Contact us
Portal login
1300 CYBER1 (1300 292 371)
You can view all our publications from this page. Use the filters below to filter by audience type, title and summary and the sort options to sort for the most recently updated or published content.
20 Jan 2023
End of Support for Microsoft Windows and Microsoft Windows Server
Under Microsoft’s Windows lifecycle policy, support for Microsoft Windows and Microsoft Windows Server varies depending on the release (e.g. Microsoft Windows 10), edition (e.g. Enterprise) and version (e.g. 22H2) of the operating system being used. Following the expiration of the specified servicing timeline, organisations will no longer receive patches for security vulnerabilities identified in these products.
17 Jan 2023
Essential Eight Assessment Process Guide
The purpose of this document is to provide supplementary guidance on the eight essential mitigation strategies from the Australian Cyber Security Centre’s Strategies to Mitigate Cyber Security Incidents (known collectively as the ‘Essential Eight’). In doing so, this document details the steps for undertaking an assessment against the Essential Eight, including methods for testing the implementation of each of the mitigation strategies.
05 Dec 2022
Questions for Boards to Ask About Cyber Security
This publication discusses high-level topics that board members should know about cyber security within their organisations.
24 Nov 2022
Essential Eight Maturity Model FAQ
The Essential Eight Maturity Model provides advice on how to implement the Essential Eight to mitigate different levels of adversary tradecraft and targeting.
Essential Eight Maturity Model
Essential Eight to ISM Mapping
This publication provides a mapping between the Essential Eight Maturity Model and the security controls within the Information Security Manual (ISM). This mapping represents the minimum security controls organisations must implement to meet the intent of the Essential Eight.
23 Nov 2022
Vulnerability Disclosure Programs Explained
A vulnerability disclosure program (VDP) is a collection of processes and procedures designed to identify, verify, resolve and report on security vulnerabilities disclosed by people who may be internal or external to organisations. The importance of developing, implementing and maintaining a well thought-out VDP cannot be underestimated. It is an integral part of professional organisations’ business operations.
21 Nov 2022
An Introduction to Securing Smart Places
Smart places, also known as smart cities, are places designed to provide enhanced services to citizens using a collection of smart information and communication technology (ICT)-enabled systems and devices that capture, communicate and analyse data. To achieve this purpose, previously discrete technologies and systems are interconnected to allow for large-scale coordination, real-time decision making, and increased visibility and situational awareness of the smart place’s status.
14 Oct 2022
Cyber Incident Management Arrangements for Australian Governments
The CIMA provides Australian governments with guidance on how they will collaborate in response to, and reduce the harm associated with, national cyber incidents.
29 Jul 2022
Gateway Security Guidance Package: Gateway Technology Guides
This guidance is one part of a package of documents that forms the gateway security guidance package. When designing, procuring, operating, maintaining or disposing of a gateway, it is important to consider all the documents from the gateway security guidance package at different stages of governance, design and implementation, and not to consume this guidance in isolation.
Gateway Security Guidance Package: Gateway Operations and Management
This guidance is one part of a package of documents that forms the Australian Signals Directorate (ASD)’s gateway security guidance package written for audiences responsible for the operation and management of gateways.
Gateway Security Guidance Package: Gateway Security Principles
This guidance is one part of a package of documents that forms the Australian Signals Directorate (ASD)’s gateway security guidance package written for audiences responsible for the procurement, operation and management of gateways.
Gateway Security Guidance Package: Executive Guidance
The purpose of this guidance is to inform decision-makers at the executive level of their responsibilities, the appropriate considerations needed to make informed risk-based decisions, and to meet policy obligations when leading the design or consumption of their organisation’s gateway services.
14 Jul 2022
Security Tips for Social Media and Messaging Apps
Social media and messaging apps can pose risks to the security and privacy of individuals and organisations. This guidance provides an overview of those risks along with recommendations for business and personal use in order to assist in securing social media accounts as well as social media and messaging apps.
06 Jul 2022
Post-Quantum Cryptography
A cryptographically relevant quantum computer (CRQC) will render most contemporary public key cryptography (PKC) insecure, thus making ubiquitous secure communications based on current PKC technology infeasible. Such a computer does not currently exist, but this future threat should be mitigated before it is realised.
10 Jun 2022
Mergers, Acquisitions and Machinery of Government Changes
This publication provides guidance on strategies that organisations can apply during mergers, acquisitions and Machinery of Government changes.
07 Jan 2022
Log4j: What Boards and Directors Need to Know
Log4j is a software library used as a building block found in a wide variety of Java applications. The Log4j vulnerability – otherwise known as Log4Shell – is trivial to exploit, and represents a significant business continuity risk. This publication outlines what Boards and Directors need to know in order to protect their businesses.
05 Jan 2022
Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016
Workstations are often targeted by adversaries using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk.
06 Oct 2021
Web Conferencing Security
Web conferencing solutions (also commonly referred to as online collaboration tools) often provide audio/video conferencing, real-time chat, desktop sharing and file transfer capabilities. As we increasingly use web conferencing to keep in touch while working from home, it is important to ensure that this is done securely without introducing unnecessary privacy, security and legal risks. This publication provides guidance on both how to select a web conferencing solution and how to use it securely.
Preparing for and Responding to Denial-of-Service Attacks
Although organisations cannot avoid being targeted by denial-of-service attacks, there are a number of measures that organisations can implement to prepare for and potentially reduce the impact if targeted. Preparing for denial-of-service attacks before they occur is by far the best strategy, it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.
Security Configuration Guide – Samsung Galaxy S10, S20 and Note 20 Devices
The ACSC has developed this guide to assist Australian’s to understand the risks when deploying Samsung Galaxy S10 and S20 devices.
Mitigating the Use of Stolen Credentials
This publication explains the risks posed by the use of stolen credentials and how they can be mitigated.
Implementing Certificates, TLS, HTTPS and Opportunistic TLS
Transport Layer Security (TLS) is a widely used encryption protocol which enables parties to communicate securely over the internet. Through the use of certificates and Public Key Infrastructure (PKI), parties can identify each other through a trusted intermediary and establish encrypted tunnels for the secure transfer of information.
Protecting Against Business Email Compromise
Business email compromise is when criminals use email to abuse trust in business processes to scam organisations out of money or goods. Criminals can impersonate business representatives using similar names, domains and/or fraudulent logos as a legitimate organisation or by using compromised email accounts and pretending to be a trusted co-worker.
Protecting Web Applications and Users
This publication provides advice for web developers and security professionals on how they can protect their existing web applications by implementing low cost and effective security controls which do not require changes to a web application’s code. These security controls when applied to new web applications in development, whether in the application’s code or server configuration, form part of the defence-in-depth strategy.
Cloud Computing Security Considerations
Cloud computing offers potential benefits including cost savings and improved business outcomes for organisations. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed, and how the chosen cloud vendor (also referred to as a cloud service provider) has implemented their specific cloud services.
Securing PowerShell in the Enterprise
This publication describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.
Cloud Assessment and Authorisation – Frequently Asked Questions
This publication provides answers relating to frequently asked questions on the Australian Cyber Security Centre (ACSC)’s new cloud security guidance, future support, government self-assessment and cloud security assessment reports.
Secure Administration
Privileged access allows administrators to perform their duties such as establishing and making changes to key servers, networking devices, user workstations and user accounts. Privileged access or credentials are often seen as the ‘keys to the kingdom’ as they allow the bearers to have access and control over many different assets within a network. This publication provides guidance on how to implement secure administration techniques.
Security Configuration Guide – Viasat Mobile Dynamic Defense
The ACSC has developed this guidance to assist organisations to understand the risks of deploying and provide specific configuration requirements for the Viasat Mobile Dynamic Defense (MDD) system to handle sensitive or classified data.
Assessing Security Vulnerabilities and Applying Patches
Applying patches to applications and operating systems is critical to ensuring the security of systems. As such, patching forms part of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.
Malicious Email Mitigation Strategies
Socially engineered emails containing malicious attachments and embedded links are routinely used in targeted cyber intrusions against organisations. This publication has been developed to provide mitigation strategies for the security risks posed by these malicious emails.
Marketing and Filtering Email Service Providers
This publication provides high level guidance on how to use email service providers (ESPs) in particular deployment scenarios. The considerations and controls described in that publication also apply to ESPs sending email on your behalf.
Implementing Network Segmentation and Segregation
This publication intends to assist staff responsible for an organisation’s network architecture and design to increase the security posture of their networks by applying network segmentation and segregation strategies.
Anatomy of a Cloud Assessment and Authorisation
This publication is co-designed with industry to support the secure adoption of cloud services across government and industry.
Using Remote Desktop Clients
Remote access solutions are increasingly being used to access organisations’ systems. One common method of enabling remote access is to use a remote desktop client. This publication provides guidance on security risks associated with the use of remote desktop clients.
Cloud Computing Security for Cloud Service Providers
This publication is designed to assist assessors validating the security posture of a cloud service in order to provide organisations with independent assurance of security claims made by Cloud Service Providers (CSPs). This publication can also assist CSPs to offer secure cloud services.
Industrial Control Systems Remote Access Protocol
External parties may need to connect remotely to critical infrastructure control networks. This is to allow manufacturers of equipment the ability to maintain the equipment when a fault is experienced that cannot be fixed in the required timeframe. Such access to external parties will only occur in extraordinary circumstances, and will only be given at critical times where access is required to maintain the quality of everyday life in Australia.
Identifying Cyber Supply Chain Risks
This guidance has been developed to assist organisations in identifying risks associated with their use of suppliers, manufacturers, distributors and retailers (i.e. businesses that constitute their cyber supply chain).
Mitigating Java-based Intrusions
Java applications are widely deployed by organisations. As such, exploiting security vulnerabilities in the Java platform is particularly attractive to adversaries seeking unauthorised access to organisations’ networks.
Microsoft Office Macro Security
Microsoft Office applications can execute macros to automate routine tasks. However, macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion. This publication has been developed to discuss approaches that can be applied by organisations to secure systems against malicious macros while balancing both their business and security requirements.
Travelling Overseas with Electronic Devices
This publication provides guidance on strategies that individuals can take to secure the use of electronic devices when travelling overseas.
Mitigating Drive-by Downloads
Adversaries are increasingly using drive‐by download techniques to deliver malicious software that compromises computers. This publication explains how drive‐by downloads operate and how compromise from these techniques can be mitigated.
Hardening Microsoft Windows 10 version 21H1 Workstations
Workstations are often targeted by an adversary using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk. This publication provides recommendations on hardening workstations using Enterprise and Education editions of Microsoft Windows 10 version 21H1.
Data Spill Management Guide
A data spill is the accidental or deliberate exposure of information into an uncontrolled or unauthorised environment, or to persons without a need-to-know. A data spill is sometimes referred to as information disclosure or a data leak. Data spills are considered cyber security incidents and should be reported to the Australian Cyber Security Centre (ACSC).
Cloud Computing Security for Tenants
This publication is designed to assist an organisation’s cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use cloud services securely.
How to Manage Your Security When Engaging a Managed Service Provider
The compromise of several Managed Service Providers’ (MSPs) was reported in 2017. In response, the Australian Cyber Security Centre (ACSC) provided organisations with the information they needed to protect themselves and others from this threat.
Domain Name System Security for Domain Owners
This publication provides information on Domain Name System (DNS) security for domain owners, as well as mitigation strategies to reduce the risk of misuse of domains and associated resources. Organisations are recommended to implement the mitigation strategies in this publication to improve the security of their DNS infrastructure.
Restricting Administrative Privileges
This publication provides guidance on restricting the use of administrative privileges. Restricting the use of administrative privileges is one of the eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents.
Introduction to Cross Domain Solutions
This publication introduces technical and non-technical audiences to the concept of a Cross Domain Solution (CDS), a type of security capability that is used to connect discrete systems within separate security domains in an assured manner.
