Security Awareness

I was just reading through an article on Security Search called “Sophisticated spam, employee errors continue unabated” and remembered that I’d promised to do a post on the whole idea of Security Awareness. The comment in the above article that made me think of this was:

You could have the best practices in place … but we find in more cases than not that it’s human error, not machine error, that causes the problems you see today

There was also another incident earlier this week – a local bank got hit hard by a phishing scam. This one was particularly subtle in that it (at least the email portion of it) didn’t have a link to click – it had a phone number to call. Computer professionals tell their co-workers not to ever click on links in emails – do we tell them not to ever call numbers sent to them by an email?

Wikipedia defines Security Awareness as:

knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization

You’ll notice that there is not much in the way of technology in that definition. Security awareness doesn’t deal with spam filters, network intrusion detection programs or port scanning software – it deals with the education of the front-line, everyday users of our computer networks who have their own jobs to do and don’t have time to keep on top of every security blog, white paper and announcement mailing list out there. Our job, as computer professionals, is to keep on top of that stuff – and pass what we learn on to the people who use our networks. If we don’t, all of the high-tech scanners, detectors and filters won’t help us when one of our co-workers clicks a link, or calls a phone number, in an email and infects the system from the inside.

The general “themes” of security awareness are:

  • nature and proper handling of sensitive materials
  • proper methods for securing sensitive materials on a computer (password policy, authentication, etc.)
  • other security concerns (phishing, malware, social engineering, etc.)
  • physical security issues
  • consequences of following proper security procedures

All of these – even the first two – are very applicable to libraries. We aren’t working in a big corporation with company secrets that can make or break next quarter’s profits – but we are in a position of trust with our patrons to make sure that the information they give us (names, addresses, books they have checked out, etc.) stays safe and outside the reach of anyone who doesn’t have a legitimate court order. We, however, are also in the somewhat unique position of having all of that confidential and sensitive material to keep to ourselves, while also being a place for people to go to get information and use computing resources that we have to make both available and secure. All of this takes both attention to detail and flexibility from the folks responsible for a library’s network! It also takes education of the *entire* staff as to what all of the things listed above are. They need to be aware of what information we can and can’t give out about patrons and other staff members. They need to be aware of what a social engineering attack is and how to recognize one when they are being scammed. They need to understand that each and every one of them has the power to bring down the library’s network (including the ability to check out books, look up items in the catalog, etc.) by the decisions that they make. The responsibility for making sure they understand this? That part is up to the computer professionals, network administrators and even the computer-savvy staff who work in our organizations.

And after saying all of that, I’ll now pimp the latest project that my library, MRRL, has going. Bobbi and I will be doing a Library Learning 2.1 program that offers a blog posting a week on a particular application or topic that deals with – in some way – Web 2.0. I’m going to focus on posting a regular (maybe monthly, maybe every other month) treatise on some aspect of staying secure while playing with all of these nifty 2.0 toys – and this program is open to both the public and the staff! Any extra awareness about security-related topics is good, so I’m hoping that by making security issues part of this program, I can improve the security awareness of both the staff that use the internal network and the patrons that use our external network (PCC and wireless).

Hacked!

I’d just finished writing up my post for Monday morning on Security Awareness when I happened to check my twitter feed. In it, I noticed Jay Datema (my editor at LJ for the article I wrote for them) let me know that my blog had been hit by spammers and – even more helpfully – he pointed me to a resource to get it fixed fast. I checked out the WordPress Footer Follies post he referenced and found the fix! Since there were a few differences between our fixes, I’ll post my abbreviated solution here as well. Read the post above for more commentary on the solution!
First, I found the call to an outside file in my footer and deleted it, found another one in my main index.php page, and deleted that one too. I looked for the extra files in wp-includes that Scott mentioned in his post and didn’t see ’em. I did find the extra code in the default-filters.php file in that directory, though, so I got rid of it. After making sure I got it all, I downloaded the most recent copy of WordPress (I know – should have done that a long time ago…) and uploaded it. I upgraded the blog, then started changing passwords. Now my domain, FTP and WordPress passwords are all different. And no, I won’t tell you what they are.

Now, I’ll be keeping a close eye on the blog and I’ll be upgrading much more regularly. I’d let it go too long, and I paid for it. If you haven’t upgraded – do it now!
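As an added example that is not part of the original post (nor WordPress’s own tooling), the manual hunt described above – checking the footer, index.php and wp-includes for injected code – can be turned into a hash comparison of the installed tree against a freshly downloaded release; every file name and file content in the demo below is constructed.

```python
"""Added example (not from the post or WordPress): hash every file in the
installed tree and in a pristine release copy, then list what differs,
automating the manual hunt above. All paths and contents are constructed."""
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def tree_hashes(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out

def compare_trees(installed, pristine):
    """Return (modified, added): files whose content differs from the release
    and files the release never shipped, the two places injected code lives.
    Files missing from the install are ignored (themes, uploads are extra)."""
    inst, clean = tree_hashes(installed), tree_hashes(pristine)
    modified = sorted(p for p in inst if p in clean and inst[p] != clean[p])
    added = sorted(p for p in inst if p not in clean)
    return modified, added

def write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo():
    """Constructed trees: one tampered file, one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            write(root, "index.php", "<?php require './wp-blog-header.php';\n")
            write(root, "wp-includes/default-filters.php", "<?php // filters\n")
            write(root, "footer.php", "<?php wp_footer(); ?>\n")
        write(site, "footer.php", "<?php wp_footer(); ?>\n<?php /* constructed injected spam */ ?>\n")
        write(site, "wp-includes/constructed-dropped-file.php", "<?php /* not in release */\n")
        return compare_trees(site, clean)

if __name__ == "__main__":
    modified, added = demo()
    print("modified:", modified, "added:", added)
```

Run against a real site by pointing `compare_trees` at the web root and at an unpacked download of the same WordPress version; anything listed is worth reading before re-uploading.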

Followup to PLE post

The Ed Techie: My personal work/leisure/learning environment mentions the idea of a Personal Work Environment (PWE) that is quite similar to a PLE (personal learning environment for those not familiar with the term or my earlier post). He has a nifty graphic showing all of the Web 2.0ish stuff he uses in his personal environment (not work-provided like Outlook, just what he uses beyond the work-provided tools). He also comments that it’s really a combination PLE/PWE/PRE (personal recreation environment) because he can do all three things at once with many of these tools. While I’ve taken to the idea of a PLE for a couple of topics I want to either stay on top of (Web 2.0) or learn more about (Security), the idea of compiling and using a PWE is pretty cool as well! The funny part about all this – I found the link via my recently set up Web 2.0 PLE…

I decided, by the way, on Protopages for my PL/W/RE. It’s at http://www.protopage.com/webgoddess if you wanna check it out. So far, the Web 2.0 and Security tabs are the only ones I’ve customized!

Gmail productivity

Have you all heard about the new shortcuts in Gmail? There are a few new things in their recent code roll-out, but the ] and [ shortcut keys are the ones I’m finding myself using ALL THE TIME. My Gmail workflow generally has me starting at the bottom (looking at oldest emails first) and working my way to the top. Now, all I have to do is start at the bottom, press the “n” key to get to the next email in the thread, then press the “]” key to go up to the next oldest email in my inbox (and the “[” key goes down to the next youngest email). I can’t tell you how much quicker my email processing is now!

Getting even more things done. Sort of…

ClearContext has come out with version 4 of the IMS (Information Management System, I think – too lazy to look it up right now) just in time to revitalize my personal implementation of the GTD system. I needed it, too! I’ve managed to get my electronic clutter taken care of – zero inbox clutter in either work or Gmail accounts, yeah me! – but my physical clutter is still sitting on my desk, waiting for attention… Anyway, the point behind this post is not to brag about the fact that I have NO waiting-for-action emails in my inbox any more (ohhh – can I say that one more time – I’m email free right now!!) but to point you all to the newest edition of this product. It ain’t cheap – $90 for the software, $25 or so to upgrade from version 3, but it’s pretty sweet!
The new feature that prompted me to shell out $25 more on it is the new dashboard. It presents messages, appointments and tasks/actions all in one place, filterable by topic (project) or category (context) or both. This is pretty handy – before I go talk to my boss now (Hi, Bill!) I can filter by my “boss” context, read through recent emails or tasks that I’ve associated with him and have all the information I need. Theoretically. If I manage to keep it up. But it’s too new for me to be thinking so negatively! I’m going to keep on top of my various inboxes and keep everything running this time – not least because playing with the dashboard of this product is so much fun…

Spicy hot – that’s me…

Your Score: Cayenne Pepper

You scored 75% intoxication, 75% hotness, 75% complexity, and 50% craziness!

You are Cayenne!

You’re known for your dry wit, saucy remarks, and ability to stimulate (take that however you want). People in hot climates like you for your ability to make them sweat, but you’re also quite good for people all over the world. Just don’t mention your cousin, deadly nightshade.

Link: The Which Spice Are You Test written by jodiesattva on OkCupid

I really don’t know how to feel about that…

PLE = Personal Learning Environments

I’ve been running across the concept of Personal Learning Environments (PLEs) recently in various blog posts, so when I noticed that Webjunction would be offering a PLE-focused webinar, I signed up! I didn’t get in right away, due to a glitch in the login, but I came in just as the meat of the presentation got going.
Notes
“PLE’s provide tools to allow users to take control of and manage their own learning”
3 principles of PLE

  • Interaction
  • Usability
  • Relevance

Why? “provide physical evidence of your self-taught skills” – great reasoning!!
Time? a few hours on setup plus brief, frequent visits with weeklyish review of information
Tools? Ajax start page (iGoogle, NetVibes, Protopage, Pageflakes etc.) recommended
Protopage offers mash-up of feeds – one feed box with all feeds included. Nice!
Topic searching services – del.icio.us, CiteULike, Technorati, Google Blog Search, SlideShare & Twitter Tracking – they all provide RSS results that you can pull into your PLE
“use what other people have already done”
www.pageflakes.com/mlx/14579658 – her “starter” PLE page, examples and information about PLEs
Review – Discussion – Evaluation
Her blog


The first slide I actually saw was a survey – how do you keep your learning stuff organized? The options were journaling, bookmarking, post-its, lists and something else I’ve already forgotten. I chose journaling because, as any long-time reader can attest – I do a lot of my learning and, perhaps more importantly, my thinking through what I’m learning, right here in the pages of this blog (posts of this blog? whichever…). Add an Ajax start page (and I already use iGoogle) with a focus on each of the topics I’d like to know more about with a way for me to easily post my thoughts about my learning here and I’ll have a darn near workable PLE of my own!

Update: The archived webinar that I attended is here

Web Form Design In The Wild

From the User Experience People at UIE comes a case study of usable, attractive web forms – http://www.uie.com/articles/forms-fairmont-hotel/share/. One of the things I need to do for the MRRL site is to determine the best kind and format of contact forms for us to use. This article series came at *exactly* the right time for me! The first in the series has 8 design “tips” that the Fairmont Hotel form the author used failed miserably on. The second in the series – linked to from the bottom of the first post – gives 6 more design tips using 2 other sites’ forms that failed as well. Of all of the tips, I think 7 (Always give people a way to easily recover from errors), 13 (Illuminate a clear path to form completion) and 14 (Remove secondary actions whenever possible) are the three most likely to help with user understanding of the form – and user completion of the form. I like the way the author took 3 forms, tore them apart and used the wreckage to deliver a nice, concise message about how to deal with forms on your site.

library chicken: computer frustrations

In computer frustrations, a point is made about the use of Public Lab computers at the library for the 2.0 programs that are going on. This is interesting for me, specifically, because we will be inviting the public to work along with our Library Learning 2.1 program that will be starting up in January. Some of those people will possibly be using the public computers we offer to follow along. Now, we won’t be requiring users to post to their own blogs, but we will ask them to comment on our blog – which is in Blogger. And, yes, we too are still on IE 6, so we may find that this is a problem. I’ll spend some time on Monday trying to figure out if the program will work properly on our public computers – something that wouldn’t have occurred to me until too late, probably, without this post!

Presentations and Publications Updated

I’ve recreated and updated my Presentations and Publications page. I know I’ve missed some past presentations, and some of the upcoming ones are still in the “talking” phase, so I’m keeping them out of this page until they are finalized, but I thought I’d go ahead and make the page public anyway. Enjoy!