Web Conferencing Security

Apr 2, 2020 - Web conferencing solutions (also commonly referred to as online collaboration tools) often provide audio/video conferencing, real-time chat, desktop sharing and file transfer capabilities. As we increasingly use web conferencing to keep in touch while working from home, it is important to ensure that this is done securely without introducing unnecessary privacy, security and legal risks. This document provides guidance on both how to select a web conferencing solution and how to use it securely.

End of Support for Microsoft Windows 10

Apr 7, 2020 - Under Microsoft’s current servicing model, support for Microsoft Windows 10 will end between 18 and 30 months after release depending on the version and edition being used. At such a time, organisations will no longer receive patches for security vulnerabilities identified in these products. Subsequently, adversaries may use these unpatched security vulnerabilities to target workstations running unsupported versions of Microsoft Windows 10.

End of Support for Microsoft Windows Server 2008 and Windows Server 2008 R2

Apr 1, 2020 - On 14 January 2020, Microsoft ended support for Microsoft Windows Server 2008 and Windows Server 2008 R2. As such, organisations no longer receive patches for security vulnerabilities identified in these products. Subsequently, adversaries may use these unpatched security vulnerabilities to target Microsoft Windows Server 2008 and Windows Server 2008 R2 servers.

End of Support for Microsoft Windows 7

Apr 1, 2020 - On 14 January 2020, Microsoft ended support for Microsoft Windows 7. As such, organisations no longer receive patches for security vulnerabilities identified in this product. Subsequently, adversaries may use these unpatched security vulnerabilities to target Microsoft Windows 7 workstations.

Security Configuration Guide - Samsung Galaxy S9 and S9+ Devices

Apr 1, 2020 - This publication provides guidance on hardening the security configuration of Samsung S9 and S9+ devices.

Security Configuration Guide - Apple iOS 12 Devices

Apr 1, 2020 - This publication provides guidance on hardening the security configuration of iOS 12 devices.

Mitigating Java-based Intrusions

Apr 1, 2020 - Java applications are widely deployed by organisations. As such, exploiting security vulnerabilities in the Java platform is particularly attractive to adversaries seeking unauthorised access to organisations’ networks.

Essential Eight to ISM Mapping

Apr 1, 2020 - This document provides a mapping between Maturity Level 3 of the Essential Eight Maturity Model and the security controls within the Australian Government Information Security Manual (ISM). This mapping represents the minimum security controls organisations must implement to meet the intent of the Essential Eight.

Windows Event Logging and Forwarding

Apr 1, 2020 - A common theme identified by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) while performing investigations is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening in an organisation’s environment is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to them.

Using Virtual Private Networks

Apr 1, 2020 - Virtual Private Network (VPN) connections can be an effective means of providing remote access to a network; however, VPN connections can be abused by an adversary to gain access to a network without relying on malware and covert communication channels. This document identifies security controls that should be considered when implementing VPN connections.

Using Remote Desktop Clients

Apr 1, 2020 - Remote access solutions are increasingly being used to access organisations’ systems. One common method of enabling remote access is to use a remote desktop client. This document provides guidance on security risks associated with the use of remote desktop clients.

Securing PowerShell in the Enterprise

Apr 1, 2020 - This document describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.

Secure Administration

Apr 1, 2020 - Privileged access allows administrators to perform their duties such as establishing and making changes to key servers, networking devices, user workstations and user accounts. Privileged access or credentials are often seen as the ‘keys to the kingdom’ as they allow the bearers to have access and control over many different assets within a network. This publication provides guidance on how to implement secure administration techniques.

Risk Management of Enterprise Mobility Including Bring Your Own Device

Apr 1, 2020 - This document has been developed to provide senior business representatives with a list of enterprise mobility considerations. These include business cases, regulatory obligations and legislation, available budget and personnel resources, and risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.

Protecting Web Applications and Users

Apr 1, 2020 - This document provides advice for web developers and security professionals on how they can protect their existing web applications by implementing low cost and effective security controls which do not require changes to a web application’s code. These security controls when applied to new web applications in development, whether in the application’s code or server configuration, form part of the defence-in-depth strategy.

Implementing Network Segmentation and Segregation

Apr 1, 2020 - This document intends to assist staff responsible for an organisation’s network architecture and design to increase the security posture of their networks by applying network segmentation and segregation strategies.

Assessing Security Vulnerabilities and Applying Patches

Apr 1, 2020 - Applying patches to operating systems, applications and devices is critical to ensuring the security of systems. As such, patching forms part of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.

Hardening Microsoft Windows 10 version 1709 Workstations

Apr 1, 2020 - Workstations are often targeted by an adversary using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk. This document provides recommendations on hardening workstations using Enterprise and Education editions of Microsoft Windows 10 version 1709. Before implementing recommendations in this document, thorough testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible.

Hardening Microsoft Windows 8.1 Workstations

Apr 1, 2020 - Workstations are often targeted by an adversary using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening workstations is an important part of reducing this risk. This document provides recommendations on hardening workstations using Enterprise editions of Microsoft Windows 8.1. Before implementing recommendations in this document, thorough testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible.

Microsoft Office Macro Security

Apr 1, 2020 - Microsoft Office applications can execute macros to automate routine tasks. However, macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion. This document has been developed to discuss approaches that can be applied by organisations to secure systems against malicious macros while balancing both their business and security requirements.

Essential Eight Maturity Model

Apr 1, 2020 - The Essential Eight Maturity Model provides advice on how to implement the Essential Eight in a phased approach. It also assists organisations in self-assessing the maturity of their implementation.

Cyber Security for Contractors

Apr 1, 2020 - This document has been developed to assist contractors with appropriately securing Australian Government information on their systems.

Essential Eight in Linux Environments

Apr 1, 2020 - This document has been developed to assist organisations to understand how the Essential Eight from the Strategies to Mitigate Cyber Security Incidents can be implemented in Linux environments. While this document refers specifically to Linux environments, the guidance presented is equally applicable to all Unix-style environments.

Essential Eight Explained

Apr 1, 2020 - The Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of adversaries. The mitigation strategies can be customised based on each organisation’s risk profile and the adversaries they are most concerned about.

Implementing Application Control

Apr 1, 2020 - Application control is one of the most effective mitigation strategies in ensuring the security of systems. As such, application control forms part of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents. This document provides guidance on what application control is, what application control is not, and how to implement application control.

Malicious Email Mitigation Strategies

Apr 1, 2020 - Socially engineered emails containing malicious attachments and embedded links are routinely used in targeted cyber intrusions against organisations. This document has been developed to provide mitigation strategies for the security risks posed by these malicious emails.

Cloud Computing Security for Cloud Service Providers

Apr 1, 2020 - This document is designed to assist assessors validating the security posture of a cloud service in order to provide organisations with independent assurance of security claims made by Cloud Service Providers (CSPs). This document can also assist CSPs to offer secure cloud services.

Mitigating Drive-by Downloads

Apr 1, 2020 - Adversaries are increasingly using drive‐by download techniques to deliver malicious software that compromises computers. This document explains how drive‐by downloads operate and how compromise from these techniques can be mitigated.

Cloud Computing Security Considerations

Apr 1, 2020 - Cloud computing offers potential benefits including cost savings and improved business outcomes for organisations. However, there are a variety of information security risks that need to be carefully considered. Risks will vary depending on the sensitivity of the data to be stored or processed, and how the chosen cloud vendor (also referred to as a cloud service provider) has implemented their specific cloud services.

Mergers, Acquisitions and Machinery of Government Changes

Mar 2, 2020 - This publication provides guidance on strategies that organisations can apply during mergers, acquisitions and Machinery of Government changes.

Securing Content Management Systems

Mar 2, 2020 - Security vulnerabilities within content management systems (CMS) installed on web servers of organisations are often exploited by adversaries. Once a CMS has been compromised, the web server can be used as infrastructure to facilitate targeted intrusion attempts.

Cloud Computing Security for Tenants

Mar 2, 2020 - This document is designed to assist an organisation’s cyber security team, cloud architects and business representatives to jointly perform a risk assessment and use cloud services securely.

Hardening Microsoft Office 365 ProPlus, Office 2019 and Office 2016

Jan 30, 2020 - Workstations are often targeted by adversaries using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk.

Hardening Microsoft Office 2013

Jan 30, 2020 - Workstations are often targeted by adversaries using malicious websites, emails or removable media in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk.

Introduction to Cross Domain Solutions

Jan 16, 2020 - This document introduces technical and non-technical audiences to the concept of a Cross Domain Solution (CDS), a type of security capability that is used to connect discrete systems within separate security domains in an assured manner.

Cyber Supply Chain Risk Management

Dec 16, 2019 - All organisations should consider cyber supply chain risk management. If another organisation is involved in the delivery of a product or service to your organisation, there will be a cyber supply chain risk originating from that organisation. Likewise, your organisation will transfer any cyber supply chain risk you hold to your customers. Effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services for systems throughout their lifetime. For products, this includes their design, manufacture, delivery, maintenance and…

Fundamentals of Cross Domain Solutions

Dec 4, 2019 - This guidance introduces technical and non-technical audiences to cross domain security principles for securely connecting security domains. It explains the purpose of a Cross Domain Solution (CDS) and promotes a data-centric approach to a CDS system implementation based on architectural principles and risk management. This guidance also covers a broad range of fundamental concepts relating to a CDS, which should be accessible to readers who have some familiarity with the field of cyber security. Organisations with complex information sharing requirements are encouraged to…

Quick Wins for your End of Support

Oct 31, 2019 - Every software product has a lifecycle. Knowing key dates in a program’s lifecycle can help you make informed decisions about the products your small business relies on every day. This guide helps small businesses understand what end of support is, why it is important to be prepared and when to update, upgrade or make other changes.

Implementing Certificates, TLS and HTTPS

Oct 15, 2019 - Using the TLS and HTTPS configuration guidelines outlined in this document will help strengthen website encryption and authentication.

Step-by-Step Guide – Turning on Two-Factor Authentication – Twitter

Oct 11, 2019 - This step-by-step guide shows you how to turn on two-factor authentication (2FA) on your desktop and mobile devices for Twitter.

Step-by-Step Guide – Turning on Automatic Updates (For Windows 10)

Oct 9, 2019 - This step-by-step guide shows you how to turn on automatic updates if you use Microsoft Windows 10.

Small Business Cyber Security Guide

Oct 9, 2019 - This guide has been developed to help small businesses protect themselves from the most common cyber security incidents.

Step-by-Step Guide – Turning on Two-Factor Authentication – Facebook

Oct 9, 2019 - This step-by-step guide shows you how to turn on two-factor authentication (2FA) on your desktop and mobile devices for Facebook.

Step-by-Step Guide – Turning on Two-Factor Authentication – Apple ID

Oct 9, 2019 - This step-by-step guide shows you how to turn on two-factor authentication (2FA) on your desktop and mobile devices for Apple ID.

Step-by-Step Guide – Turning on Automatic Updates (For iMac & MacBook, and iPhone & iPad)

Oct 9, 2019 - This step-by-step guide shows you how to turn on automatic updates if you use an iMac, MacBook, iPhone or iPad.

Step-by-Step Guide – Turning on Two-Factor Authentication – Gmail

Oct 9, 2019 - This step-by-step guide shows you how to turn on two-factor authentication (2FA) on your desktop and mobile devices for Gmail.

Quick Wins for your Portable Devices

Oct 9, 2019 - Mobile technology is an essential part of modern business. While these devices may be small, the cyber threats when transporting them outside of the office are huge. This guide helps small businesses understand what represents a portable device, why it is important to manage their usage and how to keep the data on portable devices secure.

Evaluated Products List

Oct 3, 2019 - The Evaluated Products List (EPL) is a list of products that have been evaluated via the ASD Cryptographic Evaluation (ACE) program or the High Assurance evaluation program. For a list of products certified via the Australasian Information Security Evaluation Program (AISEP), see the Certified Products List (CPL) on the Common Criteria website.

How to Combat Fake Emails

Sep 16, 2019 - Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System (DNS) configuration. Using DMARC with DomainKeys Identified Mail (DKIM) to sign emails provides further safety against fake emails.

Cyber Supply Chain Risk Management Practitioner Guide

Jun 25, 2019 - This guidance informs cyber security practitioners, procurement officers, and supply chain decision makers with a more detailed discussion of the key cyber SCRM elements.