View all publications

26 Jun 2020

An Examination of the Redaction Functionality of Adobe Acrobat Pro DC 2017

This document provides guidance on the efficacy of redaction facilities within Adobe Acrobat Pro DC 2017 and is intended for information technology and information security professionals within organisations looking to redact sensitive or personal information from PDF documents before releasing them into the public domain or to other third parties.

10 Sep 2020

ASD Cyber Skills Framework

The ASD Cyber Skills Framework defines the roles, capabilities and skills that are essential to ASD’s cyber missions. The ASD Cyber Skills Framework enables targeted recruitment of cyber specialists, provides a development pathway for current and future cyber staff, and aligns skills, knowledge and attributes with national and international industry standards.

26 Jun 2020

Assessing Security Vulnerabilities and Applying Patches

Applying patches to operating systems, applications and devices is critical to ensuring the security of systems. As such, patching forms part of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.

26 Jun 2020

Bring Your Own Device for Executives

Bring Your Own Device (BYOD) scenarios enable organisations to take advantage of new technologies faster. It also has the potential to reduce hardware costs and improve organisational productivity and flexibility. However, BYOD also introduces new risks to an organisation’s business and the security of its information, which need to be carefully considered before implementation.

27 Jul 2020

Cloud Assessment and Authorisation – Frequently Asked Questions

This publication provides answers relating to frequently asked questions on the Australian Cyber Security Centre (ACSC)’s new cloud security guidance, future support, government self-assessment and cloud security assessment reports.

27 Jul 2020

Cloud Computing Security Considerations

Cloud computing offers potential benefits including cost savings and improved business outcomes for organisations. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed, and how the chosen cloud vendor (also referred to as a cloud service provider) has implemented their specific cloud services.

27 Jul 2020

Cloud Computing Security for Cloud Service Providers

This document is designed to assist assessors validating the security posture of a cloud service in order to provide organisations with independent assurance of security claims made by Cloud Service Providers (CSPs). This document can also assist CSPs to offer secure cloud services.

27 Jul 2020

Cloud Computing Security for Tenants

This document is designed to assist an organisation’s cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use cloud services securely.

22 May 2020

COVID-19 – Remote access to Operational Technology Environments

This cyber security advice is for critical infrastructure providers who are deploying business continuity plans for Operational Technology Environments (OTE)/Industrial Control Systems (ICS) during the COVID-19 pandemic.

26 Jun 2020

Cyber Security for Contractors

This document has been developed to assist contractors with appropriately securing Australian Government information on their systems.

26 Jun 2020

Cyber Supply Chain Risk Management

All organisations should consider cyber supply chain risk management. If another organisation is involved in the delivery of a product or service to your organisation, there will be a cyber supply chain risk originating from that organisation. Likewise, your organisation will transfer any cyber supply chain risk you hold to your customers. Effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services for systems throughout their lifetime. For products, this includes their design, manufacture, delivery, maintenance and disposal. As such, cyber supply chain risk management forms a significant component of any organisation’s overall cyber security strategy.

26 Jun 2020

Cyber Supply Chain Risk Management Practitioner Guide

This guidance informs cyber security practitioners, procurement officers, and supply chain decision makers with a more detailed discussion of the key cyber SCRM elements.

26 Jun 2020

Data Spill Management Guide

A data spill is the accidental or deliberate exposure of information into an uncontrolled or unauthorised environment, or to persons without a need-to-know. A data spill is sometimes referred to as information disclosure or a data leak. Data spills are considered cyber security incidents and should be reported to the Australian Cyber Security Centre (ACSC).

19 Oct 2020

Defending Against the Malicious Use of the Tor Network

Blocking traffic from the Tor network will prevent adversaries from using the Tor network to easily conduct anonymous reconnaissance and exploitation of systems and typically has minimal, if any, impact on legitimate users. This publication provides guidance on the prevention and detection of traffic from the Tor network.

26 Jun 2020

Detecting Socially Engineered Messages

Socially engineered messages present a significant threat to individuals and organisations due to their ability to assist an adversary with compromising accounts, devices, systems or sensitive information. This document offers guidance on identifying socially engineered messages delivered by email, SMS, instant messaging or other direct messaging services offered by social media applications.

26 Jun 2020

Domain Name System Security

This publication provides information on Domain Name System (DNS) security. DNS systems, known as DNS Resolvers, are vulnerable to a number of exploits that can lead to compromises. This publication provides information on protecting DNS integrity and mitigation strategies to reduce the likelihood of DNS Resolver compromises.

26 Jun 2020

End of Support for Microsoft Windows 10

Under Microsoft’s current servicing model, support for Microsoft Windows 10 will end between 18 to 30 months after release depending on the version and edition being used. At such a time, organisations will no longer receive patches for security vulnerabilities identified in these products. Subsequently, adversaries may use these unpatched security vulnerabilities to target workstations running unsupported versions of Microsoft Windows 10.

26 Jun 2020

End of Support for Microsoft Windows 7

On 14 January 2020, Microsoft ended support for Microsoft Windows 7. As such, organisations no longer receive patches for security vulnerabilities identified in this product. Subsequently, adversaries may use these unpatched security vulnerabilities to target Microsoft Windows 7 workstations.

26 Jun 2020

End of Support for Microsoft Windows Server 2008 and Windows Server 2008 R2

On 14 January 2020, Microsoft ended support for Microsoft Windows Server 2008 and Windows Server 2008 R2. As such, organisations no longer receive patches for security vulnerabilities identified in these products. Subsequently, adversaries may use these unpatched security vulnerabilities to target Microsoft Windows Server 2008 and Windows Server 2008 R2 servers.

26 Jun 2020

Essential Eight Explained

The Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of adversaries. The mitigation strategies can be customised based on each organisation’s risk profile and the adversaries they are most concerned about.

26 Jun 2020

Essential Eight Maturity Model

The Essential Eight Maturity Model provides advice on how to implement the Essential Eight in a phased approach. It also assists organisations in self-assessing the maturity of their implementation.

26 Jun 2020

Essential Eight to ISM Mapping

This document provides a mapping between Maturity Level 3 of the Essential Eight Maturity Model and the security controls within the Australian Government Information Security Manual (ISM). This mapping represents the minimum security controls organisations must implement to meet the intent of the Essential Eight.

26 Jun 2020

Fundamentals of Cross Domain Solutions

This guidance introduces technical and non-technical audiences to cross domain security principles for securely connecting security domains. It explains the purpose of a Cross Domain Solution (CDS) and promotes a data-centric approach to a CDS system implementation based on architectural principles and risk management. This guidance also covers a broad range of fundamental concepts relating to a CDS, which should be accessible to readers who have some familiarity with the field of cyber security. Organisations with complex information sharing requirements are encouraged to refer to this guidance in the planning, analysis, design and implementation of CDS systems.

21 Oct 2020

Hardening Linux Workstations and Servers

This document has been developed to assist organisations understand how to harden Linux workstations and servers, including by applying the Essential Eight from the Australian Cyber Security Centre (ACSC)’s Strategies to Mitigate Cyber Security Incidents.

26 Jun 2020

Hardening Microsoft Office 2013

Workstations are often targeted by adversaries using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk.

26 Jun 2020

Hardening Microsoft Office 365 ProPlus, Office 2019 and Office 2016

Workstations are often targeted by adversaries using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk.

26 Jun 2020

Hardening Microsoft Windows 10 version 1909 Workstations

Workstations are often targeted by an adversary using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk. This document provides recommendations on hardening workstations using Enterprise and Education editions of Microsoft Windows 10 version 1909. Before implementing recommendations in this document, thorough testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible.

26 Jun 2020

Hardening Microsoft Windows 8.1 Workstations

Workstations are often targeted by an adversary using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk. This document provides recommendations on hardening workstations using Enterprise editions of Microsoft Windows 8.1. Before implementing recommendations in this document, thorough testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible.

26 Jun 2020

How to Combat Fake Emails

Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System (DNS) configuration. Using DMARC with DomainKeys Identified Mail (DKIM) to sign emails provides further safety against fake emails.

26 Jun 2020

How to Manage Your Security When Engaging a Managed Service Provider

The compromise of several Managed Service Providers’ (MSPs) was reported in 2017. In response, the Australian Cyber Security Center (ACSC) provided organisations with the information they needed to protect themselves and others from this threat.

26 Jun 2020

Implementing Application Control

Application control is one of the most effective mitigation strategies in ensuring the security of systems. As such, application control forms part of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents. This document provides guidance on what application control is, what application control is not, and how to implement application control.

26 Jun 2020

Implementing Certificates, TLS and HTTPS

Using the TLS and HTTPS configuration guidelines outlined in this document will help strengthen website encryption and authentication.

26 Jun 2020

Implementing Multi-Factor Authentication

Multi-factor authentication is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information. When implemented correctly, multi-factor authentication can make it significantly more difficult for an adversary to steal legitimate credentials to facilitate further malicious activities on a network. Due to its effectiveness, multi-factor authentication is one of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.

26 Jun 2020

Implementing Network Segmentation and Segregation

This document intends to assist staff responsible for an organisation’s network architecture and design to increase the security posture of their networks by applying network segmentation and segregation strategies.

26 Jun 2020

Industrial Control Systems Remote Access Protocol

External parties may need to connect remotely to critical infrastructure control networks. This is to allow manufacturers of equipment the ability to maintain the equipment when a fault is experienced that cannot be fixed in the required timeframe. Such access to external parties will only occur in extraordinary circumstances, and will only be given at critical times where access is required to maintain the quality of everyday life in Australia.

26 Jun 2020

Introduction to Cross Domain Solutions

This document introduces technical and non-technical audiences to the concept of a Cross Domain Solution (CDS), a type of security capability that is used to connect discrete systems within separate security domains in an assured manner.

17 Sep 2020

IoT Code of Practice: Guidance for Manufacturers

Internet of Things (IoT) devices need to have effective cyber security provisions to defend against potential threats.

26 Jun 2020

Malicious Email Mitigation Strategies

Socially engineered emails containing malicious attachments and embedded links are routinely used in targeted cyber intrusions against organisations. This document has been developed to provide mitigation strategies for the security risks posed by these malicious emails.

26 Jun 2020

Managed Service Providers: How to Manage Risk to Customer Networks

The compromise of several Managed Service Providers (MSPs) was reported in 2017. In response, the Australian Cyber Security Center (ACSC) provided organisations with the information they needed to protect themselves and others from this threat.

26 Jun 2020

Mergers, Acquisitions and Machinery of Government Changes

This publication provides guidance on strategies that organisations can apply during mergers, acquisitions and Machinery of Government changes.

26 Jun 2020

Microsoft Office Macro Security

Microsoft Office applications can execute macros to automate routine tasks. However, macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion. This document has been developed to discuss approaches that can be applied by organisations to secure systems against malicious macros while balancing both their business and security requirements.

26 Jun 2020

Mitigating Drive-by Downloads

Adversaries are increasingly using drive‐by download techniques to deliver malicious software that compromises computers. This document explains how drive‐by downloads operate and how compromise from these techniques can be mitigated.

26 Jun 2020

Mitigating Java-based Intrusions

Java applications are widely deployed by organisations. As such, exploiting security vulnerabilities in the Java platform is particularly attractive to adversaries seeking unauthorised access to organisations’ networks.

26 Jun 2020

Mitigating the Use of Stolen Credentials

This document explains the risks posed by the use of stolen credentials and how they can be mitigated.

15 Oct 2020

Patching During Change Freezes

This document has been developed to assist organisations in assessing and applying patches during change freezes.

26 Jun 2020

Preparing for and Responding to Cyber Security Incidents

The Australian Cyber Security Centre (ACSC) is responsible for monitoring and responding to cyber threats targeting Australian interests. The ACSC can help organisations respond to cyber security incidents. Reporting cyber security incidents ensures that the ACSC can provide timely assistance.

26 Jun 2020

Preparing for and Responding to Denial-of-Service Attacks

Although organisations cannot avoid being targeted by denial-of-service attacks, there are a number of measures that organisations can implement to prepare for and potentially reduce the impact if targeted. Preparing for denial-of-service attacks before they occur is by far the best strategy, it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.

23 Oct 2020

Protecting Against Business Email Compromise

Business email compromise is when criminals use email to abuse trust in business processes to scam organisations out of money or goods. Criminals can impersonate business representatives using similar names, domains and/or fraudulent logos as a legitimate organisation or by using compromised email accounts and pretending to be a trusted co-worker.

01 Jul 2018

Protecting Industrial Control Systems

Industrial control systems are essential to our daily life. They control the water we drink, the electricity we rely on and the transport that moves us all. It is critical that cyber threats to industrial control systems are understood and mitigated appropriately to ensure essential services continue to provide for everyone.

26 Jun 2020

Protecting Web Applications and Users

This document provides advice for web developers and security professionals on how they can protect their existing web applications by implementing low cost and effective security controls which do not require changes to a web application’s code. These security controls when applied to new web applications in development, whether in the application’s code or server configuration, form part of the defence-in-depth strategy.