03:39:08.970 --> 03:39:19.620
- Corey Roach: Where some of that community has already been built. There's already vetting processes in place, there's already sharing guidelines in place, those kinds of things. And, you know, even if we don't use those, we can model from them.
- 1033
- 03:39:20.700 --> 03:39:31.350
- Corey Roach: But as an industry, it's not uncommon in security for competitors to collaborate on the technical side of security.
- 1034
- 03:39:33.570 --> 03:39:41.880
- Corey Roach: I do that both within peer organizations on the education side, but also on the healthcare side here in Utah. We are
- 1035
- 03:39:43.380 --> 03:39:46.440
- Corey Roach: Neck and neck with one other health care provider, Intermountain Healthcare,
- 1036
- 03:39:46.830 --> 03:39:55.380
- Corey Roach: And they are one of my biggest collaborators. You know, in the middle of an incident, am I going to call them up and give them information about, you know, things that are at risk in my organization? No, but
- 1037
- 03:39:56.340 --> 03:40:04.530
- Corey Roach: On a day to day basis, as far as sharing threats, sharing approaches, sharing playbooks, absolutely we collaborate, and I think we both gain from it.
- 1038
- 03:40:06.120 --> 03:40:08.130
- Rick Anderson : Excellent. Tim, what are your thoughts on that?
- 1039
- 03:40:09.090 --> 03:40:22.770
- Tim Lloyd : I think my whole experience of the seamless access project in the last few years has been one where organizations from across the industry have come together because there's a shared concern that they have, and I think security is absolutely a shared concern.
- 1040
- 03:40:24.330 --> 03:40:30.090
- Tim Lloyd : I don't see any reason why competitors would be concerned about trying to build a better security infrastructure, because it floats all boats.
- 1041
- 03:40:30.420 --> 03:40:39.090
- Tim Lloyd : You know, if we all want more use of these resources, it doesn't matter what side of the authentication selection we are on, we recognize the leakage of usage is to our detriment. So I think there's
- 1042
- 03:40:39.840 --> 03:40:47.190
- Tim Lloyd : There's everything to play for there, and, you know, whether that goal is open source software or just better education,
- 1043
- 03:40:48.060 --> 03:41:01.140
- Tim Lloyd : You know, some sort of cloud based solutions that can help, part time security experts that can be loaned out to an institution, you know, there's all these opportunities. I think the competitive concerns are probably the least concerns.
- 1044
- 03:41:02.460 --> 03:41:14.520
- Tim Lloyd : But can I just throw a question back, which is, you know, one of the threads throughout this summit has been that the costs of fraudulent access can be much greater than just stolen content.
- 1045
- 03:41:16.770 --> 03:41:32.010
- Tim Lloyd : Maybe this is for you, Corey. If that's the case, why aren't institutions more concerned about this, and maybe, you know, putting higher up a security infrastructure? I mean, yours obviously has. But do you think enough institutions recognize this?
- 1046
- 03:41:32.760 --> 03:41:35.490
- Tim Lloyd : Or is the problem that they don't think it's in libraries themselves where
- 1047
- 03:41:35.910 --> 03:41:52.710
- Corey Roach: To be fair, my institution does have a fairly sophisticated security group. However, I would, if I'm being perfectly honest, say that our security around our library infrastructure is probably not up at the top 10 places I'm worried about securing.
- 1048
- 03:41:53.490 --> 03:42:09.690
- Corey Roach: And that was actually brought up as, I think, one of the comments or questions during the presentations, of, you know, why did I make an argument for most of the risk being on the publisher side for this? And it really has to do with the consequence of a breach.
- 1049
- 03:42:10.830 --> 03:42:20.550
- Corey Roach: In my organization, as I mentioned, there are graduated security controls depending on the risk for that particular area. So if a student were to give away their
- 1050
- 03:42:20.550 --> 03:42:24.840
- Corey Roach: Credential, it certainly is not going to allow access to my medical record system.
- 1051
- 03:42:26.850 --> 03:42:35.070
- Corey Roach: If that's used to scrape Elsevier or another publisher, the loss is on their side, and, you know, as much as I want to help prevent that,
- 1052
- 03:42:35.490 --> 03:42:42.750
- Corey Roach: At the end of the day, if I have to spend the dollars, I'm going to spend it on the regulated data that's over here in the healthcare space that I'm required to by law,
- 1053
- 03:42:43.590 --> 03:42:52.800
- Corey Roach: Than protecting those resources that belong to somebody else. But, you know, we also have a contractual obligation to do our best and not be negligent either.
- 1054
- 03:42:53.850 --> 03:43:02.970
- Corey Roach: And I think some of the controls that we're talking about today probably are table stakes. I mean, we really ought to be doing these just to be playing the game. We ought to be doing them
- 1055
- 03:43:04.560 --> 03:43:10.890
- Corey Roach: To be, you know, a good member of the community and not be spreading that risk without reason.
- 1056
- 03:43:12.120 --> 03:43:21.780
- Corey Roach: So our access to our resources is tied to our identity and access management system. Ours, for all matters, is SailPoint, but
- 1057
- 03:43:23.610 --> 03:43:42.450
- Corey Roach: It is a full time job to do that. Doing federation, doing two-factor, assigning roles, doing all the things that come along with identity management is not easy. So I would caution just that, not to think that doing federation or doing 2FA is the end of the road.
- 1058
- 03:43:43.950 --> 03:43:46.620
- Corey Roach: Again, I'd say that's the minimum we ought to be doing.
- 1059
- 03:43:49.740 --> 03:43:55.470
- Rick Anderson : Do we still have Linda with us? I do have a question that's directed to her, but she's not with us.
- 1060
- 03:43:55.860 --> 03:43:56.910
- Okere, Kelechi N. (ELS-NYC): No, no, she had to leave.
- 1061
- 03:43:57.270 --> 03:43:57.660
- Okay.
- 1062
- 03:43:59.760 --> 03:44:10.920
- Rick Anderson : The question, and she really may be the best one to answer it, but I'll throw it out there in case anybody, and Corey actually may have some comments on this because he's working closely with a medical
- 1063
- 03:44:12.630 --> 03:44:20.640
- Rick Anderson : Health sciences facility. The question is, is anonymity necessary for all researchers, for all subjects?
- 1064
- 03:44:23.220 --> 03:44:36.780
- Corey Roach: I would actually pitch that one back over to the library folks to give a stronger opinion on. In my opinion, probably not, but it is kind of a foundational principle behind things like libraries.
- 1065
- 03:44:38.370 --> 03:44:42.300
- Corey Roach: So I don't see that going away anytime soon.
- 1066
- 03:44:42.930 --> 03:44:45.720
- Tim Lloyd : Oh, is that anonymity to the library,
- 1067
- 03:44:46.140 --> 03:44:47.340
- Tim Lloyd : Or externally, Rick?
- 1068
- 03:44:47.580 --> 03:44:48.060
- Rick Anderson : I'm sorry.
- 1069
- 03:44:48.570 --> 03:44:51.150
- Tim Lloyd : Is it anonymity internally or externally?
- 1070
- 03:44:51.420 --> 03:44:53.370
- Rick Anderson : Well, I'm not sure. And actually,
- 1071
- 03:44:53.580 --> 03:44:54.480
- Tim Lloyd : That's a big difference.
- 1072
- 03:44:54.840 --> 03:45:03.630
- Rick Anderson : Yeah. And yeah, when I read the question originally I understood it to mean medical researchers, not people conducting research in the library.
- 1073
- 03:45:05.070 --> 03:45:11.460
- Corey Roach: Well, and I guess the way I interpreted it was, if they are a student or an academic of some kind doing research,
- 1074
- 03:45:11.910 --> 03:45:21.330
- Corey Roach: The library is always going to know who they are, even if that's a, you know, punch-out card on when you've got to return a resource. They're going to know. That's part of what they are obligated to protect.
- 1075
- 03:45:22.050 --> 03:45:29.970
- Corey Roach: Whether that gets passed on to third party partners, including people like publishers, that's a more interesting question for the librarians.
- 1076
- 03:45:30.360 --> 03:45:45.300
- Rick Anderson : Well, actually, that's a pretty simple question for the librarians. As a standard rule, we don't pass along information to publishers about patrons. And not only that, but we actually don't keep information about. So, for example, at
- 1077
- 03:45:46.890 --> 03:45:55.650
- Rick Anderson : The University of Utah, I know when a patron returns a book that has been checked out, certainly the library retains the information about who has the book at a given moment.
- 1078
- 03:45:56.010 --> 03:46:10.860
- Rick Anderson : But 30 days after that book is returned, that information is expunged from the system, so that if somebody were to come to us in the future and say, who checked out this book from, you know, 2015 to 2020, we can't tell them, because we don't know.
- 1079
- 03:46:11.250 --> 03:46:21.120
- Corey Roach: And much of, and I kind of went over this a little bit in the presentation, but much of the controls and the data we're talking about in order to improve the security posture can be treated the same way. Yeah.
- 1080
- 03:46:21.780 --> 03:46:27.630
- Corey Roach: You know, I'm not doing modeling on events that happened 18 months ago. I'm doing it in the last 30 days.
- 1081
- 03:46:28.320 --> 03:46:39.210
- Corey Roach: And, you know, much of the information that I would use for context is information that my organization already has. You know, I know what your major is, I know where you call home, you know, I know when you're in class and when you're not.
- 1082
- 03:46:40.530 --> 03:46:48.450
- Corey Roach: So that I'm already safeguarding. Things that we create new or synthesize, things that might be sensitive, like what material you are researching,
- 1083
- 03:46:49.140 --> 03:47:02.430
- Corey Roach: You know, we can set the parameters around. Do we tokenize it, anonymize it? Do we delete it? How long do we keep it? What do we use it for? Now, I think those are definitely worthwhile discussions, even within this community, you know, upholding some community standards.
- 1084
- 03:47:03.420 --> 03:47:13.320
- Rick Anderson : Yeah, but the more difficult, controversial question among librarians historically has been, what do we do if a content provider offers to make
- 1085
- 03:47:14.340 --> 03:47:20.610
- Rick Anderson : Research material available to our patrons, but only if our patrons agree to provide an email address.
- 1086
- 03:47:22.680 --> 03:47:36.210
- Rick Anderson : Do we as a library take the stance that we are not going to enter into an agreement with this publisher, because we think that they are encroaching on your privacy?
- 1087
- 03:47:36.780 --> 03:47:43.860
- Rick Anderson : Or do we say, when it comes to something like giving away your email address, your privacy is up to you?
- 1088
- 03:47:44.190 --> 03:47:51.570
- Rick Anderson : And if you're telling me I want access to this content and I'm willing to share my email address in exchange for getting that access,
- 1089
- 03:47:51.870 --> 03:47:58.500
- Rick Anderson : Is it up to us as librarians to say no, that's not a wise privacy decision, so we're not going to broker that?
- 1090
- 03:47:58.980 --> 03:48:06.600
- Rick Anderson : There's a lot of disagreement, or historically has been a lot of disagreement, among librarians on what the right balance of those two
- 1091
- 03:48:07.200 --> 03:48:17.850
- Rick Anderson : Of those two issues is. Those with a more libertarian leaning tend to say, hey, you know, it's your email address, you can do what you want. Our job is to get you the information you need. Those with a more
- 1092
- 03:48:19.650 --> 03:48:30.900
- Rick Anderson : I don't know, activist leaning tend to say we are not going to insert ourselves into an exchange that we think is fundamentally improper.
- 1093
- 03:48:31.950 --> 03:48:32.340
- Corey Roach: I guess.
- 1094
- 03:48:33.060 --> 03:48:40.710
- Corey Roach: Not being in that field, I don't have a strong opinion one way or the other, although I would add to the conversation,
- 1095
- 03:48:42.180 --> 03:48:48.240
- Corey Roach: In my experience, a lot of the time when people make those decisions, they're not fully informed about what the consequences are.
- 1096
- 03:48:48.630 --> 03:49:01.230
- Corey Roach: So for me to feel good about it, I would want to explain to you: why are you giving them this email address? Does it link to your actual usage of their resources? How long are they going to keep it? Are they going to sell it to third parties? What's going to be done with it?
- 1097
- 03:49:02.490 --> 03:49:05.940
- Corey Roach: A lot of times on the internet, we don't think about that until it's far too late. It's a great point.
- 1098
- 03:49:06.390 --> 03:49:19.890
- Tim Lloyd : I think it varies by segment as well. I mean, when we talk about libraries, if we're talking about academic libraries, that's definitely the case. If we're talking about corporate libraries, very different. We deal with lots of corporate libraries who don't give a second thought to privacy.
- 1099
- 03:49:20.490 --> 03:49:22.260
- Corey Roach: Well, while you're writing
- 1100
- 03:49:22.710 --> 03:49:34.800
- Tim Lloyd : But privacy, they didn't care. You know, defendant knows which person called up the article. Now, they don't want those articles shared with competitors who are doing research, but the individuals are just employees. It's a very, very different conversation, but then language as well.
- 1101
- 03:49:35.160 --> 03:49:38.910
- Corey Roach: And while you're operating as an employee, the expectation for privacy is very different.
- 1102
- 03:49:39.690 --> 03:49:51.960
- Corey Roach: You know, research firms, so Gartner research: every time I download a paper it is watermarked and stamped with my login, for the same reason. They don't want me to share that information outside of the license.
- 1103
- 03:49:54.630 --> 03:50:05.310
- Tim Lloyd : It makes an interesting scenario, because often you have these two circles that intersect, where you've got corporate libraries and academic libraries, and then you have these medical libraries that sit in between.
- 1104
- 03:50:05.820 --> 03:50:13.080
- Tim Lloyd : Where they're part of an institution, and, you know, I, in my day job, deal with a lot of libraries that are in that intersection.
- 1105
- 03:50:13.500 --> 03:50:23.370
- Tim Lloyd : And it's very interesting, because the people within the hospital unit spend a little time dealing with commercial hospitals and sort of act the same way. But they're within an institution that's got very different privacy approaches.
- 1106
- 03:50:23.880 --> 03:50:30.870
- Tim Lloyd : And, you know, almost leads to a split personality and, you know, what should we do to, and that's where you see the most stark differences between those two sectors.
- 1107
- 03:50:31.410 --> 03:50:40.200
- Corey Roach: And I can even see that stuff maybe straddling that line for different roles. You know, if I'm providing clinical care as a pharmacist, I really don't care what you look at for
- 1108
- 03:50:40.680 --> 03:50:49.890
- Corey Roach: When I'm looking up interactions or reference material, but in my research and I'm, what I'm going to publish. I mean, I want everybody to see everything I'm looking up.
- 1109
- 03:50:50.190 --> 03:50:50.490
- Right.
- 1110
- 03:50:52.320 --> 03:50:57.240
- Okere, Kelechi N. (ELS-NYC): I have a question for you, Corey, just maybe as a follow up to one of the things you said.
- 1111
- 03:50:58.710 --> 03:51:08.970
- Okere, Kelechi N. (ELS-NYC): And that when you were up against security threats, you know, maybe, historically, you know, breaches to, let's say, student records or medical records,
- 1112
- 03:51:09.450 --> 03:51:25.320
- Okere, Kelechi N. (ELS-NYC): As opposed to, you know, a breach coming through potentially library resources, you know, you wake up, you're going to spend efforts on the first one. And I wonder, is that because of a historical thing, that maybe
- 1113
- 03:51:26.490 --> 03:51:39.420
- Okere, Kelechi N. (ELS-NYC): There's not enough evidence that breaches on library resources, that come through that channel, aren't, you know, there's not enough evidence that they go beyond
- 1114
- 03:51:40.140 --> 03:51:41.250
- Corey Roach: You know that says no.
- 1115
- 03:51:41.850 --> 03:51:51.810
- Corey Roach: I don't think that's the case. I think that's a fantastic question, but I don't think that's the case, I think it is and I should probably have qualified this first time, but I think it's somewhat particular to my organization.
- 1116
- 03:51:52.290 --> 03:52:00.660
- Corey Roach: Because we do have a lot of graduated controls based on risk. So having that credential by itself doesn't buy you a whole lot.
- 1117
- 03:52:01.170 --> 03:52:11.310
- Corey Roach: Whereas, you know, if I were a less mature organization or, you know, even the University of Utah 10 years ago, that username and password would have gotten you into a whole lot more than it does today.
- 1118
- 03:52:12.780 --> 03:52:20.310
- Corey Roach: So yeah, then that profile changes, those risks change a lot, if that is your only control over your data.
- 1119
- 03:52:21.540 --> 03:52:24.660
- Corey Roach: But that it does kind of depend on what you have in place.
- 1120
- 03:52:29.430 --> 03:52:37.890
- Rick Anderson : Here's a question that came through. There are many pros to federated and seamless access. Are there any cons?
- 1121
- 03:52:42.150 --> 03:52:46.770
- Corey Roach: I'll give my two second answer, but that's not really my specialty. But I'm
- 1122
- 03:52:48.150 --> 03:52:55.380
- Corey Roach: The only thing I would particularly say is it needs to be done well. It does have a lot of overhead. But it's also, you are joining an ecosystem.
- 1123
- 03:52:56.190 --> 03:53:05.430
- Corey Roach: You are sharing those credentials with other systems, you know, so if my login only ever gets me into library resources, then
- 1124
- 03:53:06.060 --> 03:53:11.760
- Corey Roach: You know, that risk is contained within one little ecosystem. If I start chaining it into other things, and that, you know,
- 1125
- 03:53:12.120 --> 03:53:20.100
- Corey Roach: Kind of goes to Kelechi's point just a minute ago, is if that credential in one place gets me into another, you're joining a greater area and
- 1126
- 03:53:20.730 --> 03:53:28.830
- Corey Roach: Honestly, federation by itself is not a control. It just gives more uniformity and allows you to plug controls in better across the board.
- 1127
- 03:53:30.270 --> 03:53:32.040
- Corey Roach: I'd love to hear somebody supposing have been
- 1128
- 03:53:34.890 --> 03:53:36.060
- Tim Lloyd : So I can talk to this one.
- 1129
- 03:53:37.440 --> 03:53:41.190
- Tim Lloyd : I think the biggest con is simply the effort involved in setting it up.
- 1130
- 03:53:42.720 --> 03:53:50.580
- Tim Lloyd : It can be expensive if you don't have people with appropriate experience, and they are increasingly hard to find and expensive to hire.
- 1131
- 03:53:51.570 --> 03:54:01.740
- Tim Lloyd : It involves a wholesale change in attitude. Typically the system cuts across your campus, so it's not something that the library implements, not something that just IT implements; it involves collaboration across the board.
- 1132
- 03:54:02.850 --> 03:54:12.540
- Tim Lloyd : And, you know, as Corey hinted, if you get it wrong, you know, you can do a lot more damage than, you know, a traditional system which is based on older style methods.
- 1133
- 03:54:13.950 --> 03:54:15.690
- Tim Lloyd : So, you know, don't go into it
- 1134
- 03:54:16.740 --> 03:54:30.570
- Tim Lloyd : Thinking it's going to be a simple thing. You need to have people that know what they're doing set it up. But I would say that, you know, once set up, the maintenance is much lower, if it's set up well and you've got people in place to maintain it.
- 1135
- 03:54:30.960 --> 03:54:33.570
- Corey Roach: If you can get people to stop integrating stuff. Yeah.
- 1136
- 03:54:34.770 --> 03:54:35.040
- Tim Lloyd : Yeah.
- 1137
- 03:54:37.350 --> 03:54:38.700
- Tim Lloyd : presale wants want to buy because we're
- 1138
- 03:54:40.260 --> 03:54:44.790
- Tim Lloyd : Taking. We do this every time we bring a new product on board, pretty much anywhere in my institution, it gets
- 1139
- 03:54:45.000 --> 03:54:52.980
- Corey Roach: Integrated into the Identity and Access Management. A quarter of my staff are Identity and Access Management specialists. So yeah, absolutely.
- 1140
- 03:54:53.880 --> 03:55:08.040
- Rick Anderson : Crane, you're originally coming from a law enforcement slash national security type of perspective. What's your take on the question of what the cons of federated and seamless access are?
- 1141
- 03:55:09.000 --> 03:55:18.300
- Crane Hassold : The biggest downside is that you have a single point of failure. Like Corey was saying, the more things I can get access to by entering
- 1142
- 03:55:18.870 --> 03:55:31.230
- Crane Hassold : A little bit of information, the more valuable it is to me. So, you know, if I can get into one thing, I mean, sort of course check, if I can get into one thing with a set of credentials, that's great. If I can get into 10 things,
- 1143
- 03:55:31.890 --> 03:55:37.530
- Crane Hassold : Then that's going to be significantly more valuable and I'm going to you know put a bit more effort into actually
- 1144
- 03:55:38.430 --> 03:55:45.540
- Crane Hassold : Getting access to those. And so, you know, we're going through something similar with single sign on right now across three different products and
- 1145
- 03:55:46.110 --> 03:55:52.530
- Crane Hassold : We've gone through the same issue that the security that has to be in place for our products has to
- 1146
- 03:55:52.980 --> 03:56:03.720
- Crane Hassold : It has to be completely fail safe, because you now have one set of credentials that has access to three different things. So I think that's, to me, you know, from a risk perspective, that's the biggest downside.
- 1147
- 03:56:04.470 --> 03:56:13.350
- Corey Roach: The other thing I would point out is that federated identity is not purely a security function. It's kind of the way the world is going at this point.
- 1148
- 03:56:14.160 --> 03:56:24.810
- Corey Roach: I have all sorts of different constituents within my environment that have logins to the University of Utah. Not all of them are students; they shouldn't all fall under the student license with a publisher.
- 1149
- 03:56:25.350 --> 03:56:35.160
- Corey Roach: I have to be applying roles and attributes to be able to figure out who gets access to what. Applying only an IP address or only a username doesn't give you that level of insight.
- 1150
- 03:56:36.930 --> 03:56:43.080
- Crane Hassold : I'll give you a good example of this, sort of not in the library world, which is social media.
- 1151
- 03:56:43.530 --> 03:56:51.180
- Crane Hassold : Like, how many, I mean, all of us, most people probably have smartphones today and everyone has apps. How many people have logged in to something using your Facebook account?
- 1152
- 03:56:51.480 --> 03:56:59.190
- Crane Hassold : Or your Twitter account? Like, that's, you know, I probably have a dozen or more different apps that are tied to my social media profile.
- 1153
- 03:56:59.580 --> 03:57:09.270
- Crane Hassold : Simply because that's an easy and seamless way to access things, and yet from a risk perspective, you know, I certainly wouldn't do that for like my banking.
- 1154
- 03:57:09.810 --> 03:57:18.660
- Crane Hassold : My banking app. But, you know, for if anyone wanted to get access to something that was tied to one of those to my social media profiles, you know, it's
- 1155
- 03:57:18.690 --> 03:57:24.750
- Corey Roach: Well, your comment right there is interesting, because you're doing that federation for applications that are of equal risk profile. Yeah.
- 1156
- 03:57:24.780 --> 03:57:27.480
- Corey Roach: You're choosing to do a different credential for things that are higher risk.
- 1157
- 03:57:27.540 --> 03:57:27.900
- Yep.
- 1158
- 03:57:30.030 --> 03:57:38.340
- Tim Lloyd : But that is a great example of what can go wrong with federated authentication, because there's plenty of approaches to solve that problem, Crane.
- 1159
- 03:57:38.910 --> 03:57:44.970
- Tim Lloyd : But if it's not implemented well and people apply the same thing across the board, though, there's a great example
- 1160
- 03:57:45.390 --> 03:57:52.740
- Tim Lloyd : I've cited at conferences of a major US research institution that was using federated authentication for research collaborations.
- 1161
- 03:57:53.250 --> 03:58:00.930
- Tim Lloyd : And in research collaborations, you've got different scientists across different organizations collaborating with each other, so they're sharing attributes like names and email addresses.
- 1162
- 03:58:01.500 --> 03:58:06.630
- Tim Lloyd : And the campus IT people just applied that same model
- 1163
- 03:58:07.110 --> 03:58:14.520
- Tim Lloyd : To library resources. So they switched on a whole bunch of library resources with federated authentication, and all the publishers concerned got oodles of personally identifiable data.
- 1164
- 03:58:15.360 --> 03:58:23.850
- Tim Lloyd : Not a problem with the technology; it's a problem in understanding the technology and configuring it properly, which you need some expertise to make sure your voice on
- 1165
- 03:58:25.290 --> 03:58:29.910
- Crane Hassold : The other side of it is, you know, depending on how you set up authentication.
- 1166
- 03:58:30.420 --> 03:58:39.480
- Crane Hassold : Across different applications. You know, if you're using a third party, your trust is now being put into that third party. So, like, today,
- 1167
- 03:58:39.900 --> 03:58:59.640
- Crane Hassold : Do I feel comfortable that Facebook has access to a dozen or so applications that, you know, I'm using now? But, you know, that was something that I ended up doing, and none of those applications have control over how Facebook uses any of that data.
- 1168
- 03:59:05.610 --> 03:59:07.140
- Rick Anderson : Okay, um,
- 1169
- 03:59:08.850 --> 03:59:19.590
- Rick Anderson : Here's another longish question. This is a question in response to Corey's remarks regarding stolen student credentials
- 1170
- 03:59:20.400 --> 03:59:28.890
- Rick Anderson : Not posing that much of a risk. What perplexes me is why universities don't view a publisher's report of suspicious activity
- 1171
- 03:59:29.340 --> 03:59:43.470
- Rick Anderson : As a potential security breach that warrants immediate investigation, not from a library slash publisher contract perspective, but from a university risk perspective. It seems just as likely as the phished credentials publishers
- 1172
- 03:59:46.260 --> 04:00:00.030
- Rick Anderson : I think that's meant to say: it seems just as likely that the phished credentials publishers might help you detect could be for one of your medical researchers who have access to regulated data as phished student credentials.
- 1173
- 04:00:01.140 --> 04:00:06.990
- Corey Roach: So, two part answer. And actually, I like this one, because it was similar to another one that I saw go by in the chat, and that was
- 1174
- 04:00:07.320 --> 04:00:18.600
- Corey Roach: I was actually shocked to hear that there are universities who don't take those reports seriously. My biggest problem with them is they come very, very late, but we absolutely take them seriously. Those accounts are suspended the second we see them.
- 1175
- 04:00:20.790 --> 04:00:27.870
- Corey Roach: But if there are organizations that are not, I am a little perplexed as to why they would do that, although the second part of that answer is
- 1176
- 04:00:28.620 --> 04:00:38.670
- Corey Roach: It doesn't matter as much if they're a medical researcher or a student, because in my case all they've got to do to get to the research
- 1177
- 04:00:39.300 --> 04:00:49.440
- Corey Roach: Resources is put in their username and password. In order to get into our medical records, they either have to be on site or coming through our VPN, and they have to two-factor to be able to get in.
- 1178
- 04:00:50.010 --> 04:01:00.480
- Corey Roach: Excuse me. So having that password alone doesn't get them very far. But also, if I'm brutally honest, I think we somewhat use it as a canary in a coal mine.
- 1179
- 04:01:00.960 --> 04:01:09.390
- Corey Roach: I mean, we scan the internet for people posting our credentials out on dark websites and other places. We want to know if they've gotten compromised.
- 1180
- 04:01:10.920 --> 04:01:20.010
- Corey Roach: So, as I say, I'm a little stunned that some might not take that seriously. But if they're not, they're definitely missing out on a potential resource.
- 1181
- 04:01:20.940 --> 04:01:40.560
- Rick Anderson : I think one point of failure might, you know, honestly, might be in the library, because the suspicious activity reports, in my experience, are typically sent to the library in its role as the licensee rather than sent directly to campus IT, and so
- 1182
- 04:01:42.240 --> 04:01:49.110
- Rick Anderson : And libraries are, you know, we are typically very good about passing those along, in part because
- 1183
- 04:01:50.010 --> 04:02:04.680
- Rick Anderson : In compliance with our licenses, we have to get those IP addresses or accounts shut down, and we can only do that by going to IT. But if that communication link breaks, that would be one of the things that would
- 1184
- 04:02:05.940 --> 04:02:06.180
- Rick Anderson : That
- 1185
- 04:02:07.650 --> 04:02:16.410
- Corey Roach: So, several poor steps in that interface, though. One is, by only allowing the publisher to see the proxy IP address,
- 1186
- 04:02:17.430 --> 04:02:23.130
- Corey Roach: Their controls are much more coarse grained. They have to see a huge spike in activity to realize that something crazy went on.
- 1187
- 04:02:24.360 --> 04:02:32.010
- Corey Roach: Whereas, if you're looking at each individual user, you can get a lot more fine grained: this guy suddenly looked up 100 PDFs in five minutes, what's going on?
- 1188
- 04:02:34.020 --> 04:02:35.820
- Rick Anderson : So that varies from publisher to publisher.
- 1189
- 04:02:36.450 --> 04:02:36.930
- Has
- 1190
- 04:02:38.220 --> 04:02:48.390
- Corey Roach: Some of them seem to come back pretty quick, and some of them seem to come back really slow. But then to go back to our conversation about federation and tying some of these more sophisticated controls in:
- 1191
- 04:02:49.590 --> 04:02:57.540
- Corey Roach: Right now, as a library, you receive that complaint, you go back into your proxy logs, and you're lining up, okay, this date and time with this resource, and
- 1192
- 04:02:57.750 --> 04:03:11.100
- Corey Roach: Oh, that's this user logged in, and you've got to go down the line and, hand by hand, figure that stuff out. If that's part of a larger monitoring system, that's all automated, so you get rid of that time lag as well. Yeah, good point.
- 1193
- 04:03:12.960 --> 04:03:14.370
- Rick Anderson : Other thoughts in response to that?
- 1194
- 04:03:15.480 --> 04:03:15.900
- Question I
- 1195
- 04:03:17.580 --> 04:03:25.680
- Tim Lloyd : Think it goes back to the extent to which the institution has people that it can fund to do this sort of work. I mean, Corey's got what sounds like
- 1196
- 04:03:26.700 --> 04:03:28.320
- Tim Lloyd : A fairly large and experienced team.
- 1197
- 04:03:30.120 --> 04:03:38.670
- Tim Lloyd : A lot of institutions don't have any. And so even if the librarian is on the board and forwards it, they may just be forwarding it to a campus IT person whose role is mainly just
- 1198
- 04:03:39.180 --> 04:03:46.740
- Tim Lloyd : Basic things like checking that the IP addresses are correct on campus. And, you know, maybe there isn't someone around who's paying particular attention to this.
- 1199
- 04:03:47.070 --> 04:03:55.920
- Tim Lloyd : Or they just view it as, okay, you know, a credential hack, reset the credential and move on, rather than, you know, digging deeper into what's the cause of this and what else could have happened.
- 1200
- 04:03:57.510 --> 04:04:11.340
- Corey Roach: And I thought about that a lot, actually, as I was putting together my presentation. I realized if I was designing controls that only fit my organization, that's a very small fraction of the problem.
- 1201
- 04:04:12.180 --> 04:04:23.850
- Corey Roach: But it goes back to, you know, if we can get some low cost tools, and we can get some rudimentary training, and we can get some community resources where librarians can ask questions, and, you know, maybe we can raise all boats.
- 1202
- 04:04:24.810 --> 04:04:36.930
- Rick Anderson : Yeah, this goes to something that Tim just touched on, which is that, you know, Corey has this amazing team and facility in large part because he oversees
- 1203
- 04:04:37.950 --> 04:04:46.920
- Rick Anderson : Network security at an institution that operates not only a major medical research facility, but also a major healthcare network.
- 1204
- 04:04:47.760 --> 04:05:03.360
- Rick Anderson : And so that not only generates a lot of revenue to support this kind of infrastructure, but also creates an enormous risk profile that makes this kind of infrastructure absolutely essential. If you're at, you know, Greenbrier College,
- 1205
- 04:05:04.440 --> 04:05:06.750
- Rick Anderson : It's going to be more of a struggle
- 1206
- 04:05:07.770 --> 04:05:11.580
- Rick Anderson : To shake loose the kinds of resources necessary to put really
- 1207
- 04:05:12.990 --> 04:05:24.090
- Rick Anderson : really effective and pervasive security in place. And this goes to one of the questions that I had prepared as a pump primer if necessary.
- 1208
- 04:05:25.500 --> 04:05:37.830
- Rick Anderson : So if an institution were to come to you and say, look, we want to increase our network security as much as possible, but we have no money, what solution would give us the most benefit at the least cost?
- 1209
- 04:05:40.410 --> 04:05:43.770
- Rick Anderson : And I realize that question may be too broad. But, you know,
- 1210
- 04:05:44.760 --> 04:05:47.460
- Rick Anderson : Pretend somebody comes up to you at a cocktail party and asks you that.
- 1211
- 04:05:48.270 --> 04:05:56.070
- Corey Roach: My answer as a C level executive rather than a, you know, technical security person would be you don't get anything for free.
- 1212
- 04:05:57.120 --> 04:06:02.010
- Corey Roach: If you are making major structural changes and you think it comes for free, you're disillusioned.
- 1213
- 04:06:03.720 --> 04:06:04.980
- Corey Roach: You're going to be disillusioned.
- 1214
- 04:06:08.340 --> 04:06:10.050
- Corey Roach: But that said,
- 1215
- 04:06:10.710 --> 04:06:12.900
- Corey Roach: There are ways to go about it.
- 1216
- 04:06:13.170 --> 04:06:24.930
- Corey Roach: I mean, I think you can do things like use open source tools, like, train. You know, most IT people that I interact with, in the library space or elsewhere, they're fascinated by security, they want to learn about it. They
- 1217
- 04:06:25.530 --> 04:06:30.540
- Corey Roach: Many of them want to move their career that way, because there is a gap in skills there and it's an opportunity.
- 1218
- 04:06:31.080 --> 04:06:44.220
- Corey Roach: So, you know, I think we can upskill some of the people that are already doing some of that work. I was pleased to see that somebody pasted in the chat earlier that EZproxy is incorporating security controls into their product, which,
- 1219
- 04:06:44.880 --> 04:06:53.670
- Corey Roach: To be clear, I didn't mean to pick on EZproxy. I even thought about whether to put them in my presentation at all. But I realized such a large number of people use them, it was probably an important thing to talk about.
- 1220
- 04:06:55.830 --> 04:07:03.720
- Corey Roach: And the problem there is that their product does exactly what it was designed to do when it was designed, but now it appears they're putting security controls into it, which is great.
- 1221
- 04:07:04.470 --> 04:07:18.690
- Corey Roach: I did go and look at the product release for it, and they're pretty rudimentary right now, but, you know, it's a first step. So that's great. And, you know, I wouldn't necessarily want them to put super complex controls in there until there's support and infrastructure, but
- 1222
- 04:07:20.250 --> 04:07:24.270
- Corey Roach: Hopefully, things like that, things like, you know, there are
- 1223
- 04:07:26.790 --> 04:07:41.580
- Corey Roach: Open source intrusion detection systems. For example, there's one called Zeek that started out as an academic project called Bro. It's free, you know, and it scales to the size of institutions like mine. You do have to put some hardware behind it, but the product is free.
- 1224
- 04:07:43.140 --> 04:07:47.460
- Corey Roach: So, you know, there are creative ways to stretch your dollar and get some security in there.
- 1225
- 04:07:49.830 --> 04:07:52.860
- Rick Anderson : Good, thanks. Other thoughts about low cost, high yield
- 1226
- 04:07:55.470 --> 04:07:56.310
- Rick Anderson : Solutions.
- 1227
- 04:07:57.600 --> 04:08:01.620
- Tim Lloyd : Which made the point about a puppy again. So yeah, software, but if you don't
- 1228
- 04:08:01.770 --> 04:08:08.520
- Tim Lloyd : Configure it correctly, you know, you think you've got security and actually what's happening is just horrible, but you don't even know it because you don't
- 1229
- 04:08:09.420 --> 04:08:17.430
- Tim Lloyd : Have the right people managing it, and maybe it could be bad. I think we've all heard about the example with Zscaler, right, where campus IT get products on to
- 1230
- 04:08:17.790 --> 04:08:24.090
- Tim Lloyd : A block of IP addresses. No one mentions it to the library that relies on IP authentication, and all access gets shut off.
- 1231
- 04:08:24.510 --> 04:08:36.030
- Tim Lloyd : And eventually someone figured out, oh, it's just this new thing that people put in called Zscaler that randomizes IP addresses. And that's a perfect example of getting in a solution that no one really understood, as you talked about.
- 1232
- 04:08:39.420 --> 04:08:41.340
- Tim Lloyd : So I think, yeah, there's not much free here. There really isn't.
- 1233
- 04:08:41.580 --> 04:08:41.910
- Rick Anderson : Yeah.
- 1234
- 04:08:41.970 --> 04:08:46.950
- Tim Lloyd : I mean, the free solutions are very dodgy, and, you know, you get what you get when you pay for free.
- 1235
- 04:08:47.070 --> 04:08:50.280
- Corey Roach: They tend to take a higher level of expertise, if I'm perfectly
- 1236
- 04:08:50.280 --> 04:08:50.760
- Tim Lloyd : Honest.
- 1237
- 04:08:50.850 --> 04:08:55.770
- Corey Roach: I mean, Zeek is an amazing tool; you almost have to be a data scientist to use it. So yeah.
- 1238
- 04:08:55.830 --> 04:09:00.900
- Rick Anderson : It's like any other open source solution: the cost comes in the back end.
- 1239
- 04:09:01.770 --> 04:09:05.820
- Tim Lloyd : And that's why the concept of shared infrastructure makes sense. You know, whether it's a
- 1240
- 04:09:06.660 --> 04:09:16.830
- Tim Lloyd : SaaS service, you know, provided by a private business, or whether it's a community shared service. You know, there are common costs incurred in building security infrastructure.
- 1241
- 04:09:17.220 --> 04:09:27.330
- Tim Lloyd : We can all incur them individually, one by one, or the industry can try and share them. There's lots of models for sharing it, but that's just an obvious type of solution to this sort of problem.
- 1242
- 04:09:27.600 --> 04:09:35.220
- Corey Roach: Many of those information sharing groups I mentioned, for example. There's probably five or six of them our organization are members of.
- 1243
- 04:09:35.820 --> 04:09:39.630
- Corey Roach: Many of them have automated sharing mechanisms where, you know,
- 1244
- 04:09:40.620 --> 04:09:52.980
- Corey Roach: Get a little nerdy about it: it's called STIX and TAXII. It's a standardized format for those threats to come into my organization, and those get plugged into the tools automatically. That's a bunch of research and work that my guys don't have to do.
- 1245
- 04:09:55.500 --> 04:10:03.900
- Tim Lloyd : So one of the points that you made, Corey, I thought was fascinating, was this issue of, you know, the level of the threats that you worry about, so to say.
- 1246
- 04:10:04.290 --> 04:10:13.020
- Tim Lloyd : Now the library is very low. And I just wonder whether, you know, the problem underlying this whole conversation is that, yes, there are people there who
- 1247
- 04:10:13.380 --> 04:10:25.320
- Tim Lloyd : Focus on security, there are tools out there to address security, but in the grand scheme of things, the library use case is just not that important, and there just doesn't seem to be a clear enough tie between
- 1248
- 04:10:25.860 --> 04:10:31.650
- Tim Lloyd : The losses incurred by the library and bigger losses within the institution to, you know, make it right.
- 1249
- 04:10:31.980 --> 04:10:32.550
- Tim Lloyd : So we look
- 1250
- 04:10:33.120 --> 04:10:37.470
- Corey Roach: At and I'm not sure if I'm pitching toward my own interests or not in this particular statement, but
- 1251
- 04:10:39.780 --> 04:10:48.420
- Corey Roach: One of the things I mentioned toward the very tail end of the presentation was, I agree, I think there should probably be some risk sharing and incentivizing
- 1252
- 04:10:49.110 --> 04:10:59.790
- Corey Roach: Between the publishers and the organizations. You know, I think if some of these publishers came back and said, look, we're going to knock five points off your license,
- 1253
- 04:11:00.270 --> 04:11:08.190
- Corey Roach: And we're going to give you this community, and we're going to help you set up these concerts security controls, and we're going to give you three compromises in a year,
- 1254
- 04:11:08.640 --> 04:11:15.570
- Corey Roach: But every compromise after that, we're going to put a point back on your license. You're going to have an increased cost for the next cycle
- 1255
- 04:11:15.900 --> 04:11:26.430
- Corey Roach: If you have security compromises. Well, now, as the CISO, money comes into it. I gotta go, well, is it worth offsetting that with some controls and effort so that I get a better price?
- 1256
- 04:11:27.570 --> 04:11:38.910
- Corey Roach: You know, it's not a regulatory control. I'm not getting slapped with a fine by Health and Human Services. But, you know, a few points off from the publisher could have a pretty good return.
- 1257
- 04:11:39.600 --> 04:11:46.380
- Okere, Kelechi N. (ELS-NYC): Yeah, so a bit of, I don't know if social engineering is the right thing, but a bit of creativity around that.
- 1258
- 04:11:46.740 --> 04:11:50.520
- Corey Roach: It just creates a shared interest. I mean, I'm getting a better deal. So I'm happy.
- 1259
- 04:11:50.640 --> 04:11:53.940
- Corey Roach: Now, the publisher is getting better security. So they're happy.
- 1260
- 04:11:54.240 --> 04:11:54.510
- Yeah.
- 1261
- 04:11:55.590 --> 04:12:05.340
- Crane Hassold : That's the whole, you know, with any, I've seen some cyber security, that's from a vendor's perspective, that's what you have to sell. Like, you're selling an ROI. Like,
- 1262
- 04:12:06.060 --> 04:12:11.850
- Crane Hassold : A cost associated with something, then I have to figure out, well, is the risk, you know,
- 1263
- 04:12:12.360 --> 04:12:23.790
- Crane Hassold : Am I willing to accept this risk based on what it could cost me if I get exploited? If I am, then I'm not going to pay a ton of money for security. If I'm not,
- 1264
- 04:12:24.180 --> 04:12:39.540
- Crane Hassold : Then I'm going to want to pay and prioritize it over other things. And so that's the whole name of the game, regardless of whether you're at a massive hundred thousand dollar, hundred thousand employee company or a library with, you know, one IT person.
- 1265
- 04:12:40.710 --> 04:12:40.890
- Crane Hassold : Yeah.
- 1266
- 04:12:41.160 --> 04:12:54.000
- Okere, Kelechi N. (ELS-NYC): And Crane, one question for you, just kind of taking Tim's question a step further. You said that congressional investigations on threats to universities often focus on physical threats,
- 1267
- 04:12:54.960 --> 04:13:04.470
- Okere, Kelechi N. (ELS-NYC): But not cyber threats. Is that a historical within where they may be thing that the cyber threats don't exist or and do you think that's changing
- 1268
- 04:13:04.980 --> 04:13:17.940
- Crane Hassold : So that was my experience when I testified on that House committee, and honestly it was weird to me because it felt like everyone was acting like we're still in the 1980s, Cold War.
- 1269
- 04:13:18.240 --> 04:13:29.490
- Crane Hassold : Where it like the cyber threats didn't exist and every like all the threats were were Chinese students and Russian students coming from overseas, like it was very strange to me.
- 1270
- 04:13:30.090 --> 04:13:44.760
- Crane Hassold : I haven't seen you know a there were there were a couple of congressmen who were calling for have understood what the problem was. But that was really my experience when you know, two years ago, when I testified in front of that on that house committee.
- 1271
- 04:13:46.320 --> 04:13:56.460
- Crane Hassold : Honestly, I haven't, haven't really seen much to show me that they don't think like that because, you know, just on from, you know, legislative perspective there hasn't been a push.
- 1272
- 04:13:56.700 --> 04:14:14.310
- Crane Hassold : Regardless of whether it's the academic community or anywhere else to really substantially increase cyber security in anything. So yeah, I mean, I think that's sort of the, the thought process for a lot of the folks that control the purse strings on Capitol Hill.
- 1273
- 04:14:14.790 --> 04:14:25.140
- Corey Roach: Yeah, and I don't really have enough experience to speak to the legislative level of that. I do think there is a growing interest kind of more at the regional and tactical level. I mean, I
- 1274
- 04:14:25.800 --> 04:14:35.010
- Corey Roach: I've got my cyber security FBI office for their local Salt Lake office on speed, you know, there are various things that they are interested in hearing about
- 1275
- 04:14:36.840 --> 04:14:45.630
- Corey Roach: And they've had even some good resources for us where they've offered to come in and do audits and other things. So tactically maybe they're more interested, maybe not strategically it
- 1276
- 04:14:47.190 --> 04:14:50.130
- Tim Lloyd : Tosca. Quick question interview, Rick. So
- 1277
- 04:14:51.810 --> 04:14:52.770
- Tim Lloyd : A couple minutes left.
- 1278
- 04:14:53.040 --> 04:15:06.420
- Tim Lloyd : Okay, yeah, I'll make it quick. So do you think you could go to your administration and say, okay, a bunch of major publishers are going to start penalizing us for infractions. I think we should therefore invest more in security. Do you think you could sell them.
- 1279
- 04:15:06.930 --> 04:15:09.600
- Rick Anderson : Yes, depending on what the dollar figures are
- 1280
- 04:15:11.580 --> 04:15:15.300
- Rick Anderson : I mean, if it's a publisher, with whom we do $1,000 of business a year.
- 1281
- 04:15:15.300 --> 04:15:15.810
- Tim Lloyd : And there might
- 1282
- 04:15:16.020 --> 04:15:23.010
- Rick Anderson : Last $100. No, but if it's Elsevier, and they're going to penalize us 10% of our annual expenditure, then yes.
- 1283
- 04:15:23.520 --> 04:15:39.900
- Corey Roach: Well, and I think it would be important on how Elsevier frames that and if they come in next year and say, you know, hey, here's your normal increase in cost over the year. But if we set up this risk sharing program. I've got a 5% discount. I can get you
- 1284
- 04:15:40.920 --> 04:15:41.700
- Corey Roach: Know you got to look
- 1285
- 04:15:41.970 --> 04:15:47.730
- Tim Lloyd : Towards model seems to be a good fit here doesn't it when you get a benefit from good behavior and a penalty for bad behavior.
- 1286
- 04:15:48.240 --> 04:15:55.500
- Rick Anderson : But, but the other thing that it depends on is where if a penalty is going to be paid out of what budget is it going to be paid.
- 1287
- 04:15:55.770 --> 04:16:04.320
- Rick Anderson : If it's going to be paid out of the library's budget that's already been allocated to it by the university. The university stance could be. You just have to manage this.
- 1288
- 04:16:04.830 --> 04:16:17.490
- Rick Anderson : Now, if we come back to the university and saying this is significantly undermining our ability to provide content that that the university needs in order to do its work okay but we make that argument to the to the university, all the time. And we don't always win.
- 1289
- 04:16:18.030 --> 04:16:26.430
- Corey Roach: Well, and I would argue, I sorry I want to quit because it's really going to minutes, but I would argue also that it's kind of a prod, it's not the entirety of the equation. So,
- 1290
- 04:16:27.270 --> 04:16:34.830
- Corey Roach: It's the thing that would get your CISO thinking about, okay, but now I got to factor in the reputational risk. And do I have economies of scale where this doesn't cost me much and
- 1291
- 04:16:35.160 --> 04:16:44.490
- Corey Roach: You know, regulatory things. And, you know, but it's that initial first push to say you know securities actually starting to matter over here on these library resources better take a look at it.
- 1292
- 04:16:44.760 --> 04:16:45.810
- Rick Anderson : Yeah, totally agree.
- 1293
- 04:16:47.040 --> 04:16:55.890
- Rick Anderson : Kelechi. First of all, thanks so much to everybody for submitting the questions and thanks for offering such great answers to our panelists who were able to stay with us.
- 1294
- 04:16:56.310 --> 04:17:05.280
- Rick Anderson : I think it's been a really, really useful and certainly a very interesting conversation collective. What should we say to the folks who submitted questions that we didn't have time to get to
- 1295
- 04:17:07.440 --> 04:17:08.730
- Okere, Kelechi N. (ELS-NYC): I think we could
- 1296
- 04:17:11.670 --> 04:17:18.630
- Okere, Kelechi N. (ELS-NYC): Put it this way if if there is someone on the panel that has an answer to any of these questions, we can just
- 1297
- 04:17:19.770 --> 04:17:23.520
- Okere, Kelechi N. (ELS-NYC): Put that answer in the email that we're going to send to
- 1298
- 04:17:24.720 --> 04:17:38.880
- Okere, Kelechi N. (ELS-NYC): You know, to our attendees. So I think by tomorrow Monday will be send an email to attendees with a link to the to this recording, we can also put the answer to these are remaining questions in that email.
- 1299
- 04:17:39.990 --> 04:17:47.730
- Corey Roach: Great. Well, I can also say that if this organization is interested in setting up things like birds of a feather or
- 1300
- 04:17:48.180 --> 04:17:58.140
- Corey Roach: Community sharing stuff I would be interested in participating or sending one of my engineers to participate. So I think you could get those type of questions answered on a regular basis.
- 1301
- 04:18:01.020 --> 04:18:06.360
- Okere, Kelechi N. (ELS-NYC): That's very good to know. Yeah. And I think that's also one of the
- 1302
- 04:18:07.410 --> 04:18:20.490
- Okere, Kelechi N. (ELS-NYC): Intent for this forum, right, to kind of think about ways that we can collaborate, publishers and universities can be working more closely together, you know, since SNSI is a
- 1303
- 04:18:21.300 --> 04:18:33.450
- Okere, Kelechi N. (ELS-NYC): SNSI, Rick, I just corrected myself. It is a relatively new coalition. Right. So I think, in essence, this gives us a lot of food for thought.
- 1304
- 04:18:35.850 --> 04:18:42.510
- Rick Anderson : I give it a hard time because I'm a huge reggae fan and every time I hear the word sensi it startles me in this context.
- 1305
- 04:18:45.720 --> 04:18:47.280
- Corey Roach: Not something I would have guessed.
- 1306
- 04:18:51.570 --> 04:19:09.180
- Okere, Kelechi N. (ELS-NYC): So I want to thank all the all the panelists. I want to thank the audience the attendees that are still remaining. Thank you all for a fantastic presentation all throughout the day. Lots of our thought provoking ideas and insights that you that you provided to us today.
- 1307
- 04:19:10.890 --> 04:19:12.060
- Okere, Kelechi N. (ELS-NYC): As we now.
- 1308
- 04:19:13.410 --> 04:19:17.700
- Okere, Kelechi N. (ELS-NYC): Let me just hand it back to Daniel to then take us through to close.
- 1309
- 04:19:31.980 --> 04:19:36.480
- Daniel Ascher: Thank you to Rick for moderating the panel and to our panelists Corey,
- 1310
- 04:19:36.510 --> 04:19:37.560
- Daniel Ascher: Tim and crane.
- 1311
- 04:19:37.830 --> 04:19:42.450
- Daniel Ascher: And to the other question askers and attendees, a lot of great discussion just occurred.
- 1312
- 04:19:43.470 --> 04:19:55.770
- Daniel Ascher: So with that we will go to our closing remarks by Steven Inchcoombe, the chief publishing and solutions officer at Springer Nature as well as the co-chair of SNSI.
- 1313
- 04:19:59.280 --> 04:20:00.930
- Steven Inchcoombe: Dan, what a
- 1314
- 04:20:02.310 --> 04:20:12.900
- Steven Inchcoombe: What a wonderful discussion we've just had the benefit of. And if I reflect for the last couple of minutes on what we've had over today's sessions.
- 1315
- 04:20:14.250 --> 04:20:21.030
- Steven Inchcoombe: Corey started with the keynote and gave us the perspective from a university's chief information security officer.
- 1316
- 04:20:21.900 --> 04:20:37.080
- Steven Inchcoombe: It shone a light for us on what's going on when bad bots, which tend to be customers while will why wrong time intervention is needed and how to balance that with privacy following that he gave us some advice on how to strengthen the system.
- 1317
- 04:20:39.060 --> 04:20:48.570
- Steven Inchcoombe: Crane utilized his FBI experience and his more recent work to cover the attacks by Silent Librarian on 300 plus universities around the world.
- 1318
- 04:20:49.170 --> 04:21:04.050
- Steven Inchcoombe: And their links to the Iranian government, with frankly shocking consequences. Crane also explained how Sci-Hub has taken advantage of economic opportunities resulting from their piracy in places like Iran,
- 1319
- 04:21:05.070 --> 04:21:16.860
- Steven Inchcoombe: its political backing in Russia, and how it has cynically exploited the next this movement to claim a societal mission, suffering in many we simply unknown consequences today.
- 1320
- 04:21:19.170 --> 04:21:35.190
- Steven Inchcoombe: In her role at the university library, Linda gave us her perspective on her priorities and the tension she sees between security, privacy and the various regulations they have to comply with in education and in the medical spheres.
- 1321
- 04:21:36.300 --> 04:21:45.540
- Steven Inchcoombe: Linda highlighted the responsibility we all have to take reasonable steps to protect each other and went on to explain how her library undertook this
- 1322
- 04:21:45.990 --> 04:21:58.050
- Steven Inchcoombe: By moving to federated access, utilizing OpenAthens, so security could be dealt with across the university by experts with highly targeted approaches.
- 1323
- 04:22:01.110 --> 04:22:18.060
- Steven Inchcoombe: can focus on the treasure trove of information accessible in academia if cyber criminals or hackers act on behalf of hostile governments take advantage of this and greatly hurt their victims, which is all of us, our family and our friends.
- 1324
- 04:22:19.380 --> 04:22:33.720
- Steven Inchcoombe: Jeremy was very clear that Sci-Hub and others are using the concerns that some academics have over copyright as a cover to get into university networks, and then the consequences of these breaches can be truly appalling.
- 1325
- 04:22:35.670 --> 04:22:41.880
- Steven Inchcoombe: Tim tried for a solution, federated authentication and its extension, Seamless Access.
- 1326
- 04:22:42.990 --> 04:22:49.200
- Steven Inchcoombe: Tim explained how this works, enabling authentication and control whilst protecting privacy.
- 1327
- 04:22:50.430 --> 04:22:57.570
- Steven Inchcoombe: He went on to show how Seamless Access overcomes much of the landscape fragmentation, terminology and some of the friction
- 1328
- 04:22:58.740 --> 04:23:09.270
- Steven Inchcoombe: And in terms of security and privacy, how it has applied the shield data protection code of conduct, which aligns closely with the
- 1329
- 04:23:10.080 --> 04:23:22.500
- Steven Inchcoombe: Standards. He then went on to contrast this with why relying on IP addresses is likely to result in an inconsistent customer experience and security enforcement challenges.
- 1330
- 04:23:24.720 --> 04:23:36.660
- Steven Inchcoombe: And lastly, in what I think has been one of the most interesting panel discussions I've experienced for a long time, Rick chaired a roundtable discussion with all the speakers.
- 1331
- 04:23:38.070 --> 04:23:50.760
- Steven Inchcoombe: This brought to life the day to day challenges, the limits of the technical solutions and the vulnerability of the human factor, especially in organizations that can help their staff easily left leg game.
- 1332
- 04:23:52.470 --> 04:24:04.170
- Steven Inchcoombe: The discussion in terms of the level of risk of responsibility people and librarians in particular feel over security when coupled with access to copyright material.
- 1333
- 04:24:05.490 --> 04:24:09.540
- Steven Inchcoombe: will cost us about whether competitors will work together to solve this
- 1334
- 04:24:10.890 --> 04:24:13.410
- Steven Inchcoombe: Karen, I would say that the co-chairs of
- 1335
- 04:24:15.900 --> 04:24:27.030
- Steven Inchcoombe: SNSI come from Elsevier and Springer Nature, and I can assure you that our organizations compete strongly elsewhere, but when it comes to security we actively to avoid
- 1336
- 04:24:29.100 --> 04:24:41.040
- Steven Inchcoombe: The discussion then turned to what is sufficient to meet contractual reasonable requirements, and then the focus was on what Corey referred to as table stakes.
- 1337
- 04:24:42.870 --> 04:24:58.140
- Steven Inchcoombe: Moving to federated access was described as a way to enable way to control, but given this way to empower the disciplines around is use are critical in increasing that way to control this needed in order to which use these risks.
- 1338
- 04:25:01.080 --> 04:25:09.150
- Steven Inchcoombe: Towards the end of the discussion which turns the different capabilities resources and attitudes of libraries institutional IT departments and publishers
- 1339
- 04:25:09.780 --> 04:25:21.630
- Steven Inchcoombe: To identify and deal with security breaches trying to find entry level solutions and the understanding that is needed to apply them cause much debate.
- 1340
- 04:25:22.650 --> 04:25:34.140
- Steven Inchcoombe: The conclusion seemed to be that shared infrastructure may be a better way. And I think Corey's idea that publishers could incentivize their customers, the risk reward sharing approach.
- 1341
- 04:25:35.430 --> 04:25:47.100
- Steven Inchcoombe: Overall I think a fantastic meeting of minds ideas experience and Alex that helps us really inform what may be our parts going forward.
- 1342
- 04:25:49.980 --> 04:25:59.850
- Steven Inchcoombe: If we now as we finished the event, think about our next steps. I would just leave you with two thoughts, I would urge you, when you
- 1343
- 04:26:01.080 --> 04:26:21.060
- Steven Inchcoombe: Interact with colleagues and peers and in the coming days to take this conversation, further to share with them what you've learned and to have an open debate about where reasonable bad behaviors and actions are and what it is that is our common
- 1344
- 04:26:22.230 --> 04:26:24.660
- Steven Inchcoombe: significant risks that we all face.
- 1345
- 04:26:26.160 --> 04:26:33.180
- Steven Inchcoombe: And secondly, I would ask you to become involved in SNSI, the Scholarly Network Security Initiative,
- 1346
- 04:26:33.720 --> 04:26:49.020
- Steven Inchcoombe: To inform your own strategies, your plans and your actions are tackling the cyber threats which ultimately are a threat to the whole research enterprise. We're all interconnected. So let's share and collaborate wherever we can.
- 1347
- 04:26:51.420 --> 04:27:01.620
- Steven Inchcoombe: Finally, on behalf of Nick Fowler, my co-chair, and my colleagues at the Scholarly Network Security Initiative, I want to thank all of our speakers
- 1348
- 04:27:02.190 --> 04:27:11.250
- Steven Inchcoombe: For all of their contributions to this summit, they've been incredibly interesting and insightful and I'd like to thank everyone that has joined us online and participated today.
- 1349
- 04:27:12.630 --> 04:27:20.280
- Steven Inchcoombe: I wish you all and your families a safe and healthy fall season, and I'll hand over now to Dan to wrap up today's events.
- 1350
- 04:27:21.390 --> 04:27:22.260
- Steven Inchcoombe: Thank you very much.
- 1351
- 04:27:24.240 --> 04:27:24.960
- Daniel Ascher: Thank you very much.
- 1352
- 04:27:28.230 --> 04:27:30.840
- Daniel Ascher: So for our final poll question here.
- 1353
- 04:27:46.560 --> 04:27:50.580
- Okere, Kelechi N. (ELS-NYC): I'll leave the the poll for just leave it open for a minute.
- 1354
- 04:27:52.290 --> 04:27:58.290
- Okere, Kelechi N. (ELS-NYC): About 42% of people have voted and panelists can vote this time to
- 1355
- 04:28:09.900 --> 04:28:13.170
- Okere, Kelechi N. (ELS-NYC): Hope hoping to get 100% of everyone voted.
- 1356
- 04:28:23.400 --> 04:28:27.570
- Okere, Kelechi N. (ELS-NYC): Alright nine more seconds. Any final votes.
- 1357
- 04:28:33.540 --> 04:28:33.990
- Okere, Kelechi N. (ELS-NYC): Alright.
- 1358
- 04:28:35.400 --> 04:28:53.100
- Okere, Kelechi N. (ELS-NYC): Just sharing the results. So 89% of you voted, sorry in up to 10, that you found the discussion to be very useful, and 11% found it somewhat useful. So also good to see that no one thought that it was not useful. So
- 1359
- 04:28:54.180 --> 04:28:57.000
- Okere, Kelechi N. (ELS-NYC): Thank you all again for participating.
- 1360
- 04:29:00.480 --> 04:29:00.780
- Okere, Kelechi N. (ELS-NYC): Then
- 1361
- 04:29:01.110 --> 04:29:02.250
- Daniel Ascher: Yes, thank you.
- 1362
- 04:29:03.810 --> 04:29:13.800
- Daniel Ascher: For all attendees and panelists and speakers. So after this, there will be an email with a link to the recording.
- 1363
- 04:29:14.580 --> 04:29:32.070
- Daniel Ascher: Along with a survey we would really appreciate if you fill that out. Once it's received and as we mentioned at the end of the round table the panelists will also be answering some of the questions that we were not able to cover during the roundtable session.
- 1364
- 04:29:35.340 --> 04:29:38.580
- Daniel Ascher: So anything else to add before we close this out, Kelechi?
- 1365
- 04:29:38.940 --> 04:29:49.620
- Okere, Kelechi N. (ELS-NYC): No, I think, that said, it's really been a fantastic day. It's always a deep sigh of relief, you know, when you come to the end of
- 1366
- 04:29:50.100 --> 04:29:59.910
- Okere, Kelechi N. (ELS-NYC): A session like this. And so I want to thank everyone. I want to thank my colleagues who contributed to planning this event, putting it together. I want to thank
- 1367
- 04:30:00.690 --> 04:30:09.840
- Okere, Kelechi N. (ELS-NYC): The speakers for all your thought provoking presentations and all the time that you put into it and also want to thank all the attendees for making the time
- 1368
- 04:30:10.500 --> 04:30:27.270
- Okere, Kelechi N. (ELS-NYC): Today, so do visit the SNSI website at SNSI dot info for more information and also share what you've learned today with colleagues. Thank you again very much, bye bye now. Have a good day.
- 1369
- 04:30:28.080 --> 04:30:28.470
- Daniel Ascher: Thank you.