March 12, 2025

SIP2 security

Several libraries in the NHAIS ILL System allow patrons to create requests in the system, with staff approval required before those requests are sent to potential lenders. In the course of creating a cyber attack response plan recently, one library offering patron-initiated requesting asked the NHAIS Help Desk if an attack on their ILS could damage the ILL program through the SIP2 connection used to authenticate patrons. Here's the answer we got from Auto-Graphics:

"Yes, it’s an issue but most likely a low priority one. If we assume that the local catalog is attacked in a DOS [denial of service] fashion, that means patrons who want to initiate an ILL won’t be able to authenticate. It is true that SHAREit’s SIP2 client will use previously provided credentials to authenticate if the SIP2 server is unreachable so there’s some level of backup there. But if the attack is more about credential stuffing or identity stealing, attackers could leverage that for patron access to SHAREit. Patron access is limited though so the worst that could happen is a ton of items are requested."

SIP2 authentication through a local ILS applies only to libraries configured to offer patron-initiated requesting in the ILL program. Those libraries are reminded that they can set limits on how many requests a patron can submit.
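The authentication path the vendor describes above, as an added example that is not SHAREit's, Auto-Graphics' or this post's own code: a simplified Python model that parses a SIP2 Patron Status Response (message 24, BL/CQ fields), accepts a previously verified credential only while the ILS is unreachable, and enforces a per-patron cap on pending requests. The message-24 field layout follows the public SIP2 specification; the gateway design, the `IllAuthGateway`/`fake_ils` names and the cached-credential behaviour are assumptions for illustration.

```python
import hmac
import re

FIELD_RE = re.compile(r"([A-Z]{2})([^|]*)\|")  # SIP2 variable field: 2-char tag, value, '|'

def parse_patron_status_response(msg):
    # A '24' message is "24" + patron status (14) + language (3) + date (18) + variable fields
    if not msg.startswith("24") or len(msg) < 37:
        raise ValueError("not a SIP2 patron status response")
    f = dict(FIELD_RE.findall(msg[37:]))
    return {"patron": f.get("AA"), "valid_patron": f.get("BL") == "Y",
            "valid_password": f.get("CQ") == "Y"}

class IllAuthGateway:
    def __init__(self, sip2_query, max_pending_per_patron=5, secret=b"constructed-secret"):
        self.sip2_query = sip2_query  # callable(patron, pw) -> '24' message, or None if unreachable
        self.max_pending = max_pending_per_patron
        self.secret = secret          # constructed; keys the HMAC that protects cached passwords
        self.cache = {}               # patron -> HMAC of the last password the ILS accepted
        self.pending = {}             # patron -> open requests awaiting staff approval
    def _tag(self, password):
        return hmac.new(self.secret, password.encode(), "sha256").hexdigest()
    def authenticate(self, patron, password):
        resp = self.sip2_query(patron, password)
        if resp is None:  # ILS unreachable (e.g. DoS): accept only a previously verified credential
            cached = self.cache.get(patron)
            return "cache" if cached and hmac.compare_digest(cached, self._tag(password)) else "denied"
        p = parse_patron_status_response(resp)
        if p["valid_patron"] and p["valid_password"]:
            self.cache[patron] = self._tag(password)
            return "ils"
        return "denied"
    def submit_request(self, patron, password):
        # Even a stuffed or stolen credential can queue at most max_pending requests.
        how = self.authenticate(patron, password)
        if how == "denied":
            return "denied"
        if self.pending.get(patron, 0) >= self.max_pending:
            return "over-limit"
        self.pending[patron] = self.pending.get(patron, 0) + 1
        return "queued-via-" + how

def fake_ils(valid, state):
    # Constructed stand-in for the ILS's SIP2 server; state["up"] = False simulates an outage.
    def query(patron, password):
        if not state["up"]:
            return None
        bl, cq = ("Y" if patron in valid else "N"), ("Y" if valid.get(patron) == password else "N")
        return f"24{' ' * 14}001{'0' * 18}AOLIB|AA{patron}|BL{bl}|CQ{cq}|"
    return query
```

Note that the cache only helps a patron who authenticated successfully before the outage; a credential the ILS never accepted is refused while the ILS is down, and the cap bounds what any one account can queue.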
