This includes across all available environments (i.e. development, test, staging, pre-production and production).
The ACSC recommends the following actions:
- Ensure the service interface is not exposed to the internet if it is not required
- Ensure the service interface only listens on localhost/127.0.0.1 if it does not require remote access
- Ensure service administration interface is not exposed on the internet
- Use Virtual Private Network (VPN) connection where applicable
- Implement proper access control including controlling IP addresses and user accounts, and role-based access control
- Use least privileged user accounts, e.g. read-only access accounts for auditing and reporting purposes
- Use Data Loss Prevention (DLP) and Intrusion Prevention System (IPS)/Intrusion Detection System (IDS)
- Strong password policy for both user and service accounts
- Use multi-factor authentication wherever possible
- Implement network segmentation and segregation
- Retain audit and access logs
- Regularly monitor logs for suspicious activities
- Use Transport Layer Security (TLS) to secure communication in accordance with the Australian Government Information Security Manual (ISM) wherever possible
- Review product vendors’ security guidelines
- Report data breaches to the ACSC for assistance
- If a data breach has resulted from an unprotected service, you may be required to report this to the Office of the Australian Information Commissioner (OAIC). To determine whether you are required to report a data breach, please read about the Notifiable Data Breaches Scheme (NDB) on the OAIC website.
Australian customers with questions regarding this advice should contact us via 1300 CYBER1 (1300 292 371) or https://www.cyber.gov.au/acsc/contact.
You are eligible to participate in the AISI if you have been assigned Australian IP address ranges and are solely responsible for the management of these ranges. If you would like to participate in the AISI, please send an email to email@example.com with the following information:
- the IP address ranges associated with your network (preferably in CIDR format)
- an email address to send the daily AISI email reports to (ideally a generic email address rather than an individual email address)
- a direct contact number and email address to discuss AISI operational matters
- the name by which you want your company to be listed on the AISI website.