An organisation must assume that its cyber security has already been compromised and develop its strategy from there, Met Office chief information security officer (CISO) Jonathan Kidd has told Computing.
Kidd, who leads a team of about 16 security staff at the Exeter-headquartered national weather service provider, made the comments in an interview with Computing at the Infosecurity Europe 2015 conference at London Olympia.
The Met Office CISO described how his strategy is based on a “proactive, risk-managed response” which “focuses on the areas that need attention”, although he admitted that complete security is probably an impossible goal, even for the most well-staffed and well-funded organisations.
“You can never be one hundred per cent certain that you’re protected and this is where risk comes in. We don’t have an unlimited budget or unlimited resources,” Kidd explained.
“What we do have is some really good technical expertise and what we choose to do is to take a proactive, risk-managed response and focus on the areas that we think need attention,” he added.
To be proactive in the face of cyber crime and potential attacks by hackers, Kidd suggested the best strategy is to assume you have already been compromised and to build the protection strategy around finding and dealing with that compromise.
“In today’s environment you can’t assume that you’re not already compromised; it’s safe to assume that you are and you need to try to find out where you are and do something about it,” he told Computing.
One of the ways the Met Office tests its own security for potential vulnerabilities is by carrying out regular penetration testing within the organisation as part of “an annual plan of IT health checks”.
“A lot of organisations might just have one penetration test but we have such a complex and diverse infrastructure and we take a risk-based approach as well,” Kidd explained.
“We look at what’s most important, what are our assets which are most important from a production point of view? And we have a programme that rolls out throughout the year,” he continued, adding “it’s risk based. So it might be that it changes its dynamic”.
However, Kidd described how “it’s impossible to know” who is attacking you, so “it’s not wise to try and predict where your attack is going to come from”; organisations should instead be ready for attacks, whoever might be perpetrating them.
“The resources and the capabilities are there for a wide range of actors to use; some may be individuals, some may be organisations and I think we shouldn’t focus so much on where it’s coming from but on being able to respond to it when it happens,” said Kidd, echoing what security expert Bruce Schneier told the audience during his Infosec keynote.
“We’re actually living in a world where you can be attacked and not know if it is a nuclear-powered government with a $20bn military budget or a couple of guys in a basement somewhere. That’s actually a legitimate thing to be unsure about. That’s freak,” said Schneier.
Therefore, the Met Office doesn’t put resources into finding out who is carrying out cyber attacks, but focuses on how to protect against them.
“We as an organisation just don’t have the resources to be able to focus on who the attacker is, what we need to focus on is what the response is and how we deal with that,” he said. “In some cases it’s not worth trying to make the attribution.”
Kidd also warned that as time moves on, defending against ever more sophisticated malware and phishing attempts is only going to become more difficult.
“Malware is becoming a lot more sophisticated. We’ve seen a lot more of what you’d previously categorise as zero-day [previously unknown] malware. It’s so new it slips through your traditional anti-virus. We have seen a lot of those over the last few years and it’s increasing all the time,” he said.
“That kind of ability to have that advanced toolset available to almost anybody is just increasing and the overall background noise is just going to carry on getting more prevalent,” Kidd concluded.