Government case study highlights from Mary Kelaher, the Chief Information Security Officer at the Bureau of Meteorology (BOM) about creating a Robust Cyber Incident Response Strategy.
Chief Information Security Officer
Bureau of Meteorology (BOM)
Cyber-Attacks are a Constant Threat
Cyber security is something that all organisations, particularly those working in the digital arena, need to take seriously. Large public sector institutions need to pay particular attention to cyber security because there is a growing number of incidents all across the country. In fact, Mary Kelaher, the Chief Information Security Officer at the Bureau of Meteorology (BOM), says that “there have been more attacks in the Asia-Pacific region in the last year than in any other region,” with Australia often in the crosshairs. Despite the BOM being a prime target for attacks, “the Bureau has only been building a cybersecurity program from the ground up since September 2019.”
Apart from just providing forecasts, the BOM also “supports flood activity, cyclones, fires and all other critical weather related activities.” In many ways, “we’re primarily a data organisation, and we support a lot of critical infrastructure as well.” As such, “our data is extremely important,” and this was proven in drastic ways when “we had a major cybersecurity attack in 2016.” It is unclear exactly who was responsible, but the attack was conducted with the use of remote malicious software aimed at mining data about “who we communicate with, but also who our customers and partners are. This set the Bureau on a path to improve our cybersecurity program.”
According to figures provided by Verizon, “70% of attacks in the last year contained social engineering action aimed at harvesting credentials.” These attacks, sometimes referred to as “business email compromise incidents, are increasing at quite a significant rate.” The particularly scary part about many of these attacks is that “sometimes organisations only find out about them after they’ve been discovered by external parties.” For instance, it has happened before “that organisational credentials are on the dark web and that is when people get notified.” This means that the individuals are often unaware that they have been breached. Often these breaches occur through the use of “email phishing campaigns, most of which are very innovative, very realistic, with the employment of extremely clever tactics.” Part of the success of these campaigns relies on the fact that “user awareness is low, and that open source intelligence gathering is really easy,” particularly in the days of social media, if someone wants to put in the time and effort.
Mitigating Risks and Improving Monitoring
The Bureau, like every other organisation, knows that “it is impossible to protect ourselves 100% from cyber-attacks, and this is the consensus internationally as well.” The way forward therefore is through “cyber awareness and risk mitigation.” This means constantly communicating with all staff about potential risks, and having “phishing reporting processes” for both internal staff and all external suppliers. Despite that, there are “on average 6 to 8 major phishing campaigns a month, but at least we know about them.” A major campaign as defined by BOM as one that “targets between 60 and 100 staff at a minimum.” Given that there are a total of “around 1,700 staff,” this means that most of them get targeted at some point.
To try to get on top of the incidents, monitoring and reporting them is critical. “We are on a journey to uplift our security response.” Part of that response included coming up with “four areas of capabilities and processes that we wanted to address:”
- Threat intelligence management – “Knowing what to look for.”
- Vulnerability management – “Maintaining an inventory of vulnerable assets. We are trying to get ahead of any vulnerabilities that we have.”
- Security monitoring – “Visibility of critical assets. We have a complex IT ecosystem but we’re improving in that area.”
- Incident management – “Timely and well managed responses.”
These four areas make up the “security operating model,” and in order to “develop our maturity for cyber operation monitoring, we had to think about what services or capabilities we could retain and which ones we could outsource.” This is still a work in progress. In the meantime, “we’ve developed a plan for continuity and maturity.” There are multiple levels, each with their own rules, but essentially they are all about how to progress an incident and who handles the incidents. For instance, there is both an internal and an external security operation centre (SOC) with a cyber defence team. The next stage is to “establish a command centre for Level 2 incident responses, which will be for 24/7 coverage.”
Essentially the incident processes “follow four standard stages: detect and report; contain, eradicate and recover; engage in formal communication; and post incidents.” There are complex steps involved in each stage with “all the decision points mapped out,” but the basic principles apply across the board. The four stages are based on industry standards, but “of course every organisation needs to come up with its own incident response plan, as we have done.”
To assist organisations in mitigating risks, the Australian Signals Directorate (ASD) established the ‘ASD Essential Eight’, in conjunction with the Australian Cyber Security Centre, for the purpose of “mandating levels of maturity for cybersecurity for Australian government organisations.” Though initially the top four were considered a priority, “all eight are now important, so our approach is to work across all of them to help with our planning for continuity.” They cover things like maturity levels, application patching, settings and privileges, authentication and backups.
Ultimately, cybersecurity is about mitigating risks and being as prepared as possible for potential harm. Security is something that all “professionals in this space are passionate about.” To continue do this, “we need to engage with our peers and have a good network around us to support us. A good exchange of information is critical.”