Attendees at the 2010 American Petroleum Institute Information Security Conference held in Houston last month heard from a succession of IT security vendors bent on putting the fear of, if not God, then of the hacker, terrorist, disgruntled and/or careless employee and other sources of IT insecurity into them. While the need for a security crackdown is emerging, the debate is also opening-up to embrace the emerging field of social networking inside the organization—bringing a boatload of new potential security risks.
Kevin Cearlock of the FBI’s Houston division reported that the focus of foreign intelligence has shifted from military secrets to critical technology and economic information. While China is the most aggressive country conducting espionage against US interests, political and military ‘allies’ are as active in technology/economic collection as the US’ traditional adversaries.
Economic espionage tradecraft works through visitors, trade delegations, joint ventures and traditional espionage techniques such as intercepts, hidden cameras, ‘dumpster diving’ and casual ‘overhear.’ The oil and gas industry is at risk of attack and there is no magical appliance or software that can guarantee protection. Many networks are misconfigured, easing penetration.
Anti-virus alerts, intrusion detection systems (IDS), network logs analysis all help but no anti virus program has every signature, IDS rules are usually too relaxed and administrators are inundated with false positives. Logging is usually turned off and anyway, logs are rarely checked.
A big risk comes from the innocent user, a potential victim of phishing, malicious websites, trojans and application vulnerabilities such as SQL injection, buffer overflows and unpatched web servers. Both foreign intel services and economic adversaries may try to gain a foothold in critical infrastructure for strategic and tactical military advantage. Others may be trying to ‘exfiltrate’ bid data and other information on the quantity, value and locations of oil discoveries, news briefings, internal reports, business data.
Mitigation revolves around user awareness and a good understanding of your network and traffic. Penetration tests can expose vulnerabilities. Networks should be segmented isolate sensitive servers which should be monitored closely with a ‘crown jewels’ policy. Strong passwords and two-factor authentication is a must and unnecessary services and accounts should be removed. More from www.api.org.
© Oil IT Journal - all rights reserved.