Most cyber threats come, unintentionally, from within.
By Paul Wiseman
“We have met the enemy, and they are ours.” Admiral Oliver Perry, September 1813
“We have met the enemy, and he is us.” Walt Kelly, as quoted in a Pogo poster, April 1970
The average person receives 12 spam emails per day, totaling 4,000 per year. About 156 million spam emails go out each day, with about 10 percent of them making it through spam filters. A blog by internet security firm AGARI includes their observation that, “IT Governance reports that once the emails have made it past filters, 8 million are opened, 800,000 recipients click on the links, and 80,000 of them unwittingly hand over their information to criminals.”
As scary as these statistics are, IT experts across the board agree, including Prabhu Tamilarasan, who is director of technology at SOTAOG, an oil and gas oriented digital technology firm headquartered in Houston. He notes, “…the weakest part of any system is usually the users.”
Adds Zedi Solutions’ Corporate Risk and Compliance Manager, Dean Greenhorn: “I personally think that the largest threat today is our people, compared to our systems.” Greenhorn says phishing schemes—where the recipient is asked to enter personal data such as bank or credit card accounts and passwords—“have become dramatically more prevalent over the past couple of years and will only become worse in the future.” This is because, “You’re just delegating your [hacking] work to someone else.”
This threat even has a name: the people firewall.
Some of the data breaches are due to carelessness, said Tamilarasan. “People use easy-to-remember passwords, reuse passwords, write them down, or share accounts with others.”
As much of a threat as phishing is to individuals, the dollar amounts increase dramatically when phishers get access to corporate accounts. In 2018 the FBI estimated corporate exposure had reached $12.5 billion. That amount does not include the man hours required to sort through and delete emails that do not achieve their goal.
When an email is compromised, its damage, much like Pandora’s famous box, greatly exceeds the immediate act. Said Greenhorn: “Email, hands-down, is our biggest method of communication. So when an attacker can leverage our exact email signature, [when] he can understand the contact network, including who talks to whom, and [when] he can put together an email chain that seems relevant,” the spammer can create a much more deceptive email. In a particular instance Greenhorn noted that the spammer had copied the company’s web address with one letter difference—close enough to get past a significant number of people.
Often it’s even more insidious, Greenhorn said. For example, if a domain name contains the letter “m,” a spammer can create one with the combination “rn” that is hard to distinguish from an “m.” Reading this sentence in print makes that point clearly.
That email was requesting a wire transfer to the hackers’ own account. “In some organizations that might be just part of business,” Greenhorn said, “whereas in other organizations, maybe not so much.” For a company that does not often do wire transfers, that would be a red flag. “When you flood an entire organization, it’s really easy—it only takes one person who doesn’t understand to escalate that and actually get the job [of theft] done.”
This scenario brings to mind the classic terrorist truth that the target has to fend off dozens or hundreds of attacks to be successful, while the terrorist only has to get through once to claim victory.
Finding that “weakest link” is much easier for a cyber-criminal than trying to hack directly into a system, get past a firewall and a security system—an operation that could take months or longer if attempted from outside.
Greenhorn listed other common intrusions, including “SQL injection attacks, cross-site scripting, denial of service, man in the middle, zero-day exploits, and internal employee threats (sharing confidential data, disgruntled).”
Both Tamilarasan and Greenhorn cite training as the best prevention. Greenhorn recommends including cyber security in the training of all new employees and that companies create a culture of security, with regular reminders to stay diligent.
Companies cannot afford to be lackadaisical about online security, Greenhorn contends. “Regardless of whether you’re in a private cloud or a public cloud, if you don’t have a security program in place and are not currently evaluating yourself against best practices, you’re no better off. That’s because security involves all company information, your people, processes, and technologies. These include:
- Employee security awareness
- Information security needs to be at board level knowledge, moving towards a cybersecurity culture
- Protect your remote access into the network
- Keep your software and hardware technologies up to date
- Up-to-date network segmentation methods to reduce breach/attack spread
- IOT security
Outside providers are often called on to create spam awareness campaigns and to alert employees to the latest attacks because there is too much for an oil company itself to keep up with. The outside security company can also launch faux spam attacks to learn how many employees open suspicious emails—and which ones may need to be retrained.
One of the costs of defending against attacks, ironically, is in spam filters themselves. Filters with too-stringent settings can capture legitimate emails which, if not located by the intended recipient and retrieved, can lead to lost business, uncorrected problems, or other costly issues..
Tamilarisan noted that, while rare, some cyber attacks can occur for competitive reasons. “In oil and gas operations, threats come from competitors seeking after sensitive production data that would provide them an advantage. Hackers can also target automation control systems in order to affect production, or cause damage. This could be done for financial gain, political statements, exposure, or sometimes just to cause mischief.”
Greenhorn added, “There are ways you can take on more of a competitive advantage by hacking in and doing some sort of an attack that hinders production and those kinds of things. But especially for last year and this year, really the majority of things I’ve seen is that it doesn’t really even matter what the industry is, it’s just ‘How good are your employees? How quickly can I just get some money from you?’”
“With the automation tools that are available today, it’s just way too easy” to hack in from any country around the world, Greenhorn said.
Part of the challenge lies in improving security without compromising the flow of legitimate business processes, said Pini Huber, Senior VP of global sales for Israeli security startup Terafence LTD. According to their website, Terafence has developed a “firmware/microchip solution for cyber security connectivity.”
Employees are not the only threat in this realm, said Huber. Other threats lie in the growing network of programmable logic computers (PLCs) that control automation, along with—and this may come as a surprise—security cameras. Huber calls these “the digital weak links.”
In an email interview, he explained, “Cyber threats today to operational areas are increasing because of the lack of real ability to protect the real assets of enterprises and infrastructure—the processes themselves and the end equipment.
“The industry’s tendency toward… smart infrastructure—Industry 4.0—raises the immediate need for stronger network security and data transfer solutions. These smart enterprises will need to be able to remotely monitor and control the various processes and use the Internet and cellular network on a large scale. IP addresses, MAC (media access control), etc. are fertile grounds for strong cyber crime opportunities.”
No longer simply “dumb” pieces of equipment that simply send data through a network, security cameras “today are powerful computers with high resolution features, various applications (such as face recognition), the possibility of high quality zoom, and so on at relatively cheap prices.”
Huber said the fact that thousands of these cameras are active and on the network 24/7 makes them a readily available target for hackers. But again, the human element contributes to their vulnerability.
“Usually, these cameras are installed with the user name and password set by the manufacturer,” he continued, adding that most cameras are not monitored for malfunctions or hacks because most companies don’t realize their vulnerability. All this adds up to an open invitation to hackers, especially those involved in industrial espionage.
Huber says Terafence’s VSECURE product provides a hardware buffer between cameras and the receiving device, which allows the video to flow into the system while preventing unauthorized hacking into the camera—which would then allow access into the system as a whole. “Hidden spyware is automatically filtered,” he said.
Is it worth being on the web at all?
One might ask if uploading field data to the web is worth the risk. But not putting data online is even more costly, said Tamilarasan. “The benefits of immediate, always-available information outweigh the risks, but these risks can be mitigated through secure coding best practices, as well as basic security training for users. Keeping data on premise is possible but it requires a much larger investment in people, infrastructure, and time.”
The other question is whether the time and expense involved in erecting firewalls and doing ongoing training is worthwhile. It might be argued that none of that makes money; it just keeps a company from losing money.
Greenhorn disagrees. “Realistically, if you do get your security program up to a point where you do have a lot of integrity, theoretically, you can generate quite a bit more business.” Possible business partners may be more inclined to do business with a company whose security track record they are comfortable with than one where there are questions. He noted that this is similar to the way business partners view a company’s onsite safety record.
Like the Internet as a whole, there is plenty of good and bad to be found. Security experts unanimously warn the industry of the need for greater diligence—first with employees and second with software and hardware defenses—to protect information and the ability to keep operating.
Paul Wiseman is a freelance writer in Midland.